COLLEGE OF TECHNOLOGY
SEC 6040: Web and Data Security
Week 2 – Review Assignment
Risk Analysis Exercise
Pts: 100 pts
Review NIST SP 800-30 Rev1. Based on the review, answer the following questions:

1) What are the five tasks required to get ready for a risk assessment? Explain each one in your own terms and why the task is important. (25 points)
Risk assessment is the process of identifying risks to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. It is part of risk management; it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. In a nutshell, risk assessment is the overall process of threat identification, risk analysis, and risk evaluation.

Here are the five tasks that are required to get ready for a risk assessment:
i. Identify the Threats
Identifying the threats means finding anything that may cause harm. We can find these out by doing different surveys of the organization's operations and assets, and with the employees. We can also simply ask the employees and walk around the workplace to identify the threats.
ii. Analyze the Risk
Once we have identified the threats, we need to understand their consequences: what is the weighted risk factor for each threat, and what are the short- and long-term impacts, based on the probability of the threat.
iii. Evaluate the Risk
After identifying the threats and analyzing them, we are then required to protect the people and the physical assets from harm. The threats can either be removed completely or the risks controlled so that injury is unlikely. Precisely, in this task we should identify the actions necessary to eliminate the threat or control the risk using the hierarchy of risk control methods, and evaluate to confirm whether the threat has been eliminated or the risk is appropriately controlled.
iv. Record the Risk
In this task, we keep any documents that may be necessary. Documentation may include detailing the process used to assess the risk, outlining any evaluations, or detailing how conclusions were reached. Once we have established the priorities, the organization can decide on ways to control each specific threat. Threat control methods can be grouped into categories like elimination, engineering controls, administrative controls and personal protective equipment.
v. Monitor and Review the Risk
This task is about knowing whether the risk assessment was complete and accurate. Similarly, this task helps to find out whether any changes in the workplace have introduced new threats or changed threats that were once ranked as lower priority to higher priority.
2) Discuss the threats associated with privileged user accounts. Please support your views from sources other than the assigned reading and the textbook. (25 points)
Privileged users are the insiders of the organization who hold the superior positions in their field. They are usually the most trusted ones and have full control over their systems, putting them in the best position to commit malicious actions. What makes privileged accounts dangerous is not the extent of their access, but rather how easy it is for them to perform malicious actions and how hard it can be to detect those. Some of the threats associated with privileged user accounts are:
- Elevated privileges allow users to perform a wide variety of malicious actions, from data misuse to completely compromising the system.
- Privileged users may use their administrative access to steal sensitive client data and financial information to sell it, or even simply leak it online.
- Privileged accounts can also be used to modify or delete sensitive data, opening possibilities for fraud.
- Tech-savvy users use such accounts to install backdoors or exploits allowing them full access to the system.
- Disgruntled employees can even bring the whole system down by altering critical settings.
- If perpetrators manage to use social engineering or hacking to obtain a privileged account, it will give them access to the whole system.
3) Using fig 3 (the generic risk model) in the document and the threat identified in question 2, identify the risks at the organizational level, business process level and information system level. (25 points)
From the threat identified in question 2, the risks at the organizational level are:
- Disgruntled employees can bring the whole system down by altering critical settings.
- It is very hard to find out the real problem being created.
- The organization slowly loses its advantages.
The risks at the business process level are:
- Sensitive financial and personal information of the business might be leaked.
- It takes a long time to find out what is going wrong, and until then the business suffers great losses.
- Great loss of money.
The risks at the information system level are:
- All those who access and manage databases, or perform setup and maintenance of the information system, are exposed to risks such as the sharing of passwords, data and important information with others. There will be a risk of theft of sensitive information.
4) Based on the risks identified, recommend the information system policies that would be required. You do not need to write the policy in detail; simply provide the title and one sentence describing the policy. (25 points)
Policy Title: Privileged User Accounts
Description: Privileged users can be classified into different account types, such as personal, administration, service and emergency accounts, in the information system where they have to handle the sensitive information of the organization.

Policy Title: Privileged User Access Control
Description: Privileged users are controlled when the access control and purpose are categorized by management, which will allow protection from unauthorized access and precisely identify anyone who uses such accounts.
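As an added example (not part of the assignment or of the cited source), the following Python script shows the defender's side of the threats listed in question 2 and the access-control policy above: privileged actions are hard to detect unless they are logged and reviewed against an approved roster of administrators. It parses constructed sudo entries written in the style of a Linux auth log (all hostnames, usernames and commands are invented for this example) and flags use by accounts outside the approved roster, after-hours activity, changes to critical security settings, and bulk access to or destruction of sensitive data. The approved-admin list, the business-hours window and the command watchlists are assumptions chosen for the example, not values from the page.

```python
import re

# Constructed sample entries in the style of sudo lines from /var/log/auth.log.
# Hosts, users and commands are invented; nothing here comes from a real system.
SAMPLE_LOG = """\
Mar 01 09:12:03 app01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 01 09:14:41 app01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar 01 09:20:17 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/pg_dump customers
Mar 01 22:45:09 app01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo svc_backup
Mar 01 22:47:55 app01 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
Mar 01 23:02:30 db01 sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/lib/postgresql/backups
"""

# Assumed roster of people approved to hold administrative privileges.
APPROVED_ADMINS = {"alice", "bob"}

# Assumed business-hours window (start inclusive, end exclusive, 24h clock).
BUSINESS_HOURS = (8, 18)

# Commands that change the security configuration itself ("altering critical settings").
CRITICAL_PATTERNS = [
    r"/etc/sudoers",           # who is allowed to become root
    r"systemctl stop auditd",  # switching off the audit trail
    r"useradd .*-G sudo",      # creating a new privileged account
]

# Commands that bulk-read or destroy sensitive data ("steal or delete sensitive data").
DATA_PATTERNS = [r"\bpg_dump\b", r"\bmysqldump\b", r"\brm -rf\b"]

# One sudo log line: timestamp, host, invoking user, TTY, cwd, target user, command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} (?P<hour>\d{2}):\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_lines(text):
    """Return one dict per parsable sudo line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hour"])
            events.append(ev)
    return events


def audit_privileged_use(text, approved_admins=APPROVED_ADMINS, business_hours=BUSINESS_HOURS):
    """Apply the four review rules to every sudo event; one event may trigger several rules.

    Returns a list of (rule_name, event) pairs for an analyst to review.
    """
    start, end = business_hours
    findings = []
    for ev in parse_sudo_lines(text):
        if ev["user"] not in approved_admins:
            findings.append(("unapproved_admin", ev))
        if not (start <= ev["hour"] < end):
            findings.append(("after_hours", ev))
        if any(re.search(p, ev["cmd"]) for p in CRITICAL_PATTERNS):
            findings.append(("critical_setting", ev))
        if any(re.search(p, ev["cmd"]) for p in DATA_PATTERNS):
            findings.append(("sensitive_data", ev))
    return findings


def count_by_rule(findings):
    """Summarize findings as {rule_name: count}."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def count_by_user(findings):
    """Summarize findings as {invoking_user: count}, which ties actions to individuals."""
    counts = {}
    for _, ev in findings:
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_privileged_use(SAMPLE_LOG)
    for rule, ev in results:
        print(f"{rule:17} {ev['ts']} {ev['host']} {ev['user']} -> {ev['target']}: {ev['cmd']}")
    print("by rule:", count_by_rule(results))
    print("by user:", count_by_user(results))
```

Each finding keeps the invoking user, so a shared root session is still attributed to the person who ran sudo; that per-person accountability is what the access-control policy above asks for. In practice the roster and watchlists would be maintained as configuration and the script pointed at the real log, and the sudoers edit by an approved administrator is still listed, since a change to who may become root deserves a second look regardless of who made it.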
References
Gogan, M. (2016). The Threat of Privileged User Access: Monitoring and Controlling Privilege Users. SC Media. Retrieved from https://www.scmagazineuk.com/the-threat-of-privileged-user-access--monitoring-and-controlling-privilege-users/article/568624/