Information Security Management: Risk Assessment

Information Security Management
The student will be given a scenario in which they must perform a risk assessment on some given hardware (a hardware list with part numbers will be provided) and on the needed software components, assessing risk from an attack surface perspective and against other security-relevant criteria. Students will be given the value of the data contained on this one computer system and must perform a qualitative analysis of the entirety of the assets to determine which risks need to be mitigated, accepted (too expensive to address), transferred (such as by purchasing data breach protection), or avoided (the risk is too high and is avoided by senior management).
Scenario:
InfoTegrity is a new startup firm that has discovered an innovative way to encrypt data to protect the confidentiality of clients’ data, yet the system containing the algorithms, initialization vectors, and keys needs to be secured to prevent unauthorized access to the data. A risk assessment must be performed to find all the risk that is present on the system. The system runs the Windows 10 build 1703 operating system and has multiple C++ redistributables that are used by other software applications the organization has installed on the system. The system is also freely accessible on the company network to on-site employees who need access to it.

Using the HW/SW list supplied by local IT administrators together with the information above, perform a risk assessment and provide guidance on the best solution for keeping the confidentiality, integrity, and availability of the system at an acceptable level of risk.

Use Google and any other web browsing applications to research this scenario and write three paragraphs. The first presents the way you are going to organize your risk assessment (i.e. identify assets, valuate them, assign levels of risk, etc.). The second describes the risk elements and findings of the assessment for the system. The last provides guidance on the best path forward to address the risk that is present and what needs to be done for each risk (for instance, high-risk items should be mitigated, as opposed to low-risk items, which would be accepted by the organization).
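As an added illustration (not part of the original assignment), the sketch below organizes the scenario as a qualitative risk register: assets and findings are listed, likelihood and impact are combined into a level, and a treatment is chosen. The three-level scale, the scoring thresholds, the decision rule, and every rating in `REGISTER` are assumptions constructed for this example; the hardware list is not shown on this page, so it appears only as a placeholder row.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-level scale

@dataclass
class Risk:
    asset: str
    finding: str
    likelihood: str      # qualitative: low / medium / high
    impact: str          # driven by the value of the asset
    control_cost: str    # cost of mitigating, relative to asset value
    insurable: bool = False

def rating(r: Risk) -> str:
    """Combine likelihood and impact into one qualitative level."""
    score = LEVELS[r.likelihood] * LEVELS[r.impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def treatment(r: Risk) -> str:
    """Assumed decision rule for mitigate / accept / transfer / avoid."""
    level = rating(r)
    if level == "low":
        return "accept"
    if r.control_cost != "high":
        return "mitigate"
    if level == "high":
        return "avoid"           # too risky and no affordable control
    return "transfer" if r.insurable else "accept"

# Constructed ratings for the scenario; a real assessment would justify each.
REGISTER = [
    Risk("Keys, IVs and algorithms", "System freely accessible to on-site employees", "high", "high", "low"),
    Risk("Operating system", "Windows 10 build 1703", "medium", "high", "low"),
    Risk("Installed software", "Multiple C++ redistributables", "medium", "medium", "low"),
    Risk("Client data", "Residual breach liability", "low", "high", "high", insurable=True),
    Risk("Hardware (list not shown here)", "Component failure", "low", "medium", "medium"),
]

def report(register):
    """Return (asset, level, treatment) rows, highest risk first."""
    rows = [(r.asset, rating(r), treatment(r)) for r in register]
    return sorted(rows, key=lambda row: -LEVELS[row[1]])

if __name__ == "__main__":
    for asset, level, action in report(REGISTER):
        print(f"{level:<6} {action:<9} {asset}")
```

Changing a single rating, such as the cost of a control, shows how the same finding can move between mitigate, transfer, and accept.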
