Project 2: Understanding Risk

Introduction

What are you protecting, and what are you protecting it from? These are central questions for a security expert. In this project you will perform an analysis of the CIS datacenter in room 830 (the STEM center). The datacenter contains the infrastructure we use to teach many CIS and CS classes. Your analysis will help you understand the value of the assets of the CIS/CS programs and explore the consequences of various threats.

Like the last project, it's essential that you work with your peers. At first glance this project may seem simple, but there are many details that are easy to overlook. Working in teams creates a diversity of opinion. Diversity suits a security team by reducing groupthink. There will be times when a team member notices something you would never have thought of. Good working teams learn how to capture it all into a strong security plan. Unless there's a problem, you should work with the same group from project 1.

This project is the last group project in the class. You have three weeks to do it. Be sure to get some work done every week. 

Part 1: Take Inventory

Your group's first task is to take a complete inventory of every item in the CIS datacenter. The CIS datacenter is located in room 830 (the STEM center). You will build a spreadsheet with the inventory. Not every member of the group needs to be physically able to do this but at least one person should start the spreadsheet with all items they discovered. For every item you find the spreadsheet should contain the following information:
  • Item Description. This should contain the manufacturer and model if possible. For example "Dell R620 Server" or "Cisco 2901 Router" or simply "2 post rack"
  • Item Count. 
  • Unit Cost. Look online for the price of the item. It may not be possible to find an exact figure (e.g. server prices depend on processors, RAM). Make an estimate based on a "middle" cost. 
  • Total Cost. This is Unit Cost times Item Count
Try to be as thorough as possible. When you have all items listed, total the costs and figure out how much the whole datacenter costs.

There's more to a datacenter than just equipment. The CIS datacenter must be operable for the computers in 828 and 829 to function. Also, the Dell servers host Opus, Jeff and Pengo. For this part you will do a risk analysis that includes the cost of losing the function of the datacenter. As a group, answer the following questions:
  • What classes have you taken that require the datacenter? Think about classes where you've had VLab accounts, used Opus, Jeff or Pengo, classes where you've used the switches and routers or any class that meets in 830 or 831.
  • What would happen in class if the datacenter was down for:
    • 1 day?
    • 1 week?
    • 1 month?
In a business the cost of losing computer capacity might be more clear than it is with Cabrillo.

Part 2: Risk Analysis

Now that you have an idea of the value of the datacenter, it's time to do risk analysis. Risk analysis has three parts:
  1. Risk identification
  2. Risk assessment 
  3. Risk control
Identify one risk to analyze. Discuss with your group the following questions:
  • What is the threat and threat agent associated with the risk we chose? 
  • Where might the datacenter be vulnerable?
  • What is the likelihood of a successful attack? 
  • What could be done to reduce the possibility of a successful attack? 
  • What could be done to reduce the losses associated with a successful attack? 
When you answer the last question, bear in mind that not all attacks are preventable. No computer system is completely secure, and natural disasters may be larger than any defense. When you consider defenses, remember that they should be appropriate for what you're protecting. The cost of defending systems should not be higher than the value of the systems themselves, and loss of access due to security measures has real costs.

Grading

Your grade on the project will be pass/fail. A passing grade will be given to groups that show that they've thought about and discussed what they've presented.