Vulnerability Assessment Matrix & Policy Recommendations Memo
This assignment is based upon a vulnerability assessment and
mitigation methodology developed by the RAND Corporation.
Before you begin, make sure that you have read Chapters 2, 3,
and 4 of Finding and Fixing Vulnerabilities in Information
Systems: The Vulnerability Assessment and Mitigation Methodology
by Philip Anton (RAND MR1601).
The objective of this assignment is to perform a threats and
vulnerabilities analysis based upon the process methodology
presented in RAND MR1601. The purpose of the analysis
process is to help you determine the requirements for an
Infrastructure Protection Policy. The results of your analysis
will be used in the second part of this assignment to develop
policy recommendations which you will then use to write a
policy recommendations memorandum for the senior leadership of
the organization (see Scenario).
To document your analysis, you will complete the assessment
matrix shown in Table 4.1, Matrix of Vulnerability Attributes
and System Object Types, found in Chapter 4 of the RAND
document. For each type of threat or vulnerability listed in the
assessment matrix, you are required to provide a brief, concise
description (a few words or a key phrase) and a recommendation
for one or more actions (including implementation of specific
security controls) which should be taken to correct or remediate
the problem. A sample of a completed matrix, documenting
portions of a threats and vulnerabilities assessment, is found
in Table 4.2 (RAND MR1601).
After completing your assessment matrix, you will write a
policy recommendation memo which includes 10 to 15 policy
statements that can be used to implement your recommendations
(as documented in your table). Your memorandum should begin
with a brief introduction to the policy issue being addressed
(see Scenario). Your recommendations should cover the broad
spectrum of actions which will address the threats and
vulnerabilities discussed in your analysis. From your
recommendations, it should be clear that you performed the
following actions:
· Identified threats and vulnerabilities (risk identification)
· Assigned security controls to protect the enterprise infrastructure (risk management)
· Incorporated capabilities for future detection of threats, vulnerabilities, and attacks
· Formalized incident response as a business process (policies, plans, procedures)
· Formalized disaster recovery and business continuity policies, plans, procedures
Each policy statement should be phrased in the form of a shall
statement which specifies the actions that must be taken to
implement your recommendations. For example, DoDI 5200.44,
Protection of Mission Critical Functions to Achieve Trusted
Systems and Networks (TSN), includes the following shall
statements:
· Risk to the trust in applicable systems shall be managed throughout the entire system lifecycle.
· The identification of mission critical functions and critical components as well as TSN planning and implementation activities, including risk acceptance as appropriate, shall be documented in …
· Risk management shall include TSN process, tools, and techniques to … Reduce vulnerabilities in the system design through system security engineering …
Deliverables
1. Completed Assessment Matrix
2. Recommendation Memo (no more than 5 pages)
Submit each deliverable in a separate file. Attach both files to
your Project 5 assignment folder entry.
Scenario
In the organization, there is an insider threat. The employee
who is the insider threat was overheard discussing a perceived
vulnerability in the enterprise infrastructure. Several members
of the IT Operations and Support staff believed that this report
(of the alleged vulnerability as perceived / reported by the
insider threat employee) represents an actual vulnerability in a
key IT system and are attempting to create a patch.
Meanwhile, the insider threat employee has released malware
into an enterprise IT system which is separate from the alleged
vulnerability. While the technical team is searching for the
alleged vulnerability, the malware has escaped from the
compromised enterprise IT system and is traveling through the
enterprise infrastructure disrupting all network traffic.
What are the issues that need to be addressed in your analysis of
the threats and vulnerabilities present in this scenario?
Instructions
Complete the matrix from table 4.1 of RAND MR1601 using
information provided in the scenario below. A blank copy of the
table is provided at the end of this file for your convenience.
Required Template
You must use the table template as provided in this assignment.
Copy the table on the next page into a separate MS Word
document file. You may wish to format your document for
landscape presentation (to give you more width in each
column). Do not modify the column or row headings. Do not
delete unused rows or columns (leave them blank).
Grading
For a “C” on this assignment, you must complete at least one
entry in the matrix (table) for 10 or more characteristics (rows)
spread across two or more categories (columns). This is a total
of 10 points of analysis or 10 cells. (You must have at least one
cell filled in for two of the four columns.)
For a “B” on this assignment, you must complete at least one
entry in the matrix for 12 or more characteristics (rows) spread
across three or more categories (columns). This is a total of 12
points of analysis or 12 cells. BUT, for the “B” you must
perform your analysis against at least three of the categories
(columns). (You must have at least one cell filled in for three of
the four columns.)
For an “A” on this assignment, you must complete at least one
entry in the matrix for 16 or more characteristics (rows) and
those entries must be spread across all four categories
(columns). This is a total of 16 points of analysis. BUT, for the
“A” you must perform your analysis against all four categories.
(You must have at least one cell filled in for each of the four
columns.)
Please see the grading rubric for additional requirements for
this assignment.
APA Formatting
APA formatting is NOT required for this assignment. Your work
should have a professional appearance and should use consistent
fonts, font sizes, and font colors. Your font size in the matrix
(table) should be no smaller than 9 points.
TurnItIn Submission
Your memorandum must be submitted to TurnItIn for originality
checking. Do not submit the matrix to TurnItIn.
Table 4.1 Matrix of Vulnerability Attributes and System Object Types (RAND MR1601, Table 4.1)
Object of Vulnerability: Physical | Cyber | Human/Social | Enabling Infrastructure
Attributes
Hardware (data storage, input/output, clients, servers), network and communications, locality