UrRISK04

SRA 311.00x

SP15

Table/Row # ____

1st Student Name [abc123]

2nd Student Name [def456]



Table of Contents

I. Introduction

A) Purpose

B) Scope of the Risk Assessment

II. Risk Assessment Approach

III. System Characterization

IV. Threat Statement

V. Risk Assessment Results

A. Vulnerability Analysis

B. Existing Risk Controls

C. Risk Scenario Likelihood: Discussion and Evaluation

D. Risk Scenario Impact: Discussion and Evaluation

E. Risk Rating

F. Recommended Treatments/Controls

VI. Summary

Reference List

Appendix A: Literature Evidence

Appendix B: Structured Analytic Evidence

Appendix C: Threat Analysis

Appendix D: Vulnerability Analysis

Appendix E: Risk Scenario Likelihood Scorecard

Appendix F: Risk Scenario Impact Scorecard

Appendix G: Risk Matrix

Appendix H: Risk Rating

Appendix I: Safeguard Implementation Plan


TIP

To update the above “table of contents” (TOC), simply 1) Right-click the TOC, 2) Select “Update Field,” and 3) “Update Entire Table.” Note that typing on this TOC will not work!

This TOC is linked to the Word styles Heading1 and Heading2 that appear in the paper.

I. Introduction

It is recommended to complete this introduction paragraph(s) last. Use full sentences and paragraphs to briefly introduce and summarize the contents of this paper. Note that the introduction changes for each UrRISK project!

A) Purpose

Pick and describe a real location (e.g., Atherton Hotel) that can either be visited in person, or by photograph/video. Indicate a fictitious name and credible title of the protector that has “hired” your team as a consultant to conduct the risk assessment. In this section you could cross-reference Appendix A: Literature Evidence.

Explain why this risk assessment is important. From the literature that provides the information you CITE, quantify the importance of the risk assessment (i.e., use data, such as number of hotel rooms, number of guests, annual revenue).

It is often easier to select a familiar protector’s point of view, such as that of a hotel guest. A hotel manager’s point of view might be more difficult.

B) Scope of the Risk Assessment

Specify what is within and not within the scope of your risk assessment.

Select a very narrow scope area that is supported by your literature (e.g., for topic “hotel,” scope area could be pest control in hotel guest rooms).

Also specify what is not within your scope statement. For example, reference the top level categories from the general enterprise risk map at http://bit.ly/1icMuln to indicate areas that are NOT within scope. If desired, you may include this image in your scope statement, or build your own image.


Figure 1 below should NOT be included in your submission. It is only included here to illustrate how to cross-reference a figure, and include a full caption below the figure! A figure is not required for UrRISK.

Figure 1: The Four-Step Risk Assessment Process (McGill, 2010, p. 1)

II. Risk Assessment Approach

Paragraph(s) should introduce the research assessment team by presenting student bios, including names, education, internships, certifications, and other qualifications.

Introduce and describe all three parts of the approach to hazard identification (i.e., literature review, structured analytics, and virtual site visit). This is a good place to cite references, as well as cross-reference Appendix 2.

Cross-reference and include the risk matrix you will be using to evaluate the risk impacts and likelihoods, such as Figure 1. It is better if each axis includes a numerical scale, and the cells include the product of these numbers. Note that you can right-click on a figure or table and select “insert caption.” A full caption includes the APA source (if not original) and, because the citation points to a specific item, the page number as well!


EXAMPLE: Required to create your own color-coded/gray-scaled matrix with values; please do NOT copy/paste this one

Figure 1: Risk Matrix (Johnson, 2012, p. 3)

III. System Characterization

Describe the system you will be evaluating as an input-process-output (IPO) model. A different figure, similar to Figure 2 (e.g., Word Shapes), might be used to help illustrate the system. The IPO diagram helps to focus the threat/vulnerability and asset identification.

For example, if my risk assessment is for a hot tub in a hotel, I might focus on physical access and safety. The input would be people getting into the tub, the process is being in the tub, and output getting out of the tub. Railings, slipping, storage, cracks in floor, steps/treads, etc. all start to become more visible!

EXAMPLE: Required to build your own IPO model; do NOT copy this one. IPO needs to be narrowly limited to your project scope.

Figure 2: Input Process Output Diagram (Binduswetha, 2010, p. 3)

IV. Threat Statement

Define threat, and describe threats being considered in your assessment. Note that NIST references three types of threats: natural, human, and environmental (NIST 800-30, 2002, pg. 13).

· Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

· Human Threats—Events that are either enabled by--or caused by--human beings, such as unintentional acts (e.g., inadvertent data entry), or deliberate actions (e.g., network based attacks, malicious software upload, unauthorized access to confidential information).

· Environmental/System Threats—Long-term power failure, pollution, chemicals, liquid leakage.

Appendix C: Threat Analysis should be a summary of your threat analysis including threat sources, motivations, and actions. Threat motivations can be accidental, intentional, or other (e.g., system failure, weather-related). Threat actions describe how the threats may occur.

Cross-reference Appendix C: Threat Analysis in this section of your paper, and include a brief summary paragraph at the top of that appendix.

V. Risk Assessment Results

Summarize the following sections that reference hazards identified in Appendix A: Literature Evidence in UrRISK01, and Appendix B: Structured Analytic Evidence in UrRISK02.

A. Vulnerability Analysis

Define vulnerability, and describe vulnerabilities being considered in your assessment.

Appendix D: Vulnerability Analysis is the summary of your vulnerability analysis, including vulnerability sources, corresponding threats, and vulnerability actions. Vulnerability actions describe how the threat/vulnerability pairs (i.e., “risk scenarios”) may occur.

Cross-reference Appendix D: Vulnerability Analysis in this section of your paper, listing all vulnerabilities, sources of vulnerabilities, and actions from the perspective of your specific assessment. Include a brief summary paragraph at the top of that appendix.

B. Existing Risk Controls

From your research, indicate any known existing risk controls in use at the location you are using for your risk assessment, if any. Although not required, an appendix could be used to explain existing risk controls in detail.

C. Risk Scenario Likelihood: Discussion and Evaluation

Discuss and evaluate the likelihood of each risk scenario. Likelihoods are often qualitatively scaled, such as high, medium, and low, but also need to include a quantitative scale. The quantitative scale should match the one used in the risk matrix likelihood axis. Cross-reference Appendix E: Risk Scenario Likelihood Scorecard in this section of your paper, and include a brief summary paragraph at the top of that appendix.

D. Risk Scenario Impact: Discussion and Evaluation

Discuss and evaluate the impact of each risk scenario. Impacts are often qualitatively scaled, such as high, medium, and low, but also need to include a quantitative scale. The quantitative scale should match the one used in the risk matrix impact axis. Cross-reference Appendix F: Risk Scenario Impact Scorecard in this section of your paper, and include a brief summary paragraph at the top of that appendix.

E. Risk Rating

In this section, explain how Appendix G: Risk Matrix was used to rank the final risk scenario results in Appendix H: Risk Rating. Cross-reference both Appendix G and Appendix H in this section of your paper. Also include a brief summary paragraph at the top of each of those appendices. Note that Appendix H should list the ranked risks, highest to lowest.

F. Recommended Treatments/Controls

This is the most important section of the risk analysis. Recommend controls for the most critical (i.e., highest ranked) risk scenarios. Cross-reference Appendix I: Safeguard Implementation Plan in this section of your paper, and include a brief summary paragraph at the top of that appendix.

VI. Summary

Summarize the entirety of the risk assessment results into a BLUF (bottom line up front) summary. DO NOT be overly wordy here. Use very clear and succinct language, as this will be the part of the assessment that many people look at first before diving into the report.


Reference List

Euchner, J. (2014). Occupational hazards. Research Technology Management, 57(2), 9-10. Retrieved from http://search.proquest.com/docview/1507798819?accountid=13158

McComb, S. D. (1932). HAZARDS. Marine Engineering & Shipping Age (1923-1935), 37(12), 514. Retrieved from http://search.proquest.com/docview/855857303?accountid=13158


REFERENCE TIPS

Start reference list on a new page. Use Word’s paragraph option “hanging indent” for each reference. Double-space between each reference, and single-space each reference itself. Sort list alphabetically by author’s last name. Sources listed here must be cited in the text. Move others to Appendix A: Literature Evidence as needed.

CITATION TOOLS

· APA reference list: http://www.calvin.edu/library/knightcite/index.php?standard=APA

· APA end-of-text reference: https://owl.english.purdue.edu/owl/resource/560/05/

· APA in-text citations: https://owl.english.purdue.edu/media/pdf/20110928111055_949.pdf


Appendix A: Literature Evidence

You may use as many appendices as necessary. Start each appendix on a new page. Note that the title (above) includes a letter and description. Some appendices are required, such as this one.

Be sure to cross-reference all appendices in the body of the paper (i.e. Appendix A: Literature Evidence shows…). Also, each appendix itself must begin with an explanatory paragraph, as some people read these papers from back to front!

Three quality supporting references need to be listed, using APA end-of-paper citation style described in UrRISK folder. Beneath each reference list appropriate information that might be used later to complete the body of the paper.

· At least one (1) location-specific source should be included. This will be general information regarding the chosen location.

· At least two (2) other sources should be risk-related to the sub-topic. For example, a study of commercial kitchen fire control might include National Fire Prevention Association white papers describing commercial kitchen fire control. NOTE: Do NOT expect to find resources describing risks and risk controls specifically at your chosen location.


Appendix B: Structured Analytic Evidence

You may use as many appendices as necessary. Start each appendix on a new page. Note that the title above includes a number and description. Some appendices are required, such as this one. Be sure to cross-reference appendices in the body of the paper (i.e. Appendix B: Structured Analytic Evidence shows…). Also, each appendix itself must begin with an explanatory paragraph (i.e., some people read these papers from back to front!).

It is required to include and complete this appendix. In Appendix B, present the divergent/convergent creative results for your topic of investigation. Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix B.

This would be a good appendix to include a photo of your whiteboard divergent structured analytic technique!

Dish Washing Hazards

Divergent Results

· Cut

· Slip

· Pruning hands

· Water too cold, bacteria not killed

· Water too hot, burns

· Water contaminated with E. coli

· Earthquake

· Hurricane

· Hail storm

· Tornado

· Electric shock

Convergent Results

1. Physical harm

· Electric shock

· Water too hot, burns

· Cut

2. Environmental

· Tornado

· Earthquake

· Hurricane


Appendix C: Threat Analysis

Start each appendix on a new page. In Appendix C, provide a table listing threat sources, motivations, and actions. Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix C: Threat Analysis.

Each appendix must begin with at least one introductory/explanatory paragraph (i.e., for people that read the appendices first, or read these reports backwards).


TIP

Refer to the NIST 800-30 for guidance on finding and creating your appendices. This document is critical in completing UrRISK and provides excellent examples of required appendices.

Appendix D: Vulnerability Analysis

Start each appendix on a new page. In Appendix D, list vulnerabilities, corresponding threats, and actions needed for the risk scenario to occur. Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix D: Vulnerability Analysis.

Each appendix must begin with at least one introductory/explanatory paragraph (i.e., for people that read the appendices first, or read these reports backwards).



Appendix E: Risk Scenario Likelihood Scorecard

Start each appendix on a new page. In Appendix E, provide a table that ranks, from highest to lowest, the likelihood of each vulnerability and threat (i.e., “risk scenario”).

Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix E: Risk Scenario Likelihood.

Each appendix must begin with at least one introductory/explanatory paragraph (i.e., for people that read the appendices first, or read these reports backwards).



Appendix F: Risk Scenario Impact Scorecard

Start each appendix on a new page. In Appendix F, provide a table that ranks potential impact, from highest to lowest, for each vulnerability and threat (i.e., risk scenario).

Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix F: Risk Scenario Impact.

Each appendix must begin with at least one introductory/explanatory paragraph (i.e., for people that read the appendices first, or read these reports backwards).



Appendix G: Risk Matrix

Start each appendix on a new page. In Appendix G, include the risk matrix from UrRISK02. Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix G: Risk Matrix.

The risk matrix must include a quantitative scale for impact and likelihood, and the cells must include the product of those scales. The scales must increase from left-to-right, and bottom-to-top. The cells should be color-coded, although gray-scales are acceptable for black and white printing.

Each appendix must begin with at least one introductory/explanatory paragraph (i.e., for people that read the appendices first, or read these reports backwards). Cross reference items, such as Figure 1, in the preceding paragraph.

Figure 1: Risk Matrix used to determine risk rating (NIST 800-30, 2002)


Appendix H: Risk Rating

Start each appendix on a new page. In Appendix H, provide a table that ranks from highest-to-lowest the risk scenarios (impact x likelihood). Cross-reference (i.e., refer to) this appendix in the main body of the paper as Appendix H: Risk Rating.