Risk Assessment Summary Report

Executive Summary 

Cybersecurity is a critical component of system infrastructure security that ensures an organization is free from threats. It is a shared responsibility that involves people, tools, processes, and technologies that work together to protect organizational assets. The three fundamental goals in organizational protection comprise of confidentiality, availability, and integrity. Confidentiality ensures that information access is only permitted to authorized personnel. On the other hand, integrity ensures that everything remains intact, complete, and free from corruption. Likewise, availability ensures that information and systems are available when the client or the business needs them. This risk assessment report presents organizational threats, vulnerabilities, impacts, probability matrix, mitigation strategies, and recommendations for risk assessment in the financial industry.   

Don't use plagiarized sources. Get Your Custom Essay on
Risk Assessment Summary Report
Just from $13/Page
Order Essay

Internal and External Threats  

Vulnerable AssetsThreats 
PeopleEmployees Unauthorized staffillegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff error
Authorized staffMalicious software, misuse of resources, willful damage
Non-employees Strangers Eavesdropping, willful damage
People trusted by the organizationwillful damage, masquerading of user identity
Procedures Sensitive Transmission errors, software failure, 
Standard user error, willful damage, operational staff error, misuse of resources, 
DataProcess failure of power supply, hardware failure, malicious software, virus
Storage Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply
Transmission Traffic overloading, transmission errors, communication infiltration, malicious software, virus
SoftwareOperating Systemuser error, willful damage, operational staff error, illegal export/import of software, maintenance error 
Security ComponentIndustrial action, maintenance error, willful damage, illegal use of the software.
Application user error, operational staff error, malicious software, virus, unauthorized users using the software, 
HardwareNetwork Communication infiltration, malicious software, virus 
System Devices Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contamination

Risk Assessment Summary Report

Organizations need to obtain cyber risk scores and learn that managing cyber risk incorporates managing behavioral risk besides technical flaws and skills gaps. However, there are recommendations based on the observations from scores of businesses on the ABC, FICO, and Chambers. The six cyber risk management recommendations can help financial institutions and organizations improve their security posture as well as securing their sensitive data.

Prioritized Risks and Response Matrix

Vulnerable AssetsThreats impactRisk probabilityMitigation strategies 
PeopleEmployees Unauthorized staffillegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff errorHigh Medium Unauthorized access trialsRegular reviews
Authorized staffMalicious software, misuse of resources, willful damageHigh High Proper trainingUnauthorized access trialsRegular reviewsDesignation of rolesPolicy enforcement
Non-employees Strangers Eavesdropping, willful damageHigh Medium Regular vulnerability assessmentPhysical environment security
People trusted by the organizationwillful damage, masquerading of user identityHigh Medium Asset managementCyber insuranceCyber policy 
Procedures Sensitive Transmission errors, software failure, High High Network securityBackup and recoveryInformation system protectionCyber policyAsset management
Standard user error, willful damage, operational staff error, misuse of resources, Medium Medium 
DataProcess failure of power supply, hardware failure, malicious software, virusLow  Medium Backup and storageNetwork securityAssessing threats and vulnerabilitiesCybersecurity awareness and trainingPersonal screening and insider threatInformation management and breach reportingRisk management and governance 
Storage Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply
Transmission Traffic overloading, transmission errors, communication infiltration, malicious software, virusMedium Low 
SoftwareOperating Systemuser error, willful damage, operational staff error, illegal export/import of software, maintenance error Medium Medium Network securityAssessing threats and vulnerabilitiesCybersecurity awareness and trainingPersonal screening and insider threatInformation management and breach reportingRisk management and governance 
Security ComponentIndustrial action, maintenance error, willful damage, illegal use of the software.Low Low 
Application user error, operational staff error, malicious software, virus, unauthorized users using the software, Low Low 
HardwareNetwork Communication infiltration, malicious software, virus Medium Medium Information management and breach reportingRisk management and governance 
System Devices Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contaminationLow Low Network securityAssessing threats and vulnerabilitiesCybersecurity awareness and trainingPersonal screening and insider threatInformation management and breach reportingRisk management and governance 

Recommended Risk Management Strategies and Technologies

Governance and risk management

Cybersecurity is not only a technical issue but also a multifaceted concern that needs an approach that is enterprise wide (Haouari et al., 2018). It is important to note that it is impossible to attain total protection from cyber that but having a governance framework and mismanagement structure in an organization helps alleviate the exposure to threats and the extent of damage to the IT infrastructure (Polemi, 2017). 

Personal screening and insider threat

About 71% of IT professionals believe that insider threat is a critical concern in cybersecurity. Insides are considered employees (current and former), contractors, vendors, or any person authorized to access the system (Haouari et al., 2018). Thus, it is essential to build a multidisciplinary team, understand and solve organizational issues, the examine-pre-employment process of screening, conduct training, develop practices and policies, and enforce separation of duties to facilitate personal screening and manage insider threat.

Physical environment security

Organizations should ensure defensive mechanisms to human threats, supply system threats, and environmental threats to ensure that it’s IT infrastructure is secure (Haouari et al., 2018).

Cybersecurity awareness and training

Organizations should ensure mandatory cybersecurity awareness and training for all personnel and the training can be carried out classes, online, videos, and seminars (Haouari et al., 2018; Mirzaei et al., 2018). Making all personnel understand their roles in the organizations alleviates internal threats to the IT infrastructure. 

Assessment of threats and vulnerabilities

Organizations should run automated vulnerability assessment tools against all systems on the network regularly and deliver the most critical vulnerabilities to each system administrator (Haouari et al., 2018). Besides, the tools vulnerability assessment tools should be updated regularly.

When the organizations ensure and implement the best practices, it stands high chances of minimizing threats and risks to its IT infrastructure.

AssetThreats Risk probabilityMitigation strategies Potential response Prioritization of Responses
Unauthorized staffillegal and unauthorized use of software, misuse of resources, industrial action, user error, willful damage, operational staff errorMedium Unauthorized access trialsSecurity policy
  
Involve stakeholders Create a financial impact assessment scale
Regular reviews
 
Authorized staffMalicious software, misuse of resources, willful damageHigh Proper trainingThird-party access security   
Unauthorized access trials
Regular reviews
Designation of roles
Policy enforcement
Strangers Eavesdropping, willful damageMedium Regular vulnerability assessment Information security infrastructure 
Physical environment security
People trusted by the organizationwillful damage, masquerading of user identityMedium Asset management Information security infrastructure   
Cyber insurance
Cyber policy 
 Transmission errors, software failure, High Network security  Information classification   Define ace acceptable and unacceptable riskCreate a probability scale
Backup and recovery
Information system protection
Cyber policy
 user error, willful damage, operational staff error, misuse of resources, Medium Asset management Security policy

 Failure of power supply, hardware failure, malicious software, virusMedium Backup and storageMonitoring access and use of the systemUser responsibility




    
Involve business stakeholders 
Network security
Assessing threats and vulnerabilities
Cybersecurity awareness and training
Personal screening and insider threat
 Deterioration of storage media, unauthorized use of storage media, theft, repudiation, failure of power supply Information management and breach reportingOperational procedures and responsibilities



Identify cybersecurity threat
 Traffic overloading, transmission errors, communication infiltration, malicious software, virusLow Risk management and governance  Business requirement access control User access management


 User error, willful damage, operational staff error, illegal export/import of software, maintenance error Medium Network security Application access control 



  
Access severity levels
Assessing threats and vulnerabilities
Cybersecurity awareness and training
Personal screening and insider threat
 Industrial action, maintenance error, willful damage, illegal use of the software.Low Information management and breach reporting Business continuity management


Involve business stakeholders 
 user error, operational staff error, malicious software, virus, unauthorized users using the software,Low Risk management and governance  Monitoring 



Set ermine the proximity of the threat event 
 Communication infiltration, malicious software, virus Medium Information management and breach reportingSecurity of system filesSecurity application system



Risk management and governance 
 Airborne particles and dust, theft, power fluctuation, air-conditioning failure, extreme humidity and temperature, environmental contaminationLow Network security Monitoring Housekeeping 








    
Assess levels of severity
Assessing threats and vulnerabilities
Cybersecurity awareness and training
Personal screening and insider threat
Information management and breach reporting
Risk management and governance 

Risk Management Implementation Recommendations

The first cyber risk recommendation is the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework when it comes to developing information security programs. The CFC deters malicious cyber actors and reduces network weakness (Kohnke et al., 2017). Moreover, it offers voluntary guidance as per the existing practices, guidelines, and standards for better management and reduces risk in the five core functions in organizations: Identifying, Protecting, Detecting, Responding, and Recovering. Adoption of best practices in all the five areas will help financial institutions in aligning and prorating in cybersecurity activities as per its business mission, resources, and risk tolerance (the United States, 2017). However, organizations should not be limited to NIST only; they can go for other risk management frameworks like NIST. 

Secondly, organizations should obtain and maintain a reliable understanding of the network they are using. Also, they should identify all the assets and ensure they are under active security management (Polemi, 2017). Organizations should fully manage changes in their scope of the network because even a small change can result from divestitures, acquisitions or mergers (the United States, 2017). Consequently, it can lead to geographical expansion or changes within the organization offerings that calls for modifications to the present internet-facing assets. When organizations fully manage their changes, it could also save them from becoming vulnerable (Mirzaei et al., 2018). Therefore, understanding the outside and the inside of the network is important to organizations as it helps them identify unexpected gaps as well as correctable vulnerabilities. 

Thirdly, organizations should find weak links within it while adhering to processes and policies. Most of the security teams and technology operate independently; hence, there is a need for coordination and interaction (Zhang, & Ghorbani, 2020). Therefore, financial institutions require an IT team, network-engineering team, and software engineering team to help in the operation (Kohnke et al., 2017). The teams will help in assessing the effectiveness and evaluating issues related to security by category. Categorization of discernible technical flaws in configuration or posture, an organization can easily draw useful conclusions regarding the effectiveness of the processes, procedures, and maturity based on function.

Fourthly, financial institutions should make sure that their network team abides by the best practices required in network management. Sometimes the network teams might find it difficult to understand the impact of network configuration on specific risk especially while evaluating it from the outside. Items like exploitable open ports speak for themselves, whereas others are more subtle though they indicate a gap in adopting and executing best practices (Zhang, & Ghorbani, 2020). Financial institutions should avoid unnecessary exposure to network infrastructure assets. However, in case there is a need to expose, they should ensure the correct configuration for the exposed network infrastructure assets. 

Fifthly, organizations should protect and monitor endpoints of the network. Financial institutions should learn to assess endpoint security’s health by looking for evidence in their compromise (the United States, 2016). Material data breach events and compromised endpoints are not the same, but research shows a correlation between them in the incidents of malicious behavior because of subsequent breach behavior and compromise. Financial institutions need to monitor endpoints with endpoint agents actively or use virus protection products (Mirzaei et al., 2018). The institutions should go further to engaging the broader community of security in the depiction of possible endpoint compromise by looking at the published Real-time Blackhole Lists (RBLs) that show suspected or confirmed malicious activities from network endpoints.

Lastly, organizations should have active certificate management programs are present and being implemented. It is easy for the routine maintenance of security certificate programs to slip because of ignoring and deprioritizing basic tasks by favoring pressing issues (Kohnke et al., 2017). A non-standard or expired certificate may sometime fail to show serious network risks (the United States, 2016). Poor certificate management is evident when financial institutions fail to implement and maintain best practices in more broadly way. Research shows that inactive and ineffective management of certificate by organizations raise chances of them suffering from compromises like material breach event.

References 

Haouari, A., Mostapha, Z., & Yassir, S. (January 01, 2018). Current State Survey and Future Opportunities for Trust and Security in Green Cloud Computing.

Information Security Governance Practices and Commitments in Organizations. (January 01, 2019).

Kohnke, A., Sigler, K., & Shoemaker, D. (2017). Implementing cybersecurity: A guide to the National Institute of Standards and Technology Risk Management Framework.

Mirzaei, O., Maria, . F. J., & Manzano, L. G. (January 01, 2018). Dynamic Risk Assessment in IT Environments.

United States., Powner, D. A., United States., & United States. (2018). Information technology: the continued implementation of high-risk recommendations is needed to better manage acquisitions, operations, and cybersecurity: Testimony before the Subcommittees on Government Operations and Information Technology, Committee on Oversight and Government Reform, House of Representatives.

The United States. (2017). Defense cybersecurity: DOD’s monitoring of progress in implementing cyber strategies can be strengthened.

The United States. (2016). Utility resilience at Department of Defense installations: Issues and risk mitigation.

Polemi, N. (2017). Port Cybersecurity: Securing Critical Information Infrastructures and Supply Chains.

Zhang, X., & Ghorbani, A. A. (January 01, 2020). Human Factors in Cybersecurity

Place your order
(550 words)

Approximate price: $22

Calculate the price of your order

550 words
We'll send you the first draft for approval by September 11, 2018 at 10:52 AM
Total price:
$26
The price is based on these factors:
Academic level
Number of pages
Urgency
Basic features
  • Free title page and bibliography
  • Unlimited revisions
  • Plagiarism-free guarantee
  • Money-back guarantee
  • 24/7 support
On-demand options
  • Writer’s samples
  • Part-by-part delivery
  • Overnight delivery
  • Copies of used sources
  • Expert Proofreading
Paper format
  • 275 words per page
  • 12 pt Arial/Times New Roman
  • Double line spacing
  • Any citation style (APA, MLA, Chicago/Turabian, Harvard)

Our guarantees

Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.

Money-back guarantee

You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.

Read more

Zero-plagiarism guarantee

Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.

Read more

Free-revision policy

Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.

Read more

Privacy policy

Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.

Read more

Fair-cooperation guarantee

By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.

Read more
error: Content is protected !!
Live Chat+1(978) 822-0999EmailWhatsApp

Order your essay today and save 20% with the discount code LEMONADE