Assurance & Security Project Report
11/11/2023
Assurance & Security Task Testimony
Submitted to:
Names of members:
Table of Contents
Introduction
Part 1: Risk Control and Cost Benefit Analysis (CLO2)
Calculations
Weighted Factor Table & Calculations
Risk Analysis & Calculations
Introduction:
As your recently hired information security consultants, we are pleased to work with CoinEx to improve its digital security and look forward to the partnership. As a medium-sized cryptocurrency exchange with plans for rapid international growth, CoinEx depends on security to preserve the integrity of its platform and the confidence of its users. Our goal is to evaluate CoinEx's current security environment thoroughly, find possible weak points, and develop robust mitigation plans. The cryptocurrency market presents particular problems in this dynamic and changing digital age, which call for a proactive and flexible approach to information security. In addition to concentrating on the security problems CoinEx faces now, we will anticipate and prepare for obstacles that may arise during the planned worldwide expansion. Our commitment is to protect the availability, confidentiality, and integrity of the platform, in order to protect CoinEx's interests and the confidence of its users.
In the reports that follow, we will examine the details of the present security setup, assess possible risks, and provide thorough fixes that adhere to industry best practices. Together we will strengthen CoinEx's defenses, consolidating its place in the competitive cryptocurrency market and creating a trustworthy and dependable environment for its customers around the globe.
Part 1: Risk Control and Cost Benefit Analysis (CLO2)
Risk Management:
Risk management is a thorough examination of an organization's current information technology security environment that aims both to detect and to control possible threats. In our work as information security consultants for CoinEx, a medium-sized cryptocurrency exchange that is rapidly expanding internationally, the risk management approach consists of three main parts:
Risk Identification:
• Identification of risk-prone assets.
• Classification of assets in order to determine priority.
• Identification and ranking of the threats to which these assets are exposed.
Risk Assessment:
• Finding the weaknesses connected to each asset, which calls for a thorough vulnerability assessment.
• An assessment of the likelihood that these vulnerabilities will be exploited.
Risk Control:
• The deliberate choice of risk-reduction strategies.
• Rationale for the selected controls.
• Execution of the chosen controls and ongoing oversight of them.
Our goal is to create a tailored and flexible risk management framework aligned with CoinEx's objectives for global development and with the particular opportunities and challenges that come with it. In addition to addressing present security issues, this framework will anticipate and prepare for future risks that could surface during the fast-paced process of global expansion.
By working together through this risk management process, we aim to strengthen CoinEx's security posture and guarantee the availability, confidentiality, and integrity of its vital assets. In the highly competitive world of cryptocurrency exchanges, this proactive strategy will help CoinEx achieve its strategic goals by strengthening user trust and resilience.
Calculations:
- The Exposure Factor (EF) is the percentage of an asset's value that is lost when a given vulnerability is exploited.
- Single Loss Expectancy (SLE) is the asset value multiplied by the EF.
- The Annualized Rate of Occurrence (ARO) is the expected number of loss events per year (an event expected once in twenty years has an ARO of 0.05).
- Annualized Loss Expectancy (ALE) is the SLE multiplied by the ARO.
- The cost-benefit analysis (CBA) formula is CBA = ALEprior - ALEpost - ACS, where ALEprior is the annualized loss expectancy before control deployment, ALEpost is the expected ALE once controls are in place, and ACS is the annualized cost of the safeguard. A positive CBA means the safeguard saves more per year than it costs.
The risk analysis and weighted factor evaluations show that CoinEx has been significantly affected by the security incidents that occurred. Each incident is examined below, together with the weighted rating it was awarded and the computed CBA (Cost Benefit Analysis):

Incident                ALEprior    ALEpost     ACS         CBA = ALEprior - ALEpost - ACS   Weighted score
Leakage of information  $400,000    $200,000    $100,000    $100,000                         78%
Virus attack            $100,000    $100,000    $50,000     -$50,000                         60%
River flooding          $140,000    $140,000    $300,000    -$300,000                        59%
Weighted Factor Table & Calculations:
Each information asset is given a graded impact rating (0 to 1) against each criterion, and a weighted factor analysis worksheet is used to rank the assets in order of importance. The criterion weights sum to 100, so the weighted score is on a 0-100 scale.

Criterion             Revenue   Profitability   Public image   Weighted score
Assigned weight       40        50              10             100
Information leakage   0.2       0.5             0.8            41
Virus attack          0.6       0.7             0.1            60
River flooding        0.9       0.3             0.4            55

1- Leakage of information:
(0.2 × 40) + (0.5 × 50) + (0.8 × 10) = 8 + 25 + 8 = 41
2- Virus attack:
(0.6 × 40) + (0.7 × 50) + (0.1 × 10) = 24 + 35 + 1 = 60
3- River flooding:
(0.9 × 40) + (0.3 × 50) + (0.4 × 10) = 36 + 15 + 4 = 55
Although the information leakage incident carries the highest weighted score in the cost-benefit table (78%), suggesting a major impact on the company, the cost-benefit analysis shows that resolving this issue is affordable, with a positive CBA of $100,000. The virus attack and river flooding incidents, however, show negative CBAs, indicating that the suggested remedies would cost more per year than the losses they avoid.
By using this analysis as a basis for strategic decision-making, CoinEx is able to rank security measures according to their financial effect as well as their relative importance to the company.
Risk Analysis & Calculations:
The residual risk of each vulnerability is computed as
Risk = (value × likelihood) - (value × likelihood × fraction already mitigated) + (value × likelihood × uncertainty),
where the value is the asset's weighted score expressed as a fraction (0.78 for 78%), the likelihood is the probability of the vulnerability being exploited, the mitigated fraction reflects the proposed control, and U is the uncertainty in the estimates.

Vulnerability            U     V
Leakage of information   20%   V1 = (0.78 × 0.6) - 0.70 × (0.78 × 0.6) + 0.20 × (0.78 × 0.6) = 0.234
Attack of virus          60%   V2 = (0.67 × 0.8) - 0.20 × (0.67 × 0.8) + 0.60 × (0.67 × 0.8) = 0.7504
River flooding           70%   V3 = (0.57 × 0.3) - 0.15 × (0.57 × 0.3) + 0.70 × (0.57 × 0.3) = 0.26505

The information leakage vulnerability has the greatest weighted score (78%), indicating that it has a substantial impact on the firm, yet it ends up with the lowest residual risk (0.234), because the proposed control mitigates 70% of the risk and the uncertainty in the estimate is only 20%. The virus attack and river flooding vulnerabilities carry higher residual risk (0.7504 and 0.26505 respectively): their proposed controls mitigate a smaller fraction of the risk and the estimates are far more uncertain, and, as the cost-benefit analysis already showed, the suggested remedies would not be financially feasible.
This analysis, which takes into account both the financial and the risk perspectives, enables CoinEx to make well-informed decisions and to prioritize security solutions according to their cost-effectiveness and their possible influence on the company.
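The calculations above, as an added worked example that is not part of the original report: a Python worksheet that recomputes the weighted scores, the cost-benefit figures and the residual risk values from the inputs stated in the tables, and applies the ALE definition to the flood narrative in Incident #3. The function names and the dictionary layout are this example's own; the ARO of one flood per twenty years comes from the text, while the AROs behind the leakage and virus figures are not stated in the report, so those ALEs are taken from the table as given.

```python
"""Quantitative risk worksheet for the three CoinEx incidents: the EF/SLE/ARO/ALE
chain, the cost-benefit formula, the weighted factor analysis and the three-term
residual risk formula, applied to the figures stated in this report."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is events per year, so a once-in-20-years event has ARO 0.05."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALEprior - ALEpost - ACS. Positive means the safeguard saves more than it costs."""
    return ale_prior - ale_post - acs


def weighted_score(impacts: dict, weights: dict) -> float:
    """Weighted factor analysis: sum over criteria of impact rating (0-1) x criterion weight.
    Weights must total 100 so the score lands on a 0-100 scale."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criterion weights must sum to 100")
    return sum(impacts[criterion] * weight for criterion, weight in weights.items())


def residual_risk(value: float, likelihood: float, mitigated: float, uncertainty: float) -> float:
    """Risk = (L x V) - (L x V x fraction mitigated by the control) + (L x V x uncertainty)."""
    base = likelihood * value
    return base - mitigated * base + uncertainty * base


# Criterion weights and impact ratings from the weighted factor table.
WEIGHTS = {"revenue": 40, "profitability": 50, "public_image": 10}
IMPACTS = {
    "information_leakage": {"revenue": 0.2, "profitability": 0.5, "public_image": 0.8},
    "virus_attack": {"revenue": 0.6, "profitability": 0.7, "public_image": 0.1},
    "river_flooding": {"revenue": 0.9, "profitability": 0.3, "public_image": 0.4},
}

# (ALEprior, ALEpost, ACS) from the cost-benefit table.
CBA_INPUTS = {
    "information_leakage": (400_000, 200_000, 100_000),
    "virus_attack": (100_000, 100_000, 50_000),
    "river_flooding": (140_000, 140_000, 300_000),
}

# (value, likelihood, fraction mitigated, uncertainty) from the risk analysis table.
RISK_INPUTS = {
    "information_leakage": (0.78, 0.6, 0.70, 0.20),
    "virus_attack": (0.67, 0.8, 0.20, 0.60),
    "river_flooding": (0.57, 0.3, 0.15, 0.70),
}


def worksheet() -> dict:
    """Recompute every figure in the report's tables from its stated inputs."""
    return {
        "weighted_scores": {k: weighted_score(v, WEIGHTS) for k, v in IMPACTS.items()},
        "cba": {k: cost_benefit(*v) for k, v in CBA_INPUTS.items()},
        "residual_risk": {k: residual_risk(*v) for k, v in RISK_INPUTS.items()},
    }


def flood_ale(daily_loss: float = 20_000, outage_days: int = 7,
              years_between_floods: int = 20) -> tuple:
    """Incident #3: the asset at risk is a year of on-site revenue and the EF is the
    fraction of the year lost to the outage, so SLE = daily_loss x outage_days.
    Spreading one event over its return period gives the ALE."""
    sle = single_loss_expectancy(daily_loss * 365, outage_days / 365)
    return sle, annualized_loss_expectancy(sle, 1 / years_between_floods)


if __name__ == "__main__":
    for section, rows in worksheet().items():
        print(section)
        for name, value in rows.items():
            print(f"  {name:<22}{value:>12,.4f}")
    sle, ale = flood_ale()
    print(f"flood SLE ${sle:,.0f} -> ALE ${ale:,.0f} at one flood per 20 years")
```

Running it reproduces 41, 60 and 55 for the weighted scores, +$100,000, -$50,000 and -$300,000 for the CBAs, and 0.234, 0.7504 and 0.26505 for the residual risks. The flood check is the useful caveat: $140,000 is the single loss expectancy of one seven-day outage, and at one flood per twenty years the annualized loss expectancy is $7,000, so even a scheme that prevented the loss entirely would fail the cost-benefit test at $300,000 per year by a wider margin than the table suggests.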
Answer the following questions as part of your analysis:
1. In reference to Incident #1, the information leakage event makes it necessary to assess whether moving server administration to a cloud provider would be financially advantageous. Taking this action not only addresses the information leakage issue but also brings other benefits. Relocating servers to a cloud environment can save the time and money that would otherwise be spent maintaining physical infrastructure.
Adopting cloud technology also offers more accessibility and flexibility: staff may securely access information and applications from any location with an internet connection. Choosing a trustworthy cloud provider with a strong security record, and verifying its data protection policies, gives assurance about how the organization's data will be handled.
Moving servers to a cloud provider at an annualized cost of $100,000 is a calculated strategic move meant to avert similar incidents in the future, and the cost-benefit analysis supports it (CBA = $400,000 - $200,000 - $100,000 = +$100,000). A staff training program would be a good addition to the cloud migration, increasing the overall efficacy of the security controls put in place.
2. Regarding the malware attack in Incident #2, one can ask: is purchasing an antivirus license a financially responsible course of action? Acquiring an antivirus license becomes a consideration given the substantial losses the firm suffered: $10,000 per day, or $100,000 in total, during the ten-day period that the virus attack kept the system offline. It is important to remember that even if purchasing an antivirus license might seem like a cost-effective option, it does not provide complete protection against infections.
The business should give top priority to creating a thorough incident response plan in order to respond to any security event efficiently. The plan covers the key phases of incident detection, response, containment, recovery, and damage assessment. Having acknowledged the limitations of antivirus licensing, the company needs to balance the advantages against the disadvantages and look into other, possibly more affordable, options.
Taking into account the company's recent experience with a virus attack and the likelihood of a repeat, the suggested remedy calls for a $50,000 yearly expenditure on the antivirus software. Because the cost-benefit table assumes the license does not reduce the expected annual loss (ALEpost remains $100,000), the CBA is -$50,000. CoinEx should therefore carefully consider whether purchasing this specific antivirus license is actually advantageous or whether more affordable options ought to be explored.
3. Regarding Incident #3, the river flooding, is implementing the community flood defense scheme a reasonable course of action? Natural catastrophes have long been part of the Earth's cycle, harming infrastructure, companies, and human lives by depleting resources and interfering with daily activities. Even though we are powerless to stop such disasters, we can lessen their consequences through thorough investigation, including identifying and controlling the related risks.
Given the previous year's flood, which shut down access to the company's site for one week, and the fact that floods happen roughly every twenty years (an ARO of 0.05), it is necessary to discuss the financial consequences.
During such events, the expected daily income loss from on-site activities is $20,000, so a seven-day outage is a single loss of $140,000. The suggested remedy is to join a Community Flood Defenses Scheme, which requires a $300,000 yearly commitment. The decision to participate should be carefully considered, balancing that financial commitment against the possible advantages of improved flood protection.
Discussion regarding proposed solution:
Even though the firm expects to be affected by a flood only once every 20 years and the outage is limited to 7 days, management is considering joining the Community Flood Defenses Scheme at $300,000 per year. A viable alternative, moving corporate operations, would avoid this recurring expenditure over the course of two decades and avert the $140,000 income loss that a flood would cause. CoinEx could thus escape the scheme's financial burden. Even if joining the community's flood defenses is not the immediate priority, it remains an option that could be explored in the future.
Given the scheme's cost, moving CoinEx's headquarters to a place where flooding is rare, away from towns that frequently flood, or perhaps offshore, might be the more sensible course of action.