Risk Analysis and Management IT & Computer Science Coursework (Coursework Sample)
Complete the final year project according to the project proposal.
INF80043-IS\IT RISK MANAGEMENT
GROUP ASSIGNMENT
SUBMITTED TO: DR ADI PRANATO
10/19/2016

Student ID | Sur Name | Given Name | Signature
100057886 | Saeed | Muhammad Wasiq | wasiq
100657095 | Khan | Rizwan | Riz
101046500 | Sofat | Abhishek | Abhishek
101018185 | Younas | Waqar | Waqar
The project conducts a comprehensive risk assessment for Organix Company Limited using a combination of the threat-oriented and vulnerability-oriented approaches. Numerous risk factors expose Organix to threat events or increase its susceptibility to them. They include the online operation of its business, CMOs managing business operations, operating in a highly regulated environment, and the lack of a properly integrated enterprise system, to mention just a few. This report recommends controls to help Organix prevent, detect and deter the risks before they materialise, as well as recovery and corrective strategies in case they do.
Table of Contents
- Executive Summary
- List of Tables
- List of Figures
- Introduction
- Purpose
- Scope
- Risk Management
- Risk Assessment
  1. System Characterisation
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
- Risk Mitigation
  1. Prioritise Actions
  2. Evaluate Recommended Control Options
  3. Conduct Cost Benefit Analysis
  4. Select Controls
  5. Assign Responsibility
  6. Develop Safeguard Implementation Plan
  7. Implement Selected Controls
- Conclusion
- References
- Appendix
List of Tables
Table 1: Overview of Organix System
Table 2: Overview of threat sources and threat events and their likelihood of occurrence
Table 3: Analysis of Organix Vulnerabilities in the technical, operational, and managerial contexts
Table 4: Control Analysis of Organix System
Table 5: Risk determination matrix
Table 6: Risk Determination of Threat Events for Organix
Table 7: Control recommendations for risks identified
Table 8: Risk actions prioritization for Organix
Table 9: Effectiveness versus Feasibility Matrix for Control Recommendations
Table 10: Control effectiveness-feasibility scale
Table 11: Control Analysis
Table 12: Implementation plan for the prioritized risk factors and their recommended control options
Table 13: Cost-Benefit Analysis
List of Figures
Figure 1: Risk Mitigation Methodology (Stoneburner, Goguen and Feringa 2004 pp. 31)
Organix is an establishment in the food and supplement industry in Australia. The organization is made up of a complex web of companies that transcends geographic barriers by linking electronically to Australia, a group of Asian countries, New Zealand and other parts of the world. From 2013, after Organix established its privately labelled brand, it outsourced its production and packaging to Contract Manufacturing Organisations (CMOs). All the company's operations are centralized and managed at the Southbank Precinct; this includes CMO management, logistics, marketing, raw material sourcing, and even the online shops. The CMOs and Organix operations are managed by a semi-customized CMO management module, which transmits data via a Virtual Private Network (VPN). The company has both a physical and an online presence; as such, its hardware infrastructure would need to include comprehensive computer systems to manage the business processes. To support its web-based infrastructure, the organization has partnered with web development and web marketing companies to manage its operations, which include the payment gateways and the personal data of Organix customers captured on the company's web platform, which is highly sensitive data. Organix operates in several countries, which makes it challenging to comply with the local regulations of each country. The following report presents a risk assessment and mitigation strategy for Organix.
The purpose of this project is to carry out a risk assessment of Organix PTY's internal operations and external operations (CMOs, distributors, and outsourced companies), with the objective of identifying areas of threat and vulnerability, the likelihood of threat occurrence, and the potential impact on the organization. A risk mitigation strategy will then be developed that takes into consideration the recommended controls and a cost-benefit analysis in order to select control measures and assign responsibility to the required parties.
The group applied the NIST 800-30 framework to develop a risk management report focused on Organix as an organization (tier 1), its business processes (tier 2) and its information systems (tier 3), combining a threat-oriented approach with a vulnerability-oriented approach to determine the magnitude of the risks that Organix faces. The resulting data will be used to develop appropriate risk mitigation approaches. It is worth noting that the risk assessment process was constrained by the background knowledge offered, which was very limited. In some sections, the group had to make assumptions to fill gaps in knowledge. That said, the information offered was enough to develop a risk mitigation approach that would be critical in managing Organix at the three tiers.