Create a company or business based on your skillset as a Cybersecurity Professional. This company can be real or imaginary. The idea is for you to envision yourself running a company and understanding your assets and risks.
1. What is the name of your company?
2. What does your company do?
Perform a risk assessment of your company
3. Identify and scope assets
The first step when performing a risk assessment is to identify the assets to be evaluated and to determine the scope of the assessment.
For example, do you want to perform an assessment on every single asset in the company, including your buildings, employees, electronic data, trade secrets, vehicles, office equipment, and so on? (Remember, an asset may not be tangible; information is just as much an asset as the server where it resides.)
To avoid getting overwhelmed, it's usually best to limit your scope to one type of asset at a time and then conduct risk assessments on other types as time and resources allow. After picking your first target, identify what else it touches.
Let's assume that you want to assess only the electronic data stored on your information systems. What other assets are responsible for handling and securing the data? These are things like servers, desktop PCs, firewalls, mobile devices, etc. You must include these secondary assets in the assessment, because a risk posed to these devices is also a cybersecurity risk that's posed to your data.
Don't forget to consider both internal and external assets. For example, is your CRM data stored on a local server, or in a cloud service? Are there persistent VPN connections to partners' IT systems? Keep asking "what's next in the chain?" until you exhaust the search space.
4. List 10 Assets
QUANTITATIVE RISK ASSESSMENT: Determine the value of the assets
After identifying and scoping the assets to be assessed, you must next determine their value.
This is often difficult to do because value includes more factors than what you paid for the physical item.
Let's continue using the example of confidential electronic data. There are many questions to ask when determining its value:
· If you lost all your company's data tomorrow, how much time and money would it cost to create it all from scratch again?
· How much would a competitor pay to obtain it?
· What revenue would be lost as a result of the data being compromised?
· Would there be financial or legal penalties to pay?
All of these questions can give you a general estimate of how much your company's data is worth. In addition to using numbers and evidence to determine an asset's value (called a quantitative risk assessment)
5. ESTIMATE ASSETS VALUE for each asset. Also explain why you give it that value.
6. What is the TOTAL VALUE OF ALL YOUR ASSETS:
QUALITATIVE RISK ASSESSMENT: A subjective rating to determine the likelihood and impact of losing or damaging an asset.
· How would losing your data impact day-to-day operations? Could your employees even work? How would it affect your company's reputation? How far would it set you back in terms of productivity?
For a Qualitative Assessment, you can use the following chart to determine the risk for a particular asset.
Asset: Server Room
Threat: Server room for a small company located in the basement. Hurricane threat for a company located in Miami, Florida.

PROBABILITY (rows) / IMPACT (columns) | Low | Medium | High
High | Medium | High | High
Medium | Low | Medium | High
Low | Low | Low | Medium

In the above example, the probability and impact are both High, so the qualitative risk assessment is HIGH.
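The scoping step ("what's next in the chain?") and the chart above can be worked through together in code. This is an added example, not part of the original assignment; the asset names, the dependency map and every rating except the server room's High/High are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: each asset maps to the assets that store,
# carry or protect it (the "secondary assets" of the scoping step).
HANDLED_BY = {
    "crm_data": ["crm_server", "cloud_backup", "sales_laptops"],
    "crm_server": ["firewall", "server_room"],
    "cloud_backup": ["partner_vpn"],          # external asset
    "sales_laptops": ["firewall"],
    "partner_vpn": ["firewall"],              # external asset
    "firewall": ["server_room"],
    "server_room": [],
    "company_van": [],                        # unrelated, must stay out of scope
}
# Constructed (probability, impact) ratings; server_room follows the page's example.
THREATS = {"server_room": ("High", "High"), "sales_laptops": ("Medium", "Medium"),
           "company_van": ("High", "High")}

# The chart above: MATRIX[probability][impact] -> qualitative rating.
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
ORDER = {"Low": 0, "Medium": 1, "High": 2}

def scope(primary, handled_by=HANDLED_BY):
    """Breadth-first walk from one asset until the chain is exhausted."""
    seen, queue = {primary: 0}, deque([primary])
    while queue:
        asset = queue.popleft()
        for nxt in handled_by.get(asset, []):
            if nxt not in seen:               # skips repeats and cycles
                seen[nxt] = seen[asset] + 1
                queue.append(nxt)
    return seen                               # asset -> hops from the primary

def inherited_rating(primary, threats=THREATS):
    """Worst rating among the primary asset and everything it touches."""
    in_scope = scope(primary)
    rated = {a: MATRIX[p][i] for a, (p, i) in threats.items() if a in in_scope}
    if not rated:
        return None, None
    worst = max(rated, key=lambda a: ORDER[rated[a]])
    return worst, rated[worst]

if __name__ == "__main__":
    for asset, hops in scope("crm_data").items():
        print(hops, asset)
    print(inherited_rating("crm_data"))
```

The data inherits the server room's HIGH rating because the room sits two hops down its chain, while the equally rated van never enters the scope.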
7. DO A QUANTITATIVE ASSESSMENT FOR 3 ASSETS
Asset:
Threat:

PROBABILITY (rows) / IMPACT (columns) | Low | Medium | High
High | Medium | High | High
Medium | Low | Medium | High
Low | Low | Low | Medium

=== PART 1 Questions to Answer in Discussion ===
· Create a Company or Business based on your skillset as a Cybersecurity Professional. This company can be real or imaginary. The idea is for you to envision yourself running a company and understanding your assets and risks.
· What is the name of your company?
· What does your company do?
· Do a Quantitative Risk Assessment. What are your company’s assets (minimum 10)? What is the Value of your assets?
· Do a Qualitative Risk Assessment.
Choose 3 Assets and use the Assessment chart to define the asset, the threat, probability, and impact.
Asset: Laptop
Threat: Laptop gets stolen.

PROBABILITY (rows) / IMPACT (columns) | Low | Medium | High
High | Medium