26 Oct For this project, you will continue your research from Project #1 by reviewing and then analyzing your chosen companys risk statements as published each year in the companys Annual Report

Project 2 –Risk Analysis

Description

For this project, you will continue your research from Project #1 by reviewing and then analyzing your chosen company’s risk statements as published each year in the company’s Annual Report to Investors (also published in the company’s annual filing of SEC Form 10-K). After analyzing the company’s IT operations and its risk statements about those activities, you will construct and document your own IT focused risk analysis including both its primary operations and all supporting business processes. Your risk analysis will also address information risks and technology risks which you identify in your research about the company.

Note: before beginning this assignment, you should review NIST SP 800-30 R1: Guide for Conducting Risk Assessments. Pay special attention to Appendix D: “Threat Sources: Taxonomy of Threats Sources Capable of Initiating Threat Events” and Appendix H: “Impact: Effects of Threat Events on Organizations, Individuals, and the Nation.”

Conduct Additional Research for Your Chosen Company

1. Extend the research that you did for Project #1 by reviewing the company’s website to learn more about the company’s business areas and operations.

2. Retrieve the Hoovers profile for the company. You should use the same company and profile that you used for Project #1. The base URL for Hoover’s is http://ezproxy.umgc.edu/login?url=http://www.mergentonline.com/Hoovers You will need to login to the library using your UMGC SSO login credentials.

3. Review the SWOT and Technologies in Use sections of the Hoover’s profile.

4. Retrieve the Form 10K for the company using the URL provided in Project #1.

5. Identify 3 or more additional sources of information about the company and how it uses Information Technologies to conduct its business operations. These sources can be news articles, data breach reports, etc.

6. Using the information obtained from your sources, identify the types of information and business operations which drive this company’s need for cybersecurity products and services. (What information or information infrastructures need to be protected?)

Analyze the Information and Information Technology Risks for Your Company

1. Retrieve the Form 10K for the company you reviewed for Project #1.

2. Read and analyze the Risk Factors section in the company’s most recent Form 10-K (pay close attention to Item 1.A). This Form 10-K contains a professionally written risk analysis that has been written for a specific audience (investors and shareholders). Pay close attention to what the company includes as risk factors and how the writers chose to present this information.

3. Analyze the risk factors, as stated by the company, to determine which ones are related to information and information technology used in its business operations or which are otherwise affected by the use of information in digital form and Information Technology systems and infrastructures (e.g. financial risks associated with digital currency transactions).

4. Review the SWOT Analysis from the Hoovers report. Identify information or IT related risk factors presented in this analysis.

5. Review the Technologies in Use section of the Hoovers report. Choose 5 or more specific technologies in use by the company which contribute to the company’s risk factors. You may need to research specific vulnerabilities or recent attacks against these technologies. Use the product name followed by “vulnerabilities” in an Internet search engine to retrieve vulnerabilities reports.

6. Complete your research by reviewing news stories and cybersecurity analyst reports of how this company or the technologies it uses can be attacked or compromised in ways that adversely impact its IT security posture. (Use recent news stories and blogs from IT security analysts at companies such as Sophos, SC Magazine, Norton, Mandiant, etc.). If you need additional suggestions for sources, check the UMGC library’s LibGuide for Cybersecurity Resources https://libguides.umgc.edu/cybersecurity

Develop and Document Your Risk Profile

1. Begin by copying Table 1 from this assignment file into a new file (for your assignment submission). This table will become your Risk Profile Table. (Delete the example text.)

2. Transfer your identified risk factors and technology vulnerabilities into the Risk Profile table (one item or risk factor per row).

a. Enter a unique Risk ID for each row.

b. Enter a brief but unique title for each risk factor or technology vulnerability

c. Enter a description that briefly explains what the risk or vulnerability is. Identify the information, digital assets, and/or business operations (processes) affected by this risk, e.g. people, processes, or technologies that need to be protected from threats and attacks (including insiders and external threats).

d. In the category column, categorize the type of risk or threat that could affect the item. You can use the basic “People, Processes, Technologies” framework or create a set of categories of your own choosing.

e. In the impact column, rate the potential for loss or harm should this risk materialize (an attack occurs). You can use “low, medium or high” but remember that rating everything at the same level is not helpful when executives with limited budgets need to allocate funding for risk remediation (which you will address in Project #3).

3. When you are finished, you should have identified and documented 15 or more risks related to the company’s business operations, use of the Internet, the company’s IT systems and infrastructures (including “technologies in use”), and the types and collections of information used by the company.

Write

1. An introduction section which identifies the company being discussed and provides a brief introduction to the company (you may reuse some of your narrative from Project #1). Your introduction should include a brief overview of the company’s business operations.

2. A separate analysis section in which you describe this company’s needs or requirements for IT security. What are the likely sources of threats or attacks for each type of information or business operation? What information and/or business operations need to be protected? Make sure to identify and discuss the sources of information used in your analysis.

3. A separate analysis section in which you present your risk profile in table format. Provide an introductory paragraph that explains the risk profile, e.g. what information is contained in the table and what sources were used to obtain this information. In your introductory paragraph, identify the sources used to provide the information presented in the table. This attribution will take the place of in-text citations in the description column and makes the table easier to read.

4. A separate closing section which provides a summary of the risk analysis, the identified risks, and potential impacts of risks upon the company’s operations as a whole.

Submit Your Work for Grading and Feedback

Before you submit your work, check the rubric (displayed in the Assignment Folder entry) to make sure that you have covered all required content including citations and references.

Submit your work in MS Word format (.docx or .doc file) using the Project #2 Assignment in your assignment folder. (Attach the file.)

Additional Information

1. Your 8 to 10 page Risk Analysis should be professional in appearance with consistent use of fonts, font sizes, colors, margins, etc. You should use headings and sub-headings to organize your paper. Use headings which correspond to the content rows in the rubric – this will make it easier for your instructor to find required content elements and will help you ensure that you have covered all required sections and content in your paper.

2. The stated page length is a recommendation based upon the content requirements of the assignment. All pages submitted will be graded but, for the highest grades, your work must be clear, concise, and accurate. Exceeding the recommended length will not necessarily result in a higher grade. Shorter submissions may not fully meet the content requirements resulting in a lower grade.

3. The INFA program requires that graduate students follow standard APA style guidance for both formatting and citing/reference sources. Your file submission must be in MS Word format (.docx). PDF, ODF, and other types of files are not acceptable.

4. You must include a cover page with the course, the assignment title, your name, your instructor’s name, and the due date. Your reference list must be on a separate page at the end of your file. These pages do not count towards the assignment’s minimum page count.

5. You are expected to write grammatically correct English in every assignment that you submit for grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c) verifying that your punctuation is correct and (d) reviewing your work for correct word usage and correctly structured sentences and paragraphs.

6. You are expected to credit your sources using in-text citations and reference list entries. Both your citations and your reference list entries must follow APA Style guidance. Use of required readings from the course as sources is expected and encouraged. Where used, you must cite and provide references for these readings.

7. When using Security and Privacy controls from NIST SP 800-53, you must use the exact numbering and names (titles) when referring to those controls. This information does not need to be treated as quotations. You may paraphrase or quote from the descriptions of the controls provided that you appropriately mark copied text (if any) and attach a citation for both quoted and paraphrased information.

8. Consult the grading rubric for specific content and formatting requirements for this assignment.

9. All work submitted to the Assignment Folder will be scanned by the Turn It In service. We use this service to help identify areas for improvement in student writing.

INFA 610 Foundations of Information Security and Assurance

Copyright © 2022 by University of Maryland Global Campus. All rights reserved.

Table 1. Risk Profile for [company]

Risk ID	Risk Title	Description	Risk Category	Impact Level
001
002
003
004
005
006
007
008
009
010
011
012
013
014
015