Information Security Risk Management Assignment 3

Information Security Risk Management (ITC6315), Assignment 3

For this exercise, read the provided case study about AcmeHealth, and re-rate the risk exposure for each finding related to the following assets: 1. Code Repository 2. QA Server 3. Production Application Server. Assume that additional information has been provided below by the Subject Matter Experts during the qualification process. Be sure to note any findings where you are changing your original assessment of the risk level and why.

Review the provided example as a guideline. Like the last assignment, you will need to assess the severity of each violation and also the likelihood that it would cause a breach of security. Use the severity and likelihood scales from Appendix B in the book (Tables 6.11 and 6.12) to evaluate each finding. A mapping table is provided (Figure 6.2) to calculate the Risk Exposure value for each severity/likelihood pair without taking sensitivity into account for now.

If you don’t understand the technical details of any of the findings, please post questions to the Discussion Forum and ask the instructor to clarify.

You can turn in the assignment electronically through Blackboard. Review each finding again, and assume that the following answers have been provided by the subject matter experts for that resource. Use these answers to provide a more informed assessment of the risk below:

Resource Findings and Qualifications

Resource 1: Code Repository

  • Resource administrators don’t verify the integrity of the information resource patches through such means as comparisons of cryptographic hashes.
  • All updates are obtained directly from the vendor's site (IBM for the AIX servers).
  • All patches are thoroughly tested in DEV and QA environments before being installed.
  • Network connections from offshore developers’ workstations are not encrypted.
  • Sessions to the server never expire.
  • Password complexity is not enforced.
  • Connections from the offshore network are across a VPN.
  • Scripts containing passwords are stored in the code repository.

Resource 2: QA Server

  • Client data is copied from production servers to this server regularly for QA testing.
  • Data is not stored encrypted.
  • Developers have privileged database access.
  • The server allows connections from the Internet to simulate client traffic and performance testing.

Resource 3: Production Application Server

  • The Help Desk is not notified when support personnel are terminated, so their access is not disabled.
  • Administrative interfaces are accessible only from the internal network.
  • Audit logs are retained on a separate SIEM infrastructure.
  • Accounts inactive for 180 days are automatically disabled.
  • Application and database servers are behind firewalls.

Note: You are to reassess these findings based on this information.

Risk Assessment Format

For each finding, provide the following:

  • Severity: (e.g., High, Moderate, Low) and justification.
  • Likelihood: (e.g., High, Moderate, Low, Negligible) and justification.
  • Overall Risk: (e.g., High, Moderate, Low) and justification.

Example for Finding 1:

Severity: High

Justification: The potential severity has not changed. Malicious code introduced via patches could compromise the application, allow backdoor access, or lead to data exfiltration. Unstable patches could cause application crashes.

Likelihood: Negligible

Justification: Patches are obtained directly from the vendor and are tested in DEV and QA before deployment, so the chance of a tampered or malicious patch reaching production is minimal. Testing is more likely to catch an unstable patch than a deliberately backdoored one, however, so the residual exposure lies in the integrity of the download itself.

Risk: Low

Justification: The overall risk remains low because of the controls in place, with a residual threat if those controls fail or the download path is compromised.

Repeat the above structure for each finding, updating severity, likelihood, and risk ratings based on new information.

Additional Questions for Qualification

Finding 1 (Code Repository Patch Integrity):

  • Are updates scanned for vulnerabilities post-update?
  • Is there a back-out or rollback procedure for failed updates?
  • Are cryptographic hash comparisons routinely performed to verify patch integrity?
  • Are updates downloaded only from verified vendor sites?
  • Have there been past incidents of malicious patches being introduced?

Finding 2 (Network Connections):

  • Are network connections monitored for unusual activity?
  • Are protocols used for connections encrypted and secure?
  • Are network security policies enforced consistently?
  • Have there been incidents of eavesdropping or credential theft over these connections?
  • Is multi-factor authentication enforced for remote access?

Finding 3 (QA Server Data Handling):

  • Is QA data anonymized or masked when copied from production?
  • Are data encryption methods implemented for data at rest and in transit?
  • How often are security scans and vulnerability assessments performed on QA environments?
  • Are access controls on the QA server strictly enforced?
  • Are there automated alerts for unauthorized or unusual activities?

Finding 4 (Production Server Access Termination):

  • Is there a formal process to disable access immediately upon termination?
  • Are audit logs reviewed regularly for unauthorized access?
  • Does the internal notification process work effectively?
  • Are privileged accounts monitored for unusual activity?
  • Are multi-factor authentication and role-based access controls implemented?

Paper for the Above Instructions

Risk management is a foundational element of information security, especially within health sector organizations like AcmeHealth, where the protection of sensitive data is paramount. This paper reevaluates the risk exposures associated with critical assets—the Code Repository, QA Server, and Production Application Server—based on detailed findings and additional contextual information provided by subject matter experts (SMEs). The reassessment focuses on the severity, likelihood, and overall risk posture of each vulnerability, emphasizing how specific controls and operational practices influence security risk levels.

Asset 1: Code Repository

The Code Repository holds the application's source code and build scripts, so its integrity determines the integrity of everything built from it. The original finding was that resource administrators do not verify the integrity of patches, for example by comparing cryptographic hashes against the values the vendor publishes, which leaves room for a tampered patch to be installed. The SMEs add that patches are obtained directly from IBM's site for the AIX servers and are tested in DEV and QA before installation, which narrows the window in which a bad patch could reach production.

Severity stays high: the impact of a malicious patch is unchanged, since code that bypasses the controls could compromise the application, open backdoor access, or exfiltrate data. Likelihood drops from low to negligible because the source is the vendor itself and every patch passes through two test environments before production. The overall risk therefore moves from moderate to low. The residual exposure is the download path: functional testing is likely to catch an unstable patch but not a deliberately backdoored one, so hash verification remains the cheapest control still to add.
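The hash check that Finding 1 and the Code Repository discussion above leave out fits in one short script. The following is an added example, not code from the assignment, the course book or AcmeHealth: it verifies a downloaded patch against a sha256sum-style manifest. The patch bytes, the file name aix_fix_pack.bff and the manifest are constructed inline so that it runs offline.

```python
"""Verify a downloaded patch against a vendor-published SHA-256 manifest.

Added example for Finding 1 (Code Repository); not code from the assignment,
the course book or AcmeHealth. The patch file, its name and the manifest are
constructed inline so the script runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large fix pack need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_digest_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.
    Blank lines and '#' comments are skipped; anything else malformed is an error,
    because a manifest that cannot be parsed must not be silently treated as empty."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if not sep or not name or len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_patch(path, manifest):
    """True only if the file's SHA-256 equals the manifest entry for its name.
    A file missing from the manifest fails closed: unlisted means uninstallable."""
    expected = manifest.get(Path(path).name)
    if expected is None:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed scenario: a good download, the same file altered by one byte,
    and a file that is not in the manifest. Returns the three verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        patch = Path(tmp) / "aix_fix_pack.bff"        # hypothetical file name
        patch.write_bytes(b"constructed patch payload\n" * 1000)
        # The line a vendor would publish next to the download.
        manifest = parse_digest_manifest(f"{sha256_file(patch)}  aix_fix_pack.bff\n")
        good = verify_patch(patch, manifest)

        with open(patch, "ab") as fh:
            fh.write(b"\x00")                          # one extra byte in transit
        tampered = verify_patch(patch, manifest)

        unlisted = Path(tmp) / "unexpected.bff"
        unlisted.write_bytes(b"not in the manifest")
        unknown = verify_patch(unlisted, manifest)
    return good, tampered, unknown


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The manifest only helps if it is fetched over a channel the download itself does not control, for example the vendor's TLS-protected page or a signed checksum file; a digest served next to a tampered patch on a mirror would simply be tampered too. In the check, an unlisted file fails closed, and the comparison uses hmac.compare_digest so that the two hex strings are compared in constant time.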

Asset 2: QA Server

The QA Server receives copies of client data from production for testing. The original concerns were that this data is stored unencrypted and that developers hold privileged database access, both of which raise the chance of leakage or insider misuse. The SME answers add no compensating control: they confirm that the data is not encrypted, that developers have privileged access, and that the server accepts connections from the Internet to simulate client traffic for performance testing. Nothing indicates that the copied data is masked or anonymised before it leaves production.

Severity remains high because the data is real client data and a leak would be a breach in its own right. Likelihood is assessed as moderate rather than low: the server is reachable from the Internet, the data at rest is unencrypted, and privileged accounts are held by developers rather than a small administrative group, so an attacker or a careless insider has several routes to the data and no reported control stands in the way. Overall risk therefore remains moderate and cannot be lowered until the copied data is masked or encrypted, Internet exposure is restricted to the source ranges and test windows that performance testing needs, and developer privileges are reduced to what testing requires.
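One way to close the masking gap noted for the QA Server, as an added example that is not part of the assignment, the course book or AcmeHealth's own tooling: keyed, deterministic pseudonymisation of the production rows before they are copied, plus a check that no source identifier survives. The rows, field names and key are constructed for illustration; the assumption is that the key stays with the extraction job on the production side and is never copied to QA.

```python
"""Mask client records before they are copied from production to QA.

Added example for the AcmeHealth QA Server finding; not the assignment's
or AcmeHealth's own code. Rows, field names and the key are constructed.
"""
import hashlib
import hmac

# Constructed sample rows (not real patient data).
PRODUCTION_ROWS = [
    {"patient_id": "MRN-10042", "name": "Jane Q. Doe", "ssn": "123-45-6789",
     "email": "jane.doe@example.com", "dob": "1975-08-14", "diagnosis": "J45.20"},
    {"patient_id": "MRN-10042", "name": "Jane Q. Doe", "ssn": "123-45-6789",
     "email": "jane.doe@example.com", "dob": "1975-08-14", "diagnosis": "E11.9"},
    {"patient_id": "MRN-10077", "name": "John Roe", "ssn": "987-65-4321",
     "email": "jroe@example.com", "dob": "1960-02-29", "diagnosis": "I10"},
]

# Assumption: the masking key lives with the extraction job on the production
# side and is never copied to QA, so QA data cannot be mapped back to patients.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"

# Fields that identify a person directly; every one is replaced, never passed through.
DIRECT_IDENTIFIERS = ("patient_id", "name", "ssn", "email")


def _mac(key, value):
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()


def pseudonym(key, value, length=8):
    """Keyed, deterministic token: equal inputs give equal tokens (so joins
    between tables survive), and without the key it cannot be reversed."""
    return _mac(key, value).hex()[:length]


def fake_ssn(key, value):
    """Synthetic SSN in the never-issued 000 area, so it is recognisable as test
    data yet keeps the shape the application's validation expects."""
    last4 = int.from_bytes(_mac(key, value)[:4], "big") % 10000
    return f"000-00-{last4:04d}"


def mask_row(row, key=MASKING_KEY):
    masked = dict(row)
    masked["patient_id"] = "P" + pseudonym(key, row["patient_id"])
    masked["name"] = "Patient " + pseudonym(key, row["name"], 6)
    masked["ssn"] = fake_ssn(key, row["ssn"])
    masked["email"] = pseudonym(key, row["email"]) + "@example.invalid"
    # Generalise date of birth to the year: enough for age-based test cases,
    # too coarse to single out a patient on its own.
    masked["dob"] = row["dob"][:4] + "-01-01"
    # Clinical fields the tests need (diagnosis codes) pass through unchanged.
    return masked


def mask_rows(rows, key=MASKING_KEY):
    return [mask_row(row, key) for row in rows]


def leaked_identifiers(original_rows, masked_rows):
    """Gate to run before the copy leaves production: every direct-identifier
    value from the source that still appears anywhere in the masked output."""
    haystack = "\n".join(str(v) for row in masked_rows for v in row.values())
    return sorted({row[f] for row in original_rows for f in DIRECT_IDENTIFIERS
                   if row[f] in haystack})


if __name__ == "__main__":
    qa_rows = mask_rows(PRODUCTION_ROWS)
    for row in qa_rows:
        print(row)
    print("leaked identifiers:", leaked_identifiers(PRODUCTION_ROWS, qa_rows))
```

Keyed HMAC tokens rather than plain hashes matter here: an unkeyed SHA-256 of a nine-digit SSN can be inverted by hashing all 10^9 candidates, whereas the keyed version cannot be recomputed from the QA side. Deterministic output keeps the same patient mapping to the same token across tables, so application tests still join correctly.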

Asset 3: Production Application Server

The risk assessment for the Production Application Server originally centred on the absence of any notification to the Help Desk when support personnel leave, so that their access is not disabled. The SME answers describe controls that bound the exposure: administrative interfaces are reachable only from the internal network, the application and database servers sit behind firewalls, audit logs are kept on a separate SIEM, and accounts inactive for 180 days are disabled automatically. Severity is lowered to moderate on that basis, since a departed employee's account can only be used from inside the network, its use is logged where the employee cannot erase it, and the account expires on its own after six months. The gap remains: a former support employee, or anyone who obtains that person's credentials, has working access for up to 180 days.

Likelihood stays high because the lapse is procedural and recurs with every departure; overall risk remains moderate. The fix is organisational rather than technical: HR must notify the Help Desk on the day of termination, and deprovisioning should be driven automatically from the termination record so that it does not depend on someone remembering to send the notice. Internal-only access and the SIEM logs mitigate the external threat, but the insider threat and the procedural weakness persist.

Conclusion

Reassessing these assets with the SMEs' operational context shows how much the ratings depend on the controls actually in place and on whether procedures are followed. Sourcing patches directly from the vendor and testing them before deployment, restricting administrative access to the internal network, firewalls, and central logging all reduce likelihood or impact. The gaps that remain, unencrypted and unmasked production data on an Internet-reachable QA server and the absence of timely account deactivation, are the ones that need management attention. Masking or encrypting QA data, automating deprovisioning from the termination process, and verifying patch hashes are the recommended next steps.

References

  • ISO/IEC 27001:2013. Information technology — Security techniques — Information security management systems — Requirements.
  • NIST SP 800-30 Revision 1. Guide for Conducting Risk Assessments. National Institute of Standards and Technology.
  • ISO/IEC 27002:2013. Code of practice for information security controls.
  • Skoudis, E., & Liston, T. (2006). Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd ed.). Prentice Hall.
  • Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
  • Gibson, D. (2018). Mastering cybersecurity risk management. CRC Press.
  • Higgins, B., & Liddy, E. (2013). Managing cyber risk: How to protect your organization in the digital age. Journal of Business Continuity & Emergency Planning.
  • Wheeler, E. (2011). Security Risk Management: Building an Information Security Risk Management Program from the Ground Up. Syngress.
  • Whitman, M. E., & Mattord, H. J. (2018). Principles of Information Security. Cengage Learning.
  • Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley Publishing.