Risk analysis for a Company – Magerit practice 3.1

1. Practice statement.


In the proposed exercise, we will undertake a risk analysis for a small to medium-sized enterprise (SME) in the refurbishment and repair sector known as “Quick and Effective Solutions.” The analysis will be developed following the standards of the Magerit methodology, a benchmark in computer risk management.

The company director, Mrs. Carmen, has informed us during a preliminary interview about the operational structure of the company. She personally takes care of accounting and legal matters from her personal laptop. Additionally, she has an office assistant, Jaime, who handles communications, including emails and calls, and executes marketing strategies to attract new clients. The company’s IT infrastructure is overseen by the systems technician, Mr. Torres, who is responsible for maintenance and the implementation of security measures. On the ground, maintenance technicians, Luis and Ana, are equipped with smartphones that provide them access to the necessary information to carry out their work, such as customer addresses and assigned tasks.



The company’s headquarters is equipped with Windows 10 laptops, antivirus, and Microsoft Office software packages. The office has a robust internet connection via a 600 MB fiber optic line, ensuring efficient connectivity.

Furthermore, they have dedicated a room to house a rack with two Windows Server 2019 servers, one exclusively for email/DNS and the other hosting a web portal with http/https protocols and a MySQL database. To strengthen security, they have implemented two firewalls: one that acts as a barrier against external threats and another that protects the internal network.

With this information, we will address the following tasks:

  1. Identification of all company assets, classifying them according to the categories defined by Magerit.
  2. Determination of the possible threats each of these assets could face.
  3. Conducting a subjective assessment of the value of each asset and the probability of occurrence of the threats, as well as the potential impact in case they materialize.

For the evaluation, we will use a standardized valuation table that will allow us to homogenize and compare the results of the risk analysis.


Classification | Economic Range             | Frequency              | Impact        | Value
---------------|----------------------------|------------------------|---------------|------
Very High      | Asset > 15,000€            | Once a day             | > 80%         | 3.5
High           | 5,000€ < Asset < 15,000€   | Once every two weeks   | 50% < x < 80% | 2.5
Normal         | 1,000€ < Asset < 5,000€    | Once every two months  | 20% < x < 50% | 1.5
Low            | 300€ < Asset < 1,000€      | Once every six months  | 5% < x < 10%  | 1
Very Low       | Asset < 300€               | Once a year            | x < 5%        | 0

  4. Calculate the intrinsic risk.
  5. Identify/enumerate safeguards and assess their impact.
  6. Calculate the residual risk.
  7. In response to Carmen’s query on how to increase security at the office, present three security measure recommendations, including the reasons for your choice.

2. Proposed solution 1-6


The solution to these points is gathered in the following table. However, subsequent explanations are provided on specific points to give a better understanding of the results obtained.



Intrinsic risk is the level of risk before applying security measures (safeguards). The formula for calculating intrinsic risk is as follows:

  • Intrinsic Risk = (Threat Probability) x (Event Impact).

In the case at hand, the impact percentage that can affect the business has been taken to already incorporate the economic value of the asset. The intrinsic risk is therefore obtained simply by multiplying the impact value by the value of the probability (frequency) of the threat materializing, and only the valuation table provided in the exercise is needed for these calculations.

With the result obtained from the previous operation, the corresponding type of risk has been assigned based on a risk table that I have developed from the previous one. And based on this new risk table, a risk scale has been developed as shown below:




Regarding how the residual risk was calculated: residual risk is the level of risk that remains after security measures (safeguards) have been applied to reduce the initial (intrinsic) risk. The formula for calculating residual risk is as follows:

  • Residual Risk = Intrinsic Risk x (Effectiveness of Controls).

To establish a value for “effectiveness of controls,” the following table has been created:



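The following script is an added worked example (not code from the original article) that carries the two calculations above through for the assets named in the practice statement. The valuation table is the one given in the exercise; the risk-level bands and the "effectiveness of controls" factors are constructed assumptions, because the article's own risk scale and effectiveness tables are images that did not survive on this page. The sample asset/threat rows are likewise constructed for illustration.

```python
"""Magerit-style intrinsic and residual risk scoring for the practice.

Added example, not part of the original article. Only the valuation table
is taken from the exercise; everything marked 'assumption' is constructed.
"""
from dataclasses import dataclass

# Valuation table from the practice: category -> numeric value.
VALUE = {"Very High": 3.5, "High": 2.5, "Normal": 1.5, "Low": 1.0, "Very Low": 0.0}


def asset_level(euros: float) -> str:
    """Economic-range column of the valuation table."""
    if euros > 15_000:
        return "Very High"
    if euros > 5_000:
        return "High"
    if euros > 1_000:
        return "Normal"
    if euros > 300:
        return "Low"
    return "Very Low"


# Frequency column of the valuation table, keyed by a short label.
FREQUENCY_LEVEL = {
    "daily": "Very High",      # once a day
    "biweekly": "High",        # once every two weeks
    "bimonthly": "Normal",     # once every two months
    "semiannual": "Low",       # once every six months
    "annual": "Very Low",      # once a year
}


def impact_level(pct: float) -> str:
    """Impact column of the valuation table. The table leaves 10-20%
    unassigned; this treats that gap as 'Low' (assumption)."""
    if pct > 80:
        return "Very High"
    if pct > 50:
        return "High"
    if pct > 20:
        return "Normal"
    if pct > 5:
        return "Low"
    return "Very Low"


def intrinsic_risk(frequency: str, impact_pct: float) -> float:
    """Intrinsic Risk = (Threat Probability) x (Event Impact), both taken
    as values from the valuation table."""
    return VALUE[FREQUENCY_LEVEL[frequency]] * VALUE[impact_level(impact_pct)]


def risk_level(risk: float) -> str:
    """Constructed risk scale (assumption). Products of two table values
    range from 0 to 3.5 * 3.5 = 12.25; bands are roughly quartiles."""
    if risk >= 8.75:
        return "Critical"
    if risk >= 3.75:
        return "High"
    if risk >= 1.5:
        return "Medium"
    if risk > 0:
        return "Low"
    return "Negligible"


# Constructed effectiveness-of-controls factors (assumption): the fraction
# of the intrinsic risk that remains once the safeguard is in place.
CONTROL_FACTOR = {"none": 1.0, "partial": 0.5, "strong": 0.2}


def residual_risk(intrinsic: float, control: str) -> float:
    """Residual Risk = Intrinsic Risk x (Effectiveness of Controls)."""
    return intrinsic * CONTROL_FACTOR[control]


@dataclass
class AssetThreat:
    asset: str
    value_eur: float
    threat: str
    frequency: str
    impact_pct: float
    control: str


# Constructed sample rows, using the assets described in the practice.
SAMPLE = [
    AssetThreat("Web portal / MySQL server", 6000, "Web application compromise", "bimonthly", 60, "partial"),
    AssetThreat("Email / DNS server", 6000, "Phishing email reaching staff", "biweekly", 60, "none"),
    AssetThreat("Director's laptop (accounting)", 1200, "Laptop theft", "annual", 85, "strong"),
    AssetThreat("Technicians' smartphones", 500, "Device loss", "semiannual", 15, "partial"),
]


def analyse(rows):
    """Return one result dict per asset/threat pair."""
    results = []
    for r in rows:
        ir = intrinsic_risk(r.frequency, r.impact_pct)
        rr = residual_risk(ir, r.control)
        results.append({
            "asset": r.asset, "asset_level": asset_level(r.value_eur),
            "threat": r.threat, "intrinsic": ir, "level": risk_level(ir),
            "residual": rr, "residual_level": risk_level(rr),
        })
    return results


if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(f"{row['asset']:32} {row['threat']:30} IR={row['intrinsic']:5.2f} "
              f"({row['level']:10}) RR={row['residual']:5.2f} ({row['residual_level']})")
```

One caveat the run makes visible: because the valuation table assigns 0 to "Very Low", any threat rated "once a year" scores an intrinsic risk of 0 regardless of impact (the laptop-theft row above), so a high-impact but rare event disappears from the ranking. When reusing this table, it is worth treating that zero as a scale artifact rather than as "no risk".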
3. Proposed solution 7.


Based on the report I have prepared, the following safeguards can be proposed to improve the security of the office:

  1. Regularly perform data backups and store them in a secure location. This important information security practice can minimize the impact of data loss due to technical failures, human errors, natural disasters, or other situations. It is necessary to define the frequency, type of backup, storage location, and conduct periodic data recovery tests to ensure the effectiveness of the backups.
  2. Training the company’s staff in cybersecurity and raising awareness about good practices in the use of equipment and data is essential to prevent security incidents and protect the organization’s information. Some measures that can be implemented to achieve this are:
    • Create cybersecurity training programs: Specific training programs for the company’s staff can be developed, with content adapted to their roles and responsibilities. These programs can include information on the most common security threats, good password practices, safe internet browsing, secure email, among others.
    • Conduct attack simulations (phishing campaigns): Attack simulations can help raise staff awareness of security risks and identify potential vulnerabilities in the organization’s systems. These simulations can be performed by the company’s computer security team or by specialized providers.
    • Establish security policies and action protocols: Security policies and action protocols that establish the rules and procedures to follow to ensure the security of the organization’s information must be defined. These policies must be effectively communicated to the company’s staff and updated periodically.
    • Establish disciplinary measures: It is important to establish disciplinary measures for employees who violate the organization’s security policies and protocols. This will help reinforce the importance of information security and foster a cybersecurity culture within the company.
  3. Install access controls with proximity cards, PIN codes, or biometric systems in the facilities. This is an important measure to protect the company’s premises against unauthorized access (thieves, etc.). These controls allow access to be limited only to authorized persons and provide an additional layer of security. Some important considerations when implementing these controls are:
    • Define access levels: It is important to define the access levels for each company employee based on their role and responsibility. This will allow access to be limited only to the areas necessary for the performance of their duties.
    • Verify the identity of individuals: Access control systems must be able to verify the identity of individuals before allowing access. Biometric systems are a good option to ensure the authenticity of the person trying to access.
  4. Monitor access: It is important to monitor access to the facilities to detect possible unauthorized access attempts. Surveillance systems and access logs can be used to verify that the people accessing the facilities are authorized.

These safeguards can help improve the security of the office by protecting sensitive systems and data, both physically and cybernetically.


To conduct audit processes, it is crucial to perform good prior planning, as we show in our article “Principles, Program, and Planning of ICT Audit and Governance”.

If you need an audit plan, you can contact us through our contact form.
