Complete a number of tasks for Manawa Architecture Limited to identify risks and vulnerabilities in their organizational setup
- Country :
Australia
This assessment consists of two parts:
- Develop a risk register to identify current risks based on the company details provided below, including recommended controls to minimise those risks.
- Carry out vulnerability scanning on some core areas of the business and write up a report of your findings.
Scenario
Manawa Architecture Limited is a renowned architecture company. They offer services throughout New Zealand. The company has recently completed some organisational restructuring and a new Board of Directors has been appointed. The new management team has a strong interest in Information Security and is keen to improve organisational security and compliance measures at Manawa to provide a secure and effective service to all of their clients throughout the country.
Manawa employs approximately 160 employees in three cities across the country. The main office is in Wellington, which houses 90 employees. The Auckland and Palmerston North offices have 30-40 employees respectively. Each of the offices is tied to its Tier-1 Data Centre in Wellington.
You have recently been employed as their Information Security Team Lead.
Check out the Case Study below to get a feel for their infrastructure set up and known issues. This will give you some context before you start working on the tasks below.
Task 1: Risk Register
Based on Manawa Architecture Limited’s set up, outlined in the Case Study above, identify any obvious security risks that may impact the organisation and/or its clients. Populate the Risk Register provided with these risks, including an assessment of each risk, and what risk control/s should be put in place to minimise them.
At minimum, your Risk Register should contain the following columns:
- Unique Identifier
- Risk Description
- Risk Impact
- Risk Indicator/Trigger
- Likelihood
- Severity
- Priority Level
- Risk Control/s
- Cost Implications
For your Severity, Likelihood and Priority Levels, please include a separate tab/page that defines how you determined these levels.
Your manager has also shared that Manawa are currently not aligned to any industry related standard; their approach is quite ad hoc. She would like you to align the risk register to an industry standard of your choosing, e.g. NIST, ISO, etc, so that it is easy to see how the risks identified map to a particular category, or policy family. You may need to add extra columns or modify existing columns in your Risk Register to demonstrate alignment.
Task 2: Vulnerability Scan Report
Using your own computer or virtual environment, carry out two vulnerability scans from the list below.
- Cloud vulnerabilities (public or private)
- Host vulnerabilities
- Network vulnerabilities
- Database vulnerabilities
In your report:
- Identify which vulnerability scanning tools you chose, or would choose for each area, and rationalise your decision/s. Please choose open-source free tools.
- Analyse your findings from the two scans you ran, and identify:
- How these risks can be addressed
- What level level of attention each risk needs, e.g. immediate attention (High Risk), moderate attention (Medium Risk) and/or low attention (Low Risks), and why.
- For the remaining two areas that you did not do a vulnerability scan for, highlight common vulnerabilities to look out for and the potential impact these could have if not addressed.
