
Risk Analysis and Assessment
Lab Manual
Department of Computer Science and Engineering
The NorthCap University, Gurugram
Risk Analysis and Assessment | i
2019-20

Risk Analysis and Assessment
Lab Manual
CSL385
Dr. Yogita Gigras

Department of Computer Science and Engineering

NorthCap University, Gurugram- 122001, India

Session 2019-20

Published by:

School of Engineering and Technology

Department of Computer Science & Engineering

The NorthCap University Gurugram



• Laboratory Manual is for Internal Circulation only

© Copyright Reserved

No part of this Practical Record Book may be reproduced, used or stored without prior permission of The NorthCap University.

Copying or facilitating copying of lab work comes under cheating and is considered as use of
unfair means. Students indulging in copying or facilitating copying shall be awarded zero marks
for that particular experiment. Frequent cases of copying may lead to disciplinary action.
Attendance in lab classes is mandatory.

Labs are open up to 7 PM upon request. Students are encouraged to make full use of labs beyond
normal lab hours.

PREFACE

The Risk Analysis and Assessment Lab Manual is designed to meet the course and program
requirements of the NCU curriculum for B.Tech III year Cyber Security students of the CSE branch.
The concept of the lab work is to give students brief practical experience of basic lab skills. It
provides the space and scope for self-study so that students can come up with new and creative
ideas.

The lab manual is written on the basis of a “teach yourself” pattern, and it is expected that students
who come with proper preparation should be able to perform the experiments without any
difficulty. A brief introduction to each experiment, with information about self-study material, is
provided. The laboratory case study will assist students in developing an understanding of the
fundamentals of risk management and will introduce classical as well as state-of-the-art risk
analysis techniques. Students will be able to perform a risk assessment and determine mitigation
steps for the same. Students are expected to come thoroughly prepared for the lab. General
discipline, safety guidelines and report writing are also discussed.

The lab manual is a part of the curriculum of The NorthCap University, Gurugram. The teacher’s
copy of the experimental results and answers to the questions is available as a sample guideline.

We hope that the lab manual will be useful to students of the CSE and IT branches, and the author
requests readers to kindly forward their suggestions / constructive criticism for further
improvement of the work book.

The author expresses deep gratitude to the Members of the Governing Body, NCU, for encouragement and
motivation.

Authors
The NorthCap University
Gurugram, India


CONTENTS
S.N.  Details

      Syllabus
1     Introduction
2     Lab Requirement
3     General Instructions
4     List of Experiments
5     Rubrics

1. INTRODUCTION

That ‘learning is a continuous process’ cannot be overemphasized. The theoretical
knowledge gained during lecture sessions needs to be strengthened through practical
experimentation. Thus, practical work forms an integral part of the learning process.

The purpose of conducting experiments can be stated as follows:

● Perform a complete risk assessment.
● Assign a data owner and custodian to an information asset.
● Assign classification values to critical information assets.
● Prioritize risk remediation efforts as a result of performing a risk assessment.
● Evaluate risk management models for use in their own organization.
● Prepare an audit report for IT infrastructure.

2. LAB REQUIREMENTS

Requirements            Details

Software Requirements   NMAP, Nikto, Vega

Operating System        Kali Linux

Hardware Requirements   Windows and Linux: 8 GB RAM (recommended), 80 GB hard disk space

Required Bandwidth      NA

3. GENERAL INSTRUCTIONS

3.1 General discipline in the lab

● Students must turn up in time and contact the concerned faculty for the experiment they
are supposed to perform.

● Students will not be allowed to enter the lab late.

● Students will not leave the class till the period is over.

● Students should come prepared for their experiment.

● Experimental results should be entered in the lab report format and certified/signed
by the concerned faculty / lab instructor.

● Students must get the connection of the hardware setup verified before switching on
the power supply.

● Students should maintain silence while performing the experiments. If any necessity
arises for discussion amongst them, they should discuss in a very low pitch
without disturbing the adjacent groups.

● Violating the above code of conduct may attract disciplinary action.

● Damaging lab equipment or removing any component from the lab may invite
penalties and strict disciplinary action.

3.2 Attendance

● Attendance in the lab class is compulsory.

● Students should not attend a different lab group/section other than the one assigned
at the beginning of the session.

● On account of illness or some family problems, if a student misses his/her lab
classes, he/she may be assigned a different group to make up the losses in
consultation with the concerned faculty / lab instructor. Or he/she may work in the
lab during spare/extra hours to complete the experiment. No attendance will be
granted for such cases.

3.3 Preparation and Performance

● Students should come to the lab thoroughly prepared on the experiments they are
assigned to perform on that day. A brief introduction to each experiment with
information about self-study references is provided on the LMS.

● Students must bring the lab report to each practical class with written records
of the last experiments performed, complete in all respects.

● Each student is required to write a complete report of the experiment he/she has
performed and bring it to the lab class for evaluation in the next working lab. Sufficient
space in the work book is provided for independent writing of theory, observations,
calculations and conclusions.

● Students should follow the zero tolerance policy for copying / plagiarism. Zero
marks will be awarded if work is found copied. If caught again, it will lead to disciplinary
action.

● Refer to Annexure 1 for the Lab Report Format.



4. LIST OF EXPERIMENTS

Sr. No.  Title of the Experiment                                                   Software used       Unit covered  CO Covered  Time Required

1.       Design Vulnerability Report on NCU                                        Nikto, Vega, NMAP   1             CO1         4 hrs
2.       Design Vulnerability Report on E-Commerce site                            Nikto, Vega, NMAP   1             CO1         4 hrs
3.       Design Risk Assessment Report on NCU                                      NA                  2             CO2         4 hrs
4.       Policy on online teaching and exam conduction                             NA                  1             CO1         4 hrs
5.       Perform Risk mitigation steps on risk assessment report of NCU            NA                  3             CO3         4 hrs
6.       Risk treatment and risk communication on risk assessment report of NCU    NA                  4             CO4         4 hrs
7.       Discuss risk management scenario                                          NA                  1             CO1         4 hrs
8.       Design ISO audit report on NCU                                            NA                  5             CO5         6 hrs

5. RUBRICS

Marks Distribution

Continuous Evaluation (50 Marks)

Each experiment shall be evaluated for 10 marks and viva at the end of the semester;
proportional marks shall be awarded out of a total of 50.

Following is the breakup of 10 marks for each experiment:
6 Marks: Observation & conduct of experiment. Teacher may ask questions about the experiment.
2 Marks: For completing questions given at the end of each experiment.
2 Marks: For timely submission.

Project Evaluations (20 Marks)

At the end of the semester a viva will be conducted related to the subject knowledge, and this
component carries 20 marks.

Annexure 1
Annexure 1

Risk Analysis and Assessment (CSL 385)

Lab Practical Report

Faculty name:

Student name: Sahil Bhardwaj

Roll No.: 21csu485

Semester: 6th

Group: cs2

Department of Computer Science and Engineering


NorthCap University, Gurugram- 122001, India
Session 2019-20
INDEX

S.No  Experiment  Page No.  Date of Experiment  Date of Submission  Marks  CO Covered  Sign

EXPERIMENT NO. 1

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective(s):

● Identify assets, threats and vulnerabilities

● Classify threats under different categories: adversarial, accidental, structural, environmental


Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:

Design Vulnerability Report on NCU

Background Study:
The vulnerability assessment report contains three columns in an Excel file: assets, vulnerability and threat.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.

Question Bank:

1. Identify technical assets and operational assets.

2. Identify vulnerabilities present in NCU software.

3. Explain the different types of vulnerabilities.

4. What is the difference between a vulnerability and a threat?



Student Work Area



EXPERIMENT NO. 2

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Identify assets, threats and vulnerabilities

● Classify threats under different categories: adversarial, accidental, structural, environmental

Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:
Design Vulnerability Report on E-Commerce site

Background Study:

The vulnerability assessment report contains three columns in an Excel file: assets, vulnerability and threat.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.

Question Bank:

1. Identify management and infrastructure assets.

2. Identify vulnerabilities related to policies in an e-commerce website.



Student Work Area



EXPERIMENT NO. 3

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Identify assets, threats and vulnerabilities

● Classify threats under different categories: adversarial, accidental, structural, environmental


Outcome:

Students will be familiarized with the concepts of assets, threats and vulnerabilities and will prepare a report on them.

Problem Statement:
Design Risk Assessment Report on NCU
Background Study:
The risk assessment report contains the following columns in an Excel file: assets, vulnerability, threat,
threat severity, threat likelihood, risk, type of risk and risk severity.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = Threat × Vulnerability on a particular asset.

Question Bank:
1. Mention two characteristics of software risk.

2. What do you mean by exposure factor?

3. To estimate the level of risk from a particular type of security breach, three factors are considered:
threats, vulnerabilities, and impact. An agent with the potential to CAUSE a security breach, which could be
either a person or an environmental condition such as fire, would be ……………

4. What are the differences between quantitative risk assessment and qualitative risk assessment?

Student Work Area



EXPERIMENT NO. 4

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the management requirement and formulate it into a high-level
statement.
● Formulate statements that are concise, brief, unambiguous and easy to understand
Outcome:
Student will be able to frame security policies.
Problem Statement:
Policy on online teaching and exam conduction.
Background Study:

A policy is a high-level statement of requirements. A security policy is the primary way in which
management’s expectations for security are communicated to the builders, installers, maintainers, and
users of an organization’s information systems.
A good security policy should be a high-level, brief, formalized statement of the security practices
that management expects employees and other stakeholders to follow.
A policy should contain: purpose, scope, responsibility and content.

Question Bank:
1. What are the security documents?

2. What are the characteristics of a good policy?

3. Design a policy for an online banking system from the customer’s end.



Student Work Area

Policy Document: Online Teaching and Exam Conduction

Purpose:
This policy outlines the framework for effective and secure delivery of online teaching
and exam conduction within the NorthCap University. It seeks to ensure that students
receive quality education and are assessed fairly while maintaining academic integrity.

Scope:

This policy applies to:

● Students
● Teachers
● Service Staff

It also applies to:

● Online courses
● Online proctoring
● Exam administration
● Use of online learning platforms and technologies

Responsibility:

Students:

● Actively participate in online learning activities and discussions.
● Adhere to academic integrity principles and avoid any form of cheating or plagiarism during exams.
● Seek clarification from instructors regarding course content and assessment procedures when needed.
● Students should demonstrate respect for instructors, classmates, and course materials in all online interactions.
● Students should possess basic technological skills necessary for participating in online classes and completing online assessments.
● Students may be invited to provide feedback on the effectiveness of online teaching methods and exam conduction procedures.

Teachers:

● Following the specified procedures for online teaching methods, assessment design, and exam proctoring.
● Teachers should be vigilant for any violations of the policy and take appropriate action as necessary.
● Offering training and support to students on how to navigate online learning platforms, access course materials, and participate in online discussions.
● Teachers should also provide guidance on exam preparation and familiarize students with the exam format and procedures.
● Teachers should provide feedback on the effectiveness of the policy and suggest improvements or adjustments as needed.
● Keeping records of online teaching activities, assessment results, and any incidents related to academic integrity violations.
● Teachers should maintain accurate documentation to ensure accountability and transparency in their teaching practices.

Service Staff:

● Providing training sessions or workshops on using online learning platforms and exam administration tools.
● Offering technical support to troubleshoot any issues related to online teaching platforms or exam conduction tools.
● Regularly reviewing online courses and exams to ensure they align with the guidelines provided in the policy.
● Collecting feedback from faculty, staff, and students regarding their experiences with online teaching and exam conduction.
● Maintaining records of training sessions, workshops, and support provided to faculty and students.
● Coordinating with other departments or teams involved in online education to ensure seamless integration of policies and procedures.

Content:

Online Teaching:

● Clear objectives and structure aligned with learning outcomes.
● Engaging and diverse content delivery (video, interactive activities, etc.).
● Regular communication and feedback mechanisms.
● Accessibility considerations for students with disabilities.
● Leveraging approved and secure learning platforms like Teams.
● Providing training and support for faculty and students.
● Fostering interactive and collaborative learning environments.

Online Exam Conduction:

● Utilizing varied assessment methods aligned with learning objectives.
● Implementing appropriate proctoring protocols.
● Using well-developed software for conducting exams.
● Clearly communicating expectations and procedures to students.
● Protecting student information and exam data according to relevant regulations.
● Utilizing secure online testing platforms with strong data protection measures.

EXPERIMENT NO. 5

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the different types of security controls: logical controls, physical controls,
organizational controls and personnel controls
Outcome:
Students will be able to identify all the controls applicable to a given risk and recommend
one specific control to mitigate that risk.
Problem Statement:
Perform Risk mitigation steps on risk assessment report of NCU.
Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity,
threat likelihood, risk, type of risk, risk severity, control and recommended control.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = Threat × Vulnerability on a particular asset.
Security controls are categorised in the following areas:
• Logical controls (e.g. protection of data, protection of network assets, protection of access to
applications etc.)
• Physical controls (e.g. alarm systems, fire sensors, physical access control, surveillance etc.)
• Organisational controls (e.g. usage rules, administration procedures, process descriptions,
definition of roles etc.)
• Personnel controls (e.g. sanctions, confidentiality clauses in contracts, training and awareness etc.)
Question Bank:
1. Mention controls that can substitute for the loss of primary controls and mitigate risk down to an
acceptable level.

2. Which type of control protects transmitted data and information as well as stored data against
unauthorized disclosure?

3. How does the least-cost approach impact risk mitigation strategy decisions?

Student Work Area



EXPERIMENT NO. 6

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the different options of risk treatment: mitigation, transfer, avoidance and
retention of risks
Outcome:

Student will be able to find out residual risk and prepare overall summary of risk management.
Problem Statement:
Risk treatment and risk communication on risk assessment report of NCU.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity,
threat likelihood, risk, type of risk, risk severity, control, recommended control and residual risk.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = Threat × Vulnerability on a particular asset.
Options of risk treatment: mitigation, transfer, avoidance and retention of risks
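As an added worked example (not part of the manual), the following Python script fills in the computed columns of the report layout shared by Experiments 3, 5 and 6: it scores risk as threat severity × threat likelihood on each asset, bands the risk severity, derives the residual risk left by the existing control, and suggests one of the four treatment options, then orders the rows for remediation priority. The 1..5 scoring scale, the severity bands, the control-effectiveness column, the treatment rule and the sample rows are assumptions constructed for this example.

```python
"""Risk register calculator for the report layout used in these experiments.

Columns from the manual: asset, vulnerability, threat, threat severity, threat
likelihood, risk, type of risk, risk severity, control, recommended control and
residual risk. The 1..5 scale, the bands, the control-effectiveness column and
the treatment rule are assumptions made for this example, not from the manual.
"""
import csv
import io

# Threat categories named in the experiment objectives.
THREAT_CATEGORIES = ("adversarial", "accidental", "structural", "environmental")

# Constructed sample register (illustrative rows, not real NCU data).
SAMPLE_CSV = """\
asset,vulnerability,threat,threat_severity,threat_likelihood,type_of_risk,control,control_effectiveness
LMS server,Unpatched web application,Adversarial: web attack by outsider,5,4,Technical,Web application firewall,0.6
Exam records,No off-site backup,Environmental: fire in server room,5,1,Operational,Fire sensors,0.3
Faculty laptops,No screen-lock policy,Accidental: device left unlocked in lab,3,4,Organisational,Acceptable-use policy,0.5
Student accounts,Weak password rules,Adversarial: credential guessing,4,3,Technical,Password policy and lockout,0.7
"""

def threat_category(threat):
    """Classify a threat from its 'Category: description' prefix."""
    category = threat.split(":", 1)[0].strip().lower()
    if category not in THREAT_CATEGORIES:
        raise ValueError(f"unknown threat category in {threat!r}")
    return category

def risk_score(severity, likelihood):
    """Risk = threat x vulnerability on the asset: threat severity (impact)
    times threat likelihood, each 1..5, giving a 1..25 score."""
    for value in (severity, likelihood):
        if not 1 <= value <= 5:
            raise ValueError(f"score {value} outside 1..5")
    return severity * likelihood

def risk_severity(score):
    """Band a 1..25 score (assumed bands)."""
    if score >= 15:
        return "High"
    return "Medium" if score >= 8 else "Low"

def residual_risk(score, effectiveness):
    """Risk left after the existing control removes a fraction (0..1) of it."""
    return round(score * (1 - effectiveness), 1)

def treatment_option(score, residual, appetite=5.0):
    """Assumed rule: retain what is within appetite, mitigate medium risks,
    transfer or avoid high risks the current control cannot bring down."""
    if residual <= appetite:
        return "Retain"
    return "Transfer or avoid" if risk_severity(score) == "High" else "Mitigate"

def assess(csv_text):
    """Fill in the computed columns and order rows by remediation priority."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = risk_score(int(row["threat_severity"]), int(row["threat_likelihood"]))
        residual = residual_risk(score, float(row["control_effectiveness"]))
        row.update(threat_category=threat_category(row["threat"]), risk=score,
                   risk_severity=risk_severity(score), residual_risk=residual,
                   treatment=treatment_option(score, residual))
        rows.append(row)
    return sorted(rows, key=lambda r: r["residual_risk"], reverse=True)

if __name__ == "__main__":
    for r in assess(SAMPLE_CSV):
        print(f"{r['asset']:<17} {r['threat_category']:<13} risk={r['risk']:>2} "
              f"{r['risk_severity']:<6} residual={r['residual_risk']:<4} {r['treatment']}")
```

Replace SAMPLE_CSV with the report exported from Excel as CSV (same header names) to run it over a real register.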

Question Bank:

1. What is residual risk?

2. What are the direct and indirect methods of risk treatment?

Student Work Area



EXPERIMENT NO. 7

Student Name and Roll Number: Sahil Bhardwaj 21csu485

Semester /Section: 6th sem

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Discuss risk management scenario


Outcome:

Student will be able to find out residual risk and prepare overall summary of risk management.
Problem Statement:
Discuss the risk management scenario in the given case study:

The Challenge
When you’re a global manufacturing company, litigation comes with the territory.
And the way you manage and produce all of the documentation required for legal matters has a
major impact on the bottom line. The steps involved in eDiscovery, legal review, information
production and distribution are challenging in themselves. They are complicated by demanding
discovery timelines... the threat of penalties for non-compliance... the increasing cost of outside
counsel... and inconsistent processes used by suppliers. All of these factors contribute to the
skyrocketing costs of litigation and make it difficult for companies to manage risk across the
enterprise in the most efficient way. A few years ago, a leading manufacturer decided to tackle
these problems head-on in a bold and innovative way. At the time, the company relied on a variety
of outside suppliers for everything from database search and retrieval, eDiscovery processing,
document coding, legal review, information production, warehousing and distribution. In addition,
the company did not have direct control over these suppliers, since they were typically hired by
outside counsel for assistance on a particular matter. As a result, there was no consistent,
enterprise-wide discovery process or document management solution. And that made it difficult for
the company’s legal staff to maximize efficiency and maintain consistency in case/matter
productions. The company also realized that their case-by-case approach to discovery and their
reliance on outside counsel were driving up costs. From their perspective, there was only one real
solution. They had to completely transform their approach to litigation support. So they began to
look for a strategic partner with the experience, expertise and wide-ranging resources necessary to
turn an inefficient business process into a benchmark operation. After a careful review of proposals
from 10 leading sources, the company decided to manage its litigation support with the business
process outsourcing experts from XYZ Services Pvt Ltd.

Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity,
threat likelihood, risk, type of risk and risk severity.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = Threat × Vulnerability on a particular asset.
Options of risk treatment: mitigation, transfer, avoidance and retention of risks

Question Bank:

1. What is residual risk?

2. Mention the recommended control for the case study.

Student Work Area



EXPERIMENT NO. 8

Student Name and Roll Number:

Semester /Section:

Link to Code:

Date:

Faculty Signature:

Marks:

Objective:

● Understand the ISO 27001 and ISO 27002 audit domains


Outcome:

Student will be able to find out residual risk and prepare overall summary of risk management.
Problem Statement:
Design ISO audit report on NCU.
Background Study:
The report contains the following columns in an Excel file: assets, vulnerability, threat, threat severity,
threat likelihood, risk, type of risk, risk severity, control, recommended control and residual risk.
Asset: anything that has value to the organization.
Vulnerability: a weakness of an asset that can be exploited by one or more threats.
Threat: any action or event with the potential to cause harm.
Risk = Threat × Vulnerability on a particular asset.
Options of risk treatment: mitigation, transfer, avoidance and retention of risks

Question Bank:

1. What is an ISMS?

2. What are the differences between security and privacy?

3. What are the key benefits of ISO 27001?

4. What do you mean by incident management?

Student Work Area


