Description
All of the information is in the attached file.If you need any extra information feel free to contact me
Unformatted Attachment Preview
Assignment due Sunday, March 24, 2024 by 11:00pm
ICS 230 – Assignment #2 (Risk Analysis for a Company)
Due date: 11:59 PM on March 24th, 2024
Format: This is a group of students assignment. Reflection of each member is
required.
Template
Given: The student is given a scenario where an organization’s sensitive data are
leaked due to a breach and information about their currently implemented security
defense system/measures are provided. The student is also given a list that contains
a full list of assets inventory for the organization, including all descriptions and
monetary values.
XYZ Company Background:
XYZ Corporation is a small-medium-sized technology company specializing in
software development and IT solutions. The company employs approximately 200
employees and handles sensitive data from clients in various industries, including
financial institutions and healthcare providers. XYZ Corporation takes data security
seriously and has implemented several security defense systems and measures to
protect its assets.
Current Security Defense Systems/Measures:
1. Firewall and Intrusion Detection System: XYZ Corporation has deployed a
robust firewall and intrusion detection system to monitor network traffic and
prevent unauthorized access to its internal systems. The system is designed
to identify and block suspicious activities.
2. Access Control and Authentication: The company enforces strong access
control policies, requiring employees to use unique usernames and
passwords to access their systems. Additionally, two-factor authentication
(2FA) is implemented for accessing critical systems and databases.
3. Encryption: XYZ Corporation uses encryption techniques to safeguard
sensitive data both at rest and during transit. All data stored on servers and
databases are encrypted, and secure communication protocols (such as
SSL/TLS) are utilized for data transmission.
4. Regular Software Updates and Patches: The company has a strict policy of
regularly updating software and applying security patches to mitigate
vulnerabilities. This includes operating systems, applications, and third-party
software.
5. Employee Training and Awareness: XYZ Corporation conducts regular
security awareness training programs for employees to educate them about
data protection best practices, such as recognizing phishing attempts and the
importance of strong passwords.
Company Assets and Inventory:
• Servers and Networking Equipment: Dell PowerEdge R740 Server (x3) $10,000 each
•
•
•
•
•
•
•
•
•
Cisco Catalyst 3850 Switch (x2) – $5,000 each
Juniper SRX340 Firewall – $8,000
Databases and Storage Systems: Oracle Database Server – $20,000
NetApp FAS2650 Storage System – $15,000
Workstations and Laptops: • _HP EliteBook 840 G7 (x50) – $1,500 each
Dell OptiPlex 7070 Desktop (x25) – $1,200 each
Software Licenses: • _Microsoft Office 365 Enterprise License – $12,000
Adobe Creative Cloud License – $6,000
Client Data: • _Financial Institution Client Data (confidential) – Value not
specified
• Healthcare Provider Client Data (protected health information) – Value not
specified
Note: The values provided are hypothetical and may not represent actual prices in market.
Description of Data Breach Incident:
Despite the implemented security defense systems and measures, XYZ Corporation
recently experienced a data breach incident. The breach occurred when a malicious
attacker exploited a vulnerability in an outdated software component that had not
been patched promptly. The attacker gained unauthorized access to the company’s
internal network and managed to extract sensitive client data, including financial
institution client data and protected health information from healthcare providers. The
exact value of the stolen data is yet to be determined, but it poses a significant risk to
both the affected clients and XYZ Corporation’s reputation.
Upon discovering the breach, XYZ Corporation took immediate action to contain the
incident, engage with a cybersecurity forensic firm to investigate the extent of the
breach, and notify the affected clients. The company is now working diligently to
strengthen its security measures, update all software components, and enhance
employee training programs to prevent future breaches and protect its assets and
sensitive data.
Required: The student will
1. Assess the current security measures and strategies implemented at this
company.
2. Perform a full analysis of possible types of breaches that might take place on
those assets (minimum of three breaches) and use a risk analysis and
assessment statistical techniques to report the security posture of that
organization.
3. Identify and rank company XYZ’s assets, threats, and vulnerabilities using a
tool (like Excel) that shows all calculations and decision-making logic. Record
any assumptions made.
4. Conduct a detailed Cost Benefit Analysis (CBA) for a chosen control based on
prior risk analysis, justify assumptions, and provide a concise conclusion and
recommendation regarding the control’s purchase.
NB. Make sure to use proper and concise security terminologies in your report as
covered in various sessions.
Deliverables: The assignment deliverables are as follows:
A Full PDF report to document your findings for the following (Template):
1. Part A: Countermeasures: A comprehensive assessment/critique of the
listed 5 current security measures adopted by the XYZ company. The
description shall include how these measures operate to protect data, which
assets they target to protect, whether they are effective, and what are other
potential security threats the current defenses impose on the XYZ company.
2. Part B: Attacks: Provide full description of a minimum of 3 attacks (web
based, network based, and software based) that can be launched against the
company XYZ based on the current security posture as analyzed in part A.
For each identified attack, provide sufficient information about the attack type,
vulnerability or vulnerabilities that might lead to that attack, asset or assets
that might be compromised, and security components that might be
compromised, and your suggestion to mitigate that attack.
3. Part C: Risk Analysis: Perform the following tasks with respect to risk analysis
of the company XYX assets: Prioritize Assets, Identify and Prioritize Threats
and Vulnerabilities for each asset, Calculate risk for each vulnerability,
Prioritize which vulnerability would you address first and why? The risk
analysis process shall be done using a tool that can be a full excel
spreadsheet showing all calculations and interpretations. Document any
assumptions made during your analysis.
Note: Check useful resources for some useful tools that might shed light on what we
expect you to submit in this part of the assignment.
1. Part D: Cost Benefit Analysis (CBA): You are required to carry out a
comprehensive Cost-Benefit Analysis (CBA) for a control measure that you
have identified as a potential solution to risks outlined in your earlier risk
analysis (Part C). Your analysis should lead to a well-reasoned conclusion on
whether the control should be implemented. The CBA process shall be done
using a tool that can be a full excel spreadsheet showing all calculations and
interpretations. Document any assumptions made during your analysis. Justify
each assumption’s relevance and reasonableness. Summarize the results of
your CBA and present a clear recommendation on whether or not to purchase
the control.
2. Reflection:
Each student must write a bulleted list reflecting on their individual contribution to the
fulfillment of this assignment’s requirements as a team member. Please use the firstperson pronoun “I” in your reflection.
1. References: Cite all used references using APA style.
Submission instruction
• Submit PDF file as a primary resource (Template)
• Submit Excel sheet as a secondary resource.
• Students must use their own words to document the report and refrain from
copy/paste from web resources or using AI tools and also cite any references used
properly.
Useful Resources
1. https://www.youtube.com/watch?v=KIS4L4kn0RM
2. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/it-assetvaluation-risk-assessment-and-control-implementation-model
Academic Integrity Disclaimer
I hereby confirm that the work submitted for the assignment is entirely my own. I
affirm that I have not used any artificial intelligence (AI) tools or any other
unauthorized means to generate answers or complete any part of this assignment.
The work presented reflects my own ideas, research, and understanding of the
subject matter. I understand the importance of academic integrity and the
consequences of submitting work that is not my own. I acknowledge that any
violation of academic honesty policies may result in disciplinary action, including but
not limited to, a failing grade for the assignment or the entire course.
By submitting this assignment, I declare that I have complied with the academic
integrity standards set forth by CIS/ZU. I am aware of the ethical implications of
using external assistance and have adhered to the principles of honesty and integrity
throughout the completion of this assignment.
Purchase answer to see full
attachment