Security work
Discussion:
Discuss how Risk Management is a critical element to the Security Systems engineering.
Provide elaboration and detail in your answer.
Things to avoid to you, rely writing I agree with you will result in zero. You need to add value to the discussions.
Every discussion topic opens on Monday and closes Saturday midnight
Synthesis of Concepts – Initial Post
50
Clear Citations using APA format
10
Writing Standards
10
Timeliness
10
Peer Reviews (minimum of 2)
20
Discussion rubric
LAB 1:
1. On your local computer, create a new document. You will use this document as your Lab Report.
2. On your local computer, open a new web browser window.
3. Using your favorite search engine, search for information on the IT risk management process.
4. Briefly review at least five of the first page results.
5. In your browser, navigate to
https://www.uvm.edu/sites/default/files/UVM-Risk-Management-and-Safety/Guide_to_Risk_Opportunity_Assessment_Response
.
6. Review the PDF titled “Guide to Risk Assessment & Response.”
Note: Take special note of the University of Vermont’s “Guide to Risk Assessment & Response” document and the insightful sections titled “Things to Keep in Mind” and “Steps to Follow” for each of the assessment steps.
7. In your browser, navigate to
https://web.archive.org/web/20130418005540/http://www.education.nt.gov.au/__data/assets/pdf_file/0011/4106/risk_management_process
.
8. Review the PowerPoint slide deck titled “The Risk Management Process.”
9. In your Lab Report file, describe in what ways the risk management process in both IT and non-IT environments are similar. Briefly describe in your own words the five major steps of risk management: plan, identify, assess, respond, and monitor.
10. In your Lab Report file, describe the plan.
11. Review the seven domains of a typical IT infrastructure.
12. Assume the following table of risks, threats, and vulnerabilities were found in a health care IT infrastructure servicing patient with life-threatening conditions. Review the risks in the table. Consider how you might manage each risk and which of the seven domains each one affects:
Risks, Threats, and Vulnerabilities
Unauthorized access from public Internet
Hacker penetrates IT infrastructure and gains access to your internal network
Communication circuit outages
Workstation operating system (OS) has a known software vulnerability
Denial of service attack on organization’s e-mail
Remote communications from home office
Workstation browser has software vulnerability
Weak ingress/egress traffic-filtering degrades performance
Wireless Local Area Network (WLAN) access points are needed for Local Area Network (LAN) connectivity within a warehouse
Need to prevent rogue users from unauthorized WLAN access
User destroys data in application, deletes all files, and gains access to internal network
Fire destroys primary data center
Intraoffice employee romance gone bad
Loss of production data
server
Unauthorized access to organization-owned workstations
LAN server OS has a known software vulnerability
User downloads an unknown e-mail attachment
Service provider has a major network outage
User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers
Virtual Private Network (VPN) tunneling between the remote computer and ingress/egress router
13. In your Lab Report file, for each of the domains, create an outline in the scope of your risk management plan. Include the following topics—the five major parts of an IT risk management process—for each domain:
1. Risk planning 2. Risk identification 3. Risk assessment 4. Risk response 5. Risk monitoring
LAB 2:
1. On your local computer, create a new document. You will use this document as your Lab Report.
2. On your local computer, open a new web browser window.
3. Using your favorite search engine, search for information on the purpose of IT risk assessment.
4. In your Lab Report file, describe the purpose of IT risk assessment.
5. Review the following table for the risks, threats, and vulnerabilities found in a health care IT infrastructure servicing patient with life-threatening conditions:
Primary Domain Impacted |
Risk Impact/ Factor |
User destroys data in application and deletes all files |
|
Hacker penetrates your IT infrastructure and gains access to your internal network |
|
Service provider service level agreement (SLA) is not achieved |
|
Loss of production data | |
Denial of service attack on organization Demilitarized Zone (DMZ) and e-mail server |
|
Local Area Network (LAN) server OS has a known software vulnerability |
|
User downloads and clicks on an unknown e-mail attachment |
|
Workstation browser has a software vulnerability |
|
Mobile employee needs secure browser access to sales-order entry system |
|
Weak ingress/egress traffic-filtering degrades performance |
|
Virtual Private Network (VPN) tunneling between remote computer and ingress/egress router is needed |
|
Wireless Local Area Network (WLAN) access points are needed for LAN connectivity within a warehouse |
|
Need to prevent eavesdropping on WLAN due to customer privacy data access |
|
Denial of service (DoS)/distributed denial of service (DDoS) attack from the Wide Area Network (WAN)/Internet |
6. Review the seven domains of a typical IT infrastructure.
7. In your Lab Report file, using the table from step 5, identify in the table’s Primary Domain Impacted column which of the seven domains of a typical IT infrastructure will be most impacted by each risk, threat, or vulnerability listed.
Note: Qualitative Versus Quantitative
The next step requests that you assign a score to each of the risks in the table from step 6. The scoring is done qualitatively, by assigning one of several labels on a scale. In this case, the scale is provided for you, ranging from Critical to Minor.
Using qualitative scores to assess risks is comparatively easy and quick. The alternative is to assess quantitatively, using actual, numerical scores. Using qualitative words such as “critical” or “major” introduces subjective opinion, while citing numbers such as “Damage to be more than $3 million” or “Will cause an outage of under four hours” introduces quantitative objectivity.
Quantitative scoring is more objective but calculating risk assessment this way can take much more time. This is because it requires you to dig up hard facts. For instance, you can conduct quantitative scoring by referring to your organization’s history or claims records by answering such questions as “How often has this happened to us, or others?” You can also assess risks numerically by researching the costs to recover from losses.
It is possible to assess risks both quantitatively and qualitatively. For example, you could quantitatively score the likelihood and consequences of each risk, for example, “under 10% chance” and “ ‘X’ number of staff lives harmed or lost.” But you could present the final score qualitatively, for example, “critical” or “needs to be addressed immediately.”
8. In your Lab Report file, using the table from step 6, perform a qualitative risk assessment by assigning a risk impact/risk factor to each of the identified risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure where the risk, threat, or vulnerability resides. Assign each risk, threat, and vulnerability a priority number in the table’s Risk Impact/Factor column, where:
· “1” is Critical: A risk, threat, or vulnerability that impacts compliance (that is, privacy law requirement for securing privacy data and implementing proper security controls, and so on) and places the organization in a position of increased liability.
· “2” is Major: A risk, threat, or vulnerability that impacts the confidentiality, integrity, and availability (C-I-A) of an organization’s intellectual property assets and IT infrastructure.
· “3” is Minor: A risk, threat, or vulnerability that can impact user or employee productivity or availability of the IT infrastructure.
Note: Keep the following in mind when working on the next step: When suggesting next steps to executive management, consider your recommendations from their point of view. Be prepared to explain costs, both in implementing the controls and then in maintaining the controls.
Remember that costs come in many forms, not least of which is labor. Be sure accountability is thought out in terms of roles and responsibilities. Other potential costs outside the data center include goodwill or reputation, market share, and lost opportunity. Executive management might have these costs topmost in mind.
9. In your Lab Report file, write a four-paragraph executive summary according to the following outline:
· Paragraph #1: Summary of findings (risks, threats, and vulnerabilities found throughout the seven domains of a typical IT infrastructure).
· Paragraph #2: Approach and prioritization of critical, major, and minor risk assessment elements.
· Paragraph #3: Risk assessment and risk impact summary of the seven domains of a typical IT infrastructure.
· Paragraph #4: Recommendations and next steps for executive management.