3 Jones & Bartlett Lecture Presentation and Assignment: Application of Risk Management Techniques
To complete this activity, go to the Jones & Bartlett Learning website.
Review the Lecture Presentation: Risk Management Fundamentals, then complete the Assignment: Application of Risk Management Techniques.
For this assignment, you will download a Microsoft Word document from JBL. Fill out your answers directly in this document, then submit the completed Word document here.
APA reminders – In your Discussions and Assignments –
* Use less than 10% direct quotes
* Quotes over 40 words are not allowed in this class (by exception only, arranged ahead of time)
* Every quote needs a specific page or paragraph number
* Ideas and concepts from articles on websites need to be rewritten in your own thoughts, vocabulary, and ideas, not simply paraphrased.
Use a Microsoft Word document with double spacing, 12-point Times New Roman font, and one-inch margins. Cite any piece of someone else’s work that you use; this is very important, and each reference should relate to your writing (don’t cite a reference because it relates to the course rather than to this paper). Include at least 4 current and relevant academic references. No heavy paraphrasing of others’ work.
Use www.citationmachine.net to format references in APA style if necessary. This is extremely important. In-text citations are essential as well.
ISE 510 Security Risk Analysis & Plan
Week 1 HW
1-3 Jones & Bartlett Lecture Presentation and Assignment: Application of Risk Management Techniques
<Last Name, First Name>
Submitted on <DATE>
If late let me know why:
Delete these instructions in blue font before submission:
Change file name to HW#1_LAST_FIRST
A few comments up front: – The Jones and Bartlett Learning TOPIC 1 does not contain enough information to complete this exercise. You’ll need to research several topics related to a) Risks, Threats and Vulnerabilities; and b) Risk Mitigation Techniques. See Chapter 1 in our textbook for a comprehensive presentation of the material.
– I encourage you to read the HW problems below and if you have questions *about* the problem, please ask either through the Classroom or via email.
– If you are rusty on security fundamentals, then now is a good time to brush up! Let me know and I can point you to refresher resources.
YieldMore is a small agricultural company that produces and sells fertilizer products. The company is headquartered in a small town in Indiana.
The company has three servers located at its headquarters—an Active Directory server, a Linux application server, and an Oracle database server. The application server hosts YieldMore’s primary software application, a proprietary program that manages inventory, sales, supply chain, and customer information. The database server manages all data stored locally with direct attached storage.
All three major sites use Ethernet-cabled LANs to connect the users’ Windows Vista workstations through industry-standard managed switches. The remote production facilities connect to the headquarters through routers and T-1 LAN connections provided by an external Internet service provider (ISP) and share an Internet connection through a firewall at the headquarters. Individual salespersons of YieldMore throughout the country use their individual Internet connections to connect to YieldMore’s network through virtual private network (VPN) software.
1) The table below has a list of Risks, Threats, and Vulnerabilities related to YieldMore. State the primary Domain and the number that is associated with the Risk, Threat or Vulnerability (see Appendix 1).
The first one is done as an example.
| # | Risks, Threats and Vulnerabilities | Domain (primary) |
|---|---|---|
| EX | Technician (user) stores his personal photos on PC | #1 – USER domain |
| 1 | Unauthorized access from Internet to corporate servers and applications | |
| 2 | Hacker penetrates IT system by a phishing attack | |
| 3 | LAN switch has default username and password | |
| 4 | Denial of service attack on email server | |
| 5 | User turns off screensaver on PC | |
| 6 | Corporate data server has no backups | |
| 7 | VPN tunneling between remote computer and ingress/egress router | |
| 8 | Internet Service Provider has major outage, no employees can access Internet | |
| 9 | Web browser vulnerabilities exist on client machines | |
| 10 | Install general-purpose sniffer on organization-controlled client PCs | |
| 11 | DNS cache poisoning | |
| 12 | The telecommunications closet where the switches and routers reside is unlocked and open because the AC is broken. | |
| 13 | Attacker tries brute force attack against Corporate Portal | |
Discussion: Problem 2 is about how Risk Management Techniques are applied to the YieldMore case study. The definitions of the 6 Risk Management Techniques are given in JBL TOPIC 1 | DISCOVER | PROCESS: Avoidance, Mitigation, Cost-benefit analysis, Transfer, Acceptance, and Residual risk; or see Appendix 2.
2) YieldMore has poor electrical power supplied by the city. The city can’t provide enough quality electrical power, and it’s costing YieldMore time, manpower, and data loss because PCs and servers suffer hard power cycles without warning.
a) How would YieldMore do ‘Risk Avoidance’ to mitigate the risk due to low quality power? (60-100 words)
b) How would YieldMore ‘Mitigate’ the risk due to low quality power? (60-100 words)
c) How would YieldMore ‘Transfer’ the risk due to low quality power? (60-100 words)
Discussion: Problem 3 is about how YieldMore decides what is tolerable risk. In other words, what factors do they consider, what factors are most important, and what might be a logical approach. Do not offer solutions to YieldMore now. You are encouraged to read sections “B” and “C” in Risk management vs. Risk avoidance in power systems planning and operation (Oren, 2007).
3) Considering YieldMore’s poor quality power problem, how might YieldMore decide what is tolerable ‘Residual risk’ due to low quality power? (100-300 words)
Appendix 1 Seven major areas of risk in IT infrastructure
From: Jones and Bartlett Learning, TOPIC 1.
Here are the seven major areas of risk in IT infrastructure (see image below):
1. USER: The user domain risk areas include user names, passwords, biometric or other authentication, and social engineering.
2. WORKSTATION: In the workstation domain, the risk areas include end-user systems, laptops, desktops, and cell phones. This is the “desktop domain” where most users enter the IT infrastructure.
3. LAN: In the local area network (LAN) domain, the risk areas include the equipment required to create an internal LAN, such as hubs, switches, and media. A LAN is a small network organized by function or department, allowing access to all resources on the LANs.
4. LAN-to-WAN: The risk areas in the LAN-to-wide area network (WAN) domain include the transition area between the LAN and the WAN, including the router and the firewall. This is the point at which the IT infrastructure joins a WAN and the Internet.
5. WAN: The WAN domain risk areas include the routers and circuits connecting the WAN. This is the point at which the WAN connects to other WANs via the Internet.
6. APPLICATION: In the system, or application, domain, the risk areas include the applications you run on your network, such as e-mail, database, and Web applications. This domain holds all of the mission-critical systems, applications, and data.
7. REMOTE ACCESS: The risk areas in the remote access domain include applications, such as a virtual private network (VPN), that serve remote or travelling users. This domain connects remote employees and partners to the IT infrastructure.
Seven major areas of risk in IT infrastructure
Appendix 2 Risk Management Techniques
From: Jones and Bartlett Learning, TOPIC 1.
Avoidance: To avoid the risk by eliminating the cause of the risk and the consequence.
Example: You move your organization out of a flood zone.
Mitigation: To institute measures to eliminate or reduce vulnerabilities.
Example: You prioritize, evaluate, and implement the appropriate
Cost-benefit analysis (CBA): To compare the impact of a realized risk to the cost associated with its mitigation. A CBA will include an estimation of the likelihood of occurrence and the impact of loss.
Example: You do not purchase flood insurance because your organization is located on a mountaintop.
Transfer: To move the risk impact from the organization to another entity.
Example: You transfer the risk by using other options such as purchasing insurance to compensate for a loss.
Acceptance: To recognize that the risk cannot be economically mitigated and accept it as a “cost of doing business.”
Example: You accept that you cannot control the power outage caused by the weather, which has temporarily disabled your organization.
Residual risk: The risk that remains after you apply controls.
Example: You use add-on security software to secure a stand-alone computer containing confidential and sensitive information. However, because physical access to the computer is not restricted, the risk of unauthorized access still remains.
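A worked illustration of the Appendix 2 definitions, added here as an example (it is not part of the JBL material or the course assignment): it turns constructed impact and likelihood estimates into an annualized loss expectancy, computes the residual risk left by each candidate control and the cost-benefit of each, and reports which technique the definitions point to for a given risk tolerance. The scenario (a server suffering hard power cycles), the dollar figures, the control names, the effectiveness fractions and the tolerance are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: impact of one realized event, in dollars
    aro: float  # annual rate of occurrence: likelihood, events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = impact of loss x likelihood of occurrence."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float  # what the mitigation costs per year
    reduction: float    # fraction of the ALE the control removes (0.0 .. 1.0)


def residual_ale(risk: Risk, control: Control) -> float:
    """Residual risk: the loss expectancy that remains after the control is applied."""
    return risk.ale * (1.0 - control.reduction)


def cba(risk: Risk, control: Control) -> float:
    """Cost-benefit analysis: loss avoided by the control minus the control's cost."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def choose_technique(risk: Risk, controls: Sequence[Control], tolerance: float,
                     transfer_premium: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Map the Appendix 2 techniques onto the numbers: accept if already tolerable,
    mitigate with the best-CBA control that reaches tolerance, otherwise transfer
    if a premium is cheaper than the loss, otherwise eliminate the cause (avoid)."""
    if risk.ale <= tolerance:
        return "Acceptance", None
    viable = [c for c in controls
              if cba(risk, c) > 0 and residual_ale(risk, c) <= tolerance]
    if viable:
        return "Mitigation", max(viable, key=lambda c: cba(risk, c)).name
    if transfer_premium is not None and transfer_premium < risk.ale:
        return "Transfer", "insurance"
    return "Avoidance", None


# Constructed figures for the illustration (assumptions, not data from the case study).
POWER_RISK = Risk("hard power cycles on servers", sle=2_500.0, aro=12.0)  # ALE 30,000
CONTROLS = [Control("UPS and line conditioner", annual_cost=4_000.0, reduction=0.90),
            Control("standby generator", annual_cost=15_000.0, reduction=0.97)]

if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name}: residual {residual_ale(POWER_RISK, c):,.0f}, CBA {cba(POWER_RISK, c):,.0f}")
    print(choose_technique(POWER_RISK, CONTROLS, tolerance=5_000.0))
```

Changing `tolerance` shows how the chosen technique moves between acceptance, mitigation, transfer and avoidance while the underlying estimates stay the same.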