Assignment Overview
Cybersecurity is all about managing risk. Risk cannot be totally eliminated in most cases, but you need to understand your internal environment and the various threats against it, and then take the necessary steps to mitigate or control them based on the risk appetite of the company. In the class session and with the learning activities you have learned a great deal about Risk Management, Risk Analysis, Risk Identification, and Risk Controls (NIST documents). This is an opportunity for you as the CISO to practice your Risk Management skills. This is a “hands-on” experiential learning experience.
In this assignment, you will be identifying and describing assets, vulnerabilities and mitigation strategies.
Select (5) information assets from your company inventory that you feel are important to the success of your company. Provide a high level description of each information asset and then briefly explain why each of these information assets is important. An information asset can be just about anything that is important to your company such as:
- Hardware: ex. Your company’s web server
- Software: ex. A new mobile app
- Company Information: ex. Your product’s secret recipe
- Customer Data: ex. Customer’s credit card numbers, PII, others
For each of the (5) identified assets, determine its appropriate classification category and corresponding value to the profitability of the company. You must also include an explanation of your classification scheme and how you are determining the profit value so your audience understands your reasoning. Use visual elements to display your information. A portion of your grade will be based on how you communicate your information.
For each Asset, select (1) vulnerability that you believe is most worrisome for that particular Asset. Provide a high level description of the vulnerability and then briefly explain why you chose it. You should have a total of (5) vulnerabilities when this part of the analysis is complete: 1 vulnerability per asset.
For each of the (5) identified vulnerabilities, determine their corresponding probability and impact consequence. You decide how to represent the probability and impact consequence but you must also include an explanation of your decision process so your audience understands your reasoning. Use visual elements to display your information. You can use a numerical score, a color scheme or even High/Medium/Low type system. A portion of your grade will be based on how you communicate your information.
Finally, determine the appropriate risk mitigation strategy and the appropriate security controls for each of the (5) identified vulnerabilities. You must also include an explanation of your controls and why they are the best choice for the particular vulnerability. Most risks will require more than a single control to mitigate them.
Your 5 assets, 5 vulnerabilities, and 5+ controls (recommendations) should be listed in a table. Remember that CIA and data classification are important. Additionally, likelihood of occurrence is a good way to highlight critical and high-risk items in an effort to prioritize and focus the executives' attention and budget priorities. Once your table(s) are created, they are also a good way to summarize your risk report and ask the executives for permission to move forward with the recommended plans.
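The steps above (inventory five assets, classify them, attach one vulnerability each, score probability and impact, and attach controls) amount to building a small risk register. The script below is an added illustration, not part of the assignment or any course material: the assets, vulnerabilities, scores and controls are constructed placeholders, and the 1..5 ordinal scales, the classification labels and the rating bands are one assumed scheme that you would replace with (and explain as) your own.

```python
"""Risk register example: qualitative probability x impact scoring.

Added example, not part of the assignment text. Every asset, score and
control below is a constructed placeholder; the scales and bands are an
assumed scheme and must be explained in the report if reused.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed ordinal scale shared by probability and impact: 1 (low) .. 5 (critical).
LEVELS = {1: "Low", 2: "Moderate", 3: "Medium", 4: "High", 5: "Critical"}

# Assumed classification scheme: higher value means more sensitive / more
# valuable to the company. Used only as a tie-breaker when ranking.
CLASSIFICATION_VALUE = {"Public": 1, "Internal": 2, "Confidential": 3, "Restricted": 4}


@dataclass
class RiskItem:
    asset: str
    classification: str
    cia: str                      # which of C, I, A the vulnerability threatens
    vulnerability: str
    probability: int              # 1..5 on the assumed scale
    impact: int                   # 1..5 on the assumed scale
    controls: list[str] = field(default_factory=list)

    def score(self) -> int:
        # Risk = probability x impact, the usual qualitative matrix product (1..25).
        return self.probability * self.impact

    def rating(self) -> str:
        # Band the 1..25 score into the High/Medium/Low style rating for the report.
        s = self.score()
        if s >= 15:
            return "Critical"
        if s >= 8:
            return "High"
        if s >= 4:
            return "Medium"
        return "Low"


def validate(item: RiskItem) -> None:
    """Reject out-of-range scale values and unknown classification labels."""
    if not 1 <= item.probability <= 5 or not 1 <= item.impact <= 5:
        raise ValueError(f"{item.asset}: probability and impact must be 1..5")
    if item.classification not in CLASSIFICATION_VALUE:
        raise ValueError(f"{item.asset}: unknown classification {item.classification!r}")


def prioritise(items: list[RiskItem]) -> list[RiskItem]:
    """Sort highest risk first; ties are broken by classification value."""
    for item in items:
        validate(item)
    return sorted(
        items,
        key=lambda i: (i.score(), CLASSIFICATION_VALUE[i.classification]),
        reverse=True,
    )


def render_table(items: list[RiskItem]) -> str:
    """Plain-text version of the summary table the assignment asks for."""
    header = f"{'Asset':<22}{'Class':<13}{'CIA':<5}{'P':>2}{'I':>3}{'Score':>7}  Rating    Controls"
    rows = [header, "-" * len(header)]
    for i in prioritise(items):
        rows.append(
            f"{i.asset:<22}{i.classification:<13}{i.cia:<5}{i.probability:>2}{i.impact:>3}"
            f"{i.score():>7}  {i.rating():<9} {'; '.join(i.controls)}"
        )
    return "\n".join(rows)


# Constructed sample register: five placeholder assets, one vulnerability each.
SAMPLE_REGISTER = [
    RiskItem("Customer card data", "Restricted", "C", "Unencrypted database backups", 3, 5,
             ["Encrypt backups at rest", "Restrict backup share ACLs", "Quarterly restore test"]),
    RiskItem("Public web server", "Internal", "A", "Unpatched web framework", 4, 4,
             ["Monthly patch cycle", "WAF in front of server", "External vulnerability scanning"]),
    RiskItem("Product recipe", "Confidential", "C", "Shared folder readable by all staff", 3, 4,
             ["Least-privilege folder ACLs", "DLP monitoring", "NDA and periodic access review"]),
    RiskItem("Mobile app", "Internal", "I", "Updates not verified against a code signature", 2, 4,
             ["Sign release builds", "Verify signature before installing updates"]),
    RiskItem("Marketing website", "Public", "A", "Single hosting provider, no failover", 2, 2,
             ["Secondary DNS/CDN", "Documented failover runbook"]),
]

if __name__ == "__main__":
    print(render_table(SAMPLE_REGISTER))
```

Running the script prints the register sorted by score, so the "Critical" and "High" rows land at the top of the table where an executive reader looks first; the rating bands (15+ Critical, 8+ High, 4+ Medium) are an arbitrary choice and should be stated alongside the table, exactly as the assignment asks for an explanation of the scoring scheme.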
Your assignment should be in a “Word” document (not .pdf) format to allow me to provide feedback within the document. Upload your Risk Project as a Word file in the Risk information assignment box. Please be sure to name the Word document using the following naming convention to make it easier for everyone to manage:
Grading Metrics – Risk Report 100 points
- The Asset portion of this assignment will be worth (30 pts)
- The Vulnerability portion of this assignment will be worth (30 pts)
- The Mitigation portion of this assignment will be worth (20 pts)
- Keep in mind that how well you visually represent all this information in an easy-to-understand format will be part of the grading criteria. You will not receive full credit if all you use is text to complete this assignment.
- Provide a Reference List and use APA formatting within your report. I should see that you are using at least 10 references for your report, and your book plus a specific part of the lecture should be among those references (20 pts)
Grading Metrics – Risk Presentation – 50 points
- Prepare 3-5 .ppt slides (30 points)
- These should be professionally developed (10 points)
- Each slide should have notes of what you are saying to the Executives (10 points)