We need a paper on Risk Assessment for the organization
(NASA). The risk should be listed in one of the following links.
http://oig.nasa.gov/audits/reports/FY10/IG-10-018-R.pdf
https://oig.nasa.gov/audits/reports/FY14/IG-14-023.pdf
https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf
https://oig.nasa.gov/audits/reports/FY17/IG-17-002A.pdf
The following sections are missing:
• Roles: who will respond to the incident and
notification/escalation procedures? Who is responsible for
writing the IRP?
• Training: specify a training frequency
• Plan testing: How (and how often) will you test the plan?
• Incidents: What defines an “incident”? Define some
security incidents that you may encounter on your network.
• Incident Notification: What happens when an incident is
detected?
• Reporting/tracking: How will you report and track
incidents? What about capturing “lessons learned”?
Read about the Final Project, "Inclusive Voices," Instructions
Purpose:
to show how a not-so-well-known person or movements’
emergent truth pushes back against dominant cultures’ non-
inclusive or discriminatory narrative through using their voice
and actions to disrupt, and create positive change.
Method:
1. Conduct research and write an APA formatted Research
Essay using 3-5 sources
2. Then from the content of the Research Essay create your
Final Presentation. Your Final Presentation, "Inclusive Voices,"
will teach your reader/viewer what you discovered from
conducting your research through a recorded poster
presentation, video presentation, or voice-narrated PowerPoint
presentation.
3. Create a Script that you will use to present your Final
Presentation
Ultimately, you will use the questions below to write your paper
and drive the content and organization of your presentation.
Completing your research should be organized in the following
way and answer the following questions about your
person/movement:
The introduction should briefly introduce and state the issue to
be examined. It should start with a creative, attention-getting
hook, then state why you chose the person/movement, show how
you will critically evaluate the person or movement you chose,
and provide a clear thesis statement.
The body of your paper contains information that explains who
the person/movement is, what they did, and then provides a
status update. The sub-headers used in APA formatting provide
your divisions.
(Sub-header:) Who are/were they?
This section answers the question who are they? This defines
them and their power and limitations in the culture of the time.
This section provides any historical information that is relevant
about them personally.
(Sub-header:) What was happening in culture of the time?
Here you will give some perspective about events and attitudes
of the time and what happened that allowed a space for their
voice. What was going on in dominant culture at the time that
allowed for their entry point into the cultural narrative?
(Sub-header:) What did they do?
This section should specifically explain what was their action
that disrupted dominant culture.
(Sub-header:) Where are they now?
Here you will explain what happened as a result of their action
or voice. What is the trajectory or lasting effects? Provide
a status update about them or their movement.
(Sub-header:) Conclusion
The conclusion of the paper should cover the three major parts.
· Answer: the thesis statement, revisited.
· Summary: main points and highlights from the body
paragraphs.
· Significance: the relevance and implications of the essay's
findings and what further actions could still be taken.
More details of Requirements and Execution:
1. Your essay should be typed and double-spaced on standard-
sized paper (8.5" x 11"), with 1" margins on all sides.
2. Title Page is required. The title page should contain
the title of the paper, the author's name, and the institutional
affiliation including course name, professor's name, and date.
(centered)
3. NO ABSTRACT REQUIRED
4. Page number on each page
5. Acceptable fonts are 11-point Calibri, 11-point Arial, and 10-
point Lucida Sans Unicode as well as serif fonts such as 12-
point Times New Roman, 11-point Georgia
6. For citation information take a look at this particular page of
the Purdue OWL site.
Risk Assessment
In this assignment, you will perform a qualitative risk
assessment, using a template that has been provided below.
Your last assignment in the course will be to take one of these
risks and develop a section for your Incident Response Plan or
Disaster Recovery Plan that address that risk.
1. Groups will work on a risk assessment using one of the
agencies as assigned, below:
| Organization | Link to Audit Reports | Groups |
| --- | --- | --- |
| National Aeronautics and Space Administration (NASA) | http://oig.nasa.gov/audits/reports/FY10/IG-10-018-R.pdf | 1, 8, 15 |
| | https://oig.nasa.gov/audits/reports/FY14/IG-14-023.pdf | |
| | https://oig.nasa.gov/audits/reports/FY17/IG-17-010.pdf | |
| | https://oig.nasa.gov/audits/reports/FY17/IG-17-002A.pdf | |
| Veterans Administration (VA) | http://www.va.gov/oig/pubs/VAOIG-12-01712-229.pdf | 2, 9, 7 |
| | http://www.va.gov/oig/pubs/VAOIG-11-01823-294.pdf | |
| | https://www.va.gov/oig/pubs/VAOIG-13-01391-72.pdf | |
| | https://www.va.gov/oig/pubs/VAOIG-16-01949-248.pdf | |
| Securities and Exchange Commission (SEC) | http://www.sec.gov/about/offices/oig/reports/audits/2013/512.pdf | 3, 10 |
| USPS | https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf | 4, 11 |
| | https://www.uspsoig.gov/document/mobile-system-review | |
| | https://www.uspsoig.gov/sites/default/files/document-library-files/2017/IT-AR-17-007.pdf | |
| | https://www.uspsoig.gov/sites/default/files/document-library-files/2015/usps_cybersecurity_functions.pdf | |
| Office of Personnel Management (OPM) | https://www.opm.gov/our-inspector-general/reports/2016/federal-information-security-modernization-act-audit-fiscal-year-2016-4a-ci-00-16-039.pdf | |
| | https://www.opm.gov/our-inspector-general/reports/2015/federal-information-security-modernization-act-audit-fy-2015-final-audit-report-4a-ci-00-15-011.pdf | |
| | https://www.opm.gov/our-inspector- | |
determine the likelihood that vulnerability could be exploited.
The threat table shown in Table 2-2 is designed to offer typical
threats to information systems and these threats have been
considered for the organization. Not all of these will be relevant
to the findings in your risk assessment, however you will need
to identify those that are.
| ID | Threat Name | Type ID | Description | Typical Impact: Confidentiality | Typical Impact: Integrity | Typical Impact: Availability |
| --- | --- | --- | --- | --- | --- | --- |
| T-1 | Alteration | U, P, E | Alteration of data, files, or records. | | Modification | |
| T-2 | Audit Compromise | P | An unauthorized user gains access to the audit trail and could cause audit records to be deleted or modified, or prevents future audit records from being recorded, thus masking a security relevant event. Also applies to a purposeful act by an Administrator to mask unauthorized activity. | | Modification or Destruction | Unavailable Accurate Records |
| T-3 | Bomb | P | An intentional explosion. | | Modification or Destruction | Denial of Service |
| T-4 | Communications Failure | U, E | Cut of fiber optic lines, trees falling on telephone lines. | | | Denial of Service |
| T-5 | Compromising Emanations | P | Eavesdropping can occur via electronic media directed against large scale electronic facilities that do not process classified National Security Information. | Disclosure | | |
| T-6 | Cyber Brute Force | P | Unauthorized user could gain access to the information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities. | Disclosure | Modification or Destruction | Denial of Service |
| T-7 | Data Disclosure | P, U | An attacker uses techniques that could result in the disclosure of sensitive information by exploiting weaknesses in the design or configuration. Also used in instances where misconfiguration or the lack of a security control can lead to the unintentional disclosure of data. | Disclosure | | |
| T-8 | Data Entry Error | U | Human inattention, lack of knowledge, and failure to cross-check system activities could contribute to errors becoming integrated and ingrained in automated systems. | | Modification | |
| T-9 | Denial of Service | P | An adversary uses techniques to attack a single target rendering it unable to respond and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-10 | Distributed Denial of Service Attack | P | An adversary uses multiple compromised information systems to attack a single target and could cause denial of service for users of the targeted information systems. | | | Denial of Service |
| T-11 | Earthquake | E | Seismic activity can damage the information system or its facility. Please refer to the following document for earthquake probability maps: http://pubs.usgs.gov/of/2008/1128/pdf/OF08-1128_v1.1.pdf. | | Destruction | Denial of Service |
| T-12 | Electromagnetic Interference | E, P | Disruption of electronic and wire transmissions could be caused by high frequency (HF), very high frequency (VHF), and ultra-high frequency (UHF) communications devices (jamming) or sun spots. | | | Denial of Service |
| T-13 | Espionage | P | The illegal covert act of copying, reproducing, recording, photographing or intercepting to obtain sensitive information. | Disclosure | Modification | |
| T-14 | Fire | E, P | Fire can be caused by arson, electrical problems, lightning, chemical agents, or other unrelated proximity fires. | | Destruction | Denial of Service |
| T-15 | Floods | E | Water damage caused by flood hazards can be caused by proximity to local flood plains. Flood maps and base flood elevation should be considered. | | Destruction | Denial of Service |
| T-16 | Fraud | P | Intentional deception regarding data or information about an information system could compromise the confidentiality, integrity, or availability of an information system. | Disclosure | Modification or Destruction | Unavailable Accurate Records |
| T-17 | Hardware or Equipment Failure | E | Hardware or equipment may fail due to a variety of reasons. | | | Denial of Service |
| T-18 | Hardware Tampering | P | An unauthorized modification to hardware that alters the proper functioning of equipment in a manner that degrades the security functionality the asset provides. | | Modification | Denial of Service |
| T-19 | Hurricane | E | A category 1, 2, 3, 4, or 5 land falling hurricane could impact the facilities that house the information systems. | | Destruction | Denial of Service |
| T-20 | Malicious Software | P | Software that damages a system, such as a virus, Trojan, or worm. | | Modification or Destruction | Denial of Service |
| T-21 | Phishing Attack | P | Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information. | Disclosure | Modification or Destruction | Denial of Service |
| T-22 | Power Interruptions | E | Power interruptions may be due to any number of reasons such as electrical grid failures, generator failures, uninterruptible power supply failures (e.g. spike, surge, brownout, or blackout). | | | Denial of Service |
| T-23 | Procedural Error | U | An error in procedures could result in unintended consequences. This is also used where there is a lack of defined procedures that introduces an element of risk. | Disclosure | Modification or Destruction | Denial of Service |
| T-24 | Procedural Violations | P | Violations of standard procedures. | Disclosure | Modification or Destruction | Denial of Service |
| T-25 | Resource Exhaustion | U | An errant (buggy) process may create a situation that exhausts critical resources preventing access to services. | | | Denial of Service |
| T-26 | Sabotage | P | Underhand interference with work. | | Modification or Destruction | Denial of Service |
| T-27 | Scavenging | P | Searching through disposal containers (e.g. dumpsters) to acquire unauthorized data. | Disclosure | | |
| T-28 | Severe Weather | E | Naturally occurring forces of nature could disrupt the operation of an information system by freezing, sleet, hail, heat, lightning, thunderstorms, tornados, or snowfall. | | Destruction | Denial of Service |
| T-29 | Social Engineering | P | An attacker manipulates people into performing actions or divulging confidential information, as well as possible access to computer systems or facilities. | Disclosure | | |
| T-30 | Software Tampering | P | Unauthorized modification of software (e.g. files, programs, database records) that alters the proper operational functions. | | Modification or Destruction | |
| T-31 | Terrorist | P | An individual performing a deliberate violent act could use a variety of agents to damage the information system, its facility, and/or its operations. | | Modification or Destruction | Denial of Service |
| T-32 | Theft | P | An adversary could steal elements of the hardware. | | | Denial of Service |
| T-33 | Time and State | P | An attacker exploits weaknesses in timing or state of functions to perform actions that would otherwise be prevented (e.g. race conditions, manipulation of user state). | Disclosure | Modification | Denial of Service |
| T-34 | Transportation Accidents | E | Transportation accidents include train derailments, river barge accidents, trucking accidents, and airline accidents. Local transportation accidents typically occur when airports, sea ports, railroad tracks, and major trucking routes occur in close proximity to systems facilities. Likelihood of HAZMAT cargo should be determined when considering the probability of local transportation accidents. | | Destruction | Denial of Service |
| T-35 | Unauthorized Facility Access | P | An unauthorized individual accesses a facility which may result in compromises of confidentiality, integrity, or availability. | Disclosure | Modification or Destruction | Denial of Service |
| T-36 | Unauthorized Systems Access | P | An unauthorized user accesses a system or data. | Disclosure | Modification or Destruction | |
Analyze Risk
The risk analysis for each vulnerability consists of assessing
security controls to determine the likelihood that vulnerability
could be exploited and the potential impact should the
vulnerability be exploited. Essentially, risk is proportional to
both likelihood of exploitation and possible impact. The
following sections provide a brief description of each
component used to determine the risk.
Likelihood
This risk analysis process is based on qualitative risk analysis.
In qualitative risk analysis the impact of exploiting a threat is
measured in relative terms. When a system is easy to exploit, it
has a High likelihood that a threat could exploit the
vulnerability. Likelihood definitions for the exploitation of
vulnerabilities are found in the following table.
| Likelihood | Description |
| --- | --- |
| Low | There is little to no chance that a threat could exploit vulnerability and cause loss to the system or its data. |
| Medium | There is a Medium chance that a threat could exploit vulnerability and cause loss to the system or its data. |
| High | There is a High chance that a threat could exploit vulnerability and cause loss to the system or its data. |
Impact
Impact refers to the magnitude of potential harm that could be
caused to the system (or its data) by successful exploitation.
Definitions for the impact resulting from the exploitation of a
vulnerability are described in the following table. Since
exploitation has not yet occurred, these values are perceived
values. If the exploitation of vulnerability can cause significant
loss to a system (or its data) then the impact of the exploit is
considered to be High.
| Impact | Description |
| --- | --- |
| Low | If vulnerabilities are exploited by threats, little to no loss to the system, networks, or data would occur. |
| Medium | If vulnerabilities are exploited by threats, Medium loss to the system, networks, and data would occur. |
| High | If vulnerabilities are exploited by threats, significant loss to the system, networks, and data would occur. |
Risk Level
The risk level for the finding is the intersection of the
likelihood value and impact value as depicted in the table
below. The combination of High likelihood and High impact
creates the highest risk exposure. The risk exposure matrix
shown in the table below presents the same likelihood and
impact severity ratings as those found in NIST SP 800-30 Risk
Management Guide for Information Technology Systems.

| Likelihood | Impact: High | Impact: Medium | Impact: Low |
| --- | --- | --- | --- |
| High | High | Medium | Low |
| Medium | Medium | Medium | Low |
| Low | Low | Low | Low |

Risk Assessment Results
This section documents the technical and non-technical security
risks to the system. Complete the following risk assessment
table, ensuring that you have addressed at least 10 risks. You
will be graded on your ability to demonstrate knowledge that
the risks are relevant to the company you have identified, as
well as that the security controls are appropriate for
controlling the risks you have identified.
The following provides a brief description of the information
documented in each column:
· Identifier: Provides a unique number used for referencing each
vulnerability in the form of R#-Security Control ID.
· Source: Indicates the source where the vulnerability was
identified (e.g., System Security Plan or Audit.)
· Threat: Indicates the applicable threat type from the table of
threats.
· Risk Description: Provides a brief description of the risk.
· Business Impact: Provides a brief description of the impact to
the organization if the risk is realized.
· Recommended Corrective Action: Provides a brief description
of the corrective action(s) recommended for mitigating the risks
associated with the finding.
· Likelihood: Provides the likelihood of a threat exploiting the
vulnerability. This is determined by applying the methodology
outlined in Section 3 of this document.
· Impact: Provides the impact of a threat exploiting the
vulnerability. This is determined by applying the methodology
outlined in Section 3 of this document.
· Risk Level: Provides the risk level (High, Medium, Low) for
the vulnerability. This is determined by applying the
methodology outlined in Section 3 of this document.
Your deliverables, as a team, will consist of the following 2
documents (and presentation):
1. You will complete and submit the following completed table
for grading.
Organization/Agency Selected:
Organization/Agency Mission:
| Identifier | Source | Threat ID | Risk Description | Business Impact | Recommended Corrective Action | Likelihood | Impact | Risk Level |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| R-01 | Audit | T-1, T-8, T-23, T-24, T-36 | Notification is not performed when account changes are made. | The lack of notification allows unauthorized changes to individuals who elevate permissions and group membership to occur without detection. | Enable auditing of all activities performed under privileged accounts in GPOs and develop a process to allow these events to be reviewed by an individual who does not have Administrative privileges. | Medium | Medium | Medium |
| R-02 | | | | | | | | |
| R-03 | | | | | | | | |
2. You will prepare a presentation in which your team presents
1) overview 2) summary of findings 3) drill down on the high
risks - discuss why you felt they presented a greater risk to the
agency 4) Recommendations for all of your significant findings
(don’t worry about the low ones) 5) Research a technical
solution (a product) that can help the agency “get healthy”.
Describe (in your own words, not the vendor’s words) how the
tool can help solve the risk it is intended to address.
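The check below is an added example, not part of the original assignment template: it validates risk register rows against the threat ID range (T-1 to T-36) and the risk exposure matrix given above, then ranks the consistent rows by risk level. The function names, the `R-NN` identifier pattern (taken from the sample row R-01) and rows R-02 to R-04 are assumptions constructed for illustration.

```python
import re

LEVELS = ("Low", "Medium", "High")

# Risk exposure matrix from the template: MATRIX[likelihood][impact]
MATRIX = {
    "High":   {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Medium": {"High": "Medium", "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Low",    "Medium": "Low",    "Low": "Low"},
}
VALID_THREATS = {f"T-{n}" for n in range(1, 37)}   # threat table lists T-1..T-36
ID_RE = re.compile(r"^R-\d{2}$")                   # assumed from sample row "R-01"


def check_row(row):
    """Return a list of problems found in one register row (empty if clean)."""
    problems = []
    if not ID_RE.match(row["id"]):
        problems.append(f"identifier {row['id']!r} is not of the form R-NN")
    threats = [t.strip() for t in row["threats"].split(",") if t.strip()]
    if not threats:
        problems.append("no threat ID given")
    unknown = [t for t in threats if t not in VALID_THREATS]
    if unknown:
        problems.append("unknown threat IDs: " + ", ".join(unknown))
    ratings_ok = True
    for field in ("likelihood", "impact", "risk_level"):
        if row[field] not in LEVELS:
            problems.append(f"{field} must be one of {LEVELS}")
            ratings_ok = False
    if ratings_ok:
        expected = MATRIX[row["likelihood"]][row["impact"]]
        if row["risk_level"] != expected:
            problems.append(
                f"stated risk level {row['risk_level']}, matrix gives {expected}")
    for field in ("description", "business_impact", "corrective_action"):
        if not row[field].strip():
            problems.append(f"{field} is empty")
    return problems


def review(register):
    """Check every row; return (problems per id, ids of clean rows ranked high to low)."""
    findings = {row["id"]: check_row(row) for row in register}
    clean = [r for r in register if not findings[r["id"]]]
    ranked = sorted(clean, key=lambda r: LEVELS.index(r["risk_level"]), reverse=True)
    return findings, [r["id"] for r in ranked]


def _row(rid, threats, likelihood, impact, level, text="constructed sample text"):
    return {"id": rid, "threats": threats, "likelihood": likelihood,
            "impact": impact, "risk_level": level, "description": text,
            "business_impact": text, "corrective_action": text}


# R-01 mirrors the template's sample row; R-02..R-04 are constructed test rows.
SAMPLE_REGISTER = [
    _row("R-01", "T-1, T-8, T-23, T-24, T-36", "Medium", "Medium", "Medium"),
    _row("R-02", "T-6", "High", "Medium", "High"),     # level disagrees with matrix
    _row("R-03", "T-6, T-40", "High", "High", "High"), # T-40 is not in the table
    _row("R-04", "T-21", "High", "High", "High"),
]

if __name__ == "__main__":
    findings, ranked = review(SAMPLE_REGISTER)
    for rid, problems in findings.items():
        print(rid, "OK" if not problems else "; ".join(problems))
    print("Priority order:", ranked)
```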
Incident Response Paper
Using NIST’s SP 800-61, “Computer Security Incident Handling
Guide”, develop an Incident Response Plan (IRP) that will
address one or more of the security risks that you identified in
your Risk Assessment. Google and find other actual IRPs on
the Internet and review them to see what type of information is
included. At a minimum, your plan should include the
following sections:
· Roles: who will respond to the incident and
notification/escalation procedures? Who is responsible for
writing the IRP?
· Training: specify a training frequency
· Plan testing: How (and how often) will you test the plan?
· Incidents: What defines an “incident”? Define some security
incidents that you may encounter on your network.
· Incident Notification: What happens when an incident is
detected?
· Reporting/tracking: How will you report and track incidents?
What about capturing “lessons learned”?
· Procedures: Select one of your security risks identified in
your Risk Assessment. Prepare procedures for addressing the
incident in the event that the incident actually happens. In this
section, address the following subsections specific to your risk
that you are identifying.
· Preparation
· Detection and Analysis
· Containment
· Eradication
· Recovery and Post-Incident Activity (see Appendix A)
Note: there are several scenarios in the appendix of the NIST
document. You can use, for instance, Scenario 11: Unknown
Wireless Access Point to help develop the response procedures
for wireless access, as an example. Use any of these to help
flesh out your procedures but the procedure you agreed to use
must be one that addresses a risk you identified in your Risk
Assessment.
Grading Criteria
| Criteria | Weight |
| --- | --- |
| Document is at least 5 - 7 double-spaced pages. Paper is well-written with minimal typing, spelling, or grammatical errors. | 10% |
| Required sections (above) are appropriately addressed. 25 points (5 each), 50 points for the Procedures Section. | 75% |
| Procedures provide sufficient information to enable recovery and mission restoration. | 15% |