Transcript
undefined
Assessing Information System Vulnerabilities and Risk
undefined
You are an information assurance management officer (IAMO) at an organization of your choosing. One morning, as you’re getting ready for work, you see an email from Karen, your manager. She asks you to come to her office as soon as you get in. When you arrive to your work, you head straight to Karen’s office. “Sorry for the impromptu meeting,” she says, “but we have a bit of an emergency. There’s been a security breach at the Office of Personnel Management.”
undefined
We don’t know how this happened, but we need to make sure it doesn’t happen again, says Karen. You’ll be receiving an email with more information on the security breach. Use this info to assess the information system vulnerabilities of the Office of Personnel Management.
undefined
At your desk, you open Karen’s email. She’s given you an OPM report from the Office of the Inspector General, or OIG. You have studied the OPM OIG report and found that the hackers were able to gain access through compromised credentials. The security breach could have been prevented, if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings. In addition, access to the databases could have been prevented by implementing various encryption schemas and could have been identified after running regularly scheduled scans of the systems.
undefined
Karen and the rest of the leadership team want you to compile your findings into a Security Assessment Report, or SAR. You will also create a Risk Assessment Report, or RAR, in which you identify threats, vulnerabilities, risks, and likelihood of exploitation and suggested remediation.
undefined
Your research and your Workspace exercise have led you to this moment: creating your SAR and RAR. Consider what you have learned in the previous steps as you create your reports for leadership.
undefined
Prepare a Security Assessment Report (SAR) with the following sections:
undefined
- Purpose
- Organization
- Scope
- Methodology
- Data
- Results
- Findings
undefined
The final SAR does not have to stay within this framework and can be designed to fulfill the goal of the security assessment.
undefined
Prepare a risk assessment report (RAR) with information on the threats, vulnerabilities, likelihood of exploitation of security weaknesses, impact assessments for exploitation of security weaknesses, remediation, and cost/benefit analyses of remediation.
undefined
Devise a high-level plan of action with interim milestones (POAM) in a system methodology to remedy your findings.
undefined
Include this high-level plan in the RAR.
undefined
Summarize the results you obtained from the OpenVAS vulnerability assessment tool in your report. The deliverables for this project are as follows:
undefined
- Security Assessment Report (SAR): This should be an eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Risk Assessment Report (RAR): This report should be a five- to six-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
undefined
Check Your Evaluation Criteria
undefined
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
undefined
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.2: Develop coherent paragraphs or points so that each is internally unified and so that each functions as part of the whole document or presentation.
- 1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
- 1.4: Tailor communications to the audience.
- 1.5: Use sentence structure appropriate to the task, message and audience.
- 1.6: Follow conventions of Standard Written English.
- 5.2: Knowledge of architectural methodologies used in the design and development of information systems, including the physical structure of a system’s internal operations and interactions with other systems and knowledge of standards that either are compliant with or derived from established standards or guidelines.
- 5.6: Explore and address cybersecurity concerns, promote awareness, best practice, and emerging technology.
- 7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
- 8.1: Demonstrate the abilities to detect, identify, and resolve host and network intrusion incidents.
- 8.2: Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle relevant digital evidence appropriately.
0 comments