Vulnerability Assessment Matrix & Policy Recommendations Memo
This assignment is based upon a vulnerability assessment and
mitigation methodology developed by the RAND Corporation.
Before you begin, make sure that you have read Chapters 2, 3,
and 4 of Finding and Fixing Vulnerabilities in Information
Systems: The Vulnerability Assessment and Mitigation
Methodology by Philip Anton (RAND MR1601).
The objective of this assignment is to perform a threats and
vulnerabilities analysis based upon the process methodology
presented in RAND MR1601. The purpose of the analysis
process is to help you determine the requirements for an
Infrastructure Protection Policy. The results of your analysis
will be used in the second part of
this assignment to develop policy recommendations which you
will then use to write a policy recommendations memorandum
for the senior leadership of the organization (see Scenario).
To document your analysis, you will complete the assessment
matrix shown in Table 4.1, Matrix of Vulnerability Attributes
and System Object Types, found in Chapter 4 of the RAND
document. For each type of
threat or vulnerability listed in the assessment matrix, you are
required to provide a brief, concise description (a few words or
a key phrase) and a recommendation for one or more actions
(including implementation of specific security controls) which
should be taken to correct or remediate the problem. A sample
of a completed matrix, documenting portions of a threats and
vulnerabilities assessment, is found in table 4.2 (RAND
MR1601).
After completing your assessment matrix, you will write a
policy recommendation memo which includes 10 to 15 policy
statements that can be used to implement your recommendations
(as documented in your table). Your memorandum should begin
with a brief introduction to the policy issue being addressed
(see Scenario). Your recommendations should cover the broad
spectrum of actions which will address the threats and
vulnerabilities discussed in your analysis. From your
recommendations, it should be clear that you performed the
following actions:
· Identified threats and vulnerabilities (risk identification)
· Assigned security controls to protect the enterprise infrastructure (risk management)
· Incorporated capabilities for future detection of threats, vulnerabilities, and attacks
· Formalized incident response as a business process (policies, plans, procedures)
· Formalized disaster recovery and business continuity policies, plans, procedures
Each policy statement should be phrased in the form of a shall
statement which specifies the actions that must be taken to
implement your recommendations. For example, DoDI 5200.44,
Protection of Mission Critical Functions to Achieve Trusted
Systems and Networks (TSN), includes the following shall
statements:
· Risk to the trust in applicable systems shall be managed throughout the entire system lifecycle.
· The identification of mission critical functions and critical components as well as TSN planning and implementation activities, including risk acceptance as appropriate, shall be documented in …
· Risk management shall include TSN process, tools, and techniques to … Reduce vulnerabilities in the system design through system security engineering …
Deliverables
1. Completed Assessment Matrix
2. Recommendation Memo (no more than 5 pages)
Submit each deliverable in a separate file. Attach both files to
your Project 5 assignment folder entry.
Scenario
In the organization, there is an insider threat. The employee
who is the insider threat was overheard discussing a perceived
vulnerability in the enterprise infrastructure. Several members
of the IT Operations and Support staff believed that this report
(of the alleged vulnerability as perceived / reported by the
insider threat employee) represents an actual vulnerability in a
key IT system and are attempting to create a patch.
Meanwhile, the insider threat employee has released malware
into an enterprise IT system which is separate from the alleged
vulnerability. While the technical team is searching for the
alleged vulnerability, the malware has escaped from the
compromised enterprise IT system and is traveling through the
enterprise infrastructure disrupting all network traffic.
What are the issues that need to be addressed in your analysis of
the threats and vulnerabilities present in this scenario?
Instructions
Complete the matrix from table 4.1 of RAND MR1601 using
information provided in the scenario below. A blank copy of the
table is provided at the end of this file for your convenience.
Required Template
You must use the table template as provided in this assignment.
Copy the table on the next page into a separate MS Word
document file. You may wish to format your document for
landscape presentation (to give you more width in each
column). Do not modify the column or row headings. Do not
delete unused rows or columns (leave them blank).
Grading
For a “C” on this assignment, you must complete at least one
entry in the matrix (table) for 10 or more characteristics (rows)
spread across two or more categories (columns). This is a total
of 10 points of analysis or 10 cells. (You must have at least one
cell filled in for two of the four columns.)
For a “B” on this assignment, you must complete at least one
entry in the matrix for 12 or more characteristics (rows) spread
across three or more categories (columns). This is a total of 12
points of analysis or 12 cells. BUT, for the “B” you must
perform your analysis against at least three of the categories
(columns). (You must have at least one cell filled in for three of
the four columns.)
For an “A” on this assignment, you must complete at least one
entry in the matrix for 16 or more characteristics (rows) and
those entries must be spread across all four categories
(columns). This is a total of 16 points of analysis. BUT, for the
“A” you must perform your analysis against all four categories.
(You must have at least one cell filled in for each of the four
columns.)
Please see the grading rubric for additional requirements for
this assignment.
APA Formatting
APA formatting is NOT required for this assignment. Your work
should have a professional appearance and should use consistent
fonts, font sizes, and font colors. Your font size in the matrix
(table) should be no smaller than 9 points.
TurnItIn Submission
Your memorandum must be submitted to TurnItIn for originality
checking. Do not submit the matrix to TurnItIn.
Table 4.1 Matrix of Vulnerability Attributes and System Object Types
(RAND MR1601, Table 4.1)

Object of Vulnerability (columns)
· Physical: Hardware (data storage, input/output, clients, servers), network and communications, locality
· Cyber: Software, data, information, knowledge
· Human/Social: Staff, command, management, policies, procedures, training, authentication
· Enabling Infrastructure: Ship, building, power, water, air, environment

Attributes (rows)

Design/Architecture
· Singularity
· Uniqueness
· Centrality
· Homogeneity
· Separability
· Logic/implementation errors; fallibility
· Design sensitivity/fragility/limits/finiteness
· Unrecoverability

Behavior
· Behavioral sensitivity/fragility
· Malevolence
· Rigidity
· Malleability
· Gullibility/deceivability/naiveté
· Complacency
· Corruptibility/controllability

General
· Accessible/detectable/identifiable/transparent/interceptable
· Hard to manage or control
· Self-unawareness and unpredictability
· Predictability
