1. Title
IT Security Risk Assessment
2. Introduction
You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As a member of IT security consultant team, one of your responsibilities is to ensure the security of assets as well as provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy in organizations.
A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats.
In a series of New York Times articles, BRI was exposed as being the victim of several security breaches. As a follow up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency’s information security controls and identified numerous issues.
The head of the agency has contracted your company to conduct an IT security risk assessment on its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.
This learning activity focuses on IT security which is an overarching concern that involves practically all facets of an organization’s activities. You will learn about the key steps of preparing for and conducting a security risk assessment and how to present the findings to leaders and convince them into taking appropriate action.
Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern among every organization and it may spell success or failure of its mission. Effective IT professionals are expected to be up-to-date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (oral and written) to executive level management in a non-jargon, executive level manner that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by IT professionals.
3. Steps to Completion
Your instructor will form the teams. Each member is expected to contribute to the team agreementwhich documents the members’ contact information and sets goals and expectations for the team.
1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multipl.
1. 1. Title
IT Security Risk Assessment
2. Introduction
You are employed with Government Security Consultants, a
subsidiary of Largo Corporation. As a member of IT security
consultant team, one of your responsibilities is to ensure the
security of assets as well as provide a secure environment for
customers, partners and employees. You and the team play a
key role in defining, implementing and maintaining the IT
security strategy in organizations.
A government agency called the Bureau of Research and
Intelligence (BRI) is tasked with gathering and analyzing
information to support U.S. diplomats.
In a series of New York Times articles, BRI was exposed as
being the victim of several security breaches. As a follow up,
the United States Government Accountability Office (GAO)
conducted a comprehensive review of the agency’s information
security controls and identified numerous issues.
The head of the agency has contracted your company to conduct
an IT security risk assessment on its operations. This risk
assessment was determined to be necessary to address security
gaps in the agency’s critical operational areas and to determine
actions to close those gaps. It is also meant to ensure that the
agency invests time and money in the right areas and does not
waste resources. After conducting the assessment, you are to
develop a final report that summarizes the findings and provides
a set of recommendations. You are to convince the agency to
implement your recommendations.
This learning activity focuses on IT security which is an
overarching concern that involves practically all facets of an
2. organization’s activities. You will learn about the key steps of
preparing for and conducting a security risk assessment and how
to present the findings to leaders and convince them into taking
appropriate action.
Understanding security capabilities is basic to the core
knowledge, skills, and abilities that IT personnel are expected
to possess. Information security is a significant concern among
every organization and it may spell success or failure of its
mission. Effective IT professionals are expected to be up-to-
date on trends in IT security, current threats and vulnerabilities,
state-of-the-art security safeguards, and security policies and
procedures. IT professionals must be able to communicate
effectively (oral and written) to executive level management in
a non-jargon, executive level manner that convincingly justifies
the need to invest in IT security improvements. This learning
demonstration is designed to strengthen these essential
knowledge, skills, and abilities needed by IT professionals.
3. Steps to Completion
Your instructor will form the teams. Each member is expected
to contribute to the team agreementwhich documents the
members’ contact information and sets goals and expectations
for the team.
1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence
(BRI) is to provide multiple-source intelligence to American
diplomats. It must ensure that intelligence activities are
consistent with U.S. foreign policy and kept totally
confidential. BRI has intelligence analysts who understand U.S.
foreign policy concerns as well as the type of information
needed by diplomats.
The agency is in a dynamic environment in which events
affecting foreign policy occur every day. Also, technology is
rapidly changing and therefore new types of security
opportunities and threats are emerging which may impact the
3. agency.
Due to Congressional budget restrictions, BRI is forced to be
selective in the type of security measures that it will implement.
Prioritization of proposed security programs and controls based
on a sound risk assessment procedure is necessary for this
environment.
The following incidents involving BRI’s systems occurred and
reported in the New York Times and other media outlets:
· BRI’s network had been compromised by nation-state-
sponsored attackers and that attacks are still continuing. It is
believed that the attackers accessed the intelligence data used to
support U.S. diplomats.
· The chief of the bureau used his personal e-mail system for
both official business purposes and for his own individual use.
· A software defect in BRI’s human resource system – a web
application – improperly allowed users to view the personal
information of all BRI employees including social security
numbers, birthdates, addresses, and bank account numbers (for
direct deposit of their paychecks). After the breach, evidence
was accidently destroyed so there was no determination of the
cause of the incident or of its attackers.
· A teleworker brought home a laptop containing classified
intelligence information. It was stolen during a burglary and
never recovered.
· A disgruntled employee of a contractor for BRI disclosed
classified documents through the media. He provided the media
with, among other things, confidential correspondence between
U.S. diplomats and the President that were very revealing.
· Malware had infected all of the computers in several foreign
embassies causing public embarrassment, security risks for
4. personnel and financial losses to individuals, businesses and
government agencies including foreign entities.
These reports prompted the U.S. Government Accountability
Office to conduct a comprehensive review of BRI’s information
security posture. Using standards and guidance provided by the
National Institute of Standards and Technology and other
parties, they had the following findings:
Identification and Authentication Controls
· Controls over the length of passwords for certain network
infrastructure devices were set to less than eight characters.
• User account passwords had no expiration dates.
• Passwords are the sole means for authentication.
Authorization Controls
· BRI allowed users to have excessive privileges to the
intelligence databases. Specifically, BRI did not appropriately
limit the ability of users to enter commands using the user
interface. As a result, users could access or change the
intelligence data.
· BRI did not appropriately configure Oracle databases running
on a server that supported multiple applications. The agency
configured multiple databases operating on a server to run under
one account. As a result, any administrator with access to the
account would have access to all of these databases; potentially
exceeding his/her job duties.
· At least twenty user accounts were active on an application’s
database, although they had been requested for removal in
BRI’s access request and approval system.
Data Security
· BRI does not use any type of data encryption for data-at-rest
but protects data-in-transit using VPN.
· A division data manager can independently control all key
aspects of the processing of confidential data collected through
intelligence activities.
5. · One employee was able to derive classified information by
“aggregating” unclassified databases.
System Security
· Wireless systems use the Wired Equivalent Privacy (WEP)
standard for ensuring secure transmission of data.
· The agency permitted the “Bring Your Own Device” (BYOD)
concept and therefore users can utilize their personal mobile
devices to connect to the agency network freely.
· In the event of a network failure due to hacking, the data
center manager has his recovery plan but has not shared it with
anyone in or out of the center. He was not aware of any
requirement to report incidents outside of the agency.
· There has never been any testing of the security controls in the
agency.
· Processes for the servers have not been documented, but in the
minds of the system managers.
· Patching of key databases and system components has not
been a priority. Patching systems have either been late or not
performed at all. Managers explained that it takes time and
effort to test patches on its applications.
· Scanning devices connected to the network for possible
security vulnerabilities are done only when the devices are
returned to inventory for future use.
· System developers involved with financial systems are
allowed to develop code and access production code.
Physical Security
· An unauthorized personnel was observed “tailgating” or
closely following an official employee while entering a secure
6. data center.
· The monthly review process at a data center failed to identify
a BI employee who had separated from BRI and did not result in
the removal of her access privileges. She was still able to access
restricted areas for at least three months after her separation.
End User Security
· Users even in restricted areas are allowed to use social media
such as Facebook. The argument used is that is part of the
public outreach efforts of the agency.
· Users receive a 5-minute briefing on security as part of their
orientation session that occurs typically on their first day of
work. There is no other mention of security during the course of
employment.
· Users are allowed to use public clouds such as Dropbox, Box,
and Google Drive to store their data.
· BRI has not performed continual background investigations on
employees who operate its intelligence applications (one
investigation is conducted upon initial employment).
· There is no policy regarding the handling of classified
information.
2) Examine Background Resources
This learning demonstration focuses on theNational Institute of
Standards and Technology's (NIST) “Guide for Conducting Risk
Assessments”
(http://csrc.nist.gov/publications/nistpubs/800-30-
rev1/sp800_30_r1.pdf). See Pg. 23 to view the description of
the risk management process.
7. Throughout this learning activity, feel free to use other
references such as:
Other NIST publications
(http://csrc.nist.gov/publications/PubsSPs.html),
SANS Reading Room (http://www.sans.org/reading-room/),
US-CERT (https://www.us-cert.gov/security-publications),
CSO Magazine (http://www.csoonline.com/),
Information Security Magazine (http://www.infosecurity-
magazine.com/white-papers/),
Homeland Security News Wire
(http://www.homelandsecuritynewswire.com/topics/cybersecurit
y)
Other useful references on security risk management include:
https://books.google.com/books?id=cW1ytnWjObYC&printsec=
frontcover&dq=security+risk+management&hl=en&sa=X&ei=_
1JFVdGIJsKkgwSG4IGgCA&ved=0CDEQ6AEwAA#v=onepage
&q=security%20risk%20management&f=false
https://books.google.com/books?id=FJFCrP8vVZcC&printsec=f
rontcover&dq=security+risk+management&hl=en&sa=X&ei=_1
JFVdGIJsKkgwSG4IGgCA&ved=0CD4Q6AEwAg#v=onepage&
q=security%20risk%20management&f=false
3) Prepare the Risk Assessment Plan
Using the NIST report as your guide, address the following
items:
· Purpose of the assessment,
· Scope of the assessment,
· Assumptions and constraints, and
· Selected risk model and analytical approach to be used.
Document your above analysis in the “Interim Risk Assessment
Planning Report.” (An interim report will be consolidated to a
final deliverable in a later step.)
All interim reports should be at least 500 words long and
include at least five references for each report. These reports
8. will eventually be presented to management for their review.
4) Conduct the Assessment
Again, use the NIST report to address the following:
1) Identify threat sources and events
2) Identify vulnerabilities and predisposing conditions
3) Determine likelihood of occurrence
4) Determine magnitude of impact
5) Determine risk
You are free to make assumptions but be sure to state them in
your findings.
In determining risk, include the assessment tables reflect BRI’s
risk levels. Refer to Appendix I. on risk determination in
Special Publication 800-30.
Document your analysis from this step in the “Interim Risk
Assessment Findings Report.”
5) Identify Needed Controls and Programs
Research security controls needed to close the security gaps in
BRI.
Be sure to include a description of the following programs and
others needed for securing BRI:
· Security Awareness and Training Program (i.e.,
communications to employees regarding security)
· Privacy Protection Program
· Business Continuity/Disaster Recovery Program
You should justify the need for the corporation to invest in your
recommendations.
Document your findings and recommendations from this step in
the “Interim Security Recommendations Report.”
6) Communicate the Overall Findings and Recommendations
Integrate of your earlier interim reports into a final management
report. Be sure to address:
· Summary of the Current Security Situation at BRI (from Step
1)
· Risk Assessment Methodology (from Step 2)
· Risk Assessment Plan (from Step 3)
· Risk Assessment Findings (from Step 4)
9. · Security Recommendations Report (from Step 5)
· Conclusions
Also provide a presentation to management. The presentation
should consist of 15-20 slides. It should include audio
narration (directions are found at: https://support.office.com/en-
au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-
b1e7-e47d8741161c). The narration should also be captured in
the slide notes.
As an alternate method of delivery, you can create a video using
YouTube Capture (https://www.youtube.com/capture) or a
similar tool.
Document your contribution to the team effort. Also prepare a
peer evaluation report.
4. Deliverables
1) Interim Risk Assessment Planning Report
2) Interim Risk Assessment Findings Report
3) Interim Security Recommendations Report
4) Final presentation
One member of your team is to submit the work in the
assignment area of the classroom. Title the files using this
protocol: TeamName_G-2_AssignmentName_Date. Large files
may be zipped.
Individually, submit these items to your assignment area:
· Contribution to the Team Effort (Word document)
· Completed Peer Evaluation form
Title your two files using this protocol:
· Lastname_FirstInitial_G-2_Contribution_Date
· Lastname_FirstInitial_G-2_PeerEvaluation_Date
5. Rubrics
Criteria
Weight
(%)
Score
(0-100)
Totals
(Wt x Score)
10. Identify and prevent threats and vulnerabilities associated with
information systems
55
Communicate to employees an awareness of security issues
related to IT systems
10
Evaluate organizational information systems to insure they
protect the privacy of users and of customers
10
Determine requirements for business continuity/disaster
recovery plans and backup procedures
10
Exhibit communication skills
5
Illustrate critical thinking
5
Demonstrate inclusiveness in a team setting.
5
Total
100