Risk Assessment for XYZCLOUD IT Infrastructure

  • Select and use applicable standards and methods for information security and risk management.
  • Conduct and properly document risk assessment based on a given scenario.
  • Find and evaluate appropriate published information to remain up-to-date about threats, vulnerabilities and patches.

The XYZCLOUD scenario (note: this scenario is completely fictitious).

XYZCLOUD is a new cloud service company in Preston, and its current IT infrastructure is depicted in Figure 1. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organisations.     

Figure 1. The IT infrastructure of XYZCLOUD

The IT infrastructure comprises:

  • Employee computers (Human Resource and Admin PCs) running Windows XP SP2.
  • A database server (running MySQL) that stores all personal information about customers and employees.
  • A DMZ (Demilitarized Zone) containing a mail server (Microsoft Exchange Server version 12), which stores all emails and attached files, and a web server (IIS 5) hosting the company's websites. Note that the most recent version of Microsoft Exchange Server is version 20.
  • A Windows-based authentication server for authenticating customers and employees.
  • A firewall with firmware version 1.2 to protect the internal network from the outside world (the internet). Note that the most recent firmware version of the firewall is version 2.0.
  • The servers hosting the documents of customers (cloud storage services).
  • The servers hosting the virtual machines for providing cloud computing services.
  • All the servers and PCs are connected to switches and routers so that they can communicate with each other. The router serves as a gateway between the internal network and the internet. Note that the most recent firmware version of the switches and routers is version 1.2.

After some attack incidents and financial loss, the company realized that it should carry out a risk assessment and improve its IT infrastructure with security controls.    

In this assignment you have to:

  • Conduct a risk assessment on the network in Figure 1, based on the ISO 27005 standard.
  • Write a detailed risk assessment report (see Section 4 for the required structure).   

As you can see, no specific hardware and software details are given in Figure 1. To avoid everyone working on exactly the same network (and hence copying from each other), before doing the risk assessment you have to specify the system parameters and the system boundaries, including the operating systems, hardware, software/applications and firmware in use. Ideally, each of you will work with a different set of system parameters/scope that you have chosen or specified.

To meet the requirements, your report must have a professional look. To help you in this regard, the following structure is provided as a guideline. The report must contain the following main sections; however, you are allowed to add subsections as you find reasonable.

  1. Introduction

Here you specify the risk assessment method that you use and discuss the advantages of that method. Finally, highlight the specific tasks that you will perform during the risk assessment of the given system.

  2. Risk Assessment

This section contains the main part (the results) of the report, namely the whole risk assessment process carried out on the system in Figure 1, together with your chosen system parameters. The section can include several sub-sections:

  • Owner specification.
  • Assets (primary and secondary). You should explain briefly why the assets are primary or secondary. You can give a collective explanation for a group of assets instead of explaining each asset separately.
  • One threat for each asset.
  • One vulnerability for each asset. The vulnerabilities have to be taken from one of the online vulnerability databases (e.g. NVD) and have to be given with the official CVE number.
  • Likelihood level computation, using a Boston grid.
  • Impact table specification.
  • Risk identification with the risk level, using a risk matrix (Boston grid).
    • At most 10 risks should be given.

  3. Summary and Recommendations

In this section you summarize the main findings and write a non-technical recommendation (executive summary) for the management/director board, explaining why they should invest in security and follow the ISO 27001 standard.
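The likelihood, impact and risk-matrix steps of the Risk Assessment section above can be carried out systematically in a small risk register. The following Python script is an added example written for this brief, not part of the assignment or of the ISO 27005 text: the asset owners, threats, likelihood ratings and consequences are constructed for the Figure 1 components, the two Boston grids and the impact table are illustrative choices, and every `CVE-YYYY-NNNN` value is a placeholder to be replaced with the official number looked up in NVD.

```python
"""Qualitative risk register for the XYZCLOUD scenario (constructed example).

Assumptions: three-level ratings (Low/Medium/High), likelihood derived from
threat likelihood x ease of exploitation, impact from a consequence table,
and risk from a likelihood x impact matrix. CVE values are placeholders.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Boston grid for likelihood: row = how likely the threat is to occur,
# column = how easily the named vulnerability can be exploited (hypothetical grid).
LIKELIHOOD_GRID = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}

# Impact table: business consequence of the threat succeeding, rated by level.
IMPACT_TABLE = {
    "Minor inconvenience, no data exposed": "Low",
    "Service disruption for customers": "Medium",
    "Exposure of personal or customer data": "High",
}

# Risk matrix (Boston grid): row = likelihood level, column = impact level.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "primary" (information/process) or "secondary" (supporting hardware/software)
    owner: str
    threat: str
    vulnerability: str      # official CVE number from NVD; placeholder here
    threat_likelihood: str  # Low / Medium / High
    exploitability: str     # Low / Medium / High
    consequence: str        # a key of IMPACT_TABLE


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    level: str
    score: int


def likelihood_level(threat_likelihood: str, exploitability: str) -> str:
    return LIKELIHOOD_GRID[threat_likelihood][exploitability]


def impact_level(consequence: str) -> str:
    return IMPACT_TABLE[consequence]


def risk_level(likelihood: str, impact: str) -> str:
    return RISK_MATRIX[likelihood][impact]


def assess(assets, max_risks: int = 10):
    """Build the register: one risk per asset, ranked, capped at max_risks."""
    risks = []
    for a in assets:
        lk = likelihood_level(a.threat_likelihood, a.exploitability)
        im = impact_level(a.consequence)
        # Numeric score (1..9) only orders risks; the qualitative level is the result.
        score = (LEVELS.index(lk) + 1) * (LEVELS.index(im) + 1)
        risks.append(Risk(a.name, a.threat, a.vulnerability, lk, im, risk_level(lk, im), score))
    risks.sort(key=lambda r: (-r.score, r.asset))
    return risks[:max_risks]


# Constructed register for the Figure 1 components; all ratings are illustrative.
ASSETS = [
    Asset("Customer and employee records (MySQL)", "primary", "Data Protection Officer",
          "SQL injection through the public website", "CVE-YYYY-NNNN (placeholder)",
          "High", "Medium", "Exposure of personal or customer data"),
    Asset("HR and Admin PCs (Windows XP SP2)", "secondary", "IT Manager",
          "Malware delivered by phishing e-mail", "CVE-YYYY-NNNN (placeholder)",
          "High", "High", "Exposure of personal or customer data"),
    Asset("Web server (IIS 5)", "secondary", "Web Team Lead",
          "Remote compromise of an unpatched service", "CVE-YYYY-NNNN (placeholder)",
          "High", "High", "Service disruption for customers"),
    Asset("Mail server (Exchange 12)", "secondary", "IT Manager",
          "Denial of service against the mail service", "CVE-YYYY-NNNN (placeholder)",
          "Medium", "Medium", "Service disruption for customers"),
    Asset("Firewall (firmware 1.2)", "secondary", "Network Administrator",
          "Filtering bypass through an outdated firmware flaw", "CVE-YYYY-NNNN (placeholder)",
          "Medium", "Low", "Exposure of personal or customer data"),
    Asset("Customer documents (cloud storage)", "primary", "Head of Cloud Services",
          "Unauthorised access to stored files", "CVE-YYYY-NNNN (placeholder)",
          "Low", "Medium", "Exposure of personal or customer data"),
]

if __name__ == "__main__":
    for r in assess(ASSETS):
        print(f"{r.level:6} (score {r.score}) {r.asset}: {r.threat} [{r.vulnerability}]")
```

Running the script prints the ranked register, with the two High/High entries (the customer records and the Windows XP PCs) at the top and the Low-likelihood items at the bottom; the `max_risks` cap enforces the "at most 10 risks" requirement. Replace the placeholder grids, ratings and CVE numbers with the ones you justify in your own report; the ranking logic does not change.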
