Central Washington University IT 438 Risk Management / SECURITY RISK ASSESSMENT.

Document Content and Description Below

Table of Contents Executive Summary3 Overview of Assessment3 Identified Risks and Common Risk Themes3 Summary of Proposed Mitigation Activities3 Risk Assessment Report4 Overview of Risk Assessme... nt4 Risk Measurement Criteria4 Scope of Assessment 4 Security Controls Assessed 4 Areas of Concern (or Risks) 4 Disgruntled employee may access and release employees’ account information 4 Hacker gain access 5 Risk Heat Map 5 Risk Mitigation 6 Risks to Mitigate 6 References 22 Executive Summary Overview of Assessment When the assessment took place, I interviewed the branch manager of department of information During the interview, the information asset we assessed were employees account information However, there was a limitation in the process of the assessment The purpose of assessing employee’s account information was to see what are the chance that that account information would be compromised Identified Risks and Common Risk Themes There was some area of concerns that I have discovered while the assessment was in progress One of those concerns was a disgruntle employee may release employee account information Other areas of that were also a concern was a hacker may gain access to employee account information Other areas were how do they manage the employee accounts Summary of Proposed Mitigation Activities The common thing to do when you are mitigating risk is first start with the basic assessment A basic assessment can be something like evaluating the system setting that has been set by default such as a type of encryption, is the computer’s hard drive encryption enabled or disabled, internet security setting configured or not, etc Those are the general things that would need to be examined before deciding which security controls to implement to the computer system Risk Assessment Report Overview of Risk Assessment I used Octave Allegro methodology to help me to get a better understanding on what areas to assess and see what the potential impact on those areas are would be For example, Aneel has provided me the information such as the percentage for worksheet 1 through 3 on the different level of each impact are The usage of the Octave Allegro worksheet has provided me a better insight as to what kind of question I could as Aneel Risk Measurement Criteria The following impact areas are what Aneel and I determined needed to be assessed such as reputation and individual confidence, financial, and safety In each of these areas, Aneel and I have agreed that safety will ranked number 4 which mean that areas is the most important Follow by individual confidence which rank number 4, the second most important The reputation was ranked number 2 While financial was ranked number 1 Scope of Assessment I identified employees’ account information as an information asset The employee account information contains personal information It also includes social security number, bank account, routing number, credit/debits card information More than that, for foreign workers, they also have their foreign address and bank account information Security Controls Assessed Table 1 Security Control Assessment Critical Security Control Identifier Assessment of Security Control Results of Assessment CSC 11 ACCOUNT MANAGEMENT CSC 11 control has been implemented CSC 12 UNSUCCESSFUL LOGON ATTEMPTS CSC 12 control has been implemented CSC 13 DATA MINING PROTECTION CSC 13 control has been implemented CSC 14 ACCESS ENFORCEMENT CSC 14 control has been implemented Areas of Concern (or Risks) Disgruntled employee may access and release employees’ account information • Threat statement: a disgruntled employee may release employee’s account information • Finding: a disgruntled employee could use their access credential to gain access to the system and steal the data If the configuration of a firewall and malware defense software was configuration improperly, the employee could compromise administrative account or exploit server Which could lead to an alternation of employee’s information or possibly be leaked • Evidence: the evidence that I have gathered is that most of Admin office have access to employee accounts Also, the employee at department of information and human resource can access to every employee account, • Impact: employees may be very concerned if their account information was released to the public or use by criminal entities The level of confidence that the employees have would be severely impacted, which in return could harm Technado’s reputation Hacker gain access • Threat statement: A hacker may gain access to employee’s account information • Finding: One of the ways that the hacker could gain access to employee records is finding a vulnerability in one of the security controls and exploiting it to bypass the other security controls Or the security authentication services may not have been properly configured Other possible areas that could be exploited is the maintenance of the system may not be up to date • Impact: An impact on reputation of employee’s confidence category, the risk level is medium The reason why the risk value is medium because the company would do an extensive risk assessment and find out the damage done and how their reputation was affected It may require them to re-establish trust with their staff members • If a hacker were able to retrieve financial records such as employee’s account and routing numbers, it could cause them to lose a lot of money The impact value for financial area is a medium as well; because the organization can still operate even if the hacker syphon funds from their account They would still need to retrieve their funds from either other government or their own reserves Risk Heat Map Risk Mitigation • Risks to Accept • Risks to Defer • Risks to Transfer Risks to Mitigate Risk Mitigated: disgruntled employee may release employee’s account information A disgruntled employee could release employee data, so Technado decided to mitigate because it was likely this threat to occur To minimize the threat, there are various methods which could help reduce the chance of the data being released by a disgruntled employee The ways that will help reduce the impact is strengthening the security controls to the database and enabling permission controls to the files By adding permission controls to files in the database, it prevents users from being able to access files for those who does not have proper permission After mitigations efforts are in place, a comparison of the before and after results will be performed If the after results of the risk is lower than before results, then the organization will consider the risk to be acceptable and further mitigation is not necessary Risk Mitigated: hacker gain access to employee’s account information The reason mitigation is necessary for a dedicated archive database was the archive database has older information that is used by employees from time to time The information that is stored on the database still needs to be protected from outside threats Aneel said that Technado will implement two-way authentication process in the future By implement method, it will provide the necessary protection to the archive database Which minimizes the chance of a hacker or unauthorized person the ability to steal data and cause damage to the staff database [Show More]

Last updated: 1 year ago

Preview 1 out of 22 pages