Risk Assessment Report

Purpose

The purpose of conducting this risk assessment was to identify potential threats and vulnerabilities related to the OPM system. The risk assessment will be used to identify possible risk mitigation plans related to the Agency. The network was identified as potentially high-risk during the security assessment. A risk assessment is therefore needed to measure the impact of any breach that could result from the vulnerabilities discovered.
Scope

The company’s system comprises several infrastructural components. The external interface is a series of interactive web pages that allow users to input data and receive the required information from the application. The system is built using Internet Information Server that uses Active Server Pages. The network infrastructure helps manage information transactions across the entire system. The web application, database and operating systems that support these components are all included in the scope.
Making sure that the servers require several firewalls, which are set up at almost all the network interconnection boundaries.

Threats

Cybercrime has been a major source of personal, corporate and governmental leaks. The OPM operates without a proper risk governance structure. The OPM does not have a structured and standardized monitoring system for security controls. The OPM failed to maintain an accurate IT inventory, which undermines all attempts at securing its information systems.
Insider threats to information systems may be the biggest threats that any organization might face. They are said to be the biggest because it is very difficult to determine who among the trusted employees would betray the organization. It is always very easy to ignore the threat within, on the assumption that there is loyalty inside the organization, only to realize that the root cause of the threats is from within. The common insider threats are:

Theft of unsecured personal devices is a very big threat, as the mobile devices used in organizations are out of control. These devices can be used to access vital information about the organization, enabling theft that is not limited to intellectual property and defense plans.

External threats

Some examples of external security threats to the information system of the organization are:

Phishing is an external attack in which a hacker uses a scam to trick an employee into giving up their login details. The hacker sends emails embedded with a link that captures the details when the employee enters them.

Denial of Service is an attack in which the attacker gains access to the network of the organization and keeps users from having access to certain services. The hackers achieve this by disrupting how the host system functions. When the attacker floods all the computer ports instead of only certain ports, it is called a Direct denial of service attack.

Spoofing occurs when an attacker masquerades as a legitimate host and steals the IP address, spoofs a website or hijacks a network system, and by that means injects malicious code developed to damage system operations. Such malicious code includes Trojan horses, viruses, key-loggers, spyware and many others. Once planted in the system, they interrupt the functionality of the system by disabling the firewalls and giving access to the hackers (Catteddu & Hogben, 2013).
The Risk Assessment Matrix below shows the threat source, the threat action, the likelihood of occurrence and the impact of the vulnerabilities involved.
These were a few of the remediations put forward, among others. OIG recommends that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. All active systems in OPM’s inventory must have a complete and current Authorization. OPM must ensure that an annual test of security controls has been completed for all systems. Access control is very important in making sure that access to information in the system is controlled. The use of passwords and usernames helps the organization protect private data from landing in the hands of unauthorized personnel.
This technique is important in protecting against threats like spoofing, packet hijacking, malicious code and many others. An RDBMS helps make the transactions within the system efficient and effective because it provides the ACID tests that provide security to the transactions. The use of transaction logs also helps in tracking the changes that are made to the database. Firewall log files help keep the transactions within the system secure from attacks.
Cryptography also applies complex mathematics and logic to design high-end encryption methods that allow system administrators to maintain the confidence of clients in the organization’s operations. Cryptography assures people that their data is kept private, and it is very important in making sure that database transactions are kept secure and attackers are locked out (Filipek & Hudec, 2015).

Cost/benefit analyses of remediation

The OPM is working to improve its comprehensive security control system, which will later need periodic system authorization. Even though it may cost the organization a great deal to make this work, it will be a win given the security threats and vulnerabilities it faces. Proper governance is needed to proactively implement cost-effective controls to protect critical information systems that support the mission and changing the risk management.
High-level plan of action with interim milestones (POAM)

The action was carried out in accordance with auditing standards accepted by the government. The standards require systems that allow efficient auditing, so that sufficient information and conclusions can be drawn about any activity in the network. For OPM, internal controls were examined for various systems that had varying degrees of computer-generated data.

Summary

This report on the OPM Authorization program has concluded that OPM has not substantially defined the roles and responsibilities of all positions of the IT management structure.
With the existent threats and vulnerabilities, there have been significant improvements to the monitoring program.

REFERENCES

Catteddu, D., & Hogben, G. (2013). Cloud computing risk assessment: benefits, risks and recommendations for information security, ENISA report.

Filipek, J., & Hudec, L. (2015, June). Distributed firewall and cryptography using PKI in mobile Ad Hoc networks. In Proceedings of the 16th International Conference on Computer Systems and Technologies (pp. 292-298). ACM.