THE LEARNING OUTCOMES
• Select and use applicable standards and methods for information security and risk management.
• Conduct and properly document risk assessment based on a given scenario.
• Find and evaluate appropriate published information to remain up-to-date about threats, vulnerabilities and patches.
ASSESSMENT SCENARIO
The XYZCLOUD scenario (note: this scenario is completely fictitious).
XYZCLOUD is a new cloud service company in Preston, and its current IT infrastructure is depicted in Figure 1. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organisations.
The IT infrastructure comprises:
• Employees' computers (Human Resource and Admin PCs) running Windows XP SP2.
• A machine running an SQL server (MySQL), which stores all personal information about customers and employees.
• A DMZ (Demilitarized Zone) containing a mail server (Microsoft Exchange Server version 12), which stores all emails and attached files, and a web server (IIS 5) hosting the company's websites. Note that the most recent version of Microsoft Exchange Server is version 20.
• A Windows-based authentication server for authenticating the customers and employees.
• A firewall with firmware version 1.2 to protect the internal network from the outside world (the internet). Note that the most recent firmware version of the firewall is version 2.0.
• The servers hosting the documents of customers (cloud storage services).
• The servers hosting the virtual machines for providing cloud computing services.
• All the servers and PCs are connected to switches and routers so that they can communicate with each other. The router serves as the gateway between the internal network and the internet. Note that the most recent firmware version of the switches and routers is version 1.2.
After some attack incidents and financial loss, the company realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.
ASSESSMENT BRIEF
In this assignment you have to:
• Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.
• Write a detailed risk assessment report (see Section 4 for the required structure).
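A worked example of the risk estimation step of the assessment, added here as an illustration and not part of the assignment brief or of any XYZCLOUD material: a small Python risk register that scores each entry as likelihood x impact on a three-point scale, maps the score to a risk level and an ISO 27005 treatment option, ranks the register, and flags components whose installed firmware or software version lags the current version stated in the scenario. The scales, thresholds, the individual likelihood/impact ratings and the treatment mapping are assumptions chosen for illustration; only the version numbers (firewall 1.2 vs 2.0, switches/routers 1.2 vs 1.2, Exchange 12 vs 20) come from the scenario.

```python
"""Qualitative risk register in the style of ISO 27005 risk estimation.

Example code written for this page; scales, thresholds and ratings are
illustrative assumptions, not values prescribed by ISO 27005.
"""
from dataclasses import dataclass

# Three-point ordinal scale used for both likelihood and impact (assumption).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # a key of SCALE
    impact: str      # a key of SCALE

    def score(self) -> int:
        """Risk score = likelihood x impact, in the range 1..9."""
        return SCALE[self.likelihood] * SCALE[self.impact]


def risk_level(score: int) -> str:
    """Map a 1..9 score onto a qualitative level (thresholds are assumptions)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def treatment_option(level: str) -> str:
    """Suggested ISO 27005 treatment option per level (mapping is an assumption)."""
    return {"high": "modify", "medium": "modify or share", "low": "retain"}[level]


def parse_version(version: str) -> tuple:
    """'1.2' -> (1, 2); '12' -> (12,). Numeric comparison, not string comparison."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is strictly older than the latest one."""
    return parse_version(installed) < parse_version(latest)


# Installed vs. current versions taken from the scenario description.
VERSIONS = {
    "firewall": ("1.2", "2.0"),
    "switches/routers": ("1.2", "1.2"),
    "Exchange Server": ("12", "20"),
}


def outdated_components() -> list:
    """Names of components whose installed version lags the current version."""
    return [name for name, (inst, latest) in VERSIONS.items() if is_outdated(inst, latest)]


# Constructed register for the scenario; the ratings are illustrative assumptions.
REGISTER = [
    Risk("Firewall (firmware 1.2)", "exploitation of flaws fixed in newer firmware",
         "firmware behind the current 2.0 release", "high", "high"),
    Risk("HR/Admin PCs (Windows XP SP2)", "malware infection",
         "operating system no longer supported by the vendor", "high", "medium"),
    Risk("Mail server (Exchange 12) in DMZ", "phishing and malicious attachments",
         "mail server behind the current version 20", "medium", "high"),
    Risk("Web server (IIS 5) in DMZ", "web server compromise",
         "outdated web server software", "medium", "high"),
    Risk("Database server (MySQL)", "unauthorised access to personal data",
         "single store of all customer and employee data", "medium", "high"),
    Risk("Switches/routers (firmware 1.2)", "misconfiguration",
         "firmware current; configuration not reviewed", "low", "medium"),
]


def rank_register(risks) -> list:
    """Highest score first; sorted() is stable, so ties keep register order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def report(risks) -> list:
    """One line per risk: level, score, treatment and asset."""
    lines = []
    for r in rank_register(risks):
        level = risk_level(r.score())
        lines.append(f"{level:6} {r.score()}  {treatment_option(level):15} {r.asset}")
    return lines


if __name__ == "__main__":
    print("Outdated components:", ", ".join(outdated_components()))
    print("\n".join(report(REGISTER)))
```

Running the block prints the outdated components (firewall and Exchange Server; the switches and routers are already on the current firmware) and the register ranked by score. For the report itself, each row of such a register is what Section 4 expects you to document: the asset, the threat and vulnerability pair, the two ratings with a justification, the resulting level, and the chosen treatment.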
FLEXIBILITY OF THE SOFTWARE/HARDWARE/FIRMWARE PARAMETERS
As you can see, no specific hardware and software details are given in Figure 1. To avoid everyone working on exactly the same network (and hence copying from each other), before doing the risk assessment you have to specify the system parameters and the system boundaries, including the operating systems, hardware, software/applications and firmware in use. Ideally, each of you will work with a different set of system parameters and scope that you have chosen or specified.
SUBMISSION DETAILS
The 2000-word risk assessment report (excluding the entire bibliography list) should be submitted as a .docx file to the appropriate assignment submission link on Blackboard. All references and in-text citations in the report should follow the Harvard style of referencing.
REPORT STRUCTURE
To meet the requirements, your report must have a professional look. To help you in this regard, the following structure is provided as a guideline. The report must contain the following main sections; however, you may add subsections as you see fit.