Consider the scenario below and then answer the question that follows:
The HR Manager has confirmed that the wrong person in the Cc: field of an email
and attaching a document containing corporate sensitive data to the same email was
the cause of a data breach. It is alleged that the information in the attached
document was used to gain unauthorised access to attack some systems. The IT
Support administrator also confirmed that the incident was responded to, mitigated
and user training has been implemented.
Using the scenario as an example, provide a risk register and a risk matrix that
suitably represent any ONE risk in the scenario. In your answer, also briefly
explain how the register and the matrix are used to represent the risk.
NB: Provide a fully labelled risk matrix and risk table for ONLY one risk identified.
Risk Register:
Risk: Unauthorized access due to data breach
Description: The risk of unauthorized access to systems due to a data breach caused by attaching a document containing corporate sensitive data to an email with the wrong person in the Cc field.
Category: Information Security
Likelihood: Medium
Impact: High
Risk Level: High
Mitigation Actions:
1. Implement stricter email recipient verification processes to prevent sending sensitive information to the wrong recipients.
2. Enhance data encryption and access controls to protect sensitive data even if it is accessed by unauthorized parties.
3. Conduct regular user training sessions to raise awareness about the importance of handling sensitive data appropriately.
Risk Matrix:
| High | Medium | Low |
-----------|--------|--------|--------|
High | Red | Red | Orange |
-----------|--------|--------|--------|
Medium | Red | Orange | Green |
-----------|--------|--------|--------|
Low | Orange | Green | Green |
-----------|--------|--------|--------|
In the risk matrix, the vertical axis represents the impact of the risk (high, medium, low), and the horizontal axis represents the likelihood of the risk occurring (high, medium, low). Each cell in the matrix is color-coded to represent the risk level (red for high, orange for medium, green for low).
The identified risk of unauthorized access due to a data breach has been placed in the "High" impact category and the "Medium" likelihood category. This places the risk in the "High" risk level, indicated by the red color in the matrix.
The risk mitigation actions listed in the risk register can now be evaluated based on their effectiveness in reducing the impact or likelihood of the risk occurrence. The risk matrix provides a visual representation of the risk level, allowing stakeholders to prioritize mitigation actions and allocate resources accordingly.