TCSE1ICB Individual Assignment (15%)
Cybersecurity Risk Management Plan
You are an entrepreneur looking to start DigiWords Inc, a platform. for self-publishing e-books. Authors and independent publishers can upload their manuscripts as electronic files to the platform, which then converts them into multiple e-book formats for various devices. Before submitting your application to register your business, you also need to submit a Cybersecurity Risk Management Plan for your business. The purpose of this plan is to protect intellectual property and financial data, ensure that your business meets with regulatory requirements, and create confidence in your clients that you are treating security of their data seriously. Your plan should be simple (easy to understand), but also dynamic, as you may change systems as business progresses incoming years.
1. Preparation for risk analysis [20 marks]
a. Set scope and focus [10 marks/100 words]
b. Describe the overall goal and target of analysis (e.g. put the diagram that shows the interaction of users and IT systems) [10 marks]
2. High level analysis [20 marks]
a. Identify involved parties or stakeholders (e.g. supplier) [ 5 marks]
b. Identify assets (e.g. customer database, customer satisfaction) [5 marks]
c. Draw a relationship between assets. For example, asset diagram of a fictional AutoEngine
Inc company is depicted below. [5 marks] You can use https://app.diagrams.net/ or any other drawing software
d. List initial threats in the following format [5 marks]
|
Cause of the threat (Who or What?)
|
What may happen (risk)?
|
Enabler
|
|
e.g. Hacker
|
Extract customer database
|
Through SQL injection
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Likelihood, Consequence scale, Risk function and evaluation Criteria [30 marks]
3.1. Likelihood (certain, likely, possible, unlikely, rare) [ 10 marks]
|
Likelihood
|
Description
|
|
e.g. certain
|
10 times per year or a significant number of similar occurrences already on record
|
|
|
|
3.2. Consequence scale (Hint: catastrophic, serious, moderate, minor, insignificant) [10 marks]
|
Consequence
|
Description
|
|
e.g. Catastrophic
|
Range of 65% affected or downtime in range of [1month, 1 year] Or the ICT director has been jailed
|
|
|
|
3.3. Risk Function and evaluation criteria [10 marks] This table is for one asset (customer database)
|
Risk function (e.g. for customer database)
|
|
Consequence/Likelihood
|
Insignificant
|
Minor
|
Moderate
|
Serious
|
Catastrophic
|
|
Rare
|
|
|
|
|
|
|
Unlikely
|
|
|
|
|
|
|
Possible
|
|
|
|
|
|
|
Likely
|
|
|
|
|
|
Shade: green for “acceptable”, yellow for “monitor” and red for “needs to be treated”
4. Risk Treatment [30 marks]
4.1 Draw your own diagram that shows the interaction of a given threat and each asset with the likelihood between them. For instance, the same company in 2(c) has a diagram that looks like the following [10 marks]
4.2. Draw your own diagram that shows the interaction of a given threat and each asset, labelling the harm the threat causes (as R1, 2, etc.) between them. For instance, the same company in 2(c) has a diagram that looks like the following: [10 marks]
4.3. List treatment as follows: [10 marks]
|
Treatment
|
Cost
|
Risk
|
Risk reduction
|
|
Treatment 1: increase
|
low
|
Risk 1
|
Risk 1: unacceptable to
|
|
employee awareness
|
|
|
acceptable
|
|
|
|
|
|