...SE571 Course Project: Security Assessment and Recommendations SE571 Course Project: Security Assessment and Recommendations Charlie Furze Professor: Eddie Wachter SE571 Principles of Information Security and Privacy Keller Graduate School of Management July 24, 2015 Table of Contents Executive Summary 1 Company Overview 1 Security Vulnerabilities 3 A Hardware Example Title 3 A Software Example Title 4 Recommended Solutions 5 A Hardware Example Solution 6 A Software Example Solution 8 Impact on Business Processes 9 Budget 10 Summary 11 References 12 Executive Summary The executive summary can’t really be completed until the course project is completed. This is because the section should summarize BRIEFLY the entire paper. There should be one or two sentences about the purpose of the report, a one to two-sentence description of the company and then a quick summary of the two vulnerabilities and the two solutions that you have identified. Company Overview Here you should identify which of the two company scenarios you are using and briefly summarize the organizations products or services, and business processes. Two Security Vulnerabilities Software Vulnerability Remember, you need to choose only two vulnerabilities from the three categories: hardware, software and policy. It is recommended that you make them limited in scope and very specific. Also, before starting on this section, be sure you have a very clear...
Words: 1180 - Pages: 5
...SE571 Principles of Information Security and Privacy James Smikonis Week 3 Project March 18, 2012 Professor George Danilovics Security Assessment and Recommendations A report needs to be assessed for Aircraft Solutions. This report consists of a security assessment that exhibits all founding flaws in their system, as well as giving AS a report regarding their current infrastructure. Aircraft Solutions is a component fabrication and equipment company that delivers different architectural designs. One of their specialties is establishing communications and solutions to defense, commercial, aerospace industries. The employees at AS are fully qualified for the tasks they entail hence making their workforce more efficient and supplying outstanding service. The purpose of this assessment is to investigate the weaknesses that are presented in the operations of Aircraft Solutions (AS). While conducting this assessment, we will expose vulnerabilities; give an analysis of any relative threats, risks that will be addressed and a comprehensive analysis of the relative threats and consequences pertaining to this mission. Assessment and Investigation After carefully examining the three sections pertaining to Aircraft Solutions, we found that policy and hardware related issues require special attention. We found that Aircraft Solutions does not utilize any firewall between the commercial division and the Internet Gateway. In fact, we exhibited that the Department Defense routes...
Words: 907 - Pages: 4
...Security Assessment and Recommendations for Aircraft Solutions Principles of Information Security and Privacy Keller Submitted: December 11, 2013 Executive Summary The purpose of this report is to investigate the vulnerabilities of Aircraft Solutions (AS) in the areas of hardware and policy. Furthermore, it provides recommended solutions to the security weaknesses mentioned in Phase 1. Aircraft Solutions is a well known leader in the design and production of component products and services for companies ranging from commercial industry to the aerospace industry. In addition, Aircraft Solutions maintains a large capacity plant filled with an extensive variety of equipment, which is mostly automated alongside skilled specialists in a range of fields to ensure they meet their customers’ needs. The weaknesses that are being addressed are hardware and policy. Company Overview Aircraft Solutions is a leader in the planning and production of component products and services for companies in the electronics, commercial, defense, and aerospace industry. The headquarters of Aircraft Solutions is located in San Diego, California. The goal of Aircraft Solutions is to use machined products and related services to supply customer success, and to achieve cost, quality, and schedule requisites. They have a Defense Division (DD) of Aircraft Solutions located in Orange County, California and a Commercial Division (CD) located in San Diego County, California. Aircraft...
Words: 1560 - Pages: 7
...Running head: Security Assessment and Recommendations Week 6: Weaknesses Assignment Phase II- Security Assessment and Recommendations SE571 Principles of Information Security and Privacy Introduction Aircraft Solutions (AS) is a renowned equipment and component fabrication company with the capability to provide full range designs and implantation solutions to different sectors such as defense, aerospace, commercial and electronics industries. This paper discusses the possible recommendations based on the security assessment conducted in Phase 1, and proposes possible changes in order to ensure the safety of AS networks. The Company owns an enormous production plan which promises to deliver high quality solutions for targeted at various industries. It is equipped with a team of excellent and highly qualified professionals who cater to various needs of different industries. This paper intends to find possible solutions to bridge the gaps as found in the investigation in Phase 1. The weaknesses that are being addressed are the firewall configuration, virtualization of their hardware assets and defining and revisiting their security policy regarding firewall configuration and updated software at least twice a year. Brief overview of the Vulnerabilities in AS After a thorough investigation of the IT architecture and systems of the Aircraft Solutions, two main concerns were identified as the priority items that needed attention. The first was hardware related concern and was...
Words: 1692 - Pages: 7
... Security Assessment Report November 7, 2015 Report Prepared by: {YOUR NAME}, {YOUR CREDENTIALS} {YOUR EMAIL ADDRESS} {YOUR PHONE NUMBER} {YOUR ORGANIZATION} {YOUR MAILING ADDRESS} Executive Summary 5 Top-Ten List 5 1. Information Security Policy 5 2. {Security Issue #2} 5 3. {Security Issue #3} 5 4. {Security Issue #4} 5 5. {Security Issue #5} 5 6. {Security Issue #6} 6 7. {Security Issue #7} 6 8. {Security Issue #8} 6 9. {Security Issue #9} 6 10. {Security Issue #10} 6 Introduction 7 Scope 7 Project Scope 7 In Scope 7 Out of Scope 7 Site Activities Schedule 7 First Day 7 Second Day 7 Third Day 7 Background Information 8 {CLIENT ORGANIZATION} 8 Asset Identification 9 Assets of the {CLIENT ORGANIZATION} 9 Threat Assessment 9 Threats to the {CLIENT ORGANIZATION} 9 Laws, Regulations and Policy 10 Federal Law and Regulation 10 {CLIENT ORGANIZATION} Policy 10 Vulnerabilities 10 The {CLIENT ORGANIZATION} has no information security policy 10 {State the Vulnerability} 10 Personnel 11 Management 11 Operations 11 Development 11 Vulnerabilities 11 There is no information security officer 11 {State the Vulnerability} 11 Network Security 12 Vulnerabilities 12 The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12 {State the Vulnerability} 13 System Security 13 ...
Words: 3242 - Pages: 13
...Running head: SECURITY ASSESSMENT AND RECOMMENDATIONS Security Assessment and Recommendations for Quality Web Design Mike Mateja October 9, 2011 Submitted to: Dean Farwood SE571 Principles of Information Security and Privacy Keller Graduate School of Management 1 SECURITY ASSESSMENT AND RECOMMENDATIONS 2 Table of Contents Executive Summary ............................................................................................ 3 Company Overview............................................................................................. 4 Security Vulnerabilities ....................................................................................... 4 Hardware Vulnerability: Unrestrained Components .................................................................. 4 Software Vulnerability: Unsecure Wireless Access Points .......................................................... 6 Recommended Security Solutions ....................................................................... 7 Hardware Solution: Physical Restraints ...................................................................................... 7 Impact: Hardware Solution ..................................................................................................... 8 Budget: Hardware Solution ..................................................................................................... 9 Software Solution: Configuring the Wireless access points for security ............
Words: 2829 - Pages: 12
...cost, and schedule of the overall project and develop an action plan that handles individual risk. RISK PLAN OBJECTIVES The scope of this risk assessment assessed the system’s use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the Project. If exploited, these vulnerabilities could result in: • Unauthorized disclosure of data • Unauthorized modification to the system, its data, or both • Denial of service, access to data, or both to authorized users This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (loss of system access) of the system. Recommended security safeguards will allow management to make decisions about security-related initiatives. PROJECT RISKS This risk assessment methodology and approach was conducted using the guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability. The assessment recommends appropriate security safeguards, permitting management to make knowledge-based decisions about security-related initiatives. The methodology addresses the following types of controls: • Management Controls: Management of the...
Words: 1565 - Pages: 7
...complete? Where is it located?If not done, what are the recommendations for completing? Where should the results be saved? |External documents needed for task| RMF Step 1: Categorize Information Systems| 1.1Security CategorizationUsing either FIPS 199 or CNSS 1253, categorize the information system. The completed categorization should be included in the security plan.|Not done|As highlighted in the risk assessment, there is no security plan done (p.18). Add the security categorization information to the security plan.The security categorization that was completed in the risk assessment can be included in the security plan. The full categorization can be found on pp. 14-16. The categorization done in the risk analysis is based on FIPS 199.|FIPS 199 for nonnational security systems, CNSS 1253 for national security systems| 1.2Information System DescriptionIs a description of the information system included in the security plan?|||| 1.3Information System RegistrationIdentify offices that the information system should be registered with. These can be organizational or management offices.|||| RMF Step 2: Select Security Controls| 2.1Common Control IdentificationDescribe common security controls in place in the organization. Are the controls included in the security plan? |||| 2.2Security Control SelectionAre selected security controls for the information system documented in the security plan?|||| 2.3Monitoring StrategyWhat security control monitoring strategies should be used to protect...
Words: 540 - Pages: 3
... Business Impact Analysis and Risk Assessment for Information Resources General Information & Process Description Introduction The IT Security and Policies area within Information Technology Services is responsible for establishing policies to ensure that Iowa State University has a secure information technology environment. This document defines a process for departments to perform a business impact analysis and risk assessment for their information resources. Once an assessment has been done, the resulting documents should be maintained and regularly reviewed by the department. By using the business impact analysis and risk assessment tool defined in this document, departments have the capability to identify and respond to risks for their systems and information resources. Departments are encouraged to contact the Information Technology Security and Policies area at 4-2588 if they have specific questions or if they would like to arrange a meeting to discuss the process on an individual basis. Business Impact Analysis and Risk Assessment Guaranteed absolute security in today’s information technology environments is not realistic. However, it is important to have a process of identifying resources and associated risks, determining their magnitude, and identifying what safeguards are needed. That process is what we are referring to as business impact analysis and risk assessment. It is the department’s responsibility...
Words: 3038 - Pages: 13
...RISK ASSESSMENT REPORT Template Information Technology Risk Assessment For Risk Assessment Annual Document Review History The Risk Assessment is reviewed, at least annually, and the date and reviewer recorded on the table below. | Review Date |Reviewer | | | | | | | | | | Table of Contents 1 INTRODUCTION 1 2 IT SYSTEM CHARACTERIZATION 2 3 RISK IDENTIFICATION 6 4 CONTROL ANALYSIS 8 5 RISK LIKELIHOOD DETERMINATION 11 6 IMPACT ANALYSIS 13 7 RISK DETERMINATION 15 8 RECOMMENDATIONS 17 9 RESULTS DOCUMENTATION 18 LIST OF EXHIBITS Exhibit 1: Risk Assessment Matrix 18 List of Figures Figure 1 – IT System Boundary Diagram 4 Figure 2 – Information Flow Diagram 5 List of Tables Table A: Risk Classifications 1 Table B: IT System Inventory and Definition 2 Table C: Threats Identified 4 Table D: Vulnerabilities, Threats, and Risks 5 Table E: Security Controls...
Words: 1518 - Pages: 7
...Computing Benefits, risks and recommendations for information security Rev.B – December 2012 2 Cloud Computing Benefits, risks and recommendations for information security Document History Date December 2009 Version 1.0 Modification Initial Release, Rev.A Author Daniele Catteddu, Giles Hogben Thomas Haeberlen Lionel Dupré December 2012 2.0 Rev.B About ENISA The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact details This report has been edited by: Lionel Dupré, Thomas Haeberlen For contacting ENISA or for general enquiries about this report, please use the following details: Email: resilience@enisa.europa.eu Internet: http://www.enisa.europa.eu Cloud Computing 3 Benefits, risks and recommendations for information security Legal notice Notice must...
Words: 12166 - Pages: 49
...Audit of Business Continuity Planning (BCP) Final Audit Report Audit and Evaluation Branch June 2006 Tabled and approved by DAEC on January 9, 2007 Audit of Business Continuity Planning (BCP) Industry Canada (IC) TABLE OF CONTENTS 1.0 EXECUTIVE SUMMARY .............................................................................................. 2 1.1 INTRODUCTION ................................................................................................................ 2 1.2 OVERALL ASSESSMENT.................................................................................................... 2 1.3 MAIN FINDINGS, CONCLUSIONS AND RECOMMENDATIONS ............................................. 2 1.3.1 Business Continuity Plan Governance (See Section 3.1 of the BCP Standard) ......... 2 1.3.2 Business Impact Analysis (See Section 3.2 of the BCP Standard).............................. 3 1.3.3 Business Continuity Action Plans and Arrangements (See Section 3.3) .................... 4 1.3.4 BCP Program Readiness (See Section 3.4 of the BCP Standard) .............................. 5 1.3.5 BCP Training and Awareness (See Section 3.4 of the BCP Standard) ...................... 5 2.0 INTRODUCTION............................................................................................................. 7 2.1 BACKGROUND .................................................................................................................. 7 2...
Words: 5659 - Pages: 23
...INSIDER THREATS DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems Highlights of GAO-15-544, a report to congressional committees. Why GAO Did This Study What GAO Found Since 2010, the United States has suffered grave damage to national security and an increased risk to the lives of U.S. personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the President have issued requirements for structural reforms and a new program to address insider threats. The Department of Defense (DOD) components GAO selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance, and leading practices recommended by the National Insider Threat Task Force. However, the components have not consistently incorporated all recommended key elements. For example, three of the six components have developed a baseline of normal activity—a key element that...
Words: 17616 - Pages: 71
...Volha Yarmolina Nancy Riccio, CSRM 2/29/2016 Area Vice President, Public Entity School Security On July 15, 2015 the New Jersey Legislature approved the final report of the School Security Task Force which the purpose of the Task Force was to study and develop recommendations to improve school security and safety and to ensure a safe learning environment for students and school employees. This report and its recommendations will guide all New Jersey Public Schools with improving security, physical and cyber. The Task Force was charged with the identifying physical and cyber vulnerabilities and potential breaches of security in New Jersey’s public schools. Afterwards their research they were to make recommendations to improve school safety and security. The Task Force’s charge was to study a number of issues including, but not limited to, the following: 1. Placing screening systems at school entrances; 2. Stationing police officers in each school building; 3. Improving response times to emergency situations, including lockdowns, active shooter incidents, and bomb threats; 4. Requiring advanced student and visitor identification cards; 5. Using biometric, retina, and other advanced recognition systems for authorized entrance into school buildings; 6. Installing panic...
Words: 1516 - Pages: 7
...Risk Assessment Plan | IS3110 | | | 11/7/2013 | [Type the abstract of the document here. The abstract is typically a short summary of the contents of the document. Type the abstract of the document here. The abstract is typically a short summary of the contents of the document.] | Risk Assessment Plan A.) Identify key personnel- Involved personnel are CEO, CRO, and CITO. B.) Identify assets – Determined assets are hardware, software, systems, and data. C.) Identify threats- This will identify threats that are a potential danger to data, hardware, and systems D.) Identify vulnerabilities- The process to identify is by implementing and assessment and once identified a penetration test will be implemented E.) Identify and evaluate countermeasures- Identified risks will be counter measured to reduce the risk. F.) Assess threats vulnerabilities, and exploits- Test will be implemented to reduce the threat and help identify the problem. G.) Evaluate risks- The counter measure will be implemented to reduce the impact of the threat. H.) Develop recommendations to mitigate risks- Data taken will be used to reduce the threat and evaluate it. I.) Present recommendations to management- Threats and vulnerabilities and the risk that impacts will be presented. Key Personnel The personnel involved in making the key decisions will be the CEO, CRO, and CITO. No other personnel other than the above mention will play in a role in any of the...
Words: 695 - Pages: 3