Risk Assessment Report


First, this paper will distinguish the terms risk identification and risk assessment. Risk identification is the process of finding the positive and negative risks that influence the achievement of a goal. Risk assessment is the gauging of the identified risks, both quantitatively and qualitatively. The key difference between the two terms is therefore that risk assessment comes after risk identification. This report will determine and explain RIT's risks by classifying its information assets and investigating the various threats to them and the weaknesses those threats exploit. These threats and weaknesses are discussed in detail later in the report (Whitman & Mattord, 2004). RIT holds valuable intellectual and non-intellectual assets, which makes it an attractive target for a wide range of attacks. The main objective of intruders or attackers is to cause harm, expose private information, misuse important information or steal ideas. Such actions damage the reputation of an organization or business enterprise.

To counter these threats, we will focus on best practices for identifying threats and weaknesses and on the recommended measures for limiting intrusion. The first task is to identify RIT's information assets, i.e. the assets of the institution, through a process of self-evaluation. This allows the information assets to be classified into meaningful groups and prioritized according to their significance to the institution. It also helps us to identify the intrusions that threaten these assets and the impact they would have on the organization. We are then able to derive comprehensive practices and standards that help counter these risks. Various procedures should be followed to reduce the threats to RIT's environment as far as is practical (Raggad, 2010).

The steps are: identifying the assets specific to RIT, classifying the assets into broad categories and prioritizing them according to their significance, identifying the threats to which RIT is vulnerable, and analyzing the existing threats and the weaknesses they exploit.

Identification of Assets

The first step RIT should take is to identify its information assets, i.e. to define the information and data that matter to its operation. It is crucial to identify the assets that need protection and the procedure that we should follow when protecting them. RIT's information assets include communications stored in the network, institutional information held on digital media such as hard disks, and the personal information of its members (Dhillon, 2001).

As chief information security officer (CISO) of RIT, we would classify the information assets as software, hardware, data or information, people, applications, and procedures or instructions. When we talk about people as information assets, we mean system users, system administrators, stakeholders, system analysts, system managers and system developers, among others. These people may or may not be affiliated with RIT, yet have access to its resources, assets and information (Engineers & Board, 2010).

The table below summarizes these categories, listing for each the information technology components, the corresponding risk management components and examples.

Software (logical control measures)
Components: operating system, system applications such as Microsoft Office, device drivers, business software such as enterprise resource planning (ERP), utilities built into the system, security software such as firewalls.
Examples: Windows operating system, sound drivers, graphics drivers, among others.

Hardware (physical and administrative security measures and standards)
Components: printers, workstations, servers, computer labs, terminals, disk drives, connection cables, monitors and system units.
Examples: laser printers, web servers such as Apache, database servers, routing equipment such as routers and gateways, network cables. Physical security measures such as building robust computer labs also belong here. Examples of administrative security measures include standards and policies that every person has to obey.

Network (networking devices, infrastructure and applications)
Components: routers, hubs, switches, communication cables or lines, wireless access points, firewalls, network management software, gateways.
Examples: the various items of network equipment and software listed above.

People (system users, system analysts, stakeholders, system developers, IT experts, system managers and system administrators)
Components: members of the organization, administration, staff, students, outsourced personnel, visitors, among others.
Examples: end-users, employees, staff, students, and the people who maintain the system, i.e. oversee its operations.

Procedures (operational procedures and internal security)
Components: information and business standards and policies, educational procedures, as well as business-sensitive information and technology.

Information or data
Components: personal data records of staff, students or faculty members.
Examples: students' personal information, students' identification information, employees' identification data, university identification numbers, and education records such as the catalogue of books the institution holds.

The data category breaks down further:

Research documents: pre-existing information of the organization; it emerges when research is conducted or during the intellectual property protection process.

Technical documentation: crucial information comprising technology system information, system passwords, information security plans and contingency plans, among others.

Financial data: RIT's financial information, including bank account numbers, credit or debit card numbers and PCI cardholder data.

RIT-owned public information: any information available without restriction. It may come from the institution's sites, information media, maps, calendars, plans and manuals.

Internally produced data: internally sent e-mails and correspondence.

Sensitive third-party data: information protected by non-disclosure agreements or contracts with private contractors.

Classification of Assets

Once the assets are identified, they must be classified into categories. These assets can be classified as private, confidential, internal and public. Private assets are information that criminals and intruders use to compromise someone's identity, such as a person's bank account number, social security number, individual taxpayer identity, driving license number and revenue authority PIN. Confidential information is data whose access is restricted according to its importance; it may include employees' payment details, students' payment details and the institution's financial information, among others. Internal assets are information specific to the RIT community, such as staff, students, alumni, vendors, volunteers and other business associates. Public information is information to which the organization does not restrict access; it can be accessed by any person without restriction.

The table below describes the classification of RIT's information assets.

Classification / Information assets

Private: social security numbers, bank account numbers, revenue authority PINs, electronic transaction passwords and national identification numbers.

Confidential: information that should be known only to its owner, such as marital status, health information of the University's employees and students, and third-party information, among others.

Internal: business associates, the daily operations of the organization, and library information.

Public: external websites and displayed material such as videos, journals, periodicals, newspapers and magazines.

Prioritizing of Assets

Prioritizing of assets refers to a series of steps used to tailor consistent initiatives in a business environment. The method helps organizations create procedures that define the probability and consequences of threats to each asset. It also helps in establishing risk tolerance levels and applying the resulting guidelines to rank RIT's assets. The table below describes the protection measures implemented to ensure that RIT's information is protected properly.

Type of control / Protection measure / Preference among RIT's staff and students

Logical control measure: use of passwords. A large share of people (both employees and students) recommend the use of passwords. Examples of resources that students access through passwords include e-mail and other accounts.

Logical control measure: media backup. RIT's stakeholders also prefer backing up the institution's assets.

Logical control measure: virus protection software. The use of antivirus programs protects the safe use of RIT's assets.

Logical control measure: use of a firewall. Using a firewall to monitor network traffic is an effective and efficient method of protecting the organization's assets.

Identification of Threats

This is the third step, in which we identify the potential threats. RIT may face a wide range of threats and should be aware of those that may affect its operations, such as viruses and dishonest employees. As chief information security officer, one of my main concerns would be to determine the susceptibility of its assets. As we have seen, there are many ways in which threats can penetrate the organization. To counter them, we have to stay up to date in the fields of information security, technology and business. One of the main things to do is to conduct an information technology audit, i.e. to investigate RIT's vulnerabilities. Once we identify the weaknesses, we have to search for measures that could protect the organization's information (Minoli & Kouns, 2010). The collected information about the threats should be studied and analyzed to determine the likelihood of each affecting the organization's information.

The following list describes the threats applicable to RIT's environment.

Threat / Description

Software failure: system crashes, program bugs, malicious executing programs (viruses), logic errors.

Hardware failure: power loss, damage to equipment, resource-sharing problems, system crashes.

Human error: users' mistakes, administrators' failures, disgruntled employees, repudiation, phishing attacks, ignoring security policies, inadequate training, and external factors such as competitors.

Unauthorized access to information: intruders spy for confidential information such as bank account details and may sniff traffic on the network. Spoofing and phishing are methods used to gain access to the organization's information.

Compromises to intellectual property: network administrators' errors, hacking of sites and databases.

Information extortion: blackmailing a person to obtain unauthorized information.

Theft of information: an individual steals the organization's information, commonly with the intention of harming the organization or exposing its private data.

Software attacks: viruses, worms, malware, spyware, key loggers and botnets.

Forces of nature and other uncontrollable events: natural calamities, fire, earthquakes, floods, and political violence.

Technology obsolescence: reliance on outdated, unsupported systems and software as RIT's security mechanisms.

Suppliers and distributors in the market: fluctuations in the economy may leave suppliers unable to provide what RIT needs, creating a scarcity of the materials RIT uses.

Quality of service providers: loss of power or network connectivity due to the provider's failure.

Potential Vulnerabilities

At this stage the chief information security officer identifies the loopholes in the organization. A vulnerability is a weakness in a system that intruders exploit to cause security breaches such as harm to or loss of data. RIT's large number of stakeholders increases the number of weaknesses in its systems; RIT's management information system, for example, may have many of them, and one cannot assume that everyone working in the organization has deep experience with the technology.

Once the weaknesses are identified, we have to come up with methods that reduce the risk. Threats become risks to RIT's assets only where a vulnerability exists. Vulnerabilities can be found in any sector of the organization, as well as in communication channels and the management information systems. The RIT chief information security officer's objective is to reduce identifiable weaknesses.

Examples of vulnerabilities at RIT include flaws in software developed by vendors, unskilled employees, and outsourced contractors. It is therefore essential that software audits are done regularly to reduce the number of intruders that may harm the organization. When system software is being developed, RIT should emphasize modular design and code review so that an attacker cannot quietly insert covert channels or back doors into the system. An example of such an attack is a salami attack, in which amounts individually too small to notice are repeatedly skimmed from RIT's banking transactions. RIT should ensure that its systems are audited regularly (Antón and Agency, 2003).

Possible vulnerability / Threat and examples

Vulnerability: hardware failure that can cause system crashes, for example the failure of a hard disk.
Threat: a critical hardware failure; information may be lost or exposed to unauthorized individuals.

Vulnerability: network failure due to the service provider's inability to provide Internet connectivity.
Threat: hackers may access system information while security programs are not functioning.

Vulnerability: software and systems lacking proper security features to withstand cyber-attacks.
Threat: attacks on critical software and system assets.

Vulnerability: system configuration errors by employees (staff, faculty or even students).
Threat: loss or exposure of data.

Vulnerability: employees or other people involved failing to adhere to the rules and regulations set by RIT.
Threat: a critical administrative failure, which may result in dishonest employees disclosing personal information.

Vulnerability: software developed by contractors or vendors containing flaws, including planted threats such as a logic bomb that triggers after a set time or condition.
Threat: critical system failures.

Vulnerability: lack of a proper plan and control measures for unanticipated events such as natural calamities, i.e. drought, famine or flood.
Threat: natural calamities can cause vast destruction of buildings and equipment, compromising the storage of information.

Vulnerability: insufficient security features in edge devices such as routers, gateways, switches, hubs and firewalls.
Threat: malicious attacks may succeed.

Vulnerability: inadequately secured mobile devices such as tablets, laptops and iPhones; this equipment is easily stolen.
Threat: theft.

Vulnerability: people from other companies surveying what RIT is doing and conducting activities that can harm the institution.
Threat: external factors such as competitors.

Vulnerability: disgruntled employees using their position to search for something that benefits them; for example, employees may be paid by the organization's competitors to compromise it.
Threat: internal factors.

Vulnerability: employees' dissatisfaction encouraging them to steal and perform other illegal activities.
Threat: internal threats.
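The prioritizing step described earlier (probability and consequence per asset, a risk tolerance level, a ranking) can be applied to the vulnerability and threat pairs above. The following is an added example, not part of the original report or of any RIT system: it scores each asset/threat pair by likelihood, impact and the asset's classification, discounts the share already mitigated by the protection measures in the earlier table, and ranks the pairs against a tolerance level. All assets, threats, ratings, classification weights and the tolerance value are constructed for illustration.

```python
"""Risk register that ranks asset/threat pairs.

Added example, not part of the original report. Every asset, threat,
rating, weight and the tolerance level below is constructed for
illustration; none of it is RIT data.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Consequence weight per classification from the 'Classification of Assets'
# section. Assumed values: the more restricted the data, the costlier its loss.
CLASSIFICATION_WEIGHT = {"private": 4, "confidential": 3, "internal": 2, "public": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # key of CLASSIFICATION_WEIGHT


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    controlled: float = 0.0  # share of the risk already mitigated by existing controls


@dataclass(frozen=True)
class RiskEntry:
    asset: Asset
    threat: Threat
    score: float
    exceeds_tolerance: bool


def risk_score(asset: Asset, threat: Threat) -> float:
    """Likelihood x impact, scaled by asset sensitivity, minus the controlled share."""
    if asset.classification not in CLASSIFICATION_WEIGHT:
        raise ValueError(f"unknown classification: {asset.classification!r}")
    for label, value in (("likelihood", threat.likelihood), ("impact", threat.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be in 1..5, got {value}")
    if not 0.0 <= threat.controlled <= 1.0:
        raise ValueError(f"controlled must be a fraction 0..1, got {threat.controlled}")
    raw = threat.likelihood * threat.impact * CLASSIFICATION_WEIGHT[asset.classification]
    return round(raw * (1.0 - threat.controlled), 2)


def build_register(pairs: List[Tuple[Asset, Threat]], tolerance: float) -> List[RiskEntry]:
    """Score every pair, flag those above the tolerance level, rank high to low."""
    entries = []
    for asset, threat in pairs:
        score = risk_score(asset, threat)
        entries.append(RiskEntry(asset, threat, score, score > tolerance))
    return sorted(entries, key=lambda e: e.score, reverse=True)


def needs_treatment(register: List[RiskEntry]) -> List[RiskEntry]:
    """The pairs to treat first: those above the tolerance level."""
    return [e for e in register if e.exceeds_tolerance]


# Constructed sample data (hypothetical assets and ratings).
STUDENT_RECORDS = Asset("student personal records", "private")
PAYROLL = Asset("employee payroll data", "confidential")
LIBRARY_CATALOGUE = Asset("library catalogue", "internal")
CAMPUS_MAP = Asset("campus map on public website", "public")

# 'controlled' reflects the measures from the protection table: passwords
# against phishing, media backup against disk failure, antivirus against
# malware, a firewall in front of the web site. Values are assumed.
PHISHING = Threat("phishing of staff credentials", likelihood=4, impact=4, controlled=0.25)
DISK_FAILURE = Threat("hard disk failure", likelihood=3, impact=4, controlled=0.5)
MALWARE = Threat("malware or key logger on a workstation", likelihood=3, impact=3, controlled=0.5)
FLOOD = Threat("flood in the server room", likelihood=1, impact=5)
DEFACEMENT = Threat("web site defacement", likelihood=2, impact=2, controlled=0.4)

SAMPLE_PAIRS = [
    (STUDENT_RECORDS, PHISHING),
    (STUDENT_RECORDS, DISK_FAILURE),
    (PAYROLL, MALWARE),
    (PAYROLL, PHISHING),
    (LIBRARY_CATALOGUE, FLOOD),
    (CAMPUS_MAP, DEFACEMENT),
]
TOLERANCE = 20.0  # assumed risk-tolerance level; scores above it are treated first


def example_register() -> List[RiskEntry]:
    """Ranked register for the constructed sample data."""
    return build_register(SAMPLE_PAIRS, TOLERANCE)


if __name__ == "__main__":
    for entry in example_register():
        flag = "TREAT" if entry.exceeds_tolerance else "accept"
        print(f"{entry.score:6.1f}  {flag:6}  {entry.asset.name} / {entry.threat.name}")
```

With these constructed ratings the phishing threat to private student records ranks first (score 48.0), phishing of payroll data second (36.0) and disk failure of student records third (24.0); all three exceed the tolerance of 20 and would be treated first, while the remaining pairs are accepted. The classification weight is what lifts the private and confidential assets above the internal and public ones even when the threat ratings are similar, which is the reason the report classifies assets before prioritizing them.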


The main goal of this paper was to determine RIT's information assets. It identified the possible risks to the organization, and the potential vulnerabilities were determined, reviewed and documented. These vulnerabilities could be exploited by the threats listed above to damage the assets. As chief information security officer, the measures included in this report will improve RIT's security and operations.
