Mitigating Risk (.docx, 8 pages)
School: Lehigh Carbon Community College (not endorsed by this school)
Course: 527
Subject: Computer Science
Date: Feb 20, 2024
Uploaded by CommodoreField5003 on coursehero.com
Mitigating Risk
Tatiana Fleetwood-Mack
CIS 527: IT Risk Management, Darcel Ford
February 11, 2024
Mitigating Risk
In the ever-evolving landscape of information systems, maintaining robust security measures is critical to protecting sensitive data from a wide range of threats. This paper examines several aspects of information system security: threat, vulnerability, and exploit assessments; tools and methods for physical and logical security controls; considerations when translating risk assessments into mitigation plans; and the differences between risk mitigation plans and contingency plans.
Threat, Vulnerability, and Exploit Assessments
Threat assessment is the identification and evaluation of the potential sources of harm that could compromise the confidentiality, integrity, or availability of an information system. Threats take many forms, including cyber-attacks, natural disasters, and human error (Sommestad et al., 2021). One widely used method of threat assessment is the threat intelligence platform. These platforms aggregate and analyze data from many sources (vendor feeds, open-source reporting, sharing communities, and the organization's own incident data) to provide current information on emerging threats and the actors behind them. Tools such as ThreatConnect and Recorded Future help organizations understand the current threat landscape so that they can implement security measures proactively. A threat feed only becomes useful once it is matched against what the organization actually runs and observes: indicators of compromise (IP addresses, domains, file hashes) have to be compared with the organization's own logs, and each indicator has to be weighed by confidence and relevance so that analysts are not chasing noise.
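As an added illustration of that last point (example code written for this page, not part of the original paper and not the code of any threat intelligence product), the following Python script matches a small, constructed indicator feed against constructed proxy and DNS log lines. The IP addresses are taken from the RFC 5737 documentation ranges, the domain names are reserved example names, the key=value log format and its field names (src, dst, host, query, answer) are assumptions, and the confidence values are invented. It shows the two details that make indicator matching useful rather than noisy: a domain indicator matches the exact name or a subdomain of it, never a parent domain, and indicators below a confidence threshold are ignored.

```python
"""Match threat-intelligence indicators against log lines.

Added example for this page; not code from any threat intelligence platform.
The feed, the log lines, the key=value log format and the field names are all
constructed: IP addresses come from the RFC 5737 documentation ranges and the
domains are reserved example names.
"""
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "kind value confidence")

# Constructed indicator feed (not a real feed). Confidence is 0-100, as many
# platforms report it; the numbers here are invented for the example.
INDICATORS = [
    Indicator("ipv4", "203.0.113.7", 90),
    Indicator("domain", "malware.example.net", 80),
    Indicator("domain", "example.org", 40),   # low confidence: would be noisy
]

# Constructed proxy and DNS log lines: a timestamp followed by key=value tokens.
LOGS = """\
2024-02-11T09:00:01Z type=proxy src=10.0.0.5 dst=198.51.100.20 host=www.example.com action=allow
2024-02-11T09:00:07Z type=dns src=10.0.0.5 query=cdn.malware.example.net answer=203.0.113.7
2024-02-11T09:00:08Z type=proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.malware.example.net action=allow
2024-02-11T09:01:30Z type=proxy src=10.0.0.9 dst=198.51.100.21 host=example.org action=allow
2024-02-11T09:02:00Z type=dns src=10.0.0.12 query=example.net answer=198.51.100.30
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
IP_FIELDS = ("dst", "answer")      # fields that carry an IP address
NAME_FIELDS = ("host", "query")    # fields that carry a host name


def parse_line(line):
    """Turn one log line into a dict of its key=value tokens plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def domain_matches(observed, indicator):
    """True if the observed name is the indicator or a subdomain of it.
    A parent domain of the indicator (example.net vs malware.example.net)
    is deliberately not a match: that would flag every host under example.net."""
    observed = observed.lower().rstrip(".")
    return observed == indicator or observed.endswith("." + indicator)


def match_indicators(log_text, indicators, min_confidence=70):
    """Return one hit per (log line, field, indicator) combination, ignoring
    indicators whose confidence is below min_confidence."""
    active = [i for i in indicators if i.confidence >= min_confidence]
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for field in IP_FIELDS + NAME_FIELDS:
            observed = rec.get(field)
            if observed is None:
                continue
            for ind in active:
                ip_hit = ind.kind == "ipv4" and field in IP_FIELDS and observed == ind.value
                name_hit = (ind.kind == "domain" and field in NAME_FIELDS
                            and domain_matches(observed, ind.value))
                if ip_hit or name_hit:
                    hits.append({
                        "ts": rec["ts"], "src": rec.get("src"), "field": field,
                        "observed": observed, "indicator": ind.value,
                        "kind": ind.kind, "confidence": ind.confidence,
                    })
    return hits


def affected_hosts(hits):
    """Internal sources that touched an indicator: the starting point for triage."""
    return sorted({h["src"] for h in hits if h["src"]})


if __name__ == "__main__":
    found = match_indicators(LOGS, INDICATORS)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["field"]}={h["observed"]} '
              f'matched {h["kind"]} {h["indicator"]} (confidence {h["confidence"]})')
    print("hosts to triage:", affected_hosts(found))
```

With the default threshold of 70 the script reports four hits, all from 10.0.0.5 (the DNS lookup and the proxy connection each match both the domain and the IP); lowering the threshold to 0 adds the example.org visit from 10.0.0.9, which is the kind of low-confidence noise the threshold exists to suppress.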
Another method is penetration testing, commonly known as ethical hacking. A penetration test simulates an attack on a system, within an agreed scope and with written authorization, to identify weaknesses that a malicious actor could exploit and to show which of them can actually be exploited in practice (Sommestad et al., 2021). Metasploit is the standard framework for the exploitation phase of such a test; Nessus is a vulnerability scanner rather than an exploitation tool, but it is commonly used in the reconnaissance phase to find the weaknesses a tester then tries to exploit. Together they allow security professionals to identify, confirm, and address potential weaknesses in their systems.
Vulnerability assessment focuses on identifying weaknesses within information systems that could be exploited by attackers. This process involves scanning systems for known vulnerabilities, misconfigurations, or other issues that could compromise security. One effective tool for vulnerability assessment is OpenVAS (Open Vulnerability Assessment System), an open-source scanner maintained by Greenbone that scans networks for vulnerabilities and produces detailed reports on potential risks (Sommestad et al., 2021). Another widely used tool is Tenable's Nessus, which conducts thorough vulnerability scans and helps organizations prioritize and remediate the issues it finds. Two caveats apply to any scanner: it can only report vulnerabilities it has checks for, so an up-to-date plugin or test feed and, where possible, authenticated scans are essential; and its output contains false positives, so findings should be validated before remediation effort is spent on them.
Exploit assessment analyzes the potential impact of exploiting identified vulnerabilities and how an attacker could take advantage of weaknesses in the system. It helps organizations prioritize and address vulnerabilities according to the risk they actually pose rather than by scanner severity alone (Sommestad et al., 2021). One method of exploit assessment is the use of an exploitation framework such as Metasploit. Metasploit not only supports penetration testing but also provides a comprehensive framework for developing, testing, and executing exploit code against identified vulnerabilities, which establishes whether a reported weakness is exploitable in the organization's specific configuration. Exploit code should only ever be run against systems that are in scope for the engagement, and preferably against a test or staging copy, since a working exploit can crash the target.
In addition, manual analysis by security experts is essential for exploit assessment. This involves a thorough examination of each vulnerability to understand its potential consequences and the likelihood of successful exploitation: whether the vulnerable component is reachable by an attacker, whether compensating controls exist, whether public exploit code is available, and what the affected asset is worth to the business. This human-centered approach ensures a nuanced understanding of the specific context in which each vulnerability exists, which automated scoring alone cannot capture.
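The prioritization described in the vulnerability and exploit assessment paragraphs above, as an added example (written for this page; not code from the paper or from Nessus, OpenVAS or Metasploit): a Python script reads a constructed, simplified scanner export, weights each finding's CVSS score by the likelihood of exploitation (public exploit code, internet exposure) and by the criticality of the affected asset, and flags the findings that still need manual analysis. The CSV columns, the asset inventory and the weights are assumptions chosen for illustration, not the export schema of any product or a published scoring standard.

```python
"""Rank vulnerability-scan findings by exploitability and asset value.

Added example for this page; not code from the paper or from Nessus, OpenVAS
or Metasploit. The CSV columns, asset inventory and weights are assumptions
chosen for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed, simplified scanner export. Real exports carry many more columns;
# these four are enough to show the prioritisation logic.
SCAN_CSV = """\
host,finding,cvss,exploit_available
10.0.0.10,Remote code execution in web application framework,9.8,yes
10.0.0.10,Outdated TLS configuration,5.3,no
10.0.0.20,Default credentials on management interface,9.8,yes
10.0.0.30,Verbose error messages disclose stack traces,4.3,no
10.0.0.30,Unauthenticated remote code execution in file-transfer service,9.8,no
"""

# Constructed asset inventory: criticality 1 (low) to 3 (business critical).
ASSETS = {
    "10.0.0.10": {"criticality": 3, "internet_facing": True},   # customer web server
    "10.0.0.20": {"criticality": 2, "internet_facing": False},  # internal admin console
    "10.0.0.30": {"criticality": 1, "internet_facing": False},  # development file server
}


@dataclass(frozen=True)
class Finding:
    host: str
    finding: str
    cvss: float
    exploit_available: bool


def parse_scan(csv_text):
    """Read the scanner export into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append(Finding(
            host=row["host"].strip(),
            finding=row["finding"].strip(),
            cvss=float(row["cvss"]),
            exploit_available=row["exploit_available"].strip().lower() == "yes",
        ))
    return findings


def risk_score(f, assets):
    """Exploit assessment in numbers: scanner severity, weighted by how likely
    exploitation is (public exploit code, exposure) and how much it would hurt
    (asset criticality). The weights are illustrative assumptions, not a standard."""
    asset = assets.get(f.host, {"criticality": 1, "internet_facing": False})
    likelihood = 1.0 if f.exploit_available else 0.5
    if asset["internet_facing"]:
        likelihood *= 1.5
    return round(f.cvss * likelihood * asset["criticality"], 2)


def prioritise(csv_text, assets):
    """Return (host, finding, score) tuples, highest risk first."""
    findings = parse_scan(csv_text)
    ranked = sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)
    return [(f.host, f.finding, risk_score(f, assets)) for f in ranked]


def manual_review_candidates(findings, cvss_floor=9.0):
    """Severe findings with no public exploit: automated scoring demotes them,
    so an analyst should confirm that the weakness really is not reachable."""
    return [f for f in findings if f.cvss >= cvss_floor and not f.exploit_available]


if __name__ == "__main__":
    for host, finding, score in prioritise(SCAN_CSV, ASSETS):
        print(f"{score:6.2f}  {host:<10}  {finding}")
    for f in manual_review_candidates(parse_scan(SCAN_CSV)):
        print("manual review:", f.host, f.finding)
```

Note the result: the 9.8 finding on the development file server (no public exploit, not exposed, low-value asset) ranks below the 5.3 TLS finding on the customer-facing web server, whereas sorting by CVSS alone would have put it near the top. That gap is exactly what the manual analysis step is for, which is why the script also lists that finding as a manual review candidate rather than silently demoting it.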
Threat, vulnerability, and exploit assessments are integral components of a comprehensive information security strategy (Sommestad et al., 2021). By understanding the differences between these assessments and employing appropriate tools and methods, organizations can proactively enhance the security posture of their information systems. Continuous evaluation, adaptation, and integration of these assessments into the overall