IAM Exercise 2 Due: April 6, 2012 1.For the OOPS case identify organizational critical information.

IAM Exercise 2Due:  April 6, 2012 1.​For the OOPS case identify organizational critical information. 2.​Identify the “impact attributes” of confidentiality, integrity, and availability as the minimum for the column identifiers, more can be added.  Write these as the column headers.   3.​Define the “impact” values of High, Medium, and Low.  Each definition will cover all the identified impact attributes identified in #2.  The definitions are normally qualitative but can be quantitative.   4.​Develop the information criticality matrix.  Assign impact values to each block of the matrix.  Each value is independent of other blocks. 5.​Determine the high water mark. 6.​Develop system information criticality matrices.  Review of the system diagram may help. 7.​The customer has shared the following concerns during preassessment: a.​Management is concerned about session controls because the current system does not implement automatic logouts or password protected screen savers.  They are concerned that operators are leaving stations without logging out and potentially leaving the system vulnerable. b.​Management is concerned that they are lacking proper disaster recovery (DR) and contingency plans (CP).  This concern is rooted in the fact that the system does not seem particularly redundant and they have not tested contingency plans. c.​Management is concerned that they may not be practicing proper control of their media.  The media destruction and labeling practices are ad hoc. d.​Management is concerned about security concerns associated with older equipment and software. 8.​Develop a list of individuals that you would interview during the on-site visit.  Indicate those individuals by position within the organization. 9.​Complete a draft of the following: ​Findings – vulnerabilities identified​Discussion – description of vulnerabilities and consequences of each vulnerability being exploited.​Recommendations – countermeasures for elimination or mitigation of the vulnerabilities preferably with more than one alternative countermeasure for each vulnerability.   OOPS Case The Organization for Optimal Power Supply (OOPS) provides electricity to one twentieth of the United States’ Citizens.  They constantly monitor power consumption and redirect power according to demands.  This includes initiating or terminating operations of generator stations. ​Historically, OOPS has had a difficult time starting up idle generator stations when they are needed.  Therefore, they have decided to place servers in each station to control the generator’s output and status.  To activate a generator station, the regional office calls into the server and logs onto the machine.  After a generator station has been activated, it updates its status and output to the regional server by hourly dial-up connections. ​The control of all the OOPS generators is run through a main control center at corporate headquarters.  The control center decides when to activate any generators and which areas are in need of power.  All of the regional offices are connected to the main server via frame relay lines which allows for rapid updates of the current situation.  All updates are done automatically by the servers, but can be initiated by authorized users if necessary. ​OOPS has corporate headquarters located in Colorado Springs, Colorado.  Regional sites are located in Albuquerque, New Mexico; Provo, Utah; Seattle, Washington; and Boise, Idaho.  There are eight generator stations located across the region.  Access to the generator stations is through dialup modem. ​OOPS plans to install wireless networks at headquarters but they haven’t yet focused on the security implications of that decision.  Currently user systems are typically running the Windows XP operating system and Servers are running Windows 2000 Server.