
CSE5CRM Cyber Security Risk Management Program Assignment Sample

Assessment Components

Component 1: Asset Evaluation and Classification

Objective: Demonstrate the ability to identify and classify organizational assets for risk assessments.

Tasks:

1. Asset Inventory Creation:

Develop a comprehensive inventory of an organization's assets (hardware, software, data, human resources). Provide a detailed description of each asset.

2. Asset Categorization:

Categorize each asset into groups (e.g., critical, sensitive, non-critical).

Justify the categorization based on the asset's role and importance to the organization.

3. CIA Triad Evaluation:

Assess each asset based on confidentiality, integrity, and availability requirements.

Assign a classification level (e.g., high, medium, low) and justify the classification.

4. Business Impact Analysis:

Conduct a Business Impact Analysis (BIA) to determine the potential impact of asset compromise on business operations.

Classify assets according to their impact on business continuity.

5. Data Sensitivity and Value Assessment:

Evaluate the sensitivity and value of data handled by each asset.

Classify assets based on the data they manage and provide justification.

Deliverable: A report documenting the asset inventory, categorization, CIA triad evaluation, business impact analysis, and data sensitivity and value assessment.

Assessment Criteria:

- Completeness and accuracy of the asset inventory.

- Justification for asset categorization and classification.

- Depth of analysis in the BIA and data sensitivity assessment.

- Clarity and organization of the report.

Component 2: Developing Methods for Evaluating and Monitoring Cyber Risk Management

Objective: Develop and apply methods for evaluating and monitoring cyber risk management.

Tasks:

1. Qualitative Risk Assessment:

Utilize qualitative methods (e.g., expert judgment, scenario analysis) to evaluate cyber risks.

Document the process and findings.

2. Quantitative Risk Assessment:

Apply quantitative methods (e.g., Annual Loss Expectancy, Monte Carlo simulations) to quantify cyber risks.

Present the results and explain the methodology used.

3. Key Risk Indicators (KRIs):

Develop a set of KRIs to monitor the organization's risk landscape.

Explain how these KRIs will be measured and monitored.

4. Continuous Monitoring Plan:

Design a plan for continuous monitoring of cyber threats, including tools and techniques to be used (e.g., SIEM, IDS, EDR).

Explain how the monitoring plan will be implemented and maintained.

5. Periodic Risk Assessment Plan:

Develop a schedule and methodology for conducting regular risk assessments.

Outline the steps for updating the risk assessment based on new threats and vulnerabilities.

Deliverable: A comprehensive document detailing the qualitative and quantitative risk assessments, KRIs, continuous monitoring plan, and periodic risk assessment plan.

Assessment Criteria:

- Appropriateness and thoroughness of the risk assessment methods.

- Justification for the selection of KRIs.

- Feasibility and effectiveness of the continuous monitoring and periodic risk assessment plans.

- Clarity and professionalism of the document.

Component 3: Determining Cost-effective Treatments to Manage Cyber Risk

Objective: Identify and justify cost-effective treatments to manage cyber risk.

Tasks:

1. Risk Treatment Options Analysis:

Identify and analyze risk treatment options (e.g., risk avoidance, risk reduction, risk transfer, risk acceptance).

Provide examples and justifications for each option.

2. Prioritization of Security Controls:

Prioritize security controls based on their effectiveness and cost.

Use the results from the risk assessments to guide prioritization.

3. Cost-benefit Analysis:

Conduct a cost-benefit analysis for each proposed security control.

Include calculations for Return on Security Investment (ROSI) and Total Cost of Ownership (TCO).

4. Implementation Plan:

Develop a plan for implementing selected security controls.

Outline the steps, resources required, and timeline for implementation.

5. Cost-effective Security Metrics:

Propose metrics to measure the cost-effectiveness of implemented security controls.

Explain how these metrics will be monitored and reported.

Solution

Component 1: Asset Evaluation and Classification

1.1 Asset Inventory Creation


Table 1: Assets inventory
(Source: Self-created)

1.2 Asset Categorization

Critical

- Web Server
- Firewall
- ERP System

Non-critical

- Workstations

Sensitive

- CRM System
- Customer Database

1.3 CIA Triad Evaluation


Table 2: CIA Triad Evaluation
(Source: Self-created)

Justification

The risk classification levels, therefore, depend on the significance of the asset to the operations, security, and data of the organization. The firewall, IT administrator, and customer database are classified as high because their loss or compromise severely impacts confidentiality, integrity, and availability: customer data is breached, operations shut down, and penalties follow. The enterprise resource planning (ERP) and customer relationship management (CRM) systems discussed here are likewise considered high in importance (Fraser et al. 2021).

1.4 Business Impact Analysis

Business impact analysis (BIA) assesses the effect that adverse events will have on an organization's operations if its assets are compromised. Compromise of the web server, firewall, CRM system, or ERP system would be devastating to business continuity. For example, the web server hosts the customer applications, so losing it would mean no access to services, loss of trust, and consequently lower revenue. The firewall safeguards the whole network, so its failure leaves the organization exposed to cyber-attacks and puts all the other systems at risk (Ghadge et al. 2020).

Figure 1: Risk Assessment and Business Impact Analysis
(Source: Linkedin.com, 2024)

Also, compromise of highly sensitive assets such as the customer database and financial records will bring severe legal and financial penalties under data privacy laws such as GDPR. Opportunity loss would mean the inability to make sales, customer inconvenience, and delay in responding to their needs and demands, but the harm is less severe because it entails only lost potential revenue. Despite the definite usefulness of data analysts, their absence does not necessarily bring activities to a stop (Crumpler and Lewis, 2022).

Classification


Table 3: Assets classification
(Source: Self-created)

1.5 Data Sensitivity and Value Assessment


Table 4: Data Sensitivity and Value Assessment
(Source: Self-created)

Component 2: Developing Methods for Evaluating and Monitoring Cyber Risk Management

2.1 Qualitative Risk Assessment

The qualitative risk assessment of the anticipated scenario yielded valuable information about the organization's cybersecurity risks. The analysis of possible phishing attacks led to one important conclusion: such attacks are advancing in real-world scenarios. For instance, the recent Twitter hack of 2020, where the attackers used phishing techniques to gain control over executives' accounts, illustrates the risk of negligence in training employees to identify such threats (Li and Liu, 2021). The investigation of insider threats gave more insight into the problem of frustrated personnel turning criminal and exploiting their privileges. Prominent examples like the Edward Snowden case of 2016 show that insider threats can have severe consequences for organizational reputation and customer loyalty.

2.2 Quantitative Risk Assessment

Annual Loss Expectancy (ALE)

The Annual Loss Expectancy (ALE) assessment enables the measurement of expected loss from identified threats to the assets. First, one specifies the assets and the threats they face, for example loss of data or ransomware attacks. Next, every asset is given a dollar value. There are three main types of threats, and the threat frequency, expressed as the Annual Rate of Occurrence (ARO), is calculated using statistical data (Kamiya et al. 2021).

SLE = Asset Value * Exposure Factor
ALE = SLE * ARO

Findings


Table 5: Findings from quantitative analysis
(Source: Self-created)

2.3 Key Risk Indicators

Key Risk Indicators (KRIs)

- Number of Security Incidents: the cumulative count of security incidents within a month or a quarter. An increasing rate of occurrence may point to weaknesses that require prompt action.

- Phishing Attack Rate: the number of employees who have failed phishing simulation tests. A higher rate indicates the need to enhance the security training and awareness programs within the organization (Zwilling et al. 2022).

- User Access Violations: the number of attempts by unauthorized individuals to access restricted data or information systems. Where access controls are applied per user group, an increase in violations could come from potential insiders or from inadequate access control (Sarker et al. 2021).

Measurement and Monitoring of KRIs

- Data Collection: Implement organizational structures for acquiring key data for each KRI. For instance, the Security Information and Event Management (SIEM) tool logs security incidents and access attempts.

- Regular Reporting: Develop KPIs and KRIs and build the corresponding trending charts into the systems so that changes can be tracked over time. Monthly or quarterly reporting improves the recognition of new trends and risks (Gupta et al. 2023).

- Continuous Review: Keep the KRIs dynamic by routinely reviewing them against changes in the risk environment and business direction. This ensures that the indicators remain meaningful and aligned with the objectives the organization has set (Khinvasara et al. 2023).
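The three KRIs above, computed per reporting month from a SIEM-style event export and checked for the upward trend the text says should prompt action. This is an added example, not part of the original sample; the event lines and their type names (incident, access_violation, phish_sim_fail, phish_sim_pass) are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed SIEM-style export (an assumption, not from the original page):
# one event per line as "YYYY-MM-DD,event_type,detail".
SAMPLE_EVENTS = """\
2024-01-03,incident,malware on workstation
2024-01-15,access_violation,denied read on customer-db
2024-01-20,phish_sim_fail,user a.smith clicked link
2024-01-20,phish_sim_pass,user b.jones reported email
2024-02-02,incident,credential stuffing on web server
2024-02-09,incident,erp outage after misconfiguration
2024-02-11,access_violation,denied write on financial-records
2024-02-11,access_violation,denied read on customer-db
2024-02-14,phish_sim_fail,user c.lee clicked link
2024-02-14,phish_sim_fail,user d.kim clicked link
2024-02-14,phish_sim_pass,user e.roy reported email
"""

def parse_events(text):
    """Return (YYYY-MM, event_type, detail) tuples; the month is the reporting period."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, etype, detail = line.split(",", 2)
            events.append((date[:7], etype, detail))
    return events

def monthly_kris(events):
    """Per month: incident count, phishing-sim failure rate in percent (None if no test ran), violation count."""
    counts = defaultdict(Counter)
    for month, etype, _ in events:
        counts[month][etype] += 1
    kris = {}
    for month, c in sorted(counts.items()):
        tested = c["phish_sim_fail"] + c["phish_sim_pass"]
        kris[month] = {
            "incidents": c["incident"],
            "phish_fail_rate": round(100 * c["phish_sim_fail"] / tested, 1) if tested else None,
            "access_violations": c["access_violation"],
        }
    return kris

def rising_kris(kris):
    """Flag (month, KRI) pairs that rose against the previous month: the trend that should trigger review."""
    months, flags = sorted(kris), []
    for prev, cur in zip(months, months[1:]):
        for name in ("incidents", "phish_fail_rate", "access_violations"):
            before, now = kris[prev][name], kris[cur][name]
            if before is not None and now is not None and now > before:
                flags.append((cur, name))
    return flags
```

On the constructed data all three KRIs rise from January to February, which is exactly the signal the monthly report is meant to surface.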

2.4 Continuous Monitoring Plan


Table 6: Continuous Monitoring Plan
(Source: Self-created)

2.5 Periodic Risk Assessment Plan


Table 7: Continuous Monitoring Plan
(Source: Self-created)

The updated risk assessment process includes several steps that must still be followed to ensure cybersecurity remains adequate. First, the organization has to gather threat intelligence, either by purchasing a feed or subscribing to one that alerts it to threats; second, it has to read and stay aware of industry reports and trends.

Component 3: Determining Cost-effective Treatments to Manage Cyber Risk

3.1 Risk Treatment Options Analysis

Risk Avoidance

Risk avoidance means eliminating each activity that could put the organization at risk. For example, if those responsible are aware of vulnerabilities in a certain software application that cannot reasonably be fixed, they might decide not to use it in the organization.

Figure 2: Risk treatment options
(Source: Researchgate.net, 2024)

Risk Reduction

Risk reduction is centered on minimizing the probability of occurrence of risks and their severity. For instance, an organization may deploy more sophisticated firewalls and intrusion detection systems to strengthen its network security (Zeadally et al. 2020). Training employees in cybersecurity can also reduce the errors that are common causes of cyber threats.

Risk Transfer

Risk transfer means shifting responsibility for a risk to a third party, usually through contracts or insurance. For example, an organization may invest in cyber liability insurance to protect against losses from hacking. This approach lets the organization cap its liability while making sure that resources for dealing with such losses are available.

3.2 Prioritization of Security Controls

Risk control is helpful for organizations because it assists in prioritizing security controls and allocating resources where they will be most effective in diminishing risk. A risk-based approach to security controls takes into account not only the effectiveness of a particular control but also the cost of implementing it.

Figure 3: How to implement the types of security controls
(Source: sprinto.com, 2024)

The cost of controls should also be taken into consideration. It is not reasonable to deploy high-cost controls when low-cost ones can offer almost the same level of protection.

3.3 Cost-Benefit Analysis

Firewall

- Initial Cost: $20,000
- Annual Maintenance Cost: $3,000
- Lifespan: 5 years
- Risk Reduced (Annual Savings): $100,000

Total Cost (TCO) = 20,000 + (3,000*5)
= 35,000
ROSI = 100,000 / 35,000 * 100
= 285.71%

Intrusion Detection System

- Initial Cost: $15,000
- Annual Maintenance Cost: $2,500
- Lifespan: 5 years
- Risk Reduced (Annual Savings): $75,000

Total Cost (TCO) = 15000 + 2500*5
= 27500
ROSI = 75000 / 27500 * 100
= 272.73%

Employee Training

- Initial Cost: $5,000
- Annual Maintenance Cost: $1,000
- Lifespan: 3 years
- Risk Reduced (Annual Savings): $25,000

Total Cost (TCO) = 5000 + 3*1000
= 8000
ROSI = 25000/8000 *100
= 312.5%

Based on the cost-benefit analysis, the three proposed security controls have high ROSI, and the most beneficial security control is the employee training program.
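The TCO and ROSI arithmetic of section 3.3, together with the SLE and ALE formulas of section 2.2, carried through in code as an added example that is not part of the original sample. The page's ROSI divides one year's risk reduction by the lifetime TCO; the block also computes the conventional form, ROSI = (annual risk reduction - annualised control cost) / annualised control cost, so the two rankings can be compared. The SLE/ALE input figures are constructed.

```python
from dataclasses import dataclass

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value * Exposure Factor (the page's first formula)."""
    return asset_value * exposure_factor

def annual_loss_expectancy(sle, aro):
    """ALE = SLE * ARO (the page's second formula)."""
    return sle * aro

@dataclass
class Control:
    name: str
    initial_cost: float
    annual_maintenance: float
    lifespan_years: int
    annual_risk_reduced: float  # ALE before the control minus ALE after it

    def tco(self):
        # Total Cost of Ownership over the control's lifespan
        return self.initial_cost + self.annual_maintenance * self.lifespan_years

    def rosi_page(self):
        # The page's formula: one year's savings over lifetime TCO, in percent
        return self.annual_risk_reduced / self.tco() * 100

    def rosi_conventional(self):
        # (ALE reduction - annualised cost) / annualised cost, in percent
        annual_cost = self.tco() / self.lifespan_years
        return (self.annual_risk_reduced - annual_cost) / annual_cost * 100

# The three controls with the figures given in section 3.3
CONTROLS = [
    Control("Firewall", 20_000, 3_000, 5, 100_000),
    Control("Intrusion Detection System", 15_000, 2_500, 5, 75_000),
    Control("Employee Training", 5_000, 1_000, 3, 25_000),
]

def rank_by(controls, method):
    """Control names ordered by the named ROSI method, highest first."""
    return [c.name for c in sorted(controls, key=lambda c: getattr(c, method)(), reverse=True)]

if __name__ == "__main__":
    # Constructed ALE inputs (an assumption, not from the page): a $500,000 asset,
    # 40% exposure factor and ARO of 0.5 give an ALE of $100,000 per year.
    sle = single_loss_expectancy(500_000, 0.4)
    print("SLE", sle, "ALE", annual_loss_expectancy(sle, 0.5))
    for c in CONTROLS:
        print(f"{c.name}: TCO ${c.tco():,.0f}  ROSI(page) {c.rosi_page():.2f}%  ROSI(conventional) {c.rosi_conventional():.2f}%")
    print("page ranking:", rank_by(CONTROLS, "rosi_page"))
    print("conventional ranking:", rank_by(CONTROLS, "rosi_conventional"))
```

Under the page's formula employee training ranks first, but under the conventional form the firewall does, so the conclusion depends on which cost base is used.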

3.4 Implementation Plan

Table 8: Implementation plan
(Source: Self-created)

3.5 Cost-effective Security Metrics

Proposed Metrics to Measure

The effectiveness of the security controls implemented in an organization can be represented by a set of metrics, listed below, that give a proper understanding of the organization's security. One of these is Return on Security Investment (ROSI), which measures the dollar return on security investment against the dollars invested.

Monitoring and Reporting of Metrics

To make these metrics more effective, the organization should incorporate proper monitoring and reporting so that security controls are evaluated consistently. This serves as a basis for correct evaluation of the prevailing security situation (Khando et al. 2021).

References
