1. Read the RiskReport to see what the requirements are.
2. Read the Interim Risk Assessment to see the current state of the paper that needs to be revised.
3. Use the RiskReport and the details below on what is missing to revise the paper.
Feedback on changes needed to the Risk Assessment Plan
Risk Assessment Plan: Purpose does not make reference to BRI at all. Provide context. Scope, assumptions and constraints appear reasonable, but you can add an assumption or constraint regarding budget.
Need to elaborate on how risk is determined using the qualitative approach.
1. Title
IT Security Risk Assessment
2. Introduction
You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As a member of the IT security consulting team, one of your responsibilities is to ensure the security of assets as well as to provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy in organizations.
A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats.
In a series of New York Times articles, BRI was exposed as having been the victim of several security breaches. As a follow-up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency's information security controls and identified numerous issues.
The head of the agency has contracted your company to conduct an IT security risk assessment of its operations. The risk assessment was determined to be necessary to address security gaps in the agency's critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.
This learning activity focuses on IT security, an overarching concern that involves practically all facets of an organization's activities. You will learn about the key steps of preparing for and conducting a security risk assessment, and how to present the findings to leaders and convince them to take appropriate action.
Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern for every organization and may spell the success or failure of its mission. Effective IT professionals are expected to be up to date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (orally and in writing) to executive-level management in non-jargon, executive-level language that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by IT professionals.
1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats.
The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing, and therefore new types of security opportunities and threats are emerging which may impact the agency.
Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary for this environment.
The following incidents involving BRI's systems occurred and were reported in the New York Times and other media outlets:
· BRI's network had been compromised by nation-state-sponsored attackers, and the attacks are still continuing. It is believed that the attackers accessed the intelligence data used to support U.S. diplomats.
· The chief of the bureau used his personal e-mail system both for official business purposes and for his own individual use.
· A software defect in BRI's human resource system, a web application, improperly allowed users to view the personal information of all BRI employees, including social security numbers, birthdates, addresses, and bank account numbers (for direct deposit of their paychecks). After the breach, evidence was accidentally destroyed, so there was no determination of the cause of the incident or of its attackers.
· A teleworker brought home a laptop containing classified intelligence information. It was stolen during a burglary and never recovered.
· A disgruntled employee of a contractor for BRI disclosed classified documents through the media. He provided the media with, among other things, confidential correspondence between U.S. diplomats and the President that was very revealing.
· Malware had infected all of the computers in several foreign embassies, causing public embarrassment, security risks for personnel, and financial losses to individuals, businesses and government agencies, including foreign entities.
These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI's information security posture. Using standards and guidance provided by the National Institute of Standards and Technology and other parties, the GAO reported the following findings:
Identification and Authentication Controls
· The minimum password length for certain network infrastructure devices was set to less than eight characters.
· User account passwords had no expiration dates.
· Passwords are the sole means of authentication.
Authorization Controls
· BRI allowed users to have excessive privileges to the intelligence databases. Specifically, BRI did not appropriately limit the ability of users to enter commands through the user interface. As a result, users could access or change the intelligence data.
· BRI did not appropriately configure Oracle databases running on a server that supported multiple applications. The agency configured multiple databases operating on the server to run under one account. As a result, any administrator with access to that account would have access to all of these databases, potentially exceeding his/her job duties.
· At least twenty user accounts were still active on an application's database, although their removal had been requested in BRI's access request and approval system.
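The last finding above is the kind that a routine reconciliation check catches before an auditor does. The following Python is an added example, not part of the assignment or of the GAO findings: it compares the approved removal requests exported from an access request system against the accounts still active on a database and reports every approved removal that is past its deadline. The account list, the request records, their field names and the two-day removal deadline are constructed assumptions for illustration, not BRI's actual data or process.

```python
"""Reconcile approved access-removal requests against still-active accounts.

Added example, not from the assignment or the GAO review. The account list,
the request records and the field names are constructed for illustration,
and the removal deadline (REMOVAL_SLA_DAYS) is an assumed value.
"""
from datetime import date, timedelta

REMOVAL_SLA_DAYS = 2  # assumed: an approved removal must be completed within 2 calendar days
REVIEW_DATE = date(2020, 3, 13)  # constructed date on which the account list was pulled

# Constructed: accounts that are active on the application's database on the review date.
ACTIVE_DB_ACCOUNTS = ["JSMITH", "alee", "mgarcia", "t.nguyen", "svc_reports"]

# Constructed: export from the access request and approval system.
REMOVAL_REQUESTS = [
    {"user": "jsmith",   "approved": date(2020, 3, 2),  "status": "approved"},
    {"user": "A.Lee",    "approved": date(2020, 3, 10), "status": "approved"},
    {"user": "mgarcia",  "approved": date(2020, 3, 12), "status": "approved"},
    {"user": "pbrown",   "approved": date(2020, 2, 20), "status": "approved"},
    {"user": "t.nguyen", "approved": date(2020, 3, 12), "status": "denied"},
]


def normalize(username: str) -> str:
    """Canonical form for names that differ in case and punctuation between systems."""
    return username.lower().replace(".", "").replace("_", "")


def overdue_removals(active_accounts, requests, as_of, sla_days=REMOVAL_SLA_DAYS):
    """Approved removals whose account is still active after the deadline, worst first.

    Each result carries the account name as the database spells it, the name
    used on the request, and how many days past the deadline the account is.
    """
    active = {normalize(name): name for name in active_accounts}
    overdue = []
    for req in requests:
        if req["status"] != "approved":
            continue                      # denied or pending requests are not removals
        key = normalize(req["user"])
        if key not in active:
            continue                      # already removed: nothing to report
        deadline = req["approved"] + timedelta(days=sla_days)
        if as_of > deadline:
            overdue.append({
                "account": active[key],
                "requested_as": req["user"],
                "days_overdue": (as_of - deadline).days,
            })
    overdue.sort(key=lambda r: r["days_overdue"], reverse=True)
    return overdue


def sample_report():
    """Run the reconciliation over the constructed data as of REVIEW_DATE."""
    return overdue_removals(ACTIVE_DB_ACCOUNTS, REMOVAL_REQUESTS, REVIEW_DATE)


if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['account']:12s} removal approved for {row['requested_as']!r}, "
              f"{row['days_overdue']} day(s) past deadline")
```

The name normalization is the part that matters in practice: the request system and the database rarely spell identifiers the same way, and an exact-match comparison would silently miss the orphaned account. The denied request and the account that was removed on time are both excluded, so the output is only what the access reviewer has to act on.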
Data Security
· BRI does not use any type of encryption for data at rest, but protects data in transit using a VPN.
· A division data manager can independently control all key aspects of the processing of confidential data collected through intelligence activities.
· One employee was able to derive classified information by "aggregating" unclassified databases.
· Hackers gained access to transactional data held in a single repository and corrupted it.
System Security
· Wireless systems use the Wired Equivalent Privacy (WEP) standard to secure the transmission of data.
· The agency permits "Bring Your Own Device" (BYOD), so users can connect their personal mobile devices to the agency network freely.
· In the event of a network failure due to hacking, the data center manager has his own recovery plan but has not shared it with anyone in or out of the center. He was not aware of any requirement to report incidents outside of the agency.
· There has never been any testing of the security controls in the agency.
· Processes for the servers have not been documented and exist only in the minds of the system managers.
· Patching of key databases and system components has not been a priority. Patches have either been applied late or not at all. Managers explained that it takes time and effort to test patches against the agency's applications.
· Devices connected to the network are scanned for security vulnerabilities only when they are returned to inventory for future use.
· System developers working on financial systems are allowed both to develop code and to access production code.
Physical Security
· An unauthorized person was observed "tailgating," or closely following an official employee, while entering a secure data center.
· The monthly review process at a data center failed to identify a BRI employee who had separated from BRI, and so did not result in the removal of her access privileges. She was still able to access restricted areas for at least three months after her separation.
End User Security
· Users, even in restricted areas, are allowed to use social media such as Facebook. The argument used is that it is part of the public outreach efforts of the agency.
· Users receive a 5-minute briefing on security as part of their orientation session, which typically occurs on their first day of work. There is no other mention of security during the course of employment.
· Users are allowed to use public clouds such as Dropbox, Box, and Google Drive to store their data.
· BRI has not performed follow-up background investigations on employees who operate its intelligence applications (a single investigation is conducted upon initial employment).
· There is no policy regarding the handling of classified information.
An internal audit report indicated that the organization needs several security programs, including a security awareness and training program, a privacy protection program and a business continuity/disaster recovery program. These programs will need special attention.
2) Examine Background Resources
This learning demonstration focuses on the National Institute of Standards and Technology's (NIST) "Guide for Conducting Risk Assessments" (http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf). See p. 23 for the description of the risk management process.
Throughout this learning activity, feel free to use other references such as:
Other NIST publications (http://csrc.nist.gov/publications/PubsSPs.html),
SANS Reading Room (http://www.sans.org/reading-room/),
US-CERT (https://www.us-cert.gov/security-publications),
CSO Magazine (http://www.csoonline.com/),
Information Security Magazine (http://www.infosecurity-magazine.com/white-papers/),
Homeland Security News Wire (http://www.homelandsecuritynewswire.com/topics/cybersecurity)
Other useful references on security risk management include:
https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
https://books.google.com/books?id=FJFCrP8vVZcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false
3) Prepare the Risk Assessment Plan
Using the NIST report as your guide, address the following items:
· Purpose of the assessment,
· Scope of the assessment,
· Assumptions and constraints, and
· Selected risk model and analytical approach to be used.
Document your above analysis in the "Interim Risk Assessment Planning Report." This report should be 400-500 words.
Risk Assessment Plan
Purpose of the Assessment
IT systems are said to be vulnerable due to the variety of disruptions that they are exposed to in an organization. Some of the disruptions that they are exposed to include failure of disk drives, power outages, equipment destruction or fire. It is possible to minimize or eliminate these vulnerabilities through technical, operational or management solutions as part of an effort by the organization to manage the risk (Nicolic, 2009).
There are security gaps in the organization which affect the organizational performance. Thus there is a need to find a way in which these security gaps can be closed. Furthermore, it is important to have the organization spend time and money in the right areas so that it does not waste resources. The role of the security consultants is to come up with a better security assessment plan that will help the organization in many areas (Feng, Zhang & Zhang, 2004). The security assessment is meant to help the organization come up with decisions on how to protect critical information as well as be prepared for any security threats. The plan is designed so as to mitigate the risk to the system and the unavailability of service by focusing on effective and efficient solutions for recovery.
Scope of the Assessment
The risk assessment will inform decisions regarding the security gaps that exist in the IT systems in the organization. The security gaps are making the entire organization vulnerable to external threats, and the organization can lose a lot if these gaps are not closed. The risk assessment will be conducted over a period of six months so as to ensure that the system is closely monitored and that there are no gaps in the system. The considerations that will be made during this risk assessment include making sure that all the employees that use the system have the required security features on their computers, i.e., all endpoints (e.g., workstations, laptops, servers, mobile devices and smart devices, including "bring your own devices"). Risk management, in this case, will include quantitative risk management and control management. The procedure is essential as it will help the organization and the IT team to be updated on the latest events, which will help come up with better security to protect the organization. It will also play a significant role in determining the short-term goals and long-term goals. Once everyone is aware of these risks, it will be easier to act to contain the situation faced by any threat (Lo & Chen, 2012).
Assumptions and Constraints
It is without a doubt that assumptions and constraints are critical to the success of a risk assessment. Some assumptions at the outset of the assessment include that adequate resources will be dedicated to the assessment, including the involvement of key personnel, and that qualified assessors will be assigned to the task. Other assumptions may include, but are not limited to, threat sources, threat events, vulnerabilities and predisposing conditions, potential impacts, assessment and analysis approaches, and which missions/business functions are primary. The organization believes that most threats are caused by security breaches. Thus, risk assessment should be done mainly on security breaches of the IT systems of the organization. Some of the constraints that may be encountered during the risk assessment include inadequate funds, as it is not clear how bad the security gaps are and how much may be needed to solve the issues. Constraints also include that operations will need to continue unimpeded during the assessment, the assessment will need to be completed within a reasonable time limit, and recommendations from the assessment will need to be framed in terms of the resources available to implement the recommendations, balanced against the potential risk.
Selected Risk Model and Analytical Approach to be Used
A qualitative risk assessment approach will be used to mitigate the risk. Furthermore, since the risk assessment is being done to close the security gaps, a threat-oriented approach will also be used so as to determine the threats that the security gaps pose to the system. The quality of the system must be determined during risk assessment.
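As an added example, not part of the assignment text or of the interim plan above, the following Python shows one way to make the qualitative approach concrete, which is the point the feedback asks the plan to elaborate: each finding gets separate likelihood and impact ratings on the five-level scale, and two lookup tables turn them first into an overall likelihood and then into a level of risk. The tables follow the level-combination tables in NIST SP 800-30 Rev. 1 (Table G-5 for overall likelihood, Table I-2 for level of risk) and should be checked against the published guide before use; the four sample findings and the ratings given to them are constructed for illustration and are not assessor conclusions about BRI.

```python
"""Qualitative risk determination in the style of NIST SP 800-30 Rev. 1.

Added example, not part of the assignment or the interim plan. The two
lookup tables follow the level-combination tables in SP 800-30 Rev. 1
(Table G-5, overall likelihood; Table I-2, level of risk); verify them
against the published guide before relying on them. The sample findings
and the ratings assigned to them are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5 style: row = likelihood the threat event occurs,
# column (in LEVELS order) = likelihood it results in adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Table I-2 style: row = overall likelihood, column = level of impact.
LEVEL_OF_RISK = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def _index(level: str) -> int:
    """Position of a qualitative level on the scale; rejects anything off the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown qualitative level: {level!r}")
    return LEVELS.index(level)


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Combine 'will it happen' and 'will it hurt if it does' into one likelihood."""
    _index(initiation)
    return OVERALL_LIKELIHOOD[initiation][_index(adverse_impact)]


def level_of_risk(likelihood: str, impact: str) -> str:
    """Combine overall likelihood with magnitude of impact into a level of risk."""
    _index(likelihood)
    return LEVEL_OF_RISK[likelihood][_index(impact)]


@dataclass
class Finding:
    name: str
    initiation: str      # likelihood the threat event occurs
    adverse_impact: str  # likelihood it causes harm, given the vulnerability
    impact: str          # magnitude of harm if it does


def assess(findings):
    """Rate each finding and return (finding, overall likelihood, risk), highest risk first."""
    rated = []
    for f in findings:
        lik = overall_likelihood(f.initiation, f.adverse_impact)
        rated.append((f, lik, level_of_risk(lik, f.impact)))
    # Order by risk level, then by likelihood, so equal risk levels are still ranked.
    rated.sort(key=lambda r: (_index(r[2]), _index(r[1])), reverse=True)
    return rated


# Constructed sample: four of the GAO findings with illustrative (not assessed) ratings.
SAMPLE_FINDINGS = [
    Finding("Wireless uses WEP", "High", "Very High", "Very High"),
    Finding("No encryption of data at rest (stolen laptop)", "Moderate", "Very High", "Very High"),
    Finding("Passwords under 8 characters on network devices", "High", "High", "High"),
    Finding("Social media allowed in restricted areas", "Moderate", "Low", "Moderate"),
]

if __name__ == "__main__":
    for f, lik, risk in assess(SAMPLE_FINDINGS):
        print(f"{risk:9s} (likelihood {lik:9s})  {f.name}")
```

The ranking, not the labels, is what the plan needs: applying the same tables to every GAO finding yields a defensible order for the budget-constrained prioritization the scenario describes, and because each input rating is recorded, the agency can dispute a particular rating rather than the method.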