Your Details


[ Vulnerability Analysis]

Certification and Accreditation of Information Systems

Vulnerability: – Vulnerability is a weakness of a system which allows the intruders to reduce a systems information assurance. It includes three parts first is flaw, intruder’s access to the flaws, and intruder’s capability to exploit the flaw. An intruder to be vulnerable should have at least one technique which connects to the systems weakness. They are classified according to the asset class which are







As a part of a formal risk assessment of desktop systems in a small accounting firm with limited IT Support, you have identified the asset “integrity of customer and financial data files on desktop systems” and the threat “corruption of these files due to import of a worm/virus onto system.” Suggest reasonable values for the items in the risk register for this asset and threat, and provide justifications for your choices 

The Risk Register is shown below

Assets Threat Controls Likelihood Consequences

Level of Risk Risk Priority

Integrity of customer and financial data files on desktop systems Corruption of these files due to import of a worm/virus onto system Firewall, Antivirus, e-mails, downloading files Almost Certain Major Extreme 2

The three strategies of managing risk are:

(1) Reduce the probability of an unfavourable event: – These can be accomplished by effective strategic planning. Management skills and knowledge of managers can be developed either directly through self improvement or indirectly by outside advisors.

(2) Self-insure and accept the impact if an unfavourable event occurs: – Following options are included:

Modification of revenue-related risks by diversifying the enterprise mix. The outcome can be lower average revenue or added costs in the course of a loss of efficiency.

Reduction of production risk due to spread of production geographically. This can result in increase of cost of production.

Building net worth will help a business to survive in adverse events.

Building excess production capacity which will reduce the likelihood of delay of production-related activities

(3) Reduce the impact on the business if an unfavourable event occurs by shifting risk to others: – Costs are incurred in the form of Insurance premiums.

Qualitative risk analysis: – An analysis that adjudicators an organization’s risks to pressure, which is based on decision, perception, and the knowledge versus transmission real numbers to this possible risks and their potentials loss margins.

Quantitative risk analysis: – A process that attempts to allocate real numbers to the costs of countermeasures and the quantity of harm that can take place.

Differences between these two are

S No. Quantitative Risk Analysis Qualitative Risk Analysis

1. Results are expressed in management specific terminology They do not determine financial values of assets.

2. Risks are analyzed in financial terms Risks are analyzed in terms of quality of risk that is ranking the risks.

Quantitative Risk Analysis is more effective as it tells the monetary value of the Risk.

The two models are

Security Steering Group (Leverage Model)

Maintaining the information of the industry, sustaining technology, and security model is not a part-time plan. Developing an useful security architecture that is built on the inclusive familiarity of the business is a non-trivial activity that requires active advertising to multiple resources that can sufficiently characterize the business objectives and/or needs of the organization. The organization of an Internal Security Steering Group will help ease the measures necessary to design, build, implement and maintain a pragmatic security architecture model.

This leverage model can successfully decrease the overall level of effort in scheming, implementing, and managing all of the serious mechanism that an venture security architecture is comprised of thus increasing the Return On Investment (ROI), reducing the Total Cost of Ownership (TCO), and effectively managing risks.

Basic Security Requirement Model

An incorporated risk management program is serious in securing business objectives requiring the enforcement of secrecy, reliability, accessibility, and liability.


Secrecy ensures the safety of data from illegal access throughout an organization’s information planning, which extends to all data directly linked with the architecture’s applications, data stores, communication links and/or processes.


Reliability ensures that data, services, and other restricted resources are not altered and/or destroyed in an unlawful manner. Reliability based controls provide safeguards against unplanned, unlawful, or nasty actions that could result in the change of security defense mechanisms, security sorting levels, addressing or steering information, and/or audit information.


Accessibility ensures the trustworthy and right process of information and system capital for which the loss of information and/or resource access would cause unfavorable results. Accessibility based security necessities include controls to stop, sense, and/or monitor unintended, unlawful, and/or nasty activities that could negatively impact the accessibility of serious information.


Liability requirements ensure that events can be linked to exact users and/or processes accountable for those actions. The largely goal is to be able to confirm, with 100% certainty, that a picky electronic message can be associated with a particular individual, just as a handwritten signature on a blank check is tied back to the account owner. Liability based controls include detection and validation mechanisms, and access control.

The steps are:-

Knowledge base: A good tool will come with letter templates, appeals strategies, and other content to arm providers with the information that only experience can provide.

Workflows: MAC appeals can involve many departments and individuals collaborating to meet deadlines. Look for tools that have both prebuilt workflows as well as the flexibility to modify or design processes to fit an organization’s specific needs.

Hosted software-as-a-service model: Keeping up with changing requirements and incorporating new best practices is difficult with software that arrives on CD. Hosted applications offer frequent content and functionality updates as well as fully functional remote access.

Easy-to-use streamlined interface: Good tools must be fast and easy to use, with controls that are intuitive enough that even the technologically handicapped can use them.

The three steps in the security process are:

Plan: – The first step is to plan the whole structure of the requirements. Nothing can be done without planning so the first step is to plan what all is there and how to work on the security of the required data. Security process is to be followed according to the plan made.

Delegate: – This is the step which lets the plan made to be followed in reality. Implementation of the security plan is done in this step.

Audit: – This is the step in which all the security measures are tested and if any loop wholes are found they are rectified to provide the correct security measures.

The steps involved in conducting an assessment are

Define Extent of the Change: – The assessment being done is laid down in detail and all the procedure required are defined in this step.

Determine Key Differences: – All the key differences are determined in this step, where all the requirements are laid down and separated from each other.

Focus on Effects: – This step lays down the processes and main focus is laid down in implementing them.

Sort and Prioritize: – The main processes are first listed and all those who have higher priorities are dealt first.

Make a Decision: – This is the step which lets the user make the effective decision of his assessment.

Mobile devices though being portable and have the dual facility to access calls and e-mails (internet) have some risks which are as follows.

Due to their small sizes they can be easily stolen or lost which leads to loss of the complete data.

The files still exist on the cells memory which can be misused.

If the mobile software’s or any download is virus stuck, they can harm the handset itself.

The handsets are prone to many malwares which come due to different downloads being done over the mobiles.

There can be excessive spams which come in the mobile devices.

Thus using official information over mobile phones should be minimized only when its actually and increasing necessary as this can lead to leakage and misuse of information of the organization which can be a risk factor for them.

The main benefits associated with the approach to IT planning are

Releasing the possessions for improved operation

The capability to nurture the business devoid of considerable increase to workforce all the way through improved and large efficiency and output

Concentrated delays in vocation stream process

Concentrated delivery rejoinder instance

Concentrated records

A risk is any happening and occurrence of actions, which can be internally or externally generated, which prevents an association from achieving its objectives and goals. Risk assessment will aid in planning decisions such as:

The character, degree, and timing of review measures

The business functions to be audited.

The quantity of time and capital to be owed to a review

With the information Eric Raffin had at that time, the other alternatives could he have considered are

Developing a database to record the actions which can be referred to at the time of need

Taking timely backup which can help store the data which can be useful in days to come

Forming a system which stores every minute details so that without any missing information the process can be followed.

Taking into account the possible system working time which would have increased its working and efficiency.

The bowtie analysis is a popular structured method which helps in assessing risk, in this methodology qualitative approach is not enviable. The achievement and accomplishment of using the diagram is its uncomplicated and trouble-free method for any non- expert to comprehend. The design is an easy one to combine the reason (fault tree) and the result (event tree). The fault tree is wan on the left side and the event tree is wan on the right side and the risk is wan as a “knot” in the centre, the diagram appears like a bowtie. An example of the same is shown below:

Consequence 2

Consequence 1

Mitigation 2

Mitigation 1


Prevention 2

Prevention 1

Hazard 2

Hazard 1

To create a bowtie diagram following needs to be defined:

Events which needs to be prevented.

Threats that might root the event to take place.

Consequences which occur due to the event.

Controls required avoiding the event from being occurred.

Controls to moderate alongside the consequences.

The bowtie methodology is used for every kind of risk examination and investigation, from major accidents, all the way through work-related and ecological to industry, IT and safety risks.

Using web as a medium of exchange either associated with buying or selling of goods and services involve transactions of money from an account to the other. The customers are on a very high risk undertaking these shopping’s over net, the risks are

The customer is not sure whether the web page which he is trying to do over net shopping is a valid one or not. Generally people make fake web pages and just try to cheat on general public and take lots of money from them and don’t deliver the products.

They can risk their money which they are giving in exchange of the commodity.

They can risk their bank account details or their credit card details.

They are not sure of even getting their desired product which they have purchased over net.

They cannot fight for the quality of product which was sent to them or if a product is broken.

So there are various risks involved in shopping over net, thus it should be avoided to a great extent.

Outsourcing is forming a contract with another company or person to do a particular task or provide some service. Naturally, the purpose being outsourced is measured non-core to the business. Today almost every organization outsources in some way or the other.

Following are some positive effects of outsourcing on an organization are


Offshore Expansion

Variety of Options

Reduced Risks

Competitive Spirit

Fulfill Business Objectives

Better Results

Resource Utilization


Share Business Risks

Fast Turnaround Time

Following are some negative effects of outsourcing on an organization

Loss of jobs in developed counties

Huge lay-offs by companies

Risk of heavy losses to companies who outsource without proper planning

Rise of fear and dissatisfaction among employees in companies that outsource

Risk of the outsourcing company stopping its operations

The project may not be completed well in time. As the whole group has not worked over this technology and we have no documentation to refer for this technology we face real difficulties in estimating the time required to complete the project. We can even go wrong in the people required for completing this project. Doing this project is like “Aiming in the Dark”. We are in this situation that we have put our foot forward without even know where is our goal and how much time we need to reach our goal. There is the biggest problem here that will be deliver the project well in time because the organization is waiting for the new deliverable and things and the processes currently in the organization are being done hoping of getting the deliverable well in time. As we know every step undertaken within an organization are interdependent, so the dependency of work on this new technology is also expected.

The development of this technology may lead to losses in shares of the company for which the technology is being made. Now when the organizations is expecting a new technology after six months they might have started managing their work in the hope to get the new technology well in time but if this does not happen obviously the company is going to be struck hard in losses and if a company goes in loss it for sure to have a depreciation in the shares. The probability of this risk is very high it’s like more than 50%. The risk exposure is high because it directly affects the stake of the company. The best way to avoid this risk is to take as long time period for its completion but it should be adequate and within reach.

Another risk is will the deliverable be efficient enough to provide what’s required out of it. Here is the biggest risk, whether we will be able to provide the project in the way it’s required. Even if we take long time to do the project we are not sure of its success as the system takes data from three systems which no one is aware of except one of the team members. This situation is like being lead by one who is also not sure about the things. We are just doing a process of hit and try. If it works out its well and good, else all in vain.

The risk here is very high as taking this technology for development we are not sure to give the desired deliverable because it’s a new technology and new systems are involved which has no reference to be taken help from. Now if this thing happens the company can face a situation to stop its work because they might have started their processing according to the new technology hoping to let it work fine. The probability to this risk is maximum because it’s what the exact system is all about. The best way to avoid or risk this down is to do a thorough study and analysis of the systems required. Every possible data and information should be gathered and should be considered to help make a productive deliverable.

The next risk is about the inflow required in this project. As I told you that we are working on the bases of hit and try we may require more inflow in the project as what was planned or estimated. This is really a thing to worry because an organization can only spent a particular amount on a project. And here is the case that even if they spent more they are not sure of the final deliverable.

If this is the thing it’s for sure that the company can go in losses. The risk exposure is high because if the company will utilize its funds here and that also without even having a budget for that they will go in huge losses which might create a situation for the company to shut down its business. The best way to avoid this risk is to first clearly discuss with the developers how much capital is required and will they be able to give the desired deliverable within that budget. And what will be the maximum expenditure for this. A through planning should be done and only then the decision should be taken for undertaking such a new project.

The risks involved in this project are high and it’s really not feasible and ethical to undertake such a project because it do not gives a desired deliverable, it also harms the managers/ companies goodwill. It can make the company a loss too, which is not right. If the company goes in loss it will affect the market of the company, which will lead to fall in the share rates, loss of customers of the company which is not good at all. On the part of the organization they should also take care of what they are expecting from a project is approachable and valid.








ebookFIRE SAFETY RISK ASSESSMENT http://www.communities.gov.uk/documents/fire/pdf/151102.pdf



Leave a Reply

Your email address will not be published. Required fields are marked *

× How can I help you?