... Rivers October 19, 2013 Project 1 Part 1: Risk Mgmt. Plan 1. Introduction Risk Mgmt. Plan Well for starters the purpose of this risk management for DLIS (Defense Logistics Information Service) plan will be similar to the purpose of any organization would be and that would be how to better protect and secure the company’s IT environment. The importance of this is major since there is all kind of important data that is on and transmitted throughout our networks on a daily basis. DLIS we must ensure that we implement all necessary preventative security measures as well as policies and procedures. We must do this by first of all ensuring that we have really good antivirus software installed on all of our systems and ensuring that it is always up to date. The next thing is extensively configuring our firewalls making it more difficult for our networks to be hacked. Another thing is data encryption which is very vital in securing all important data for our company and clients especially when we are performing data transmission over the networks. The last thing I want to mention which will be part of policies and procedure is implementing various password and logon policies and procedures for security purposes as well. As I stated the purpose of the development of this plan is to reduce the risk of threats and vulnerabilities on our networks. This is vital because threats and vulnerabilities definitely present risk(s) to any important company and client data. We...
Words: 2058 - Pages: 9
...Risk Assessment Paper CMGT 579 September 26, 2011 Kyrstal Hall Every organization is faced with some risk or potential threat that could cause an interruption to the organization’s operations. These risks and threats can come from within or outside of the organization. To prepare for the worst that could happen, organizations must focus their attention on how to assess different types of risks to protect the organization from the possible negative effects to the daily operations. Performing a risk assessment is one of the most important steps in the risk management process (eHow, 2011). A Risk Assessment is periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. A risk assessment should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. Many organizations perform risk assessments to measure the amount of risks that could affect their organization, and identify ways to minimize these risks before a major disaster occurs. Department of Defense Information Systems Agency (DISA) follows guidelines and policies governed by processes by which the organization assesses and manages exposure to risks. In this paper the subject to identify...
Words: 1263 - Pages: 6
...Security Risk Analysis of time in expansion of network IT projects can be many times a daunting task to both the contracted IT Company and the clients. With some short deadlines, there is usually a small window of opportunity to present skills and produce positive results. As a network administrator, the pressure to deliver top notch and a robust system is a priority. U.S. industry Inc is just a young company that has both the quality and skills and knowledge to produce excellent work considering previous contracts that have been undertaken by the company. The US government department aims to expand its network infrastructure to enlarge the capacity and enable it provide quality services. The cost estimation of the contract is approximately three $3 million dollars lasting for a period of six months. A network administrator’s roles include: Ø setting up of the network Ø Designing and planning of the network Ø Expanding the network Ø Network maintenance Designing and planning of the network a network administrator is tasked with identify the US government departments requirement that necessitates the kind of system to set up. The US department may require certain special specification of their particular network depending on its purpose and objectives. It marks the first phase of the contract. Setting up a network The second phase is where the physical is setting up, and configuration of the network begins. Hardware installation and files, data...
Words: 1088 - Pages: 5
...company invested in the network designed it to be fault tolerant and resilient from any other network failures. However, although the company’s financial status has matured and its network has expanded at a rapid pace, its network security has not kept up with company growth (NIST, 2012). GFI’s network is fairly stable as it has not experienced many outages due to network failures. Global Finance Inc. has hired three network engineers to keep up with the network growth and bandwidth demand by the company employees and the clients. However, this company has not hired any security personnel who can take care of the operational security responsibility. The trusted computing base internal network in the Global Finance Inc. hosts the company’s mission critical systems without which the company’s operation and financial situation would suffer. The Oracle database and email systems are among the most intensively used application servers in the company. Global Finance Inc. cannot afford system outages because its cash flow and financial systems heavily depend on the network stability. This company has experienced denial of service attacks (DOS) twice this year and its Oracle database and email servers has been down at one point for over a week. Concern at hand is the recovery process required Global Finance Inc. to use $25,000 to restore its operations back to normal. Global Finance Inc. estimated the loss from these network attacks at more than $100...
Words: 1073 - Pages: 5
...Management Fall 2009 Non-financial risk assessment in mergers, acquisitions and investments Identifying sources of business risk in the ICT industry Bachelors thesis Erik Allenstr¨m, 1984-11-26 o Fredrik Njurell, 1984-01-30 ¨ Tutor: Osten Ohlsson January 14, 2010 Abstract The number of company mergers and acquisition activities has increased dramatically the last two decades. The reasons for conducting these activities are many and the uncertainties of their results are high. To reduce the uncertainties when making an investment, merger or acquisition it is vital to do a thorough assessment of the risks involved with the activity. This thesis focuses on a specific part of this risk assessment, namely the non-financial risks. Mergers and acquisitions are done in almost all industries around the world and the reasons for and benefits of these activities can vary between industries. We have chosen to investigate the risk assessment of non-financial risks in the Information and Communication Technology (ICT) industry. The thesis aims at investigating what business characteristics, for companies in the ICT industry, that give rise to non-financial risks that must be assessed when doing investments, mergers or acquisitions. Further on we present a risk pattern that points out what business characteristics that are the most important when conducting a risk assessment of non-financial risks on companies in the ICT industry. From a literature study we find evidence that ten different...
Words: 24602 - Pages: 99
...Toussaint Chivars IS3110/Lab2 8/16/2014 Align Risks, Threats & Vulnerabilities to COBIT Lab 2 1. List indentified threats & vulnerabilities Risk Factors from Lab1 a. Unauthorized access from public Internet High risk b. User destroys data in application and deletes files High risk c. Hacker penetrates your IT infrastructure and Medium risk gains access to your internal network d. Intra-office employee romance gone bad High risk e. Fire destroys primary data center Low 2. PO9.2 IT Establishment of Risk Context; PO9.3 Event Identification; PO9.4 Risk Assessment. 3. a. Unauthorized access from public Internet Integrity b. User destroys data in application and deletes files Availability c. Hacker penetrates your IT infrastructure and Confidentiality gains access to your internal network 4. The risks potential, the current protection level and the mitigation steps needed to prepare or reduce the risks/damages. 5. a. Threat vulnerability 1: unauthorized from public internet Information---firewall and encryption. Applications---only from recommended sources (applications with encryption, antivirus protection will be used. Infrastructure—Firewalls People---IT awareness training for all employees, monitoring from IT manager b. Threat or...
Words: 719 - Pages: 3
...Scott J. Straw Risk Management in Information Technology Security Summer 2014 6/29/14 Week 2 Assignment – Risk Assessment In regards to the projected expansion of bandwidth and storage, I feel I should start by addressing some of the present and future potential risks. There are inherent risks to adding new nodes in the network, and some of these can be mitigated by installing and properly configuring new hardware firewalls and proper installation and configuration of Intrusion Detection Systems. In addition to the new hardware, we will also need an additional system administrator, that is not only qualified for the position, but also needs to pass a background check to ensure he/she is not a threat to the federal government’s data and in turn US Industries as a company. A qualitative risk assessment finds the following risks for the network expansion: QUALITATIVE ANALYSIS SURVEY CATEGORY PROBABILITY IMPACT RISK LEVEL Loss of Data Availability 100 100 100 From DoS/DDoS Attack Loss of data from 100 100 100 Unauthorized access Loss of data from Malware 50 100 50 Loss of data from Fire/Natural Disaster 10 100 10 Stolen/corrupt data From lack of access Controls and improper Configuration 10 100 10 Noncompliance with...
Words: 931 - Pages: 4
...we need a secure network. Once major risk we need to ensure is the bank transaction are being transferred securely. Developing a secure network means developing controls that reduce or eliminate threats to the network. Here are some of the preventions we need to review when creating preventive measures to maintain compliance Compliance Methods - All virus definition and DAT file in the organization must be up to date by performing inventory of all employees machine by using a Tool such as SCCM to ensure all machine have the correct version. Push will be performed remotely to ensure all machine have the proper version. Wireless Access- In order to access wireless within the organization all employees will be required to have a SSL certificate to enable access to wireless network. Only authorized authentication will be permitted online Desktop Firewall- To assist in protecting again spywares or a predator using employees machines as a BOT employee must ensure their Desktop firewall are activated or a Group Policy (GPO) can be setup on the administrator side to ensure they are active and restrict any modification from users. All machines will have Desktop firewall enabled to reduce the risk of remote penetration to assist in avoiding Denial-of-Service (DoS) attacks. Router restriction- We need to implement Access Control List (ACL) in the router to control network traffic. The router will look at the internal and external packages process via the Network layer of the OSI...
Words: 525 - Pages: 3
...struggling to understand what the threats to their information assets are and how to obtain the necessary means to combat them which continues to pose a challenge. The ISF’s Information Risk Analysis Methodology (IRAM) enables organizations to access business information risk and select the right set of security controls to mitigate that risk. IRAM2 Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members. ISF aims its products at large public and private sector organizations, and produces an annually updated Standard of Good Practice for Information Security. This approach has three phases: a business impact assessment which determines the security requirements of the business, a threat and vulnerability assessment, and control selection. IRAM2 is a simple, practical yet rigorous business essential that helps ISF Members identify, analyze and treat information risk throughout the organization. The standard and its related tools, which must be purchased from ISF, make for a thorough risk management package. The price of the materials includes user guides and attendance at some ISF events....
Words: 2215 - Pages: 9
...Lab 2 - Align Risks, Threats, and Vulnerabilities to COBIT PO9 Risk Mgmt. Controls Part 1 4. Discuss the primary goal of the COBIT v4.1 framework. Provide a basic description of cobit. * The purpose of Control Objectives for Information and related Technology (COBIT) is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems. 5. Explain the major objective of the Control area (COBIT 4.1 Controls Collaboration link on the left side of the COBIT website) * “The COBIT Controls area within ISACA's Knowledge Center promotes collaboration and sharing of information, solutions and experience among COBIT users.” 6. From the COBIT Domains and Control Objectives section, list each of the types of control objectives and briefly describe them based on the descriptions on the website. * Plan and Organize – “This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological...
Words: 4162 - Pages: 17
...ISSC 363 Risk Consultant 24 January 2016 Risk Consultant A risk assessment is a way to identify, evaluate, quantify, and prioritize risks (Gibson, 2011). They are primarily used to assess the overall security of a network from the eyes of an attacker in order to protect the network from intruders (Schmittling, n.d.). There are no regulations instructing organizations on how systems need to be controlled or secured, however there are regulations requiring systems be secure in one way or another (Schmittling, n.d.). The rationale for conducting an assessment include: cost justification, productivity, breaking barriers, self analysis, and communication (Schmittling, n.d.). Adding security adds an extra expense that may not seem justifiable to a company. Businesses may not understand that an intrusion could cost more than proper security equipment and it is important for a security risk analysist to relay this important information. Productivity can be increased by properly formalizing a formalizing a review and implementing self analysis features (Schmittling, n.d.). Conducting a risk assessment can also break down barriers between the organization's management and the IT staff as they work together to secure the network. By making the security risk assessment system easy to use, management will be able to take part in the security of the network which will in turn make security a part of the business's culture. Risk assessments can boost communication...
Words: 792 - Pages: 4
... Business Impact Analysis and Risk Assessment for Information Resources General Information & Process Description Introduction The IT Security and Policies area within Information Technology Services is responsible for establishing policies to ensure that Iowa State University has a secure information technology environment. This document defines a process for departments to perform a business impact analysis and risk assessment for their information resources. Once an assessment has been done, the resulting documents should be maintained and regularly reviewed by the department. By using the business impact analysis and risk assessment tool defined in this document, departments have the capability to identify and respond to risks for their systems and information resources. Departments are encouraged to contact the Information Technology Security and Policies area at 4-2588 if they have specific questions or if they would like to arrange a meeting to discuss the process on an individual basis. Business Impact Analysis and Risk Assessment Guaranteed absolute security in today’s information technology environments is not realistic. However, it is important to have a process of identifying resources and associated risks, determining their magnitude, and identifying what safeguards are needed. That process is what we are referring to as business impact analysis and risk assessment. It is the department’s responsibility...
Words: 3038 - Pages: 13
...Risk-Based IT Audit Risk-Based Audit Methodology Apply to Organization’s IT Risk Management Kun Tao (Quincy) Cal Poly Pomona Author Note This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson. March 2014 Page 1 of 26 Risk-Based IT Audit Table of Contents Abstract .......................................................................................................................................... 3 Introduction .................................................................................................................................... 4 Methodology................................................................................................................................... 6 Risk-based auditing methodology: Risk assessment...................................................................... 6 IT Risk Management................................................................................................................... 7 IT Risk Control Framework........................................................................................................ 8 Identifying assets...................................................................................................................... 13 Determining criticality and confidentiality levels......................................................................14 Threat and vulnerability identification................................................................
Words: 6057 - Pages: 25
...Executive summary The main purpose of a threat and risk assessment is to provide recommendations that maximize the protection of integrity, confidentiality and availability while still providing usability and functionality. Insider threat has become a serious information security issues within organizations. Best way to determine the answers to these questions a company or organization can perform a threat and risk assessment. This can be accomplished using either internal or external resources. It is quite important that the risk assessment should be a collaborative process. It is proven that involvement of the various organizational levels the assessment can lead to a ineffective and costly security measure. Introduction...
Words: 793 - Pages: 4
...Chapter 1: Measuring and Weighing Risk Risk Assessment Risks to which the organization is exposed Allows you to develop scenarios that can help evaluate how to deal with risks Ex. An OS, server, or application may have known risks in certain environments Create a plan for your organization. Risks that need addressing Risk assessment components allows the organization to provide a reality check on real risks and unlikely risks. Ex. Industrial espionage and theft are likely, but a risk of a pack of dogs stealing contents of payroll files is low, therefore resources should be allocated to prevent espionage. * Computing Risk Assessment Prioritize Measurements of risk assessment Annualized rate of Occurrence (ARO) This is the likelihood, often drawn from historical data, of an event occurring within a year. Used in conjunction with monetary value assigned to compute Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE). Risk Assessment formula SLE x ARO = ALE You can expect that every SLE, which is equal to Asset Valve (AV) times Exposure factor (EF), will equivalent to $1000 and that there will be seven occurrences in a year (ARO), the ALE is $7000. Conversely if there is only a 1- % chance of an event occurring in a year (ARO=0.1) then the ALE Drops to 100. Examples: You are the administrator of a web server that generates $25,000 per hour in revenue. The probablility of the web server failing is estimated to be 25 percent, and a failure would lead...
Words: 1897 - Pages: 8
