Information Security risk management
The following headings are indicative of what should be
included and provide a guideline:
You are required to assess the information security situation in the
selected organization and prepare a security plan that includes
recommendations for improvements. Assume that you are the
recently appointed head of security team responsible for protecting
the information holdings of a selected organization. The security
team is responsible for overseeing the security of information from
deliberate and accidental threats. Management has directed the team to
undertake security analysis and planning to improve the
organization’s information security.
You must address at least the following in the report.
1. Identify and describe the main categories of information
assets that may be at risk and have to be protected.
2. Appraise the actual and potential threats and
vulnerabilities of the organization’s information assets.
3. Conduct quick, high-level risk assessments (Business
Impact Analysis) for all information systems, determining whether
each is ‘critical’ from the perspective of Confidentiality,
Integrity or Availability.
4. Develop a security plan that describes counter-measures
that will manage the threats that put the organization’s
information assets at risk from a risk management
5. Draft an information security policy according to ISO
27001/27002 that should reflect the findings of the risk
6. Develop a comprehensive information security education
and awareness programme for use by management, staff
and contractors for the selected organization.
7. Recommendations you can make to improve the
information security situation of the organization.
8. Presentations in the form of PowerPoint slides
Note: for the risk assessment and vulnerability scanning there are many tools, such as Nessus or GFI; choose one tool to perform the scanning and obtain the reports.
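The high-level risk assessment in items 2 to 4 (appraise threats, run a Business Impact Analysis per system, rank what the security plan must treat first) is easiest to make consistent with a small risk register. The following is an added example written for this brief, not material from the brief itself: the 1 to 5 rating scales, the criticality threshold of 4, the 5x5 matrix bands, and the sample assets and threats are all constructed assumptions to be replaced with the selected organization's own values.

```python
"""Qualitative Business Impact Analysis / risk register helper.

Added example, not part of the assignment brief. All scales, thresholds
and sample data below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumption: qualitative 1..5 scale for both impact and likelihood
# (1 = negligible / rare, 5 = severe / almost certain).
SCALE = range(1, 6)


def _check(value: int, label: str) -> None:
    if value not in SCALE:
        raise ValueError(f"{label} must be between 1 and 5, got {value!r}")


@dataclass(frozen=True)
class Asset:
    name: str
    category: str           # asset category from item 1, e.g. "customer data"
    confidentiality: int    # impact if disclosed (C)
    integrity: int          # impact if altered or corrupted (I)
    availability: int       # impact if unavailable (A)

    def __post_init__(self) -> None:
        for label, value in (("C", self.confidentiality),
                             ("I", self.integrity),
                             ("A", self.availability)):
            _check(value, f"{self.name} {label} impact")

    def impacts(self) -> dict[str, int]:
        return {"C": self.confidentiality, "I": self.integrity,
                "A": self.availability}


@dataclass(frozen=True)
class Threat:
    description: str
    asset: str              # name of the Asset it applies to
    likelihood: int         # 1..5, from the threat appraisal in item 2
    affects: tuple[str, ...]  # which of C, I, A the threat undermines

    def __post_init__(self) -> None:
        _check(self.likelihood, f"{self.description} likelihood")
        if not self.affects or set(self.affects) - {"C", "I", "A"}:
            raise ValueError("affects must be a non-empty subset of C/I/A")


def criticality(asset: Asset, threshold: int = 4) -> set[str]:
    """CIA properties for which the system counts as 'critical' (item 3).
    Assumption: an impact rating >= threshold makes that property critical."""
    return {prop for prop, impact in asset.impacts().items() if impact >= threshold}


def risk_score(threat: Threat, asset: Asset) -> int:
    """likelihood x worst-case impact across the properties the threat affects."""
    worst = max(asset.impacts()[prop] for prop in threat.affects)
    return threat.likelihood * worst


def risk_band(score: int) -> str:
    """Assumed 5x5 risk-matrix bands used to prioritise treatment in item 4."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_register(assets: list[Asset], threats: list[Threat]) -> list[dict]:
    """Join threats to assets and return rows sorted by descending risk score."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]   # KeyError here means an unregistered asset
        score = risk_score(t, a)
        rows.append({"asset": a.name, "category": a.category,
                     "threat": t.description, "score": score,
                     "band": risk_band(score),
                     "critical_for": "".join(sorted(criticality(a)))})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data for a fictional organization.
ASSETS = [
    Asset("Customer database", "customer data", confidentiality=5, integrity=4, availability=3),
    Asset("Public website", "application", confidentiality=1, integrity=3, availability=4),
    Asset("Payroll system", "application", confidentiality=4, integrity=5, availability=2),
]
THREATS = [
    Threat("Credential theft via phishing", "Customer database", 4, ("C", "I")),
    Threat("Denial-of-service against web front end", "Public website", 3, ("A",)),
    Threat("Accidental misconfiguration by administrator", "Payroll system", 2, ("I", "A")),
    Threat("Storage hardware failure", "Customer database", 2, ("A",)),
]

if __name__ == "__main__":
    for row in build_register(ASSETS, THREATS):
        print(f"{row['score']:>2} {row['band']:<8} {row['asset']:<18} "
              f"critical for {row['critical_for'] or '-':<3} : {row['threat']}")
```

The register output is the input to the security plan: rows in the Critical and High bands get counter-measures first, and the `critical_for` column records which of C, I or A each treatment must protect, which is the evidence the BIA in item 3 asks for.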