Draft A Report on Risk Identification
- Country: Australia
In this assessment, you are required to identify risks and perform an analysis on the use case you selected in Assignment 01. Reasonable assumptions can be made regarding the selected scenario if they are properly documented and justified. The length of the report should not be more than 15 pages, excluding the title page, table of contents, and references.
To perform the risk identification and analysis, you can choose any one of the following tools or a combination of them.
- Factor Analysis of Information Risk (FAIR)
- NIST Privacy Risk Assessment Methodology (PRAM)
- NIST Cybersecurity Framework (CSF)
Assume that you have been hired as a cybersecurity specialist for the client organisation (the use case you selected). You need to undertake a security risk assessment and prepare this report for the board members. In most organisations, the computer literacy and risk-related knowledge of board members are generally quite low. You need to prepare the report by including the following details.
- Executive Summary
- Introduction/Context Establishment
- Risk Assessment
  - Risk Identification
  - Risk Analysis
  - Risk Evaluation
- Conclusion
- References
Report Organisation
In this report, you will target two types of audience: board members or executives, and the cybersecurity personnel of the client organisation. While preparing your report, you need to ensure the contents of each section are customised properly. Board members will expect a clear analysis focused on the business interests of the organisation so that they can make appropriate decisions. The cybersecurity personnel, on the other hand, will require a detailed technical review to guide them in implementing relevant cybersecurity controls.
The presentation of the report is an important aspect, and sufficient marks will be allocated for the presentation and organisation of the report, which includes the use of appropriate headings and sub-headings and appropriate use of bullet points, tables, images, etc. Appropriate use of the English language is also important, with a focus on grammar, spelling, writing style, and correct referencing.
1. Executive Summary
This section should highlight the focus of the report and its importance for the intended audience. You also need to provide a very brief overview of what you have included in the report.
2. Introduction / Context Establishment
In this section, you need to state the purpose of this report. You also need to define the scope and boundaries of the risk assessment process. You need to provide justification for why this review is important with reference to business objectives. You can mention relevant legal compliance constraints if any. You need to explain and justify the tool you will use to evaluate risk.
3. Risk Assessment
In this section, you need to identify relevant risks, analyse their characteristics, and evaluate their potential business impacts based on the calculations of the selected tool(s). While doing the risk assessment, make sure your discussion is limited to the potential risks linked with critical vulnerabilities or faults in the client’s system, and highlight the threats that may be initiated by malicious adversaries. Also, include the relevant Excel sheets of the selected tool to support your arguments.