GRC Risk Assessment Home Lab - reachchrisyoung/GRC-Risk-Assessment GitHub Wiki
# GRC Risk Assessment Home Lab

Cybersecurity-related work in risk assessment is contained in this portfolio item.
## Description

### Overview

- Conducted a comprehensive risk assessment to enhance data security practices within an organization.
### Key Points

- Assessment: Developed and documented risk mitigation strategies based on audit findings for the NIST SP 800-53 3.1 Media Protection family (MP-1 through MP-8).
- Prioritization: Objectively identified high-priority risks and communicated them effectively to the organization, fostering an informed and proactive risk management strategy.
- Frameworks: Employed the assessment scales outlined in NIST SP 800-30, providing a quantifiable framework for identifying and prioritizing risks.
### Objectives

- Combine threat modeling results with the existing Standard Operating Procedures (SOP) and System Security Plan (SSP) to understand the organization's risks.
- Tailor risk explanations to resonate with a non-technical audience.
- Develop strategies to mitigate the identified risks.
## Project Walkthrough
For the purpose of this project, I will be using the findings from an audit previously conducted, combined with threat modeling, to understand the risks involved with the organization.
### Step 1: Understanding Control Status
Based on NIST SP 800-53, my disposition was that control MP-1 (Media Protection Policy and Procedures) was not in place.
Based on the interview with the Director of IT, the review of the SOP and SSP, and the threat modeling conducted prior to the audit, I determined that the biggest risk of not having Media Protection policies and procedures in place is unauthorized access.
### Step 2: Identifying Mitigating Factors
From the evidence I gathered in the interview, I can say that a mitigating factor for this risk is "Tribal knowledge in place" for people within the organization.
### Step 3: Quantitative Risk Assessment

I then used the NIST SP 800-30 assessment scales to determine the impact and likelihood of this risk quantitatively. Using the same scales for every control lets me determine each control's risk consistently.

Using these values, I can objectively determine that the likelihood of unauthorized access is a 5 (low) and that the impact, if it were to happen, is also a 5 (low); multiplying the two gives an overall risk of 25/100 (low) for this control.
### Step 4: Objective Risk Explanation

My objective, defensible explanation for this risk: "Staff do not know what the expectations or standards are, and no process around media protection, storage, or sanitization is documented, so it may not be done properly. Without standards and policy, no process can be repeated consistently, and staff will develop their own individual processes."
### Step 5: Repetition for Each Control
After completing the risk assessment for Media Access control MP-1, I repeated steps 1-4 for controls MP-2 through MP-8.
(reference image for evidence gathering...)
### Step 6: Prioritizing Risks
I then sorted the spreadsheet by overall risk to prioritize the controls that have the highest risk.
Now that I had an organized list of the risks, I created an executive report to effectively communicate the risks with the organization.
Portfolio Piece: [Risk Assessment Worksheet](https://docs.google.com/spreadsheets/d/1jQR1PamUc_pIrJh2ZrTXUHRLDr-6X21qSU-_bdhj4EA/edit?usp=sharing)
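The scoring in Step 3 and the sorting in Step 6 can be kept consistent with a small script instead of a spreadsheet. The following is an added example, not code from the wiki or its worksheet; it assumes 0-10 likelihood and impact scales (so the product is out of 100, matching the 5 x 5 = 25/100 above), and every control except MP-1 carries constructed values.

```python
# Added example (not part of the original wiki): a risk register that applies the
# page's scoring (likelihood x impact on 0-10 scales, product out of 100) to the
# MP family and ranks the controls the way Step 6 sorts the spreadsheet.
from dataclasses import dataclass, field

SCALE_MAX = 10  # assumption: 0-10 per factor, so 5 x 5 = 25/100 as on the page


@dataclass
class ControlRisk:
    control: str            # e.g. "MP-1"
    title: str
    in_place: bool          # Step 1 disposition
    risk: str               # biggest risk of the control not being in place
    likelihood: int         # NIST SP 800-30 style semi-quantitative value, 0-10
    impact: int
    mitigating_factors: list = field(default_factory=list)  # Step 2

    def score(self) -> int:
        """Overall risk = likelihood x impact; reject values outside the scale."""
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{self.control}: {name} {value} outside 0-{SCALE_MAX}")
        return self.likelihood * self.impact


def prioritize(register):
    """Controls sorted highest overall risk first (ties broken by control id)."""
    return sorted(register, key=lambda c: (-c.score(), c.control))


def unmitigated_gaps(register):
    """Controls not in place with no documented mitigating factor."""
    return [c.control for c in register if not c.in_place and not c.mitigating_factors]


# Constructed sample register: MP-1 uses the page's values, the rest are made up.
REGISTER = [
    ControlRisk("MP-1", "Media Protection Policy and Procedures", False,
                "Unauthorized access", 5, 5, ["Tribal knowledge in place"]),
    ControlRisk("MP-2", "Media Access", False, "Unauthorized access to media", 6, 7),
    ControlRisk("MP-4", "Media Storage", True, "Loss of stored media", 2, 6),
    ControlRisk("MP-6", "Media Sanitization", False,
                "Data recovered from disposed media", 4, 8, ["Drives encrypted at rest"]),
]

if __name__ == "__main__":
    for c in prioritize(REGISTER):
        print(f"{c.control:5} {c.score():3}/100  {c.risk}")
    print("Gaps with no mitigating factor:", unmitigated_gaps(REGISTER))
```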
### Optional Step: Risk Mitigation Recommendations

The risk assessment could also include next steps to mitigate the risks in scope.

If the organization I work for offers a solution that mitigates a specific risk, I could include it in the risk assessment and add further value for the organization.
End of Risk Assessment