Risk Assessment Plan
- ali@fuzzywireless.com
- Mar 4, 2022
The risk assessment plan encompasses all the functions, processes and applications in ABC LLC (Metivier, 2017), specifically the information systems consisting of the computing and network components of ABC LLC (Massachusetts Government, 2018). The plan is broken into multiple sections:
1. System inventory documentation
2. System policy, standards and procedures
3. Threats and vulnerability, with severity level
4. Safety controls to mitigate threats and vulnerability
5. Recommended changes to improve safety
6. Residual risk level after recommended changes are implemented (2018)
System & Data Documentation
This part of the risk assessment plan identifies each and every information system in ABC LLC along with its associated details, which include the system owner, system identification, the system's operating perimeter, the system's purpose and details, and the current level of system security (Massachusetts Government, 2018). This includes a network diagram of the interconnected computing nodes, highlighting the operating perimeter of each system.
Functional and operational details are outlined, including the supported business processes, application processes, interconnected components, software, interfaces, asset identification, physical location, listing of user accounts, etc. (2018).
Data classification and definition is also performed in this phase (Lamar Institute of Technology, 2012). This covers employee and customer identification information, such as social security numbers, credit card numbers, addresses, dates of birth and so on. Data custodians and owners are identified for provisioning and access control (2012).
System Risk Determination
In this part of the risk assessment plan, threats and vulnerabilities are identified for each and every information system identified during the system documentation phase (Massachusetts Government, 2018). This includes the potential dangers to the systems. It also identifies the weaknesses of the systems that can be exploited, for instance human, physical, environmental and technical weaknesses (2018).
Details of risks are outlined for every information system (Massachusetts Government, 2018). These include risks due to interconnections, system dependencies, software faults, human errors, malicious intent, incorrect permissions and so on. Existing safety controls that safeguard the system are documented, together with inputs such as scanning tools, security advisories, audits, system deficiency reports, past risk assessments, the NIST vulnerability database, etc. The likelihood of threat occurrence is discussed along with the severity of impact, rated as negligible, very low, low, medium, high, very high or extreme. Levels of risk are also determined as low, moderate or high. The severity of impact for every information system is then tagged as insignificant, minor, significant, damaging, serious or critical (2018).
Safety Controls and Residual Risk Determination
For each and every information system identified in ABC LLC, safety controls and measures are recommended, including stricter user provisioning, administrative controls, user authentication, infrastructure data protection, and physical and environmental data security (Metivier, 2017). Assuming all the recommended measures are implemented, the residual likelihood of threat, severity and risk levels are recomputed. Metivier (2017) formulated a simple risk rating formula by multiplying the impact (if exploited) by the likelihood. NIST presented a risk assessment in their special publication, shown here in Table 1.

Table 1: Risk rating using NIST’s product formula of likelihood and impact
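The following script is an added illustration of the product formula described above (likelihood multiplied by impact, with residual risk recomputed once recommended controls are assumed to be in place); it is not code from the original post, from Metivier or from NIST. The ordinal scores assigned to the plan's seven-step likelihood/severity scale, the thresholds that map a product onto the low/moderate/high risk levels, the control reduction steps and the sample inventory are all assumptions made for the example.

```python
"""Risk rating with the likelihood x impact product formula.

Added example: scale scores, level thresholds and the sample
inventory are assumptions, not values from the page.
"""
from dataclasses import dataclass, field

# The plan's seven-step scale for likelihood and severity of impact.
# Assumed scores 1..7 (negligible=1 ... extreme=7).
LEVELS = ["negligible", "very low", "low", "medium", "high", "very high", "extreme"]
SCORE = {level: i + 1 for i, level in enumerate(LEVELS)}


def risk_rating(likelihood: str, impact: str) -> int:
    """Product formula: rating = likelihood x impact (if exploited)."""
    return SCORE[likelihood] * SCORE[impact]


def risk_level(rating: int) -> str:
    """Map a product (1..49) onto the plan's three risk levels.
    Thresholds are assumed: low below 10, moderate below 25, else high."""
    if rating < 10:
        return "low"
    if rating < 25:
        return "moderate"
    return "high"


def lower(level: str, steps: int) -> str:
    """Move `steps` down the scale, never below 'negligible'."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Control:
    """A recommended safety control and the (assumed) number of scale
    steps by which it reduces likelihood and/or impact once implemented."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class SystemRisk:
    """One threat against one information system from the inventory."""
    system: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> tuple:
        """Rating and level before the recommended controls."""
        rating = risk_rating(self.likelihood, self.impact)
        return rating, risk_level(rating)

    def residual(self) -> tuple:
        """Rating and level assuming every recommended control is implemented."""
        lik = lower(self.likelihood, sum(c.likelihood_reduction for c in self.controls))
        imp = lower(self.impact, sum(c.impact_reduction for c in self.controls))
        rating = risk_rating(lik, imp)
        return rating, risk_level(rating)


def assess(inventory: list) -> list:
    """Return one row per system/threat, highest inherent risk first."""
    rows = []
    for item in inventory:
        inh, inh_level = item.inherent()
        res, res_level = item.residual()
        rows.append({"system": item.system, "threat": item.threat,
                     "inherent": inh, "inherent_level": inh_level,
                     "residual": res, "residual_level": res_level})
    rows.sort(key=lambda r: r["inherent"], reverse=True)
    return rows


# Constructed sample inventory for a fictional ABC LLC.
SAMPLE_INVENTORY = [
    SystemRisk("Customer database", "Unauthorized access to customer PII",
               likelihood="high", impact="extreme",
               controls=[Control("Multi-factor authentication", likelihood_reduction=2),
                         Control("Encryption at rest", impact_reduction=1)]),
    SystemRisk("File server", "Malware outbreak via unpatched software",
               likelihood="medium", impact="high",
               controls=[Control("Patch management", likelihood_reduction=2),
                         Control("Tested offline backups", impact_reduction=2)]),
    SystemRisk("Workstations", "Accidental deletion of working files (human error)",
               likelihood="very high", impact="low",
               controls=[Control("User awareness training", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['system']:<18} inherent {row['inherent']:>2} ({row['inherent_level']})"
              f"  residual {row['residual']:>2} ({row['residual_level']})")
```

Sorting by inherent rating gives the order in which controls should be prioritised, and comparing the residual column against the organisation's accepted risk level shows which systems still need further measures after the recommended ones are applied.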
Standards
The special publication from the National Institute of Standards and Technology (NIST) outlining the security and privacy controls for information systems and organizations will be followed and implemented at ABC LLC. The NIST cybersecurity framework describes the current security posture, the target security state of information systems, identification and prioritization of valuable processes, progress assessment towards the goal, and communication amongst all stakeholders (NIST, 2018). The three main components of the NIST cybersecurity framework are the core, implementation tiers and profiles (2017).
ISO 27000 family – the 27000 series of standards developed by the International Standards Organization to manage information securely and the risk associated with people, processes and systems (Theriault, 2017). There are several sub-standards for varying industries; for instance, 27001 has six parts, which include the definition of the security policy, the scope of the policy, risk assessment, management of risk, security controls and the statement of applicability (2017).
References
Theriault, C. (2017). What is an information security framework and why do I need one? Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/
NIST (2018). NIST Cybersecurity framework. Retrieved from https://www.nist.gov/cyberframework
Massachusetts Government (2018). Information Security Risk Assessment Guidelines. Retrieved from http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html
Lamar Institute of Technology (2012). Information Technology Risk Management Plan. Retrieved from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=2ahUKEwjTysm3ua_dAhVL_IMKHT5-DYUQFjABegQICxAC&url=https%3A%2F%2Fwww.lit.edu%2Fdepts%2FTechService%2FDocs%2FLIT%2520Risk%2520Management%2520Plan%2520ver%25202.31.pdf&usg=AOvVaw0wQRoEwe20CU4ddNGshCfC
Metivier, B. (2017). Sage Advice – cybersecurity blog. Retrieved from https://www.sagedatasecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment