Before implementing an information security program or system, the organization must identify the assets it's trying to protect, calculate the value of those assets, understand the threats against those assets, determine how vulnerable those assets are to those threats, and assess the risk to the organization.

You are the CISO at Prestigious University, which will be opening a library in a new building. One of the university's objectives is to ensure students, faculty members, and visitors have appropriate access to library materials and services, including electronic access. The library will also be available to the local community.

As the CISO, you have been tasked to conduct a security risk assessment to ensure proper security controls are in place to protect library assets and users of the library. The program manager has provided you with the following basic design for the library.

Computer Systems

There will be $10$ staff desktop computers with access to the online library database and electronic loan system.

There will be $20$ new Windows $10$ desktops for public and administrative use.

Each includes a host$-$based firewall $($Windows Defender$).$

Each includes anti$-$virus protection.

Each hard drive uses BitLocker encryption.

There will be $12$ refurbished Windows $7$ desktops for public use.

They do not have a host$-$based firewall capability.

They do not include anti$-$virus protection.

The library's SQL database is on a Windows $2003$ server.

There is no system to back up data from any of the $42$ computers.

Security Architecture

There are $6$ wireless access points $($WAPs$)$ for Wi$-$Fi access using wired equivalent privacy $($WEP$)$ for transferring data.

There is no network monitoring, except for intrusion detection software.

Library staff user passwords allow a maximum of $8$ numbers, but no characters.

The password system passes user passwords to the authentication system in plaintext.

The password system stores the passwords in plaintext.

Based on the description of the library's design plan, write a $2-$ to $3-$page risk assessment using the Security Risk Assessment Template. Include Parts A and B below.

Part A:

Outline a basic risk assessment using the table in the template. Include the following:

Assets: List and prioritize the relevant assets that must be protected.

Vulnerabilities$/$Weaknesses: List the vulnerabilities $($security weaknesses$)$ that could be exploited.

Threats: List the threats that may be motivated and capable of exploiting those vulnerabilities.

Mitigations: List any mitigations in place to reduce the exposure from those threats.

Impact: List the potential impact to the library's objectives if a threat successfully exploits the vulnerabilities.

Probability$/$Likelihood: Describe the probability or likelihood that the threat would successfully exploit the vulnerability.

Risk: Determine the level of risk for each vulnerability using Table I$-2$: Assessment Scale $-$ Level of Risk $($Combination of Likelihood and Impact$)$ in Appendix I of NIST's Guide for Conducting Risk Assessments.

Part B:

Write a $1-$ to $2-$page risk assessment summary in the template. Address the following:

Describe how moving the library database to a cloud environment, along with moving routine backups to the cloud environment, helps mitigate the risks you calculated in Part A$.$

Summarize how the probability of a threat exploiting the database and backups in the cloud reduces or increases the risk from the current on$-$premise design.