Information Risk Management
Assessment title: A critical reflection on a real- world security incident
Learning outcome 1: Form deep and systematic understanding of relevant standards, such as ISO27001, in the context of Information Security Management.
Learning outcome 2: Analyse a broad range of issues related to real-world security issues that face commercial organisations and other institutions.
Learning outcome 3: Evaluate and critique the shortcomings of real-world security incidents and provide clear justification and innovation solutions for how ISMS could help mitigate future incidents.
Learning outcome 4: Assess and evaluate the appropriateness of security laws and regulations.
Learning outcome 5: Reflect on personal capabilities for the proposal of an ISMS, providing a strong rationale for the methods adopted.
Broadly speaking, the assignment requires you to produce a group presentation of 30 minutes that provides a critical reflection on a real-world security scenario provided in the case study, with evidence of risk assessment using suitable methodologies, and how this can inform mitigation of future incidents.
Working on this assignment will help you to develop your knowledge and understanding of applying risk methodologies to resolve real-world security incidents. It will also help to develop your critical thinking skills for identifying appropriate mitigation strategies to avoid future security incidents. If you have questions about this assignment, please post them to the discussion board "Information Risk Management Assignment" on Blackboard.
Task Specification
For this assignment, you are provided with the following case study built around a real-world security incident.
Case study:
Imagine you are responsible for overseeing an organizational risk management strategy spanning three distinct departments. The organization perceives risk as the potential vulnerabilities within our security landscape, which could result in exposure, thereby facilitating cyber incidents against our infrastructure, capabilities, services, and applications. Such incidents could, in turn, have adverse effects on Confidentiality, Integrity, and/or Availability, leading to reduced resilience, compromised safety, impaired capabilities, loss of business services, financial setbacks, and reputational damage to the UK Government.
These risks pertain to three primary business domains:
1. IT & Infrastructure
2. Equipment
3. Logistics & Support Services
Although each business domain operates under the purview of a separate Director, the collective ownership of the risk extends to all three departments. A dedicated Director bears responsibility for managing this risk, consistently reporting its status to the Executive Board throughout the year.
Given the intricacy and expansive nature of this risk, establishing a baseline level of risk exposure, pre-mitigation, that encompasses the entire business across all three domains proves to be a challenging endeavor. Similarly, defining a Risk Appetite (RA) presents its own complexities, owing to the domain-specific variations, differing perspectives from each Director, and resource constraints, among other factors.
*Students have the flexibility to choose any organization for their study, drawing inspiration from real-world incidents that have occurred in the past, rather than being restricted to predefined case study.
Considering all of the above, answer the following questions,
1. You are expected to analyse a broad range of issues related to real-world security issues that face commercial organisations and other institutions.
2. Assess the suitability of security laws and regulations.
3. How would a baseline risk level be established? How ISMS and FAIR can be applicable to organisation.
4. What approach could be taken to define a risk assessment and can a single approach work or it will be more appropriate to individually assess for each domain? Along with risk analysis and treatment strategies.
5. How would the effectiveness of controls (risk response) be measured? What can be risk quantification measures and metrics? How to monitor ongoing (residual) risk?