1. Cory Domina
Information Security Risk Management
ITC6315
Final Project
Executive Summary of Risk Analysis
After analyzing three risks including your assets, threats, and vulnerabilities to them, the
following is an executive summary of assessments and mitigation plans to safeguard these
specific assets.
The default passwords that do not expire and allow access to admin accounts and
workstations is a critical risk that needs to be addressed within two weeks. It is a simple fix that
may require a little extra effort from employees, but the added security will be greatly worth it as
there is highly sensitive information stored on the servers. The IT department working with
admin staff will require new, stronger passwords that must be updated annually and also,
additional security questions for confidential servers. This is not a significant expense and
provides necessary security.
The server where psychologist patient files are stored is unprotected and the data is
vulnerable for unauthorized use. If this information were to be hacked, it would be in violation
of HIPAA so repercussions and reputational harm could prove significant. In order to protect the
server and data, the IT department will install a firewall and encrypt the information,
respectively. The server is currently password protected and cannot, legitimately, be accessed by
anyone aside from the school psychologist. With this in mind, we recommend the encryption
and firewall be completed by the end of Q4 as it may be time consuming and it may require
additional support in the department.
Finally, the data center must have additional, physical security to protect it from a break-
in type attack. Traditional key security does not bode well for a data center as it does not
identify who has accessed the facility. Installation of key-card access with access given only to
employees that require it, via HR, will provide essential security. An alarm system must also be
installed and activated during non-use hours. Due to budget restrictions, campus police should
be contacted to monitor the facilities on their nightly routes of the campus. This can be
completed immediately, while the installation of key-card access and an alarm system must be
completed by the end of Q2. This may be revisited at that time to discuss installation of cameras
in the building and potentially other security measures if warranted and financially feasible.
2. Risk Evaluation Worksheet
# Risk Description (Asset, Threat, and Vulnerability) Sensitivity Severity Likelihood Risk
0
Sensitive account information is discarded in the regular trash, which could lead to
disclosure of customer financial accounts to unauthorized internal or external parties.
Disclosure of this data violates several state privacy laws.
High High Moderate High
1
The admin accounts on server and workstations use default passwords that do not go
through any security check for password strength. These passwords do not expire as
well. This opens up the organization to an easy hack onto the servers which could
allow unauthorized access to email, web, files, databases, and credit card processing
information. This could violate privacy laws and create serious reputational harm for
the institution.
High Critical High Critical
2
School psychologist’s patient files are kept on an unprotected server and the data is
not encrypted. He is the only one that has access to the data via a folder within the
faculty file server. The folder is password protected. The information kept within the
folder is highly sensitive as misuse of it would be in violation of HIPAA.
High Moderate Moderate Moderate
3
The data center is protected only by a locked door, accessed by a traditional key.
Access to the building where the center is located is unmonitored and open to the
public on campus. There are no cameras aimed at the entrance of the building or the
data center and no employee stationed around the center. These leaves the data center
very susceptible to a break-in, and someone could destroy servers and hardware or
steal information off of them with a flash drive or something along those lines.
High High High Critical
3. Risk Mitigation Plans
Finding 0:
Owner Action: Buy a shredder and install in convenient location, and publish a handling policy
By Whom: Administrative Staff and Senior Management When: By end of Q2 2012
Finding 1:
Owner Action: Require admin to create passwords to access servers and workstations. For confidential servers, require a security question. The
password must pass a security strength check prior to being allowed. Change and update password every year.
By Whom: IT Department and Admin Staff When: within two weeks
Finding 2:
Owner Action: Encrypt patient files and install a firewall around the faculty file server where the patient data is stored.
By Whom: IT Department When: By end of Q4
4. Finding 3:
Owner Action: Install key-card access instead of traditional key and only give specific employees that require it access. Install an alarm system
within the data center turned on at the end of the day or when not being accessed. Contact campus police to include the building where the data center
is on their route at night.
By Whom: Facilities or contractor for installation, IT Department, HR When: By end of Q2 for installations. By end of week
contact campus police