ICT380 - Workshop 8

The document outlines the creation of an inventory and assessment of resources for a fictitious organization. It includes a list of 38 assets that are then classified into 9 categories. Relative values from 1-100 are assigned to each category based on importance. A vulnerability assessment is then performed that involves answering 43 questions about security, emergency protocols, and data protection measures. Information assets like employee data, customer information and research data are identified and weighted based on sensitivity. Potential threats such as hackers, unauthorized access, natural disasters and outdated software are also identified.

Uploaded by

Neelav Barai

Create an inventory of resources for your [fictitious] organization.

1. Web Server
2. Data server
3. Email Server
4. Application server
5. Network routers
6. Network cables
7. Network server
8. IP address
9. Power back up
10. Water Supply system
11. Air Conditioning
12. Security scanners
13. Biometric sensors
14. Security cameras
15. Security monitoring stations
16. Work stations
17. Keyboards
18. Mouse
19. External storage devices
20. Tapes
21. Printers
22. Chairs and Cubicles
23. Cleaning Vendor
24. Network AMC Vendor
25. Print AMC Vendor
26. Staffing Vendor
27. Food Vendor
28. Security Guards Vendor
29. Power Supply AMC Vendor
30. Permanent Employees
31. Temporary Employees
32. Customer Data
33. Employee Data
34. Research Data
35. Competition Data
36. Security Audit Data
37. In house developed Applications
38. Licensed Applications
39. Operating Systems
40. Databases
41. Antiviruses
42. Firewall software

Classify and categorize your assets.

1. Servers and Backup
2. Network Accessories
3. Workstations and Accessories
4. Security Equipment
5. Third party vendors
6. Employees
7. Applications and Software
8. Business Data
9. Office Supply and support system

Assign relative values to assets.

Assets Value
Business Data 100
Employees 100
Servers and Backup 100
Application and Software 50
Security Equipment 50
Workstations & Accessories 50
Network Accessories 50
Office Supply & support system 10
Third Party vendors 10

Rank your assets.

Assets Rank
Business Data 1
Employees 2
Servers and Backup 3
Application and Software 4
Security Equipment 5
Workstations & Accessories 6
Network Accessories 7
Office Supply & support system 8
Third Party vendors 9

Perform a vulnerability assessment.

QUESTION / ANSWER
1. Has your emergency response plan been updated within the last 12 months? Yes ☒ No ☐ N/A ☐
2. Is access to all components of your data centre system restricted to authorized personnel only? Yes ☐ No ☒ N/A ☐
3. Are warning signs (tampering, unauthorized access, etc.) posted on all components of your office? (For example, servers and storage tapes.) Yes ☒ No ☐ N/A ☐
4. Do you have emergency contact information posted at all data centre components? Yes ☒ No ☐ N/A ☐
5. Are facilities (servers, server rooms, workstations, etc.) auto locked, and are doors, security cams, hatches, and gates locked and routinely checked where appropriate? Yes ☐ No ☒ N/A ☐
6. Are all doors, windows, and other points of human access kept closed and locked? Yes ☐ No ☒ N/A ☐
7. Are server rooms, vents, roof hatches, etc., all locked or otherwise secured from intrusion? Yes ☐ No ☒ N/A ☐
8. Is the area around the components of your office free of objects that may be used for breaking and entering? Yes ☒ No ☐ N/A ☐
9. Is there external lighting around the key components of your RnD centre? Yes ☒ No ☐ N/A ☐
10. Are all entries to your office easily observable by system personnel? Yes ☒ No ☐ N/A ☐
11. Is your power supply secured with fences or gates? Yes ☐ No ☒ N/A ☐
12. Do water system personnel visit the power supply regularly? Yes ☒ No ☐ N/A ☐
13. Do you routinely inspect your power intake, buildings, storage, equipment, and other critical components? Yes ☒ No ☐ N/A ☐
14. Do you have an alarm system that will detect unauthorized entry or attempted entry at critical components? Yes ☐ No ☒ N/A ☐
15. Are fire/smoke alarms provided within all structures? Yes ☐ No ☒ N/A ☐
16. Are your power supply cables sealed properly? Yes ☐ No ☒ N/A ☐
17. Are well vents and caps screened and securely attached? Yes ☒ No ☐ N/A ☐
18. Are all observation/test and abandoned systems properly secured to prevent tampering? Yes ☒ No ☐ N/A ☐
19. Do you monitor raw and processed data so that you can detect changes in data quality? Yes ☒ No ☐ N/A ☐
20. Are all elevators, stairs, and entry points properly secured? Yes ☐ No ☒ N/A ☐
21. Are all vents and cooling pipes properly protected with screens and/or grates? Yes ☒ No ☐ N/A ☐
22. Can you isolate and dispose of any infected system without using any of the distribution system? Yes ☐ No ☒ N/A ☐
23. Do you control the use of office space and access by third parties? Yes ☒ No ☐ N/A ☐
24. Does your system secure areas of the data system that are exposed or vulnerable during repair or construction activities? Yes ☒ No ☐ N/A ☐
25. Does your system monitor, and maintain, incoming and outgoing data traffic? Yes ☒ No ☒ N/A ☐
26. Has your system implemented an intrusion prevention program? Yes ☒ No ☐ N/A ☐
27. Are all existing emergency interconnections to other workstations functional and exercised on a regular basis? Yes ☐ No ☒ N/A ☐
28. Do you have an updated Operations and Maintenance (O&M) manual? Yes ☒ No ☐ N/A ☐
29. Does your O&M manual include periodic, routine evaluation of security systems? Yes ☒ No ☐ N/A ☐
30. Do you have Standard Operating Procedures (SOPs) available so that unfamiliar staff or outside support could help run your system? Yes ☒ No ☐ N/A ☐
31. When hiring personnel, do you request local police to perform a criminal background check, and do you verify employment eligibility (as required by the Immigration and Naturalization Service, Form I-9)? Yes ☒ No ☐ N/A ☐
32. Are your personnel issued photo-identification cards? Yes ☒ No ☐ N/A ☐
33. Do you have a key control and accountability policy? Yes ☒ No ☐ N/A ☐
34. Are entry codes and keys limited to current company personnel only? Yes ☒ No ☐ N/A ☐
35. When terminating employment, do you require employees to turn in photo IDs, keys, access codes, and other security-related items? Yes ☒ No ☐ N/A ☐
36. Have water company personnel been advised to report security concerns and to report suspicious activity? Yes ☒ No ☐ N/A ☐
37. Do your personnel (including those who answer phones) have a checklist to use for threats or suspicious calls or to report suspicious activity? Yes ☒ No ☐ N/A ☐
38. Do your computers have restricted Internet access? Yes ☐ No ☒ N/A ☐
39. Is computer access "password protected"? Yes ☒ No ☐ N/A ☐
40. Is virus protection installed and operating, and is your operating software upgraded regularly? Yes ☒ No ☐ N/A ☐
41. Do you implement backup procedures for your computers? Yes ☒ No ☐ N/A ☐
42. Do you regularly review your utility, local community, and other web sites for security sensitive information related to your system that could be used to disrupt your system or reputation? Yes ☒ No ☐ N/A ☐
43. Are copies of records, client data, and other sensitive information labeled "CONFIDENTIAL"? Yes ☒ No ☐ N/A ☐
44. Are research data and backup tapes stored in a secure location? Yes ☒ No ☐ N/A ☐

Identification of Information Assets and Weightage

Information Asset          Weightage
Employee Data              100
Customer Information       100
Research Data              100
Competition Data           40
Customer Seismic Data      100
Application Data           60
Archived Data              100

Identification of Threats

Threats Identified: Details

Hackers: Those people who are trying to illegally breach into the company from outside or with help from inside.
Unauthorised Personnel: People who don't have access to a certain area or a certain network but are trying to get it.
Insider threat: These are people who have access to the company office and may utilize that access to plant bugs or illicit programs in the office system.
Natural Disaster: These are threats which are also accounted as Acts of God, and we don't have any control over them.
Fire Disaster: This is also a type of disaster, where a fire accident takes place on the office floor.
Outdated Software Version: Hackers always try to find loopholes in existing software and will try to exploit them to grant themselves access to the network of any company using that software. That's why it's necessary to keep the software properly updated and patched.
Pests: Pests like cockroaches and mice can inflict damage on the network cables and office supplies.

Produce a Threat-Vulnerability assessment worksheet.

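Worksheet columns: Protected asset; Risk; Possible threats to the asset; Compromising areas of the asset; Consequence of breach; Risk severity; Risk likelihood; Risk level; Current safeguards; Proposed safeguards; Priority.

Protected asset: Business Data
Risk: There is a threat of the data being stolen by some entity or lost to some kind of disaster.
Possible threats to the asset: Hackers or disaster
Compromising areas of the asset: Workstations, Internet or servers
Consequence of breach: Loss of company image, business critical data, customer loss, monetary loss
Risk severity: INTOLERABLE
Risk likelihood: POSSIBLE
Risk level: HIGH
Current safeguards: Firewalls, antivirus, authentication
Proposed safeguards: Application of different layers of domains, implementation of honey pot system, full encryption
Priority: EXTREME

Protected asset: Employees
Risk: In case of any disaster there is a threat to the wellbeing of the employees.
Possible threats to the asset: Disaster
Compromising areas of the asset: Office or locality
Consequence of breach: Company critical dependency
Risk severity: INTOLERABLE
Risk likelihood: POSSIBLE
Risk level: MEDIUM
Current safeguards: None
Proposed safeguards: Full background check and transportation facilities
Priority: HIGH

Protected asset: Servers and Backup
Risk: The servers and backup contain the essential business data, plus they have monetary value attached too.
Possible threats to the asset: Hackers or disaster
Compromising areas of the asset: Workstations, Internet or direct access
Consequence of breach: Loss of company image, business critical data, customer loss, monetary loss
Risk severity: INTOLERABLE
Risk likelihood: POSSIBLE
Risk level: HIGH
Current safeguards: Firewalls, antivirus, authentication
Proposed safeguards: Application of different layers of domains, implementation of honey pot system, full encryption
Priority: EXTREME

Protected asset: Application and Software
Risk: Any outdated application or software carries the risk of a data breach, or it can be the contact point of any illegal activity.
Possible threats to the asset: Illegal access or outdated version
Compromising areas of the asset: Internet or direct access
Consequence of breach: Loss of company image, business critical data, customer loss, monetary loss
Risk severity: INTOLERABLE
Risk likelihood: PROBABLE
Risk level: EXTREME
Current safeguards: Firewalls, antivirus, authentication
Proposed safeguards: Updating and patching regularly for potential backdoors
Priority: EXTREME

Protected asset: Security Equipment
Risk: These items are present to protect the organization from any type of breach, but they themselves have the risk of being compromised by some entity.
Possible threats to the asset: Hackers or disaster
Compromising areas of the asset: Internet or direct access
Consequence of breach: Security system compromise and direct threat to company
Risk severity: UNDESIRABLE
Risk likelihood: IMPROBABLE
Risk level: MEDIUM
Current safeguards: None
Proposed safeguards: Routine check
Priority: LOW

Protected asset: Workstations & Accessories
Risk: These items can provide direct access to business critical data, so they have the risk of getting compromised if any potentially harmful entity gets their hands on them.
Possible threats to the asset: Hackers or disaster
Compromising areas of the asset: Internet or direct access
Consequence of breach: Loss of company image, business critical data, customer loss, monetary loss
Risk severity: INTOLERABLE
Risk likelihood: PROBABLE
Risk level: EXTREME
Current safeguards: Firewalls, antivirus, authentication
Proposed safeguards: Full encryption, no access to external memory device
Priority: EXTREME

Protected asset: Network Accessories
Risk: These items have the risk of getting damaged due to some disaster or even pests.
Possible threats to the asset: Disaster or pests
Compromising areas of the asset: Direct access
Consequence of breach: Monetary and effort loss
Risk severity: TOLERABLE
Risk likelihood: IMPROBABLE
Risk level: LOW
Current safeguards: Locked access
Proposed safeguards: Metal shielding and regular checking
Priority: LOW

Protected asset: Office Supply & support system
Risk: These items are important for the organization to operate properly and have the risk of getting affected due to an ongoing crisis or disaster.
Possible threats to the asset: Disaster
Compromising areas of the asset: Direct access
Consequence of breach: Loss of office and life support system
Risk severity: TOLERABLE
Risk likelihood: IMPROBABLE
Risk level: LOW
Current safeguards: None
Proposed safeguards: Proper and trustable AMCB
Priority: LOW

Protected asset: Third Party vendors
Risk: They sometimes have the clearance to go into sections of the office which are very critical, and if they get compromised it can result in potential harm for the organization.
Possible threats to the asset: Potentially harmful entity
Compromising areas of the asset: Personnel
Consequence of breach: Loss of company image, business critical data, customer loss, monetary loss
Risk severity: INTOLERABLE
Risk likelihood: PROBABLE
Risk level: HIGH
Current safeguards: Authentication badges, third party background verification
Proposed safeguards: Proper monitoring and more rigorous background check
Priority: HIGH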

Quantitative Risk Assessment

RISK LEVEL KEY   Description                                                 Weightage
LOW              Ok To Proceed.                                              0
MEDIUM           Have to take mitigation steps.                              1
HIGH             Will have to seek support and fix the issue immediately.    2
EXTREME          Place the event on hold and fix the issue immediately.      3

Likelihood \ Severity   ACCEPTABLE   TOLERABLE   UNDESIRABLE   INTOLERABLE
IMPROBABLE              1            4           6             10
POSSIBLE                2            5           8             11
PROBABLE                3            9           9             12

Extreme = Extreme_Likelihood_Severity * Extreme_Risk_Level = 12 x 3 = 36

Risk % = (Risk Level * Likelihood_Severity) / Extreme

Risk Rating = Asset Weightage * Risk %

Assets                           Weightage   Risk Level   Likelihood x Severity   Risk % (RL*LS/Extreme)   Risk Rating
Business Data                    100         2            11                      61%                      61.11
Employees                        100         1            11                      31%                      30.56
Servers and Backup               100         2            11                      61%                      61.11
Application and Software         50          3            12                      100%                     50.00
Security Equipment               50          1            6                       17%                      8.33
Workstations & Accessories       50          3            12                      100%                     50.00
Network Accessories              50          0            4                       0%                       0.00
Office Supply & support system   10          0            4                       0%                       0.00
Third Party vendors              10          2            12                      67%                      6.67
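
The calculation above, written out as an added example (it is not part of the original workshop document): it applies the page's matrix, risk-level weightages and formulas to the worksheet rows and sorts the assets by risk rating. The function names are assumptions chosen for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Matrix and weightages copied from the page (columns follow SEVERITIES order).
SEVERITIES = ("ACCEPTABLE", "TOLERABLE", "UNDESIRABLE", "INTOLERABLE")
MATRIX = {
    "IMPROBABLE": (1, 4, 6, 10),
    "POSSIBLE": (2, 5, 8, 11),
    "PROBABLE": (3, 9, 9, 12),
}
RISK_LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "EXTREME": 3}
# Extreme = highest matrix cell x highest risk-level weightage = 12 x 3 = 36
EXTREME = max(max(row) for row in MATRIX.values()) * max(RISK_LEVEL.values())

# Worksheet rows from the page: asset, weightage, likelihood, severity, risk level.
WORKSHEET = [
    ("Business Data", 100, "POSSIBLE", "INTOLERABLE", "HIGH"),
    ("Employees", 100, "POSSIBLE", "INTOLERABLE", "MEDIUM"),
    ("Servers and Backup", 100, "POSSIBLE", "INTOLERABLE", "HIGH"),
    ("Application and Software", 50, "PROBABLE", "INTOLERABLE", "EXTREME"),
    ("Security Equipment", 50, "IMPROBABLE", "UNDESIRABLE", "MEDIUM"),
    ("Workstations & Accessories", 50, "PROBABLE", "INTOLERABLE", "EXTREME"),
    ("Network Accessories", 50, "IMPROBABLE", "TOLERABLE", "LOW"),
    ("Office Supply & support system", 10, "IMPROBABLE", "TOLERABLE", "LOW"),
    ("Third Party vendors", 10, "PROBABLE", "INTOLERABLE", "HIGH"),
]

def likelihood_severity(likelihood, severity):
    """Look up the matrix cell; reject labels the worksheet does not define."""
    try:
        return MATRIX[likelihood.upper()][SEVERITIES.index(severity.upper())]
    except (KeyError, ValueError):
        raise ValueError(f"unknown likelihood/severity: {likelihood}/{severity}") from None

def risk_rating(weightage, likelihood, severity, level):
    """Risk Rating = Asset Weightage * (Risk Level * LS / Extreme), to 2 decimals."""
    if level.upper() not in RISK_LEVEL:
        raise ValueError(f"unknown risk level: {level}")
    ls = likelihood_severity(likelihood, severity)
    raw = Decimal(weightage * RISK_LEVEL[level.upper()] * ls) / EXTREME
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def prioritise(rows):
    """Rate every asset and sort highest rating first (ties keep worksheet order)."""
    rated = [(name, risk_rating(w, lk, sv, lvl)) for name, w, lk, sv, lvl in rows]
    return sorted(rated, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, rating in prioritise(WORKSHEET):
        print(f"{name:32} {str(rating):>6}")
```

Sorted by rating, Employees falls to fifth place although the value-based ranking puts it second, because its risk level is only MEDIUM.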

Imagine limited resources; decide where to assign resources to protect your assets.

- If we have a limited number of servers, we can use one server for multiple types of task; for example, a single server can work as both application server and data server.
- If we have a limited number of network IP addresses, there are a number of solutions, such as using a single gateway server to pass traffic through a single IP address; we can also create different collision domains for multiple usage.
- If we have a limited number of workstations, we can assign the same system to different people according to their shifts.
- If the cooling system has some limitation, we can redirect the resources towards safeguarding the servers where the business critical data resides.
- If there is a shortage of employees, only the business critical tasks will be performed.
