Computer and
Information System
INFORMATION SECURITY RISK ASSESSMENT
Student Name
REGISTRATION | DEPARTMENT
Contents
1. Introduction
1.1. Purpose
1.2. Outcomes of the Case
2. The Company
2.1. Analysis of Data center
3. Risk Determination Phase
3.1. Identify Assets and asset owners
3.2. Identify Asset Value
3.3. Identify threats to Assets and their Likelihood
3.4. Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats
3.5. Describe Risks to the Assets based on Points (3, 4, 5)
3.6. Evaluate Risk based on Point 5
4. Safeguard Determination Phase
4.1. Define the recommended Controls and Safeguards
4.1.1 Controls Types
20 critical security controls
Basic CIS Controls
Foundational CIS Controls
Organizational CIS Controls
4.2. Determine the residual likelihood of occurrence
4.3. Determine residual risk levels
5. References
1. Introduction
PREDICTX consists of a headquarters and several branch offices, and it has installed an IT infrastructure for communication within and outside the company. The company is concerned about the security of its data center because it has encountered suspicious activity that brought down the network and cost both time and money. In this study we identify the risks and mitigate them as far as possible.
1.1. Purpose
The purpose of the risk assessment is to identify the possible threats to, and vulnerabilities of, the IT infrastructure of PREDICTX. This report will be used to define the company's risk mitigation plans. It will help eliminate or minimise the level of threats, breaches and security vulnerabilities by adding control measures as necessary.
1.2. Outcomes of the Case
This case study provides detailed information on the IT infrastructure of PREDICTX and the company's security concerns. The infrastructure includes many servers, firewalls, protocols and different software, all of which are likely targets for attackers on the internet. The company needs to secure all of its IT resources and wants to make sure that only authenticated users send and receive messages to and from the company. To separate the corporate network from the internet, a firewall is deployed between them, and Internet Protocol Security (IPsec) is configured for secure communication.
2. The Company
PREDICTX comprises many remote buildings across the country and a headquarters; connecting these buildings with each other forms the company network. It is a micro-finance company with 1500 employees in total across all its branches. Routine work relies on electronic transactions with customers and suppliers, which are made with the help of a BizTalk server. This server is responsible for communication between 85 internal and 2300 external applications. The company processes 2.5 million documents monthly and estimates that this will rise to 6 million by the end of 2021.
2.1. Analysis of Data center
The PREDICTX data center contains servers, firewalls, applications, switches and routers. The company processes a huge number of documents daily, and outside users also send documents to the company. These documents are handled by the BizTalk server, which receives, processes and formats each document and then forwards it, playing an intermediary role. External users share flat files with the file share server, connecting to it over a PPTP tunnel; because these files are received over the internet, the file share server is kept outside the corporate network. The corporate network is separated from the internet by a firewall, and the company uses IPsec for secure, encrypted communication. When files are loaded onto the file share server they are picked up by a custom file-movement application and forwarded to the BizTalk server.
Files are propagated between the internal and external networks using the file-movement application. Before converting the format of the data, the BizTalk server validates that the file is labelled with the sender, receiver and document type; if any of this information is missing, the server rejects the file and the message is reviewed by the technical team.
Files are also exchanged over HTTP: they are loaded onto a web server placed outside the network. PREDICTX uses a Microsoft Exchange server for email; to protect mail from viruses and spam, a mail exchange relay is placed outside the firewall, and all participants use Microsoft Outlook through Outlook Web Access to exchange mail.
3. Risk Determination Phase
In this section we identify the risks and assess their severity.
3.1. Identify Assets and asset owners
The most critical task in risk management is the identification and categorisation of IT assets and their owners; the owner of an asset is the person responsible for managing, controlling and configuring it. Identifying IT assets helps in deploying the required security controls, depending on the nature and role of each asset that needs to be protected. In this part we identify the assets and their owners given in the case study (Alwi & Zainol Ariffin, 2019).
No. | Asset | Asset Owner
1 | Servers | Network Administrator
2 | Firewall | Network Security Administrator
3 | Protocols | Network Administrator
4 | Application | IT Manager
5 | Database | Database Administrator
6 | Backup | IT Manager
7 | Network | Network Administrator
8 | Email | IT Manager
9 | Website | IT Technician
10 | People | HR Manager
3.2. Identify Asset Value
Identifying assets and their value is a critical step in determining the required security level. The value of an asset to an organisation can be both quantitative (related to its cost) and qualitative (its relative importance) (Hladka et al., 2020).
The value of assets is determined using the CIA (Confidentiality, Integrity and Availability) model, which applies the following formula (Singh & Joshi, 2017):
Total asset value = asset value × asset worth
No. | Asset | Asset Owner | Asset Value
1 | Servers | Network Administrator | High
2 | Firewall | Network Security Administrator | High
3 | Protocols | Network Administrator | High
4 | Software | IT Manager | High
5 | Database | Database Administrator | High
6 | Backup | IT Manager | Medium
7 | Network | Network Administrator | High
8 | Email | IT Manager | High
9 | Website | IT Technician | High
10 | People | HR Manager | Low
3.3. Identify threats to Assets and their Likelihood
No. | Asset | Threats | Likelihood
1 | Servers | Brute force attack; botnet; DDoS; cross-site scripting | High
2 | Firewall | Insider attacks; missed security patches; DDoS attacks; lax passwords | High
3 | Protocols | Deliberate exposure; sniffing; traffic analysis; spoofing; falsification | High
4 | Software | OS command injection; cross-site scripting and forgery; bugs; weak passwords | High
5 | Database | Malware; SQL injection; privilege abuse; brute-force attack | High
6 | Backup | Data loss; data breaches; ransomware; espionage | High
7 | Network | Trojan horse; adware and spyware; computer worm; DoS and DDoS attack; phishing; man-in-the-middle attacks | High
8 | Email | Malware; spam and phishing; social engineering; entities with malicious intent | High
9 | Website | Malware; phishing; employee sabotage; DDoS attacks | High
10 | People | Getting exposed to spoofing; piggybacking; juice jacking | High
3.4. Identify Vulnerabilities and the Likelihood of their Exploitation by the Identified threats
Threat | Asset | Vulnerabilities | Likelihood
Brute force attack; botnet; cross-site scripting | Servers | A brute force attack succeeds if servers are protected with weak passwords. Servers are infected by a botnet if their traffic is not protected by the firewall. Cross-site scripting succeeds due to a lack of web browser security. | Very High
Insider attacks; missed security patches; DDoS attacks; lax passwords | Firewall | Any attempt to make changes to the firewall security configuration. Important security patches missed during configuration. | High
Deliberate exposure; sniffing; traffic analysis; spoofing; falsification | Protocols | Advertising false routes. By proxying traffic, attacker A can easily inject packets into B's session. | Moderate
OS command injection; cross-site scripting and forgery; bugs; weak passwords | Software | Command injection happens when software integrates user-controllable data into a command. Installation of cracked software. Downloading software from untrusted sites. Giving full rights to an application. | High
Malware; SQL injection; privilege abuse; brute-force attack | Database | Injection of malicious code into a SQL statement. Broken configuration management. | High
Data loss; data breaches; ransomware; espionage | Backup | Inconsistent management of backups. Backup archives stolen by insiders. | Moderate
Trojan horse; adware and spyware; computer worm; DoS and DDoS attack; phishing; man-in-the-middle attacks | Network | Lack of properly managed network devices. Outdated or unpatched software that exposes the systems. Unauthorised access to the network. | High
Malware; spam and phishing; social engineering; entities with malicious intent | Email | Emails with malicious attachments. Emails carrying key-loggers. | High
Malware; phishing; employee sabotage; DDoS attacks | Website | Inclusion of a file containing malicious code. Injection of malicious/spam posts into the site. Bypassing the website's authentication. | Very High
Getting exposed to spoofing; piggybacking; juice jacking | People | Personal issues, revenge or personal gain. | Moderate
No. | Asset | Vulnerabilities of Threats | Likelihood
1 | Servers | Servers that are accessible over the network are likely to be attacked. Attackers can breach a server with a brute-force attack; weak usernames and passwords are easily compromised. One or more devices can be compromised if the network is affected by a botnet; once a network of computing devices is under the control of a botnet, it can be used for further attacks, data theft and spam. If a server is not resilient it can easily be taken down by a Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack. | High
2 | Firewall | Firewalls are configured to control traffic from outside the network, but firewall security can be compromised by any attempt to change the firewall security configuration, or if important security patches are not installed during configuration. | High
3 | Protocols | After breaking into the network, an attacker attempts to sniff traffic and records all routing information to and from the legitimate router. The attacker analyses the data traffic and can tamper with the data being communicated. The attacker spoofs its identity as a legitimate resource of the network, which enables many other attacks. | Medium
4 | Software | Software infected with viruses and worms causes trouble within the network once installed. | High
5 | Database | If a database is infected with malware and other viruses, all data stored in it may be deleted or corrupted. | High
6 | Backup | If the system is under a ransomware attack, the backups may not be uploaded to the cloud or other backup storage devices. Data can also be stolen from the backups. | Medium
7 | Network | The network can be compromised by a trojan horse, which misleads the network administrator into the trap of a cyber-attack. Some passive attackers only attempt to eavesdrop: they gain access to the network and sniff the routing information and data communication between applications on the internal and external networks. | High
8 | Email | Because e-mail is widely deployed, well understood, and used to communicate with untrusted, external organisations, it is frequently the target of attacks. Attackers can exploit e-mail to gain control over an organisation, access confidential information, or disrupt IT access to resources. | High
9 | Website | Ransomware attacks are on the rise, and if the company is a victim, its entire website could be taken offline for some time. Phishing is the illegal practice of sending fake emails on behalf of real companies in an attempt to trick people into revealing personal information such as identification numbers, passwords and credit card numbers. | High
10 | People | The sender of an email is not always who he or she claims to be. Spoofing is when a user falsifies information, for example the geolocation or the name in an email, to fool the victim into believing the user is somebody else. Most workplaces use access cards together with passcodes to restrict access inside buildings; yet in larger workplaces, where too many people work for everyone to know one another, it is commonplace for people to hold doors open for strangers. | Medium
3.5. Describe Risks to the Assets based on Points (3, 4, 5)
Point 3:
Point 3 describes that employees reported some cyber attacks they are facing during their routine work, and that employees are copying important data onto their portable devices. While the company is under attack, copying data onto other devices adds the risk of loss of data and of data integrity. It is reported that malware and viruses are potentially spreading through USB drives and portable devices. When a USB drive is connected to a PC infected with malware, the malicious files are copied to it unintentionally, and when the infected USB drive is attached to other PCs or systems, these malicious files are installed using the AutoRun or AutoPlay feature of Windows.
Point 4:
Point 4 describes the issue of unauthorised access to the office premises, which may result from tailgating, bypassing security doors, etc. These loopholes help unauthorised persons gain access to the server room, data center, etc., which would be a disaster for the company. Competitors would benefit and could devise a strategy to damage the reputation and sales of the company.
Point 5:
In this point a harassment issue is reported by a female employee; after the investigation, the accused employees said they would sue the company for their rights. According to the law the threatened employees cannot do such things, but to take revenge they could dispose of critical and valuable information of the company, or breach the security of the IT assets.
3.6. Evaluate Risk based on Point 5
Asset | Risk Evaluation
People | High – people are the most valuable assets of the company; they can be employees, staff, customers, vendors, etc. In this study we describe only the risk from employees, according to point 5. Employees help the company reach its goals by fulfilling its mission and vision statement. If unrest arises in the company, employees can expose crucial information that can help competitors bring the company down.
4. Safeguard Determination Phase
In this section the different safeguards, controls and security measures are discussed.
Threat | Security Control | Residual Likelihood | Residual Severity of Impact | Residual Risk Level
Brute force attack; botnet; cross-site scripting | Penetration Tests and Red Team Exercises | High, if servers are protected with passwords and are being tested by the cyber security team | Moderate, if reports are generated by the security team and precautions are taken according to the loopholes found | Moderate, as servers are tested daily to identify breaches
Insider attacks; missed security patches; DDoS attacks; lax passwords | Boundary Defense | Moderate, if the flow of inbound and outbound traffic is monitored | Moderate, if intrusion detection and intrusion prevention are deployed | Low, if the firewall is updated daily
Deliberate exposure; sniffing; traffic analysis; spoofing; falsification | Limitation and Control of Network Ports, Protocols, and Services | Low, if ports, protocols and services on network devices are limited and controlled | Low, if devices are properly configured | Low, if default port numbers are changed
OS command injection; cross-site scripting and forgery; bugs; weak passwords | Inventory of Authorized and Unauthorized Software | Moderate, if only authorised software is installed | Moderate, if versions are kept updated | Low, by preventing full access to devices
Malware; SQL injection; privilege abuse; brute-force attack | Data Protection | Moderate, if encryption and integrity protection methods are applied | Moderate, if servers are not directly connected to the database | Low, because of access restriction protocols
Data loss; data breaches; ransomware; espionage | Data Recovery Capability | Low, if data is monitored in a timely manner | Low, if data archives are kept updated | Low, as backup devices are kept under strict security measures
Trojan horse; adware and spyware; computer worm; DoS and DDoS attack; phishing; man-in-the-middle attacks | Maintenance, Monitoring, and Analysis of Audit Logs | Moderate, if event logs are monitored daily | Moderate, if prevention methods are applied based on previous malicious activity | Low, as necessary actions are taken if any odd activity is observed
Malware; spam and phishing; social engineering; entities with malicious intent | Email and Web Browser Protections | Moderate, if email servers are protected with strong passwords and access control mechanisms | Moderate, if spam filtering procedures are implemented | Low, as email communication is encrypted
Malware; phishing; employee sabotage; DDoS attacks | Application Software Security | High, if software versions are updated to install the latest security patches | Moderate, by developing, adding and testing security features | Moderate, if vulnerabilities in web-based and other application software are tested for in the development phase
Getting exposed to spoofing; piggybacking; juice jacking | Controlled Access Based on the Need to Know | Low, with limited access to the IT assets | Low, if physical security is enhanced to control access by unauthorised persons | Low, with access depending on job responsibility and knowledge of the severity and sensitivity of assets
4.1. Define the recommended Controls and Safeguards
Information security controls are measures taken to reduce information security risks such as
information systems breaches, data theft, and unauthorized changes to digital information or
systems. These security controls are intended to help protect the availability, confidentiality, and
integrity of data and networks, and are typically implemented after an information security risk
assessment.
4.1.1 Controls Types
Types of information security controls include security policies, procedures, plans, devices and
software intended to strengthen cybersecurity. There are three categories of information
security controls:
Preventive security controls, designed to prevent cyber security incidents.
Detective security controls, aimed at detecting a cyber security breach attempt (“event”) or successful breach (“incident”) while it is in progress, and alerting cyber security personnel.
Corrective security controls, used after a cyber security incident to help minimise data loss and damage to the system or network, and restore critical business systems and processes as quickly as possible (“resilience”) (Almeida & Respício, 2018).
The most widely used information security frameworks and standards include:
The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. This document lists security requirements useful not only for federal agencies but for all organisations' information security risk management programs (NIST, n.d.).
The International Organization for Standardization (ISO) standard ISO 27001, Information Security Management, which provides guidance on information technology security and computer security (Achmadi et al., 2018).
The Payment Card Industry Data Security Standard (PCI DSS), which establishes security requirements and security controls for the protection of sensitive data associated with personal credit card and payment card information (Yulianto et al., 2016).
20 critical security controls
Basic CIS Controls
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Organizational CIS Controls
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
4.2. Determine the residual likelihood of occurrence
Risk Scoring Factor | Weight | Severity Scale
Likelihood | 100% | 3-point scale (1 = Low, 2 = Medium, 3 = High)
Impact | 100% | 3-point scale (1 = Low, 2 = Medium, 3 = High)

Likelihood | Impact | Inherent Risk Score
3 (High) | 3 (High) | 9 (3 x 3)
Inherent Risk = 9

Control 1 reduces the likelihood of the risk by 25%
Control 2 reduces the likelihood of the risk by 15%

Operating segment and treatment | Likelihood | Impact | Residual Risk Score
Residual | 3 x (1 - 40%) = 1.8 (Residual Risk) | 3 x (1 - 0%) = 3 (Residual Risk) | 5.4 (1.8 x 3)
Control 1 | Control = 25% | Control = 0% |
Control 2 | Control = 15% | Control = 0% |
4.3. Determine residual risk levels
Risk levels (rows: likelihood of occurrence; columns: impact severity)
Likelihood | Insignificant | Minor | Significant | Damaging | Serious | Critical
Negligible | Low | Low | Low | Low | Low | Low
Very low | Low | Low | Low | Low | Low | Moderate
Low | Low | Low | Moderate | Moderate | Moderate | High
Medium | Low | Low | Moderate | High | High | High
High | Low | Moderate | High | High | High | High
Very high | Low | Moderate | High | High | High | High
Extreme | Low | Moderate | High | High | High | High
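The scoring of sections 4.2 and 4.3 can be carried through in code so that the same arithmetic is applied to every row of the risk register rather than to one hand-worked case. The following is an added example written for this report, not part of the original assessment or any tool the company uses. It reproduces the report's figures (inherent 3 x 3 = 9, residual likelihood 3 x (1 - 40%) = 1.8, residual score 5.4) and encodes the qualitative matrix of section 4.3. Two details are assumptions, since the report does not state them: the percentage reductions of several controls are added together (25% + 15% = 40%, as the report's arithmetic implies) and the total is capped at 100%; the class and function names are mine.

```python
"""Worked risk-scoring example for sections 4.2 and 4.3 (added illustration).

Inherent risk = likelihood x impact on 3-point scales. Each control reduces
likelihood (or impact) by a fraction; reductions of all controls are summed
and capped at 100% (assumption inferred from the report's "3 x (1-40%)" for
a 25% and a 15% control). The residual score is the product of the residual
likelihood and residual impact. risk_level() is the 7 x 6 matrix of 4.3.
"""
from dataclasses import dataclass, field

# 3-point scale of section 4.2
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Control:
    """A safeguard and the fraction by which it reduces likelihood / impact."""
    name: str
    likelihood_reduction: float = 0.0   # 0.25 means "reduces likelihood by 25%"
    impact_reduction: float = 0.0

    def __post_init__(self) -> None:
        for value in (self.likelihood_reduction, self.impact_reduction):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: reduction must be between 0 and 1")


@dataclass
class Risk:
    """One threat against one asset, with the controls applied to it."""
    threat: str
    asset: str
    likelihood: str                      # "Low" | "Medium" | "High"
    impact: str                          # "Low" | "Medium" | "High"
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    @staticmethod
    def _apply(base: int, reductions) -> float:
        # Reductions are additive and capped at 100% (assumption, see lead-in).
        total = min(1.0, sum(reductions))
        return round(base * (1.0 - total), 2)

    def residual_likelihood(self) -> float:
        return self._apply(SCALE[self.likelihood],
                           (c.likelihood_reduction for c in self.controls))

    def residual_impact(self) -> float:
        return self._apply(SCALE[self.impact],
                           (c.impact_reduction for c in self.controls))

    def residual_score(self) -> float:
        return round(self.residual_likelihood() * self.residual_impact(), 2)


# Qualitative matrix of section 4.3: rows are likelihood of occurrence,
# columns are impact severity.
IMPACT_LEVELS = ["Insignificant", "Minor", "Significant", "Damaging", "Serious", "Critical"]
RISK_MATRIX = {
    "Negligible": ["Low", "Low", "Low", "Low", "Low", "Low"],
    "Very low":   ["Low", "Low", "Low", "Low", "Low", "Moderate"],
    "Low":        ["Low", "Low", "Moderate", "Moderate", "Moderate", "High"],
    "Medium":     ["Low", "Low", "Moderate", "High", "High", "High"],
    "High":       ["Low", "Moderate", "High", "High", "High", "High"],
    "Very high":  ["Low", "Moderate", "High", "High", "High", "High"],
    "Extreme":    ["Low", "Moderate", "High", "High", "High", "High"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][IMPACT_LEVELS.index(impact)]


def report_example() -> Risk:
    """The scenario of section 4.2: High x High with a 25% and a 15% control.
    The threat/asset names are constructed for illustration."""
    return Risk("Brute force attack", "Servers", "High", "High",
                [Control("Control 1", likelihood_reduction=0.25),
                 Control("Control 2", likelihood_reduction=0.15)])


if __name__ == "__main__":
    r = report_example()
    print(f"{r.threat} on {r.asset}: inherent={r.inherent_score()}, "
          f"residual likelihood={r.residual_likelihood()}, "
          f"residual impact={r.residual_impact()}, residual={r.residual_score()}")
    print("Low likelihood, Critical impact ->", risk_level("Low", "Critical"))
```

The cap matters in practice: without it, two strong controls whose percentages sum to more than 100% would produce a negative residual likelihood, which the 3-point scale cannot represent. The matrix lookup is kept separate from the numeric scoring because the report never states how a residual score such as 5.4 maps onto the seven likelihood bands, so that mapping is left to the assessor.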
5. References
NIST. (n.d.). [No title]. Retrieved November 20, 2020, from https://www.nist.gov/system/files/documents/2017/12/20/formatted_nist_open_government_plan_2016_final.pdf
Achmadi, D., Suryanto, Y., & Ramli, K. (2018). On Developing Information Security Management System (ISMS) Framework for ISO 27001-based Data Center. 2018 International Workshop on Big Data and Information Security, IWBIS 2018, 149–157. https://doi.org/10.1109/IWBIS.2018.8471700
Almeida, L., & Respício, A. (2018). Decision support for selecting information security controls. Journal of Decision Systems, 27, 173–180. https://doi.org/10.1080/12460125.2018.1468177
Alwi, A., & Zainol Ariffin, K. A. (2019, January 25). Information Security Risk Assessment for the Malaysian Aeronautical Information Management System. Proceedings of the 2018 Cyber Resilience Conference, CRC 2018. https://doi.org/10.1109/CR.2018.8626841
Hladka, O. M., Karpovych, I. M., & Nakonechnа, J. (2020). Modeling the Risk Level of Information Security at Enterprise. Modeling, Control and Information Technologies, 4, 109–112. https://doi.org/10.31713/mcit.2020.23
Singh, U., & Joshi, C. (2017). Information Security Risk Management Framework for University Computing Environment.
Yulianto, S., Lim, C., & Soewito, B. (2016). Information security maturity model: A best practice driven approach to PCI DSS compliance. Proceedings - 2016 IEEE Region 10 Symposium, TENSYMP 2016, 65–70. https://doi.org/10.1109/TENCONSpring.2016.7519379