back to topSoftArc Engineering Ltd (SEL) is a civil engineering company which works across Australia as well as in New Zealand, Fiji, Vanuatu, Indonesia, Timor Leste and Papua New Guinea.

SEL has a small data centre at its main site in Bathurst where the company’s servers and data storage is located. The company has the following server infrastructure:

The company has some 70 engineering and support staff that work on different projects for clients in various locations in Australia and overseas. The support staff are mainly based in Bathurst, but engineering staff are located in different parts of Australia, New Zealand, an d Papua New Guinea. Most of the support staff have access to a PC, although some support staff share a PC with other staff. The engineering staff all connect remotely to the SEL data centre from their laptops. The SEL data centre infrastructure has not been updated for some time and the SEL Board is concerned that they may be exposed to a cyber attack as they are now starting to work on various Government projects in different countries.


You have been employed by SEL as their first ever Chief Information Security Officer (CISO). You have been tasked by the Board to conduct a review of the company’s risks. You are required to produce for the next SEL Board meeting:

  1. A document that summarises the major IT risks that SEL currently faces. This document should identify the major risks and their impact, likelihood and consequence. It should also discuss the possible controls to mitigate these risks.
  2. A complete Risk Register for SEL. This risk register must contain, as a minimum:
    1. A description of all risks identified for each IT asset, data set or process. This must not be restricted just to major risks.
    2. A summary of the impact or consequence to each IT asset, data set or process, if the identified risk was to arise.
    3. The likelihood of this risk occurring.
    4. The inherent risk assessment (this is the assessed, raw/untreated risk inherent in a process or activity without doing anything to reduce the likelihood or consequence).
    5. The key controls to mitigate the risk (NOTEit is possible that there may be more than one (1) control needed. Each control should be listed on a separate line)
    6. The residual risk assessment (this is the assessed risk in a process or activity, in terms of likelihood and consequence, after controls are applied to mitigate the risk)
    7. Prioritisation of the risk (what is the priority order for the risks to be addressed).

Your Risk Register should be in table format using the following column headings:

Your summary document should provide references in APA 7 format.