foundation of information

 

This is an individual research project. The objective of the research project is to develop
an Information Asset
Risk Assessment Report for an organization of your choosing, and
worth 25% of your total course grade. The report will be
due by the end of the 11
th
week
. The analysis should be conducted using only publicly available information (that
is, information obta
inable on the Internet, company reports, news reports, journal
articles, etc.). The risk analysis should consider legitimate, known threats that pertain to
the subject organization. Based on the information gathered, presumed vulnerabilities of
the company
or organization’s computing and networking infrastructure will be
identified. Then, based on the identified threats and vulnerabilities, you will describe the
risk profile for the subject organization and suggest recommendations to mitigate the
risks.
Yo
ur report should be 12 pages, double
–
spaced, exclusive of cover, title page, table of
contents, endnotes and bibliography. Your paper must use APA formatting with the
exception that tables and figures can be inserted at the appropriate location rather than
added at the end. Submit the report in your Assignment Folder prior to the submission
deadline.
Project Proposal
Prior to writing your report, you must submit a short (a page and half) Project Proposal,
indicating the name and relevant aspect(s) of the
organization you intend to use as a
subject for your report. The proposal must be accompanied by an annotated
bibliography submitted via the assignment folder. Your instructor will provide feedback
as to the suitability of your subject and bibliography. Ad
ditional details are provided
below.
You will submit
a
project proposal
of your Risk Assessment Report
by the end of
Session 4
. The project proposal will account for 10% of your research paper grade
(2.5% of your total course grade).
The project proposal
should be a page and half (double spaced) description of the
organization that you propose to analyze, with a summary of the scope (e.g., entire
organization, key business area, major system, etc.) for the risk assessment you are
expected to conduct. The
proposal should identify the subject organization with a brief
explanation of why you chose the subject for this assignment. The proposal should also
describe the research methods to be used and anticipated sources of research
information sources. Your ins
tructor will use the proposal to provide feedback on the
suitability of the proposed subject organization and the scope you propose, as well as
the suitability of the proposed research methods and information sources. If you do not
provide a proposal, you
will be preparing their Risk Assessment Reports “at risk;” i.e.,
they will run the risk of delivering a report that is not suitable for this course.

2
An important step in developing your Risk Assessment Report will be the construction of
an Annotated Bi
bliography. Having developed and described a subject organization and
scope of analysis in the proposal, the next step is to identify and assess the value of
potential research material. You should identify five (5) to six (6) significant articles
relevant
to your subject organization and to identifying and assessing risks in a context
similar to the scope of your report. For a report of this nature you may expect to find
useful sources in both business
–
focused (e.g., Business Source Premier, Business and
C
ompany Resource Center, ABI/Inform) and technically
–
focused databases (e.g., ACM
Digital Library, IEEE, Gartner.com). The annotated bibliography will consist of 100
–
250
words per article, that describe the main ideas of the article, a discussion of the
use
fulness of such an article in understanding various aspects of you report, and other
comments you might have after reading the article. For each article, there should be a
complete reference in APA format. Your Annotated Bibliography will then form the bas
is
of the sources for your report. (You may also supplement the references used in your
report with additional reference material.)
Some excellent guidance on how to prepare an annotated bibliography can be found at
https://www.library.cornell.edu/researc
h/citation/tutorial.

1

Risk Assessment Report Instructions
INFA 610

Background
This is an individual research project. The objective of the research project is to develop
an Information Asset Risk Assessment Report for an organization of your choosing, and
worth 25% of your total course grade. The report will be due by the end of the 11th
week. The analysis should be conducted using only publicly available information (that
is, information obtainable on the Internet, company reports, news reports, journal
articles, etc.). The risk analysis should consider legitimate, known threats that pertain to
the subject organization. Based on the information gathered, presumed vulnerabilities of
the company or organization’s computing and networking infrastructure will be
identified. Then, based on the identified threats and vulnerabilities, you will describe the
risk profile for the subject organization and suggest recommendations to mitigate the
risks.

Your report should be 12 pages, double-spaced, exclusive of cover, title page, table of
contents, endnotes and bibliography. Your paper must use APA formatting with the
exception that tables and figures can be inserted at the appropriate location rather than
added at the end. Submit the report in your Assignment Folder prior to the submission
deadline.

Project Proposal
Prior to writing your report, you must submit a short (a page and half) Project Proposal,
indicating the name and relevant aspect(s) of the organization you intend to use as a
subject for your report. The proposal must be accompanied by an annotated
bibliography submitted via the assignment folder. Your instructor will provide feedback
as to the suitability of your subject and bibliography. Additional details are provided
below.

You will submit a project proposal of your Risk Assessment Report by the end of
Session 4. The project proposal will account for 10% of your research paper grade
(2.5% of your total course grade).
The project proposal should be a page and half (double spaced) description of the
organization that you propose to analyze, with a summary of the scope (e.g., entire
organization, key business area, major system, etc.) for the risk assessment you are
expected to conduct. The proposal should identify the subject organization with a brief
explanation of why you chose the subject for this assignment. The proposal should also
describe the research methods to be used and anticipated sources of research
information sources. Your instructor will use the proposal to provide feedback on the
suitability of the proposed subject organization and the scope you propose, as well as
the suitability of the proposed research methods and information sources. If you do not
provide a proposal, you will be preparing their Risk Assessment Reports “at risk;” i.e.,
they will run the risk of delivering a report that is not suitable for this course.

2

An important step in developing your Risk Assessment Report will be the construction of
an Annotated Bibliography. Having developed and described a subject organization and
scope of analysis in the proposal, the next step is to identify and assess the value of
potential research material. You should identify five (5) to six (6) significant articles
relevant to your subject organization and to identifying and assessing risks in a context
similar to the scope of your report. For a report of this nature you may expect to find
useful sources in both business-focused (e.g., Business Source Premier, Business and
Company Resource Center, ABI/Inform) and technically-focused databases (e.g., ACM
Digital Library, IEEE, Gartner.com). The annotated bibliography will consist of 100-250
words per article, that describe the main ideas of the article, a discussion of the
usefulness of such an article in understanding various aspects of you report, and other
comments you might have after reading the article. For each article, there should be a
complete reference in APA format. Your Annotated Bibliography will then form the basis
of the sources for your report. (You may also supplement the references used in your
report with additional reference material.)

Some excellent guidance on how to prepare an annotated bibliography can be found at
https://www.library.cornell.edu/research/citation/tutorial.

Risk Assessment Report Proposal and Annotated Bibliography should be submitted by
the end of Session 4.

The grading criteria for the proposal are as follows:
1. Organization Selected & Justification (Right Scope and Relevance): 60%

2. Research methods proposed (Bibliography): 40%

Risk Assessment Report
The Risk Assessment Report should be a polished, graduate-level paper. Be sure to
carefully cite (using correct APA-Style in-line citations) all sources of information in the
report. UMGC policies regarding plagiarism will apply to the Risk Assessment
Report as well as all other deliverables in this course. You must submit the report to
Turnitn.com to improve the originality score before submitting the report in the
Assignment Folder. The lower the originality score the better it is. You should aim for an
originality score of 10%.

Please submit questions regarding the research paper to the INFA610 “Q&A”
Conference.

The Risk Assessment Report should be submitted by the end of Session 11.

Risk Assessment Report Overview
The objective of this assignment is to develop a Risk Assessment Report for a
company, government agency, or other organization (the “subject organization”). The
analysis will be conducted using only publicly available information (e.g., information
obtainable on the Internet, company reports, news reports, journal articles, etc.) and
based on judicious, believable extrapolation of that information. Your risk analysis
should consider subject organization information assets (computing and networking
infrastructure), their vulnerabilities and legitimate, known threats that can exploit those

3

vulnerabilities. Your assignment is then to derive the risk profile for the subject
organization. Your report should also contain recommendations to mitigate the risks.

There is a wealth of business-oriented and technical information that can be used to
infer likely vulnerabilities and assets for an organization. It is recommended that
students select their organizations based at least in part on ease of information
gathering, from a public record perspective.
Steps to be followed:
1. Pick a Subject Organization: Follow these guidelines:

a. No insider or proprietary information. All the information you collect must be
readily available for anyone to access. You will describe in your proposal how you
intend to collect your information.

b. You should pick a company or organization that has sufficient publicly available
information to support a reasonable risk analysis, particularly including threat and
vulnerability identification.

2. Develop Subject Organization Information: Examples of relevant information
includes:

a. Company/Organization name and location

b. Company/Organization management or basic organization structure

c. Company/Organization industry and purpose (i.e., the nature of its business)

d. Company/Organization profile (financial information, standing in its industry,
reputation)

e. Identification of relevant aspects of the company/organization’s computing and
network infrastructure, Note: Do not try to access more information through Social
Engineering, or through attempted cyber attacks or intrusion attempts.

3. Analyze Risks

a. For the purposes of this assignment, you will follow the standard risk assessment
methodology used within the U.S. federal government, as described in NIST Special
Publication 800-30 (United States. National Institute of Standards and Technology
(2002). Risk Management Guide for Information Technology Systems (Special
Publication 800-30). Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-
30/sp800-30 ) b. In conducting your analysis, focus on identifying threats and
vulnerabilities faced by your subject organization. c. Based on the threats and
vulnerabilities you identify, next determine both the relative likelihood and severity of
impact that would occur should each of the threats materialize. This should produce
a listing of risks, at least roughly ordered by their significance to the organization.
d. For the risks you have identified, suggest ways that the subject organization might
respond to mitigate the risk.

4. Prepare Risk Assessment Report

a. Reports should be 12 pages (exclusive of cover, title page, table of contents,
endnotes and bibliography), double-spaced, and should follow a structure generally
corresponding to the risk assessment process described in NIST Special Publication
800-30.

b. The report should be prepared using the APA Style. All sources of information
should be indicated via in-line citations and a list of references.

4

c. Reports should be submitted via the Assignment Folder.

Grading Criteria
As previously stated, the Proposal and Annotated Bibliography will constitute 10% of
your Risk Assessment Report grade (2.5% of your final grade). You will demonstrate in
the final report your risk assessment subject matter competency and communication
and knowledge competencies. The Risk Assessment Report, accounting for 22.5% of
the final grade, will be assessed as follows:

• Clear statement of scope to be analyzed and appropriate coverage of that scope:
10%

• Technical Content (depth and accuracy of information and analysis): 30%

• Recommendations for risk mitigation or other conclusions supported by research
and analysis: 10%

• Communications competency: 25% (assessed using a graduate school wide rubric)

• Knowledge competency: 25% (assessed using a graduate school wide rubric