Cory Domina
Information Security Risk Management
ITC6315
Final Project
Executive Summary of Risk Analysis
After analyzing three risks, including the assets, threats, and vulnerabilities to them, the following is an executive summary of the assessments and mitigation plans to safeguard these specific assets.

The default passwords that do not expire and allow access to admin accounts and workstations are a critical risk that needs to be addressed within two weeks. It is a simple fix that may require a little extra effort from employees, but the added security will be well worth it, as highly sensitive information is stored on the servers. The IT department, working with admin staff, will require new, stronger passwords that must be updated annually, plus additional security questions for confidential servers. This is not a significant expense and provides necessary security.

The server where the psychologist's patient files are stored is unprotected and the data is vulnerable to unauthorized use. If this information were breached, it would be a violation of HIPAA, so the repercussions and reputational harm could prove significant. To protect the server and the data, the IT department will install a firewall and encrypt the information, respectively. The server is currently password protected and cannot legitimately be accessed by anyone other than the school psychologist. With this in mind, we recommend that the encryption and firewall be completed by the end of Q4, as the work may be time consuming and may require additional support in the department.

Finally, the data center must have additional physical security to protect it from a break-in. Traditional key locks are poorly suited to a data center because they do not identify who has accessed the facility. Installing key-card access, with access granted via HR only to employees who require it, will provide essential security. An alarm system must also be installed and activated during non-use hours. Due to budget restrictions, campus police should be contacted to monitor the facilities on their nightly routes of the campus. This can be completed immediately, while the installation of key-card access and an alarm system must be completed by the end of Q2. This may be revisited at that time to discuss installing cameras in the building and other security measures if warranted and financially feasible.
Risk Evaluation Worksheet
Columns: #, Risk Description (Asset, Threat, and Vulnerability), Sensitivity, Severity, Likelihood, Risk

Risk 0
Description: Sensitive account information is discarded in the regular trash, which could lead to disclosure of customer financial accounts to unauthorized internal or external parties. Disclosure of this data violates several state privacy laws.
Sensitivity: High | Severity: High | Likelihood: Moderate | Risk: High

Risk 1
Description: The admin accounts on the server and workstations use default passwords that do not go through any strength check, and these passwords never expire. This opens the organization to an easy compromise of the servers, which could allow unauthorized access to email, web, files, databases, and credit card processing information. This could violate privacy laws and create serious reputational harm for the institution.
Sensitivity: High | Severity: Critical | Likelihood: High | Risk: Critical

Risk 2
Description: The school psychologist's patient files are kept on an unprotected server and the data is not encrypted. He is the only one who has access to the data, via a folder within the faculty file server. The folder is password protected. The information kept within the folder is highly sensitive, as misuse of it would be a violation of HIPAA.
Sensitivity: High | Severity: Moderate | Likelihood: Moderate | Risk: Moderate

Risk 3
Description: The data center is protected only by a locked door, accessed by a traditional key. Access to the building where the center is located is unmonitored and open to the public on campus. There are no cameras aimed at the entrance of the building or the data center, and no employee is stationed around the center. This leaves the data center very susceptible to a break-in, in which someone could destroy servers and hardware or copy information off them onto a flash drive or similar removable media.
Sensitivity: High | Severity: High | Likelihood: High | Risk: Critical
Risk Mitigation Plans
Finding 0:
Owner Action: Buy a shredder and install in convenient location, and publish a handling policy
By Whom: Administrative Staff and Senior Management When: By end of Q2 2012
Finding 1:
Owner Action: Require admin staff to create new passwords to access servers and workstations. For confidential servers, require a security question. The password must pass a strength check before it is accepted. Change and update the password every year.
By Whom: IT Department and Admin Staff When: within two weeks
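As an added example (not part of the original project), the following Python enforces the Finding 1 controls: it rejects default passwords, applies a strength check before a password is accepted, and flags admin accounts whose password was never changed from the default or is past the annual rotation. The default-password list, the 12-character minimum, the three-character-class rule, and the sample account inventory and audit date are assumptions constructed for the demonstration; the page sets none of them.

```python
import re
from datetime import date

# Added example (not the project's own code): a password-policy check for the
# Finding 1 mitigation plus an audit of which admin accounts still violate it.

# Constructed list of vendor/default credentials to reject; not from the page.
DEFAULT_PASSWORDS = {"admin", "administrator", "password", "changeme",
                     "default", "123456", "letmein"}
MIN_LENGTH = 12        # assumed minimum; the plan does not set a number
MIN_CHAR_CLASSES = 3   # assumed: at least three of lower, upper, digit, symbol
MAX_AGE_DAYS = 365     # the plan's annual change-and-update cycle


def strength_problems(password: str, username: str = "") -> list:
    """Return the policy rules a candidate password fails (empty if it passes)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if re.search(r"(.)\1\1", password):
        problems.append("contains a run of three identical characters")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Gate for the 'must pass a strength check before being allowed' step."""
    return not strength_problems(password, username)


def password_age_days(last_changed, today: date):
    """Days since the last change; None when the password was never changed."""
    if last_changed is None:
        return None
    return (today - last_changed).days


def audit_accounts(accounts, today: date):
    """Flag accounts still on the default credential or past the rotation limit.

    accounts: iterable of (username, last_changed_date_or_None). None means the
    password was never changed from its default, the state the worksheet
    describes for the admin accounts.
    """
    findings = []
    for user, last_changed in accounts:
        reasons = []
        age = password_age_days(last_changed, today)
        if age is None:
            reasons.append("default password has never been changed")
        elif age > MAX_AGE_DAYS:
            reasons.append(f"password is {age} days old (limit {MAX_AGE_DAYS})")
        if reasons:
            findings.append((user, reasons))
    return findings


# Constructed inventory and audit date for the demonstration; not real accounts.
AUDIT_DATE = date(2012, 3, 1)
SAMPLE_ACCOUNTS = [
    ("admin", None),                     # provisioned with the vendor default, never changed
    ("jdoe", date(2011, 1, 15)),         # changed once, now past the 365-day limit
    ("psych-share", date(2012, 1, 10)),  # rotated recently, compliant
]

if __name__ == "__main__":
    for candidate in ("admin", "Corr3ct-Horse-Battery!"):
        print(candidate, "->", strength_problems(candidate) or "accepted")
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {'; '.join(reasons)}")
```

The audit works from password-change dates rather than from the passwords themselves, so it can be run against an account inventory without ever handling a credential; the strength check runs only at the moment a new password is set.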
Finding 2:
Owner Action: Encrypt patient files and install a firewall around the faculty file server where the patient data is stored.
By Whom: IT Department When: By end of Q4
Finding 3:
Owner Action: Install key-card access instead of traditional keys and grant access only to the specific employees who require it. Install an alarm system within the data center that is turned on at the end of the day or whenever the center is not being accessed. Contact campus police to include the building where the data center is located on their night route.
By Whom: Facilities or contractor for installation, IT Department, HR When: By end of Q2 for installations. By end of week, contact campus police