...Application of Risk Management Techniques
Risks
Windows Vista, while relatively current, is still a lacking OS when compared to Windows 7. All desktops connect to an industry-standard switch via an Ethernet cable. While this can be a risk, it is not a sizable risk. (Minimal Risk)
The two large production facilities are connected to the headquarters via an external ISP. Even with the firewalls in place, there is no accountability if the connection they contract is in use by anyone else. I would advise contacting the ISP and verifying whether the connection is shared with other users, and taking further action depending on their answer. (Substantial Risk)
The individual sales personnel connect via VPN software, but use their individual internet connections, usually out of their home offices. This can be very dangerous, as they do not fall under the blanket of protection offered by the bigger offices, and their terminals are at greater risk of being tampered with or infected by a malicious user. (Critical Risk)
The core idea of preventing risk is to safeguard the information stored on the database server. The workers and customers of the company have private information stored there, and the loss or leak of that data could be catastrophic to the company. Ergo, I suggest the following changes be made to mitigate the risk of an intruder gaining access to the network. There is not a lot of information given about the entirety of the network, so much of this may not be necessary or may already be in place. ...
Words: 973 - Pages: 4
...namely sales personnel, could be the biggest vulnerability, but by training, utilizing AD password controls and maintaining accountability, the risk of their laptops being lost, stolen or compromised decreases sharply. This is a risk that can be easily evaluated through mitigation, keeping the employees accountable for their equipment, and minimizing cost to the enterprise. With such a wide geographical area, the sales employees' workstations may be infected or compromised without their knowledge, which would be rare, but plausible. This can be worked with, but will leave residual risk. Equipment can be provided to users such as laptop desk locks, or even increased security using biometrics. A cost-benefit analysis should be performed. The routers at the remote sites may be susceptible to intrusion attacks if no Intrusion Detection/Prevention system is in place. As a remote site, it is also possible that iOS patches and the like may not be current. Documentation, vulnerability monitoring and mitigation by adding preventative measures, such as encryption, are advisable at the production and headquarters sites. As the servers house a proprietary management system, it is of the highest priority that these servers be secured, physically and logically, and be protected against attacks. The risk that this will go down is inherent. We can...
Words: 376 - Pages: 2
...In accordance with each of the threat/vulnerability pairs and their likelihood of occurrence, each of the possible risks is listed below along with how we will mitigate each:
- Malware: This can occur because of outdated virus protection and lack of employee knowledge. The best mitigation for this would be to update the current virus protection program and allow for constant updates through the firewall for each program.
- Equipment Failure: This will occur when equipment isn't maintained properly, or simply through failure over time. This will lead to data loss if data is not backed up. The best way to mitigate this issue would be to back up data regularly and keep copies of all data at an off-site location.
- Denial of Service Attacks: This can occur when proper firewall and intrusion detection systems are not properly implemented. Mitigation for this would be to implement firewalls along with intrusion detection systems and monitor all traffic accordingly.
- Users: Users themselves who are not properly trained and kept in check can cause major damage to a company's network. Lack of access control and giving out admin privileges to all users is dangerous. Mitigation for this issue can be implemented by adding access controls and authentication parameters.
In this brief report, I have included all of the possible threats and vulnerabilities and have proposed solutions for each. Upon researching and studying the probable causes of concern for your company's assets, I have...
Words: 251 - Pages: 2
...protection of the hardware that runs the information system. Therefore, a proper understanding of risk management and all that it entails is of the utmost importance for every IT professional, regardless of specialization. The purpose of this paper is to identify what risk management is and give an overview of the three phases or undertakings that make up the risk management process and then conclude with a discussion and explanation of the six-step Risk Management Framework (RMF) developed by the Department of Defense and the National Institute of Standards and Technology (NIST) (National Institute of Standards and Technology, 2010). “Risk management is the process of Identifying risks, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level” (Michael E. Whitman, Herbert J. Mattord, 2012, p. 119.). Thus, risk management is merely the ability of a person or organization to implement due diligence and identify any potential issue and develop policies and security measures to combat these risks. Risk management is comprised of three phases: risk identification, risk assessment, and risk control (Michael E. Whitman, Herbert J. Mattord, 2012, p. 119.). Risk Identification Risk identification is simply the identification and documentation of the assets and the threats to those assets. Risk identification is an...
Words: 2778 - Pages: 12
...hardware. By moving forward with the CRM application change, the IT department is putting itself at risk. With excellent project management and analysis, the development of new CRM applications and hardware can result in a low-risk, high-gain production if managed accordingly. Throughout this paper I will discuss the analysis, which should be conducted through project management. I will discuss the five variables of the IT department's project management, which include scope, time, cost, quality, and risk, as they relate to the department's decision making with the new application launch. Points that should be considered prior to selecting projects for the best business value will also be discussed. I will then conclude this paper with the factors that influence project risk and what I believe can minimize them. I will begin with the IT department scoping the project for what systems, applications, and tools will be used in this project. The company is considering updating its current CRM system, which is not compatible with its corresponding outdated hardware. The department has to scope the tools necessary to support the new CRM application, which is up-to-date hardware. Project management should be mindful that the primary tool needed to fulfill this project is updated hardware, along with CRM application training for end users to become familiar with the new systems and hardware. End users will not be familiar with the new applications and should be provided with the necessary...
Words: 1325 - Pages: 6
...of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks (National Institute of Standards and Technology, 2010). One common methodology for implementing information security is known as Certification and Accreditation. Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized (Tipton & Krause, 2007). In order to improve information security, strengthen risk management processes, guarantee standardization, and enforce federal policies, the National Institute of Standards and Technology (NIST) partnered with the Department of Defense to transform the traditional Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF) (National Institute of Standards and Technology, 2010). The Risk Management Framework provides a structured, yet flexible approach for managing risk to the business processes of a federal organization; however, these principles are crucial to both federal and commercial IT operations since they certify that the management of security risks is consistent with the organization’s mission objectives. Additionally, they ensure the risk management framework is smoothly integrated into the organization’s enterprise architecture...
Words: 1273 - Pages: 6
...Lab #2 Assessment Worksheet: Align Risks, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls
1.
a. Unauthorized access from public internet - HIGH
b. User destroys data in application and deletes all files - LOW
c. Workstation OS has a known software vulnerability - HIGH
d. Communication circuit outages - MEDIUM
e. User inserts CDs and USB hard drives with personal photos, music and videos on organization-owned computers - MEDIUM
2.
a. PO9.3 Event Identification - Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects.
b. PO9.4 Risk Assessment - Assess the likelihood and impact of risks, using qualitative and quantitative methods.
c. PO9.5 Risk Response - Develop a response designed to mitigate exposure to each risk; identify risk strategies such as avoidance, reduction, acceptance; determine associated responsibilities; and consider risk tolerance levels.
3.
a. Unauthorized access from public internet - AVAILABILITY
b. User destroys data in application and deletes all files - INTEGRITY
c. Workstation OS has a known software vulnerability - CONFIDENTIALITY
d. Communication circuit outages - AVAILABILITY
e. User inserts CDs and USB hard drives with personal photos, music and videos on organization-owned computers - INTEGRITY
4.
a. Unauthorized access from public internet...
Words: 934 - Pages: 4
...Lab 2 - Align Risks, Threats, and Vulnerabilities to COBIT PO9 Risk Mgmt. Controls
Part 1
4. Discuss the primary goal of the COBIT v4.1 framework. Provide a basic description of COBIT.
* The purpose of Control Objectives for Information and related Technology (COBIT) is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and in understanding and managing the risks associated with IT. COBIT helps bridge the gaps among business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
5. Explain the major objective of the Control area (COBIT 4.1 Controls Collaboration link on the left side of the COBIT website).
* "The COBIT Controls area within ISACA's Knowledge Center promotes collaboration and sharing of information, solutions and experience among COBIT users."
6. From the COBIT Domains and Control Objectives section, list each of the types of control objectives and briefly describe them based on the descriptions on the website.
* Plan and Organize - "This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological...
Words: 4162 - Pages: 17
...BSA 310 Application Development Project Plan Template Version [This BSA 310 project plan template is intended to be used as a guide for planning and managing real world software development projects. This plan is not a real plan and should not be used without modifications required for your unique project. Table of Contents 1 Overview 3 1.1 Project Objectives 4 1.2 Project Constraints 4 1.3 Project Risks 4 2 Proposed Solution 5 2.1 Business Requirements 5 2.2 Architecture 6 2.3 Development 6 2.4 Testing 6 2.5 Deployment 8 3 Project Resources 8 3.1 Roles and Responsibilities 8 3.2 Issue Escalation 8 3.3 Project Staffing Plan 8 3.4 Project Materials 8 4 Project Approach 9 4.1 Development Model 9 4.2 Configuration Management 9 4.3 Communication Management 10 4.4 Change Management 10 4.5 Testing 10 4.6 Documentation 10 5 Estimate 11 6 Schedule 11 1 Overview The intent of this document is to provide a sample application development project plan. The scope of this document covers the project planning phase and demonstrates how Business Systems Integration and its associated development might be incorporated into key project documents. This document also provides a possible structure for presenting: • Project deliverables • Project risks and opportunities • Estimates • Project resource information • Project delivery method • Configuration and change management A project manager would generally use this section...
Words: 2518 - Pages: 11
...Worksheet Align Risk, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls Student Name: _____________________________________________________________ 1. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5), High/Medium/Low Nessus Risk Factor Definitions for Vulnerabilities) a. b. c. d. e. 2. For the above identified threats and vulnerabilities, which of the following COBIT P09 Risk Management control objectives are affected? • PO9.1 IT Risk Management Framework • PO9.2 Establishment of Risk Context • PO9.3 Event Identification • PO9.4 Risk Assessment • PO9.5 Risk Response • PO9.6 Maintenance and Monitoring of a Risk Action Plan 3. From the identified threats & vulnerabilities from Lab #1 – (List At Least 3 and No More than 5), specify whether the threat or vulnerability impacts confidentiality – integrity – availability: Confidentiality Integrity Availability a. b. c. d. e. 4. For each of the threats and vulnerabilities from Lab #1 (List at Least 3 and No More than 5) that you have remediated, what must you assess as part of your overall COBIT P09 risk management approach for your IT infrastructure? 5. For each of the threats and vulnerabilities from Lab #1 – (List at Least 3 – No More than 5), assess the risk impact or risk factor that it has on your organization in the following areas: a. Threat or Vulnerability #1: o Information – o Applications – o Infrastructure...
Words: 469 - Pages: 2
...Toussaint Chivars IS3110/Lab2 8/16/2014
Align Risks, Threats & Vulnerabilities to COBIT Lab 2
1. List identified threats & vulnerabilities and risk factors from Lab 1
a. Unauthorized access from public Internet - High risk
b. User destroys data in application and deletes files - High risk
c. Hacker penetrates your IT infrastructure and gains access to your internal network - Medium risk
d. Intra-office employee romance gone bad - High risk
e. Fire destroys primary data center - Low
2. PO9.2 Establishment of Risk Context; PO9.3 Event Identification; PO9.4 Risk Assessment.
3.
a. Unauthorized access from public Internet - Integrity
b. User destroys data in application and deletes files - Availability
c. Hacker penetrates your IT infrastructure and gains access to your internal network - Confidentiality
4. The risk potential, the current protection level and the mitigation steps needed to prepare for or reduce the risks/damages.
5.
a. Threat/vulnerability 1: unauthorized access from public Internet
Information - firewall and encryption.
Applications - only from recommended sources (applications with encryption; antivirus protection will be used).
Infrastructure - firewalls.
People - IT awareness training for all employees, monitoring by the IT manager.
b. Threat or...
Words: 719 - Pages: 3
... 3
I. The Role of NIST in FISMA Compliance 3
II. NIST Risk Management Framework for FISMA 4
III. Application Security and FISMA 5
IV. NIST SP 800-37 and FISMA 6
V. How Veracode Can Help 7
VI. NIST SP 800-37 Tasks & Veracode Solutions 8
VII. Summary and Conclusions 10
About Veracode 11
© 2008 Veracode, Inc.
Overview
The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The Act is meant to bolster computer and network security within the Federal Government and ...
Words: 2451 - Pages: 10
...United States Government Accountability Office GAO February 2009 GAO-09-232G FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM) This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office, Washington, DC 20548, February 2009. TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING: This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G)...
Words: 174530 - Pages: 699
...& Risk Analysis Date of Submission: January 29, 2014 Table of Contents Introduction 3 Scenario 4 Part I. Selection of a Suitable Development Process 5 Waterfall Approach 5 Iterative Approach 5 Agile Approach 6 Development Process for MallKiosk Development 6 Part II. Risk Analysis 8 Identification of Risk 8 Risk Analysis 9 Risk Management 10 Appendices 12 Appendix 1: Waterfall Approach 12 Appendix 2: Agile Approach 12 Appendix 3: Risk Management 13 References 14 Introduction This week's assignment focuses on the processes of system development and the risks involved. For someone like me who was never part of the full design phase of the development process, I never knew the full concept of how projects or applications were built from initiation. This assignment will allow me to have a high-level understanding of the processes involved in system development, thereby allowing me to get a full grip on the project management involved in the entire system development lifecycle. The first part of the assignment will allow me to identify and differentiate the three different development processes: waterfall, iterative and agile. I am hoping that after completing this part, I will somehow be able to identify the appropriate process for a particular application development. Among the three types of development approaches, the only one that I am familiar with is the waterfall approach. The second part of the assignment will allow me to group the risks involved...
Words: 3617 - Pages: 15
...Lab 2 Align Risks, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls
1. Risk Factors
a. Remote communications from home office (MEDIUM Risk)
b. LAN server OS has known software vulnerability (HIGH Risk)
c. User downloads an unknown e-mail attachment (HIGH Risk)
2. COBIT Risk Management
* No.
* Yes, the identified software vulnerabilities relate to risk context for both internal and external access.
* Yes, the identified software vulnerabilities themselves are events that represent risk identification. Once identified, the event can be assessed for risk.
* Yes, once risk events are identified (such as software vulnerabilities), they can be properly assessed (quantitatively or qualitatively).
* Yes, once the risk has been assessed (high, medium, low), the response to that risk can be aligned appropriately.
* No.
3. Vulnerability impacts
a. Remote communications from home office (Confidentiality)
b. LAN server OS has known software vulnerability (Integrity)
c. User downloads an unknown e-mail attachment (Availability)
4. Effectiveness, Efficiency, Compliance, and Reliability
5. Mitigated and managed
a. Remote communications from home office
* Information - Medium Impact; firewall; keep up to date
* Application - Low Impact; HTTPS for email websites; make sure it is secured
* Infrastructure - Medium Impact; workstation must have malware and anti-virus detection; keep up to date
* People...
Words: 794 - Pages: 4