Application of Risk Management

In: Computers and Technology

Submitted By jsim911
Words 505
Pages 3
As IT manager of YieldMore Company, it is our responsibility to analyze all of the risks and threat/vulnerability pairs and decide which risk management techniques will reduce the chances of vulnerabilities being exploited. We want to ensure that the risk management techniques we choose provide the greatest security across the seven domains.
The user domain carries risks related to a lack of employee training in general security knowledge. Visiting risky websites, opening infected emails, or carelessly bringing infected files in on a USB drive can result in a nightmare of security issues. To counteract this sort of risk, we will use mitigation, imposing restrictions on employees such as blocking USB storage on their computers, passing email through a filtering process, and blacklisting certain risky websites.
The user domain is closely related to the workstation domain. Keeping workstations up to date with the most recent patches, and configuring firewalls to increase security, are important risk management techniques here. In addition, users have limited privileges when it comes to installing software: only administrators can install software.
The LAN domain is the area inside the firewall, and each individual device within it must be protected. Data transferred within the LAN is not protected as thoroughly as data sent outside the LAN, which leaves it vulnerable to packet sniffing. Another vulnerability that must be mitigated in the LAN domain is unauthorized WLAN access by rogue users.
A high level of security is required to keep the LAN-to-WAN domain safe. The public side of the boundary is often connected to the Internet and has public IP addresses. These IP addresses are accessible from anywhere in the world, and attackers are constantly...
