IT Security Risk Assessment Course Paper
You are employed by Government Security Consultants, a subsidiary of Largo Corporation. As a member of the IT security consulting team, one of your responsibilities is to ensure the security of assets and to provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy of client organizations.
A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats.
In a series of New York Times articles, BRI was exposed as the victim of several security breaches. As a follow-up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency's information security controls and identified numerous issues.
The head of the agency has contracted your company to conduct an IT security risk assessment on its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps.
It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.
This learning activity focuses on IT security, an overarching concern that touches practically every facet of an organization's activities. You will learn the key steps of preparing for and conducting a security risk assessment, and how to present the findings to leaders and convince them to take appropriate action.
Understanding security capabilities is part of the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern for every organization and can spell the success or failure of its mission. Effective IT professionals are expected to be up to date on trends in IT security, current threats and vulnerabilities, state-of-the-art safeguards, and security policies and procedures.
IT professionals must also be able to communicate effectively (orally and in writing) with executive management in plain, non-technical language that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities.
- Steps to Completion
Your instructor will form the teams. Each member is expected to contribute to the team agreement which documents the members’ contact information and sets goals and expectations for the team.
1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats.
The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing and therefore new types of security opportunities and threats are emerging which may impact the agency.
Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary for this environment.
The following incidents involving BRI's systems occurred and were reported in the New York Times and other media outlets:
- BRI's network was compromised by nation-state-sponsored attackers, and the attacks are continuing. It is believed that the attackers accessed the intelligence data used to support U.S. diplomats.
- The chief of the bureau used his personal e-mail system for both official business purposes and for his own individual use.
- A software defect in BRI's human resource system, a web application, improperly allowed users to view the personal information of all BRI employees, including social security numbers, birthdates, addresses, and bank account numbers (used for direct deposit of paychecks). After the breach, evidence was accidentally destroyed, so neither the cause of the incident nor the attackers were ever determined.
- A teleworker brought home a laptop containing classified intelligence information. It was stolen during a burglary and never recovered.
- A disgruntled employee of a contractor for BRI disclosed classified documents through the media. He provided the media with, among other things, confidential correspondence between U.S. diplomats and the President that were very revealing.
- Malware had infected all of the computers in several foreign embassies causing public embarrassment, security risks for personnel and financial losses to individuals, businesses and government agencies including foreign entities.
These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI's information security posture. Using standards and guidance from the National Institute of Standards and Technology and other parties, GAO made the following findings:
Identification and Authentication Controls
- Controls over the length of passwords for certain network infrastructure devices were set to less than eight characters.
- User account passwords had no expiration dates.
- Passwords are the sole means for authentication.
- BRI allowed users to have excessive privileges to the intelligence databases. Specifically, BRI did not appropriately limit the ability of users to enter commands using the user interface. As a result, users could access or change the intelligence data.
- BRI did not appropriately configure Oracle databases running on a server that supported multiple applications. The agency configured multiple databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases; potentially exceeding his/her job duties.
- At least twenty user accounts were active on an application’s database, although they had been requested for removal in BRI’s access request and approval system.
- BRI does not use any type of data encryption for data-at-rest but protects data-in-transit using VPN.
- A division data manager can independently control all key aspects of the processing of confidential data collected through intelligence activities.
- One employee was able to derive classified information by “aggregating” unclassified databases.
- Wireless systems use the Wired Equivalent Privacy (WEP) standard for ensuring secure transmission of data.
- The agency permitted the “Bring Your Own Device” (BYOD) concept and therefore users can utilize their personal mobile devices to connect to the agency network freely.
- In the event of a network failure due to hacking, the data center manager has his recovery plan but has not shared it with anyone in or out of the center. He was not aware of any requirement to report incidents outside of the agency.
- There has never been any testing of the security controls in the agency.
- Processes for the servers have not been documented; they exist only in the minds of the system managers.
- Patching of key databases and system components has not been a priority. Patches have either been applied late or not at all. Managers explained that it takes time and effort to test patches against their applications.
- Scanning of devices connected to the network for possible security vulnerabilities is done only when the devices are returned to inventory for future use.
- System developers working on financial systems are allowed both to develop code and to access production code.
- Unauthorized personnel were observed "tailgating" (closely following an authorized employee) while entering a secure data center.
- The monthly review process at a data center failed to identify a BRI employee who had separated from the agency, and her access privileges were not removed. She was still able to access restricted areas for at least three months after her separation.
End User Security
- Users, even in restricted areas, are allowed to use social media such as Facebook. The argument offered is that this is part of the agency's public outreach efforts.
- Users receive a 5-minute briefing on security as part of their orientation session that occurs typically on their first day of work. There is no other mention of security during the course of employment.
- Users are allowed to use public clouds such as Dropbox, Box, and Google Drive to store their data.
- BRI has not performed periodic reinvestigations of employees who operate its intelligence applications; a single background investigation is conducted upon initial employment.
- There is no policy regarding the handling of classified information.
An internal audit report indicated that the organization needed several security programs including a security awareness and training program, a privacy protection program and a business continuity/disaster recovery program. These programs will need special attention.
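Two of the findings above (at least twenty accounts still active after removal had been requested, and a separated employee retaining access for three months) are gaps an assessor can check mechanically rather than by interview. As an added example, not part of the assignment text or the GAO material it describes, the Python below reconciles an active-account list against the access-request system and HR separation records. All three data sets, the usernames and the dates are constructed sample data for illustration; the reporting date `AS_OF` is likewise an assumption.

```python
"""Reconcile active database accounts against deprovisioning records.

Added example for the BRI findings; every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ActiveAccount:
    username: str
    last_login: date


@dataclass(frozen=True)
class RemovalRequest:
    username: str
    requested: date
    status: str  # "pending", "approved" or "completed" in the access-request system


@dataclass(frozen=True)
class Separation:
    username: str
    separated: date  # employee's last day according to HR


@dataclass(frozen=True)
class Orphan:
    username: str
    reason: str
    days_open: int  # days the account has outlived the event that should have closed it


# Constructed sample data (assumption): what the database, the access-request
# system and HR would each report for the same population of users.
AS_OF = date(2015, 6, 30)
ACTIVE_ACCOUNTS = [
    ActiveAccount("jdoe", date(2015, 6, 28)),
    ActiveAccount("asmith", date(2015, 3, 14)),
    ActiveAccount("rlee", date(2015, 6, 29)),
    ActiveAccount("mchan", date(2015, 5, 2)),
]
REMOVAL_REQUESTS = [
    RemovalRequest("asmith", date(2015, 3, 20), "completed"),  # "completed" yet still active
    RemovalRequest("mchan", date(2015, 5, 1), "approved"),
    RemovalRequest("rlee", date(2015, 6, 25), "pending"),
    RemovalRequest("tkim", date(2015, 2, 10), "completed"),   # correctly removed
]
SEPARATIONS = [
    Separation("jdoe", date(2015, 3, 30)),   # separated, nobody ever filed a request
    Separation("tkim", date(2015, 2, 1)),
    Separation("asmith", date(2015, 3, 14)),
]


def find_orphaned_accounts(active: Iterable[ActiveAccount],
                           requests: Iterable[RemovalRequest],
                           separations: Iterable[Separation],
                           as_of: date) -> List[Orphan]:
    """Return accounts that should be gone but are still active, longest-open first."""
    active_names = {a.username for a in active}

    # Keep the latest approved/completed request per user. A request marked
    # "completed" while the account is still active is exactly the failure
    # GAO observed: the paperwork closed but the account did not.
    actioned: Dict[str, RemovalRequest] = {}
    for r in requests:
        if r.status in ("approved", "completed"):
            prev = actioned.get(r.username)
            if prev is None or r.requested > prev.requested:
                actioned[r.username] = r

    orphans: List[Orphan] = []
    for name, req in actioned.items():
        if name in active_names:
            orphans.append(Orphan(name, f"removal {req.status} but account still active",
                                  (as_of - req.requested).days))

    # Second check: HR says the person left, but no removal request exists at all.
    # This is a process gap rather than an execution gap, so it is reported separately.
    for sep in separations:
        if sep.username in active_names and sep.username not in actioned:
            orphans.append(Orphan(sep.username, "separated per HR, no removal request on file",
                                  (as_of - sep.separated).days))

    return sorted(orphans, key=lambda o: o.days_open, reverse=True)


if __name__ == "__main__":
    for o in find_orphaned_accounts(ACTIVE_ACCOUNTS, REMOVAL_REQUESTS, SEPARATIONS, AS_OF):
        print(f"{o.username:<8} {o.days_open:>4} days  {o.reason}")
```

Run against real exports, the two reasons map onto two different recommendations: the first points at the gap between the access-request system and the database (nobody verifies that a "completed" request actually took effect), the second at the missing feed from HR separations into the access-request process.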
2) Examine Background Resources
This learning demonstration focuses on the National Institute of Standards and Technology’s (NIST) “Guide for Conducting Risk Assessments”
(http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf). See Pg. 23 to view the description of the risk management process.
Throughout this learning activity, feel free to use other references such as:
Other NIST publications (http://csrc.nist.gov/publications/PubsSPs.html),
SANS Reading Room (http://www.sans.org/reading-room/),
CSO Magazine (http://www.csoonline.com/),
Information Security Magazine (http://www.infosecurity-magazine.com/white-papers/),
Homeland Security News Wire (http://www.homelandsecuritynewswire.com/topics/cybersecurity)
Other useful references on security risk management include: https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&dq=security+risk+management&hl=en&sa=X&ei=_1JFVdGIJsKkgwSG4IGgCA&ved=0CDEQ6AEwAA#v=onepage&q=security%20risk%20management&f=false
3) Prepare the Risk Assessment Plan
Using the NIST report as your guide, address the following items:
- Purpose of the assessment,
- Scope of the assessment,
- Assumptions and constraints, and
- Selected risk model and analytical approach to be used.
Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim report will be consolidated to a final deliverable in a later step.)
All interim reports should be at least 500 words long and include at least five references for each report. These reports will eventually be presented to management for their review.
4) Conduct the Assessment
Again, use the NIST report to address the following:
1) Identify threat sources and events
2) Identify vulnerabilities and predisposing conditions
3) Determine likelihood of occurrence
4) Determine magnitude of impact
5) Determine risk
You are free to make assumptions but be sure to state them in your findings.
In determining risk, include assessment tables that reflect BRI's risk levels. Refer to Appendix I on risk determination in Special Publication 800-30.
Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be sure to include the final risk evaluations in this report.
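Step 4 ends with combining likelihood and impact into a level of risk. As an added worked example, not part of the assignment text, the Python below encodes the qualitative combination table from Appendix I of SP 800-30 Rev. 1 (Table I-2, "Assessment Scale - Level of Risk") and applies it to a handful of the GAO findings from Step 1, producing the ranked register the findings report asks for. The subset of findings chosen and the likelihood and impact ratings given to them are constructed assumptions for illustration only; the team's own ratings must be argued for in the report, and the table should be checked against the publication itself.

```python
"""Qualitative risk determination per NIST SP 800-30 Rev. 1, Appendix I.

Added example for the BRI scenario; the findings and ratings are assumptions.
"""
from typing import List, Tuple

# Five-point qualitative scale used throughout SP 800-30 Rev. 1 Appendices G, H and I.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table I-2: rows are overall likelihood, columns are level of impact,
# both in LEVELS order. Note the asymmetry: a low-likelihood event never
# rates above Moderate, while a high-likelihood event inherits its impact level.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the level of risk for a (likelihood, impact) pair."""
    if likelihood not in RISK_TABLE:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


# Constructed (assumption): a subset of the GAO findings with assumed ratings.
# Each tuple is (finding, overall likelihood, level of impact).
FINDINGS: List[Tuple[str, str, str]] = [
    ("Wireless uses WEP", "Very High", "High"),
    ("Passwords are the sole means of authentication", "High", "Very High"),
    ("Twenty accounts still active after removal was requested", "Moderate", "High"),
    ("Tailgating observed at the data center entrance", "Low", "Moderate"),
    ("Social media permitted in restricted areas", "Moderate", "Low"),
]


def rank_findings(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Score each finding and return (finding, likelihood, impact, risk), highest risk first.

    sorted() is stable, so findings at the same risk level keep their input order.
    """
    scored = [(name, lik, imp, risk_level(lik, imp)) for name, lik, imp in findings]
    return sorted(scored, key=lambda row: LEVELS.index(row[3]), reverse=True)


if __name__ == "__main__":
    for name, lik, imp, risk in rank_findings(FINDINGS):
        print(f"{risk:<9}  likelihood={lik:<9} impact={imp:<9}  {name}")
```

Because the table is a lookup rather than an arithmetic product, two findings with the same "score" can still differ in how they should be treated; the report should therefore show the likelihood and impact columns alongside the resulting risk level, as the table above does, rather than the risk level alone.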
5) Identify Needed Controls and Programs
Research and specify security controls needed to close the security gaps in BRI.
Also, be sure to include a description of the following programs for securing BRI:
- Security Awareness and Training Program (i.e., communications to employees regarding security)
- Privacy Protection Program
- Business Continuity/Disaster Recovery Program
You should justify the need for the agency to invest in your recommendations.
Document your findings and recommendations from this step in the “Interim Security Recommendations Report.”
6) Communicate the Overall Findings and Recommendations
Integrate your earlier interim reports into a final management report. Be sure to address:
- Summary of the Current Security Situation at BRI (from Step 1)
- Risk Assessment Methodology (from Step 2)
- Risk Assessment Plan (from Step 3)
- Risk Assessment Findings (from Step 4)
- Security Recommendations Report (from Step 5)
Also provide a presentation to management. The presentation should consist of 15-20 slides. It should include audio narration (directions are found at: https://support.office.com/en-au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The narration should also be captured in the slide notes.
As an alternate method of delivery, you can create a video using YouTube Capture (https://www.youtube.com/capture) or a similar tool.
Prepare a peer evaluation report.
Deliverables:
1) Interim Risk Assessment Planning Report
2) Interim Risk Assessment Findings Report
3) Interim Security Recommendations Report
4) Final presentation
Create a folder to hold all of your deliverables.
Title your files using this protocol: GroupNumber_G-2_AssignmentName_Date.
Please zip (compress) the folder containing all of the files and the team leader is to submit the zipped file in the Assignments area.
In lieu of submitting the presentation, the team leader may provide a link to the presentation file.
NOTE: At the end of the project, each member of the team should email a completed Peer Evaluation form to your instructor.
Grading criteria and weights (score out of 100):
- Identify threats and vulnerabilities associated with information systems and assess their risks: 30
- Formulate the appropriate security controls to address the identified threats and vulnerabilities: 30
- Communicate to employees an awareness of security issues related to IT systems: 10
- Evaluate organizational information systems to ensure they protect the privacy of users and of customers: 10
- Determine requirements for business continuity/disaster recovery plans and backup procedures: 10
- Exhibit communication skills: 10
- Total: 100
Ross, R. (2014). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-53r4
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. & Thomas, R. (2002). Contingency planning guide for information technology systems. NIST Special Publication 800-34. Retrieved from http://ithandbook.ffiec.gov/media/22151/ex_nist_sp_800_34.pdf
Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Quality of response rubric (levels: No Response, Poor/Unsatisfactory, Satisfactory, Good, Excellent)
Content (worth a maximum of 50% of the total points)
- Zero points: Student failed to submit the final paper.
- 20 points out of 50: The essay illustrates poor understanding of the relevant material by failing to address or incorrectly addressing the relevant content; failing to identify or inaccurately explaining/defining key concepts/ideas; ignoring or incorrectly explaining key points/claims and the reasoning behind them; and/or incorrectly or inappropriately using terminology. Elements of the response are lacking.
- 30 points out of 50: The essay illustrates a rudimentary understanding of the relevant material by mentioning but not fully explaining the relevant content; identifying some of the key concepts/ideas though failing to fully or accurately explain many of them; using terminology, though sometimes inaccurately or inappropriately; and/or incorporating some key claims/points but failing to explain the reasoning behind them or doing so inaccurately. Elements of the required response may also be lacking.
- 40 points out of 50: The essay illustrates solid understanding of the relevant material by correctly addressing most of the relevant content; identifying and explaining most of the key concepts/ideas; using correct terminology; explaining the reasoning behind most of the key points/claims; and/or, where necessary or useful, substantiating some points with accurate examples. The answer is complete.
- 50 points: The essay illustrates exemplary understanding of the relevant material by thoroughly and correctly addressing the relevant content; identifying and explaining all of the key concepts/ideas; using correct terminology; explaining the reasoning behind key points/claims; and substantiating, as necessary/useful, points with several accurate and illuminating examples. No aspects of the required answer are missing.
Use of Sources (worth a maximum of 20% of the total points)
- Zero points: Student failed to include citations and/or references, or failed to submit a final paper.
- 5 points out of 20: Sources are seldom cited to support statements and/or the format of citations is not recognizable as APA 6th Edition. There are major errors in the formation of the references and citations, and/or a major reliance on highly questionable sources. The student fails to provide an adequate synthesis of the research collected for the paper.
- 10 points out of 20: References to scholarly sources are occasionally given; many statements seem unsubstantiated. Frequent errors in APA 6th Edition format leave the reader confused about the source of the information. There are significant errors in the formation of the references and citations, and/or significant use of highly questionable sources.
- 15 points out of 20: Credible scholarly sources are used effectively to support claims and are, for the most part, clear and fairly represented. APA 6th Edition is used with only a few minor errors. There are minor errors in references and/or citations, and/or some use of questionable sources.
- 20 points: Credible scholarly sources are used to give compelling evidence to support claims and are clearly and fairly represented. APA 6th Edition format is used accurately and consistently. The student uses more than the minimum required references in developing the assignment.
Grammar (worth a maximum of 20% of the total points)
- Zero points: Student failed to submit the final paper.
- 5 points out of 20: The paper does not communicate ideas/points clearly due to inappropriate use of terminology and vague language; thoughts and sentences are disjointed or incomprehensible; organization is lacking; and/or there are numerous grammatical, spelling and punctuation errors.
- 10 points out of 20: The paper is often unclear and difficult to follow due to some inappropriate terminology and/or vague language; ideas may be fragmented, wandering and/or repetitive; organization is poor; and/or there are some grammatical, spelling and punctuation errors.
- 15 points out of 20: The paper is mostly clear as a result of appropriate use of terminology and minimal vagueness; no tangents and no repetition; fairly good organization; almost perfect grammar, spelling, punctuation, and word usage.
- 20 points: The paper is clear, concise, and a pleasure to read as a result of appropriate and precise use of terminology; total coherence of thoughts and presentation and logical organization; and the essay is error free.
Structure of the Paper (worth 10% of the total points)
- Zero points: Student failed to submit the final paper.
- 3 points out of 10: Student needs to develop better formatting skills. The paper omits significant structural elements required for an APA 6th Edition paper. Formatting of the paper has major flaws. The paper does not conform to APA 6th Edition requirements whatsoever.
- 5 points out of 10: Appearance of the final paper demonstrates the student's limited ability to format the paper. There are significant errors in formatting and/or the total omission of major components of an APA 6th Edition paper, which can include the omission of the cover page, abstract, and page numbers. Additionally, the paper has major formatting issues with spacing or paragraph formation. Font size might not conform to size requirements. The paper is also significantly too long or too short.
- 7 points out of 10: The research paper presents an above-average use of formatting skills. The paper has slight errors, which can include small errors or omissions in the cover page, abstract, page numbers, and headers. There could also be slight formatting issues with document spacing or the font. Additionally, the paper might slightly exceed or undershoot the specific number of required written pages for the assignment.
- 10 points: Student provides a high-caliber, formatted paper. This includes an APA 6th Edition cover page, abstract, page numbers and headers, and the paper is double spaced in 12-point Times New Roman font. Additionally, the paper conforms to the specific number of required written pages and neither goes over nor under the specified length.