Rochester Institute of Technology Dubai
CSEC.468.600 – Risk Mgmt for Info Security
Fall 2021
Risk Assessment Report
(Final Exam)
Group #6:
Mohammad Mohamad #334001610
Eslam Tarrum #826002873
Due Date: December 16, 2021 at 11:30 PM
Manifesto
In this assignment, each student has studied and understood all the required tasks, Tasks 1-5. Accordingly, each student has solved all the questions and cooperated to implement them in this assignment. Each student has put the same effort into solving this assignment, in accordance with Case 1.
Case 1: If the entire group discussed and equally contributed to solving each and every question, then the same grade will be given to each group member.
Table of Contents
Executive Summary
Purpose
Assumptions and Constraints
Assessment Approach
Risk Model
Assessment Approach
Time Frame
Risk Assessment Team and Participants
Data Sources
APPENDIX A
Questionnaire
IT System Boundary Diagram
Technology Components
APPENDIX B
Acceptable Use Policy
Policy
APPENDIX C
Terms and Definitions
APPENDIX E
Risk Determination
APPENDIX F
Team Member Information & Contact Details
Executive Summary
The risk assessment team identified in this report, coordinated by the Information Security Officer, worked during the period from December 1, 2021 to December 16, 2021 to analyze and assess the risks that threaten the information systems infrastructure of Libyana, which is owned by Libyana and managed by the Information Technology Department. The results of the overall classification of the system as an important system for the functioning of Libyana were. The company's information technology infrastructure is designed to avoid a complete breakdown of the infrastructure. It also contains a set of security, protection, support and alternative systems to be activated in case of need. In addition, no single part of the infrastructure can cause the breakdown of all systems: each part is specialized in a specific field and has practical alternatives in the event of its failure. The information technology infrastructure supports the provision of documents and information on the progress of operations and the provision of Libyana services to employees and customers, and these documents are available in another form when employees need them. The data and information contained in the system are therefore necessary for the workflow of the company and the performance of its services, but their (unlikely) disruption would not completely disrupt the work of the company, the provision of its services, or its decision-making process.
This report contains the detailed results of the process of assessing the risks and weaknesses that threaten the system and the results of studying the control requirements necessary to protect the system, as well as an action plan to implement these controls, including the definition of responsibilities and the schedule for implementing the plan, which was set for mid-December 2021. The purpose and objectives of the risk assessment and analysis report are to:
Identify and evaluate the threats faced by the information system.
Determine the necessary controls and procedures to protect the information system from such threats.
Provide appropriate justification for the material cost necessary to implement the controls and procedures for the security and protection of the information system.
Help decision makers in Libyana understand the consequences of information system security breaches and their impact on the workflow and company interests.
Create an action plan to respond to the risks that threaten the information system in Libyana and work to avoid those risks or reduce their effects.
The scope of the risk assessment report includes the information systems infrastructure system of Libyana, which is located in Libyana at its headquarters in the State of Libya, and includes all parts and components of the system, hardware, software, work procedures and information security controls currently applied to the system.
Among the various risk assessment approaches, a qualitative assessment has been adopted in this RAR of the system. The risk assessment identifies the current level of risk in order to assign appropriate risk values (e.g., very low, low, moderate, high, very high) and provides risk mitigation recommendations for management review. The information systems infrastructure supports the working mechanisms of all information and communication systems in Libyana and the mechanisms for exchanging data between those systems. Therefore, the greatest focus will be on the third level (Tier 3), which includes all information and communication systems in Libyana, their location(s), security classification and boundaries, to meet the security objectives.
Fig.1. Scope risk assessment across Tier 3
The risk assessment identified 24 risks in all of Libyana's critical information security components. In this report, Appendix B contains the Acceptable Use Policy, which is a method that can be followed to mitigate these risks. By implementing these policies, Libyana can conserve and use information technology resources safely in its business operations. The identified risks are distributed across the following levels:
1 risk was rated "Low".
5 risks were rated "Moderate".
7 risks were rated "High".
6 risks were rated "Very High".
Purpose
The purpose of this Risk Assessment Report (RAR) is to provide the operating administration management at Libyana with an assessment of the management, operational and technical security controls that are currently in place to secure the company's operational system (Williams, 2018). This risk assessment also aims at analyzing the risks inherent in the application of the company's security system, which serves to protect the system used for handling business operations and to support the confidentiality of the different departments in the company. The report establishes a baseline assessment of risks in order to identify the possible threats, based on the system's vulnerabilities and their impact on the organization's operations.
Among the various risk assessment approaches, a qualitative assessment has been adopted in this RAR of the system. The risk assessment identifies the current level of risk in order to assign appropriate risk values (e.g., very low, low, moderate, high, very high) and provides risk mitigation recommendations for management review. Because risk assessments are not precise instruments of measurement, this RAR will not eliminate risk; risk can, however, be minimized by the application of IT security controls. In addition, the RA reflects the limitations of the techniques, tools and specific assessment methodologies employed.
Assumptions and Constraints
Different aspects of the organization's operational activities and system are considered in this risk assessment report, so different assumptions and constraints are adopted for the risk assessment. Firstly, in terms of threat sources, identifying the appropriate sources of threat will help the organization both in the current risk assessment and in future reports, since several steps will not need to be repeated in every new assessment (Stoneburner, Feringa and Goguen, 2002). The threat sources considered in this assessment are mainly adversarial sources, which cover a wide group of possible threats. Because the primary information system at Libyana requires a high degree of confidentiality, where each employee must only be exposed to information related to their specific department, adversarial threats are of great significance and could pose great danger to the company's security. Although adversarial threats are the most significant to the nature of Libyana's operations and are considered to pose the greatest risks, other threats are also valid and may include accidental threats, structural threats and environmental threats.
Different threat events must also be considered during the risk assessment, as they are directly related to the threat source. For Libyana, threat events may be divided into adversarial and non-adversarial, where both types cover several scenarios that may occur. Adversarial events include the creation of attack tools (phishing attacks, counterfeit certificates, injecting malicious components into the supply chain), exploiting unauthorized access to the system, obtaining sensitive information and modifying existing information. Non-adversarial events include incorrectly configured privileges, which is a significant point for Libyana since it aims to limit access to information by department. Other events are fire or flood at the facility, system error, malfunctions in the system's software products, and poor performance and communication.
The assumptions used in this risk assessment based on organizational direction and assessment team expertise in Libyana include the following:
Continuous monitoring of the components of the mission / business department and risks at the organizational level.
The common controls implemented by Libyana in meeting the specific requirements.
With regard to the network, systems, applications, communications, and contracts for IT services, this assessment takes into account the technical, environmental and operational characteristics of Libyana's information system.
It is assumed that Libyana uses a VPN for secure remote connections.
Firewalls are implemented and configured in Libyana networks instead of IDS and IPS.
Assessment Approach
Among the various risk assessment approaches, a qualitative assessment has been adopted in this RAR of the system. The risk assessment identifies the current level of risk in order to assign appropriate risk values (e.g., very low, low, moderate, high, very high) and provides risk mitigation recommendations for management review. Because risk assessments are not precise instruments of measurement, this RAR will not eliminate risk; risk can, however, be minimized by the application of IT security controls. In addition, the RA reflects the limitations of the techniques, tools and specific assessment methodologies employed.
Time Frame
The effectiveness time frame of the risk assessment gives the company an idea of how long the risk assessment remains valid before it must be conducted again (Fikri, Putra, Suryanto and Ramli, 2019). This report provides a comprehensive assessment of the different Tiers of the organization while giving special attention to the security of the information system technologies. Therefore, this risk assessment is expected to remain valid as a source of decision support for 18 months, unless a new risk assessment is required because new technologies or security controls are introduced to the system, or new editions and updates of the existing system used at Libyana are launched.
Risk Model
Risk Assessment Methodology:
The risk assessment methodology was selected according to the method described in NIST Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments, issued by the National Institute of Standards and Technology (NIST). This methodology is one of the specialized methods for assessing the risks of information systems and determining the level of importance of the system to the workflow in Libyana. In this risk assessment report, we conduct the risk assessment by following these steps:
1. Prepare for assessment by identifying scope
2. Identify threat sources
3. Identify vulnerabilities and predisposing conditions
4. Determine likelihood
5. Determine impact
6. Determine risks and uncertainties
7. Detailed results
8. Monitor risk factors going forward
Risk Assessment Team and Participants
The work team that carried out the process of assessing risks and determining the necessary controls for information security and protection of the information system, and prepared and reviewed the final report, consisted of:
Name | Department | Job Description | Role
Ahmed Zain | Information Technology Management | IT department manager | Consultant
Mohammed Mohamed | Information Technology Management | IT technician | Team Member
Eslam Tarrum | Information Technology Management | IT technician | Team Member
Data Sources
IT System Boundary Diagram
Technology Components
Sensitivity
In this RAR, we used Federal Information Processing Standard 199 (FIPS 199) to provide the security categorization of Libyana information systems, as shown in the figure below (see Appendix G). The general formula for expressing the security category (SC) of an information type or information system is (where each impact value can be low, moderate or high):
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
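As an added example (not part of the report, and not Libyana's actual categorization), the following Python script applies the FIPS 199 formula above together with the high-water mark rule from NIST SP 800-60: each information type receives its own security category, and the system inherits the highest impact value of any information type for each objective. The information types and impact values are constructed for illustration. The handling of "NA" follows FIPS 199, which allows "not applicable" only for the confidentiality of an information type, never for an information system.

```python
# Added example, not from the report: FIPS 199 security categorization with the
# SP 800-60 high-water mark. The information types and impact values are
# constructed for illustration and are not Libyana's actual categorization.

# Ordinal impact scale from FIPS 199. "NA" (not applicable) may be assigned
# only to the confidentiality objective of an information type, never to an
# information system, whose minimum value for every objective is "low".
IMPACT_ORDER = {"NA": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information_type(name, confidentiality, integrity, availability):
    """Return the SC mapping for one information type after validating it."""
    sc = {"confidentiality": confidentiality,
          "integrity": integrity,
          "availability": availability}
    for objective, value in sc.items():
        if value not in IMPACT_ORDER:
            raise ValueError(f"{name}: invalid impact value {value!r} for {objective}")
        if value == "NA" and objective != "confidentiality":
            raise ValueError(f"{name}: 'NA' is only allowed for confidentiality")
    return sc


def higher(a, b):
    """Return the higher of two impact values on the FIPS 199 scale."""
    return a if IMPACT_ORDER[a] >= IMPACT_ORDER[b] else b


def categorize_system(info_types):
    """High-water mark: for each objective the system inherits the highest
    impact value of any information type it stores, processes or transmits.
    Starting from "low" enforces the rule that a system is never "NA"."""
    system = {objective: "low" for objective in OBJECTIVES}
    for sc in info_types.values():
        for objective in OBJECTIVES:
            system[objective] = higher(system[objective], sc[objective])
    return system


def overall_level(sc):
    """Single overall rating (highest of the three objectives), as used to
    select a control baseline."""
    return max(sc.values(), key=lambda v: IMPACT_ORDER[v])


def format_sc(label, sc):
    """Render the category in the notation used in the report."""
    pairs = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed information types handled by the Libyana system (illustrative).
INFO_TYPES = {
    "customer payment records": categorize_information_type(
        "customer payment records", "high", "high", "moderate"),
    "public product catalogue": categorize_information_type(
        "public product catalogue", "NA", "moderate", "low"),
    "management reports": categorize_information_type(
        "management reports", "moderate", "moderate", "low"),
}

SYSTEM_SC = categorize_system(INFO_TYPES)

if __name__ == "__main__":
    for name, sc in INFO_TYPES.items():
        print(format_sc(name, sc))
    print(format_sc("Libyana information system", SYSTEM_SC))
    print("overall impact level:", overall_level(SYSTEM_SC))
```

With these constructed inputs the system is categorized as {(confidentiality, high), (integrity, high), (availability, moderate)}: the public catalogue's "NA" confidentiality does not lower the system's value, and a single high-impact information type raises the whole system to high.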
Physical Location(s)
This figure represents the physical locations of information system components:
Data Used by System
This figure shows the data categories used by the system, with a brief description of each category and what it contains:
Users
The following table shows the categorization of users in Libyana information systems:
Users | Description
Libyana Employees | The employees will be able to perform their daily Libyana business processes and missions by accessing the system through server rooms, computer systems, and data centers.
Libyana Customer | Limited services such as tracking information and payment facilities will be provided to customers, who access the system either through a mobile application or a web browser.
Libyana Operations | Utilize information contained in the Libyana database for management reporting. Generate reports and database queries.
Libyana Security Team | Manages Libyana information systems and maintains the security configuration of the system at Tier 3, coordinating with Tier 2 based on the organizational risk frame defined at Tier 1.
Flow Diagram
The flow diagram represents the direction of information flow within the Libyana network, which defines the scope of the risk assessment effort.
Threat Source
The main sources of threat to the company include, as mentioned, adversarial threats: based on the nature of its operations, the company seeks to keep each department confidential from the other departments. In addition, the company deals with many suppliers, manufacturers and customers, so keeping its information system secure is a top priority. Individuals both inside and outside the company may attempt to access unauthorized information, including competitors and even trusted insiders who are employees of the company. Unintentional acts can also be threat sources, such as incorrect data entry and negligence. Furthermore, non-adversarial sources can be environmental or natural threats such as long-term power failure, floods, earthquakes or fires, which cannot be controlled by humans and endanger the system's security. Such threats, however, are of lower risk and much less likely to happen than adversarial threats.
One of the significant vulnerabilities of a company such as Libyana is access privileges: usernames and passwords must be set to expire, and regular password changes must be enforced. This strengthens the system and makes unauthorized access more difficult. Left unaddressed, this vulnerability leads to a high risk of malicious use and computer crime affecting the company's confidentiality. Another vulnerability of the system is the existence of idle accounts belonging to previous employees or guests, together with poor use of encryption within the system, which makes it easier for crime to occur. Malicious use and crime are therefore among the highest risks affecting the company, since the company has several vulnerabilities that encourage these threats. The table below summarizes the threat sources with a brief description of each.
Threat Identification
Threat identification is the process of identifying potential threat events that could be caused by the threat sources identified for Libyana as an organization. The identified threat sources are assessed based on their capability, intent and targeting. The identified threat events are classified by their relevance to the organization and characterized by the tactics, techniques, and procedures involved. The table below lists the threat sources, threat events, capability, intent and targeting.
APPENDIX A
Questionnaire
APPENDIX B
Acceptable Use Policy
Policy
General Use and Ownership
All the proprietary information of Libyana that are stored on electronic and computing devices are protected in accordance with the Data Protection Standard.
Users are permitted to use Libyana's information resources only for the purposes of the work they are authorized to perform. Any unauthorized use of Libyana's information systems and resources, such as personal use or use on behalf of any third party (a personal client, family member, political, charitable, school or other purposes), is strictly prohibited, and a user who violates this rule will be subject to disciplinary action and/or appropriate legal action.
All computer data generated, received or sent using the Libyana’s information systems are owned by the Libyana and are not considered to be owned by the user. The Libyana reserves the right to examine all data for any reason and without notice, for example when there are suspicions of violating these rules or any policies and procedures of the Libyana.
Libyana employees and third-party users who use or have access to Libyana information should be aware of the current limits of their use of the Libyana’s information systems, and are responsible for their use of information systems and any use that is made under their responsibility.
Authorized personnel within Libyana have the right to monitor equipment, systems and network traffic at any time for the purposes of security and network maintenance.
No user is allowed to exceed the amount of access to proprietary information that is permitted and necessary to carry out the job and tasks assigned to them.
Libyana reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
All Libyana users are allowed to access only the information systems and processes needed to perform their business tasks.
Accessing, entering or connecting to server rooms will be allowed only for authorized individuals.
Accessing, entering or connecting to data centers will be allowed only for authorized individuals.
Providing server rooms with physical security mechanisms that include security locks that work with fingerprint or iris recognition to prevent unauthorized access.
Providing data centers with physical security mechanisms that include security locks that work with fingerprint or iris recognition to prevent unauthorized access.
Movement between company facilities for employees requires an access card that proves the person’s validity, while visitors are given an access card that is limited in validity and time.
Security and Proprietary Information
Access Control
All Libyana users should only have access to the information systems and processes needed to perform their business tasks.
Each information system user must obtain authorization from the information system administrator in order to have access to the Libyana information systems.
Access to information systems and activation of user accounts is granted to employees, contractors, consultants, temporary workers or supplier employees only while the person performs services for the benefit of Libyana.
Username and Password
All user names and passwords must be stored and distributed to the systems securely.
Each user of any information system must have a unique user name and password.
Shared and generic usernames must not be used.
The minimum allowed password length is 9 characters.
The user is not allowed to share his username and password with other people under any circumstances. The user shall bear full direct responsibility for all activities that take place through his user account on any of the systems he is permitted to use.
Third Party Access to Libyana Information Systems
The Director of the Information Security Department should conduct an assessment to determine the potential risks to Libyana’s information systems arising from access to them by third parties.
It should be taken into account that the aforementioned evaluation includes the following criteria:
The type and level of access to be granted to the other party.
Classification of information systems risks to which access will be permitted.
The reasons on which access to information systems is granted.
Reference information about the other party.
Availability and effectiveness of the controls to be applied to regulate and control the access of the other party.
Third party access to Libyana’s information systems is granted based on a formal contract between Libyana and the said party.
The contract must include the following conditions as a minimum:
Terms and conditions under which access is granted.
The level of security that the third party is reasonably expected to provide in order to maintain the confidentiality, integrity and availability of the Libyana information/data being processed.
Responsibilities of employees of contractors, consultants or suppliers.
An expiration date for the username shall be specified for Contractor, Consultant and all other third-party employees, provided that it does not exceed the expiry date of the contracted project.
Remote Access
Remote access to the Libyana network is granted through the users' standard login procedures.
Remote access is granted on an as-needed basis and for business purposes only.
Libyana grants remote access only to essential operational needs and documents the justification for such access.
Users with remote access must ensure that their Libyana-owned or personal computer or workstation that is remotely connected to the Libyana network meets the following requirements:
Not connected to any other network at the same time, except for personal networks that are under the full control of that user.
Includes the latest anti-virus, anti-spyware and firewall software.
The user is responsible for any consequences or negative effects arising from the misuse of access.
Unacceptable Use
This policy applies to the employees of Libyana and any third party, whether they are working on a permanent or temporary basis, regardless of their work locations. This policy covers all information system environments that Libyana operates or that Libyana has contracted to operate with a third party.
In the event that any of the Libyana employees or a third party (suppliers, contractors, business partners, etc.) violates this policy, he will be subjected to regular procedures in accordance with the policies of Libyana, which include – without limitation – the work and workers system, the information crime control system, the electronic transactions system, and others.
System and Network Activities
It is forbidden to introduce malicious programs (such as viruses, worms, Trojan horses, etc.) into the Libyana’s information systems.
It is prohibited to introduce free or shared programs into the Libyana’s network, whether downloaded from the Internet or obtained from other media, without authorization from the Dean of Information Technology.
It is prohibited to use the Libyana’s information systems to store, process, upload, or send data that could be considered biased (political, religious, racial, ethnic, partisan, etc.) or harassing.
It is prohibited to provide offers, products, items, or services that involve fraud or deception using the Libyana’s system resources.
It is forbidden to disclose the passwords used by others to access their accounts or to allow the use of those accounts by third parties.
It is prohibited to conduct port scanning or security scanning of Libyana's information network or information systems unless it is authorized by the Director of Information Security and prior notice has been sent to the concerned persons.
It is prohibited to carry out any form of network monitoring during which data that does not pertain to the host machine of the employee’s account is intercepted, unless such activity is part of the authorized job/task of the employee.
It is prohibited to circumvent or evade user authentication or the security of any host, network or account.
It is prohibited to use any program, script or command, or to send messages of any kind, for the purpose of interfering with or disrupting the service of any user, by any means, locally or via the Internet / intranet / extranet.
It is prohibited to provide information related to Libyana employees or lists of their names to any parties outside the Libyana without authorization from the concerned authorities inside the Libyana.
E-mail and Communication Activities
Sending any unsolicited e-mail messages, including sending “junk mail” or other advertising materials to persons who have not specifically requested such material (e-mail SPAM), is prohibited.
Harassment via email, phone, or fax, whether in language, frequency, or volume of messages, is prohibited.
Unauthorized use or falsification of email header information or its contents is strictly prohibited.
It is forbidden to create or edit “chain letters”, “Ponzi” or “pyramid schemes” of any kind.
Mass posting of non-business messages to newsgroups and blogs (newsgroup spam) is strictly forbidden.
Libyana employees should not expect any privacy for anything they store, send or receive via the Libyana email system. The Libyana may monitor messages without prior notice.
Blogging and Social Media
Libyana values and respects the intellectual property rights (including copyright, design rights, patent rights and licenses for software source code and documentation) associated with its information systems. Accordingly, it is strictly forbidden to blog or use social media to disclose any intellectual property or any information that Libyana classifies as confidential.
Violation of the rights of any person or company protected by copyright, patent or other intellectual property rights, or similar rules and regulations, through social media or blogging sites using Libyana systems, or using non-Libyana systems connected to Libyana's information technology environment, is prohibited.
APPENDIX C
Terms and Definitions
Libyana: It is a trading company that sells medicines and medical equipment.
SMTP: Simple Mail Transfer Protocol, the standard protocol for transferring e-mail between mail servers.
FTP: File Transfer Protocol, a protocol for transferring files between hosts over a network; it sends credentials and data unencrypted unless used with SSL/TLS.
SSL: Secure Sockets Layer, the protocol (succeeded by TLS) that encrypts traffic between a client and a server.
RAR: Risk Assessment Report (this document).
Threat Source: The intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability (NIST SP 800-30 Rev. 1).
Threat Event: An event or situation that has the potential for causing undesirable consequences or impact (NIST SP 800-30 Rev. 1).
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of its occurrence (NIST SP 800-30 Rev. 1).
Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source (NIST SP 800-30 Rev. 1).
Likelihood: A weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities (NIST SP 800-30 Rev. 1).
NIST: National Institute of Standards and Technology, the US agency that publishes the SP 800 series and the FIPS standards used in this report.
The following definition and terms can be found in the SANS Glossary located at:
https://www.sans.org/security-resources/glossary-of-terms/.
Access
Authentication
Authorization
Malware
Blogging
Spam
Confidentiality
Proprietary Information
Intranet
Extranet
APPENDIX E
Risk Determination
Reference: NIST Special Publication 800-30R1, Guide for Conducting Risk Assessments
Table: assessment scale – level of risk (combination of likelihood and impact)
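As an added example (not part of the report), the following Python script implements steps 4 to 6 of the Risk Model methodology: it determines each risk's level from its likelihood and impact using the assessment scale referenced above (NIST SP 800-30 Rev. 1, Table I-2), orders the register for management review, and tallies the counts per level in the form used in the Executive Summary. The register entries are constructed to mirror the threats discussed in this report; they are not the 24 risks the team actually identified, and their likelihood and impact values are illustrative.

```python
# Added example, not from the report: determine each risk's level from its
# likelihood and impact using the assessment scale referenced in Appendix E
# (NIST SP 800-30 Rev. 1, Table I-2), then prioritize and tally the register.
# The risk entries below are constructed to mirror the threats discussed in
# the report; they are not the 24 risks the team actually identified.
from collections import Counter

LEVELS = ("very low", "low", "moderate", "high", "very high")

# Rows: likelihood that the threat event occurs and results in adverse impact.
# Columns: level of impact, in LEVELS order. Cell: resulting level of risk.
# Values reproduce Table I-2 of SP 800-30 Rev. 1.
RISK_MATRIX = {
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}


def risk_level(likelihood, impact):
    """Look up the level of risk for a (likelihood, impact) pair."""
    likelihood, impact = likelihood.lower(), impact.lower()
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown scale value: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def assess_register(register):
    """Attach a level to every entry and order the register for management
    review: highest risk first, ties kept in their original order."""
    assessed = [dict(entry, level=risk_level(entry["likelihood"], entry["impact"]))
                for entry in register]
    return sorted(assessed, key=lambda e: LEVELS.index(e["level"]), reverse=True)


def tally_by_level(assessed):
    """Count risks per level, producing the kind of summary given in the
    Executive Summary (N risks rated 'High', etc.)."""
    counts = Counter(entry["level"] for entry in assessed)
    return {level: counts.get(level, 0) for level in LEVELS}


# Constructed register mirroring the threat sources and vulnerabilities
# discussed in the report (illustrative values, not the team's findings).
REGISTER = [
    {"id": "R1", "threat": "Idle account of a former employee used for unauthorized access",
     "likelihood": "high", "impact": "very high"},
    {"id": "R2", "threat": "Non-expiring passwords enable credential misuse",
     "likelihood": "high", "impact": "high"},
    {"id": "R3", "threat": "Weak encryption exposes departmental data",
     "likelihood": "moderate", "impact": "high"},
    {"id": "R4", "threat": "Incorrect data entry by an employee",
     "likelihood": "high", "impact": "low"},
    {"id": "R5", "threat": "Flood or fire at headquarters",
     "likelihood": "very low", "impact": "very high"},
    {"id": "R6", "threat": "Long-term power failure",
     "likelihood": "low", "impact": "high"},
]

ASSESSED = assess_register(REGISTER)
SUMMARY = tally_by_level(ASSESSED)

if __name__ == "__main__":
    for entry in ASSESSED:
        print(f"{entry['id']}: {entry['level']:<9} "
              f"({entry['likelihood']} likelihood, {entry['impact']} impact) "
              f"{entry['threat']}")
    for level in reversed(LEVELS):
        print(f"{SUMMARY[level]} risk(s) rated '{level}'")
```

Note how the table treats likelihood and impact asymmetrically: a very-high-impact event with very low likelihood (the constructed flood scenario) comes out as a "low" risk, which matches the report's reasoning that environmental threats carry lower risk than adversarial ones despite their severity.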
APPENDIX F
Team Member Information & Contact Details
APPENDIX G
NIST Federal Information Processing Standards 199
Table 7: Categorization of Federal Information and Information Systems (NIST 800-60 Volume I Revision 1)