Risk Assessment Program Term Paper

Over the last several years, many small and medium-sized businesses have been turning to cloud computing as a way of storing, retrieving and accessing vital information. In this model, a third-party provider offers firms these services at a fraction of the cost of a traditional IT department. Moreover, there is unlimited storage capacity and firms can readily protect themselves against vulnerabilities at a particular site. These benefits are leading nearly 60% of all corporations to use cloud computing to reduce expenses and improve productivity. As a result, more firms are realizing higher profit margins from effectively outsourcing these functions. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

However, the use of third-party providers is also very risky, because firms are leaving their most sensitive data with outside organizations that may not understand the needs of the company or incorporate proper security protocols. The impact is that these firms could have their data stolen without knowing what is happening until it is too late. This stems from these organizations placing too much trust in third-party providers. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

As a result, these capabilities will vary from one organization to the next. In the case of Data Mart, the firm is focused on providing customers with the latest solutions to understand and troubleshoot security issues. This is accomplished by utilizing the OCTAVE Allegro protocol. The Operationally Critical Threat, Asset and Vulnerability Evaluation (i.e. OCTAVE) is focused on reducing the hazards impacting an organization. It takes a process-driven approach by identifying, managing and prioritizing risks. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

This is achieved through concentrating on a number of areas. The most notable include:

Developing qualitative risk evaluation procedures based upon the operational risks.

Identifying key assets and resources that are vital to the success of the mission and the organization.

Determining vulnerabilities and threats to key assets.

Evaluating potential adverse consequences to the organization (if these threats are realized).

Implementing corrective action to reduce risks and creating strategies that embrace practice protection principles.

These different elements show how this approach is designed to mitigate and address any kind of threat early. This helps organizations to understand what is happening, identify the threat and respond prior to any kind of breach. When this happens, the odds of the firm experiencing these kinds of incidents decrease. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

As far as Data Mart is concerned, this protocol gives the firm an advantage in understanding and evolving with different kinds of threats. This helps it to effectively protect its clients' information utilizing the OCTAVE Allegro approach. To fully understand how this is achieved requires designing a risk assessment program for this protocol based upon international standard risks. This will be accomplished by establishing drivers, profiling assets, identifying threats and discussing how they will be addressed. Together, these elements will show how Data Mart can use the latest version of this strategy to offer its clients greater amounts of protection. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

Stage 1: Establish Drivers

Data Mart's primary focus is on offering customers unique solutions that address their IT, storage and CRM needs in a cost-effective manner (using the latest technology). The impact of potential threats comes from having a large number of clients. This increases the probability of the firm becoming the target of hackers and other organizations. If they target the company's servers enough times, there is a realistic possibility of a breach occurring. This is a high-risk threat to the organization, with more third-party providers becoming targets for these activities. (Hashizume, 2013) (Kouns, 2011) (Panda, 2013)

There are several different qualitative factors which are used to evaluate the risk to an organization. The most notable include:

The number of clients and the size of the data which is stored. This is a high threat category.

The sensitivity of the information. This area has a medium impact on the organization.

The number of personnel available to monitor and adapt to potential changes. This is a medium-rated section.

Together, these areas represent a set of factors which can have negative effects on the firm's business model. (Cole, 2011) (Kaeo, 2004) (McCallum, 2010)

Establish Risk Assessment Criteria

Allegro Worksheet 1

Risk Measurement Criteria -- Reputation and Customer Confidence

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Reputation (Staff) | The reputation of the staff is not impacted by any kind of issues. This means that no added expenses are required to help the firm recover. | The image of the organization has been damaged. This will cost between $250 thousand and $1 million to repair. | The organization is negatively impacted by one or a series of events. This damage will have a negative effect on the firm and how it interacts with clientele. In this case, these issues will cost in excess of $1 million. |
| Customer Loss | The firm's reputation has been minimally damaged by an incident. | The company is spending between $250 and $1 million to repair any kind of damages. However, these costs will help the organization reach out to new clientele by effectively settling any issues. | The firm is experiencing damages in excess of $1 million. This means that costs will require a new strategy to mitigate the loss of clientele to competitors. |
| Other: Reputation (Community) | The community believes the... At the same time, they have strong outreach and volunteers through a series of public projects. | The reputation of the company has been damaged. This means that it will cost it from $250 to $1 million to deal with any issues. | The reputation in the community has been severely damaged and stakeholders are walking away. This is problematic, as there is no support for the employees, the firm or its activities. This is when regulatory pressures will increase. |

Allegro Worksheet 2

Risk Measurement Criteria -- Financial

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Operating Costs | Costs increase by 1.3% annually. | Rising costs from 3% to 6%. | Cost is increasing in excess of 8% yearly. |
| Revenue Loss | Revenues are less than $150 thousand in annual revenues. | Revenue losses from $500 thousand to $1.5 million. | Revenue losses in excess of $3 million. |
| One-Time Financial Loss | Less than $150 thousand in one-time expenses. | Between $500 thousand and $1.5 million. | More than $3 million in losses. |

Allegro Worksheet 3

Risk Measurement Criteria -- Productivity

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Staff Hours | Staff hours in costs increase by less than $150 thousand annually. | Staff hour expenses increase from $200 thousand to $1 million. | Labor costs have increased by over $1 million. |
| Other: Customer Turnover Rate | The customer turnover rate is less than 2.0% of all clientele. | Turnover rates are between 3% and 8% annually. | Turnover rates have increased by over 10%. |

Allegro Worksheet 4

Risk Measurement Criteria -- Safety and Health

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Life | No significant threat to the safety / health of customers and staff. | Stakeholders are impacted but can recover within a few hours. The costs are $500 thousand. | Significant loss of customer lives at a facility. This results in costs and litigation above $2 million. |
| Health | There is no negative impact on health. | Stakeholders are able to recover within a few days. Costs are limited to $500 thousand. | Customers and staff experience permanent damages from exposure to adverse incidents. These costs exceed $2 million. |
| Safety | There are no effects from company procedures or equipment on clientele / staff. | Safety is slightly impacted. This is resulting in expenses of $500 thousand. | There are costs in excess of $2 million in damages. At the same time, the firm is experiencing a loss of employees and customers. |

Allegro Worksheet 5

Risk Measurement Criteria -- Fines and Legal Penalties

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Fines | Fines less than $100 thousand will be assessed. | Fines are between $100 thousand and $350 thousand. | Fines are greater than $500 thousand. |
| Lawsuits | Lawsuits of less than $100 thousand. | Litigation ranging from $200 thousand to $1 million. | Lawsuit over $1 million. |
| Investigations | No investigations from government regulators and consumer watchdog organizations. | Regulators are investigating the firm as part of oversight and compliance. | Investigators are opening a case into the firm's practices based upon customer complaints. |
| Other: | | | |

Allegro Worksheet 6

Risk Measurement Criteria -- User Defined

| Impact Area | Low | Moderate | High |
| --- | --- | --- | --- |
| Customer Relations | The clients are happy with the services they are provided. | Clients have other partners who can provide similar services. The difference is that they are focusing on trying o | Clients are leaving the company and going to competitors. |
| Employees | Employees are happy with the firm and will do more to help the organization. | Employees have some issues. However, they believe that things are moving in the right direction. | There is tension between employees and managers. This creates conflict and has an impact on the firm's products. |

Stage 2: Profile Assets

Develop an Informative Asset Profile

Allegro Worksheet 7

Impact Area Prioritization Worksheet

| Priority | Impact Areas |
| --- | --- |
| 1 | Customer Confidence |
| 3 | Fiscal |
| 5 | Production |
| 4 | Health and Safety |
| 2 | Penalties and Fines |

The information that is most valuable to Data Mart is the sensitive data it is storing for its customers. The day-to-day assets that will be utilized in the process include computers, servers, applications and communications equipment. If any of these were lost, it would have a negative impact on the firm's ability to achieve its mission. This is because there are certain times when the data is accessed without authorization or access is interrupted. (Cole, 2011) (Kaeo, 2004) (McCallum, 2010)

Identify Information Asset Containers

Allegro Worksheet 8

Critical Information Asset Profile

(1) Critical Asset

What is the critical information asset?

(2) Rationale for Selection

Why is this information asset important to the organization?

(3) Description

What is the agreed-upon description of this information asset?

Strong Customer Relations.

This helps the company to understand and address the…

References

Data Cloud Computing Services. (n.d.).

Canavan, J. (2001). Fundamentals of Network Security. Hoboken, NJ: Wiley.

Cole, E. (2011). Network Security Bible. Hoboken, NJ: Wiley.

Convery, S. (2004). Network Security Architectures. Thousand Oaks, CA: Sage.
Panda, P. (2013). The OCTAVE Approach. ISACA. Retrieved from: http://www.isaca.org/Journal/Past-Issues/2009/Volume-4/Pages/The-OCTAVE-Approach-to-Information-Security-Risk-Assessment1.aspx