StudyDaddy Computer Science Information Security Risk Management assignment

Information Security Risk Management assignment

Information Security Risk Management

ITC6315

Assignment 2



Assignment

For this exercise, read the provided case study about AcmeHealth, and rate the risk exposure for each finding related to the following assets:

  1. Code Repository

  2. QA Server

  3. Production Application Server

You will need to assess the severity of each violation and also the likelihood that it would cause a breach of security. Use the severity and likelihood scales from Appendix B in the book (Tables 6.11 and 6.12) to evaluate each finding. A mapping table is provided (Figure 6.2) to calculate the Risk Exposure value for each severity/likelihood pair without taking sensitivity into account for now. Along with the ratings, describe in words why you rated the severity and likelihood this way. Review the provided example as a guideline.

Next, write down 3-5 questions for each finding that you might ask the resource owner or SME to further qualify the risk. If you don’t understand the technical details of any of the findings, ask the instructor to clarify.

You can turn in the assignment electronically through Blackboard.



Use this worksheet to capture each critical asset and describe the business value (see examples in the first row below):


#

Resource

Finding

Severity

Likelihood

Exposure

1

Code Repository

Resource administrators don’t verify the integrity of the information resource patches through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch.

High

Low

Moderate

If malicious code is allowed onto the system through an application patch, this could compromise that application potentially allowing backdoor access to attackers or allow sensitive data to be sent from the application to the attackers. The malicious code may also cause the application to be unstable, causing it to crash periodically.

Although it is possible for attackers to place fake application patch updates on sites that look legitimate, for most commercial software this would be more difficult and the attacker would have to be very motivated and have a high level of skill.

2

Code Repository

Network connections from the offshore developers’ workstations to the code repository server are not encrypted.

High

Moderate

Moderate

If the network connection from the external workstation to the code repository is not encrypted. It is possible that someone may monitor the sniff or port packets. We might be use the protocols which are TCP or FTP. An attacker could fake a packet to steal the source code of our application.

3

QA Server

Client data is copied from production servers to this server regularly for QA testing.

High

Low

Moderate

Should test QA before the customer use the application. If there are some bugs or unknown errors, the customer might be notice it first. An attacker could find a way to break through a firewall based on those bugs and errors. Therefore, the client data must be tested before updating to the application server.

4

Production Application Server

No one notifies the Help Desk of terminations for support personnel in order to ensure that their access is disabled.

Moderate

High

Moderate

The connection between the Help Desk of terminations and customers’ PDA is from outside to the application server. This means that if the attacker has access, he may have time to break the firewall and get advanced permissions. It would be dangerous if there is no one to notifies the supporter.

Table 1 – Initial Finding Ratings

Next write down your follow up questions for each finding using the space provided below. These questions should include the information you would need to better rate each of the findings:

Finding 1:

  • Are updates tested in a non-production environment prior to implementation?

  • Where are updates downloaded from?

  • Are systems scanned for vulnerabilities post-update?

  • Will the system install a corrupted update?

  • Is there a back-out procedure for bad updates?

  • Etc.


Record your follow up questions to further qualify each finding here:

Finding 2:

  1. Does the network security group create any of the security policies for this?

  2. Does the network security group has been encrypted for this finding?

  3. Have these policies been effective in ensuring security on connection?

Finding 3:

  1. Did we test QA before the customer use the application?

  2. How often perform QA tests on a regular basis?

  3. Are QA tests automatic or manual?

Finding 4:

  1. Does the security group create any policies to ensure that the supporter is notified?

  2. Is there any division of responsibilities and duties?

  3. What access control systems are installed in the network?




Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!