Risk Assessment Report
The purpose of conducting this risk assessment was to identify potential threats and vulnerabilities related to OPM System. The risk assessment will be used to identify possible risk mitigation plans related to Agency. The network was identified to have a potential high-risk during security assessment. Therefore, risk assessment is needed to be conducted to measure the impact of any breach that can result from the vulnerabilities discovered.
The company’s system comprises several infrastructural components. The external interface is a series interactive web page that allows users to input data and receive the required information from the application. The system is built using Internet Information Server that uses Active Server Pages. The network infrastructure helps in the management of information transaction in the entire system. The web application, database and operating systems that support these components are all included in the scope. Making sure that the servers require several firewalls which are set up in almost all the network interconnection boundaries.
Cybercrime have been a major source of leak of personal, corporation and governmental leak. The OPM operates without a proper risk governance structure. The OPM does not have a structured and standardized monitoring system for security controls. The OPM failed to maintain accurate IT inventory that undermines all attempts at securing their information systems.
Insider threats to information systems may be the biggest threats that any organization might face. The reason why they are said to be the biggest is that it becomes very difficult to determine who would betray your organization among the trusted employees. It is always very easy to ignore the threat within on the assumption that there is always that loyalty within only to realize that the root cause of the threats is from within. The common insider threats are:
Theft of unsecured personal device is a very big threat as the mobile devices use in organizations are out of control. These devices can be used to access vital information about the organization not limited to Intellectual Property and Defense plan theft.
Some of the examples of external security threats to the information system of the organization are:
Phishing attacks is an external attack where a hacker uses the scam to trick an employee into giving them their login details. They send emails that are embedded with a link that captures the details when entered by the employee.
Denial of Service attack where the attacker gains access to the network of the organization and keeps users from having access to certain services. The hackers achieve this by disrupting how the host system functions. When the attacker floods all the computer ports instead of only certain port is called Direct denial of service attack.
Spoofing occurs when an attacker masquerades as a legit host and steals the IP address, spoofs a website or hijacks a network system and by that means inject malicious codes that are developed to create damage to the system operations. They include Trojan horses, viruses, key-loggers, spyware and many others. Once they are planted in the system, they interrupt the functionality of the system by disabling the firewalls and giving access to the hackers (Catteddu & Hogben, 2013).
Known Unpatched Exploit
Hackers / DDoS/ Malicious Codes
Insiders / Phishing Attacks
Partners / Competitors /Terrorists / Spoofing
Theft of IT equipment
Man in the middle
Above is the risk matrix of threats that exist in many organizations. This includes their likeliness of occurrence and their level of impact of the attack.
The OPM allows information systems to operate indefinitely without been subjected to a strict security controls assessment. The FISMA requirements, OMB policies and applicable NIST guidelines have not been followed through appropriately such as dated system inventory which includes the organization and contractor-operated systems.
The Risk Assessment Matrix below shows the threat source, threat action likelihood of occurrence and the impact of the vulnerabilities involved.
Likelihood of occurrence
OPM applications do not require PIV authentication
Unauthorized users and terminated employees
Dialing into the company’s database and access of critical information.
Loss of crucial data, loss of revenues through litigation expenses in case this information is misused.
Terminated employees, Hackers and computer criminals
Getting into the system using the unsupported software or any other software
This may lead to loss of sensitive files from the system of the company.
Lack of annual assessment of its systems
Unauthorized users, hackers and computer criminals
Accessing the database of the company through hacking or any other way such as getting used to the pattern
Remote access of the data which may lead to the access of the data.
Impact assessments for exploitation of security weaknesses
The weakness of security makes the OPM exposed to data loss. The evaluation shows that OPM does not have a process to record or track security status making the process vulnerable. This also showed the need for OCIO to centrally track the current status of security weakness.
On performance standards, systems owners had to be modified to fit the FISMA compliance systems. These were few remediation forwarded among others. OIG recommends that the OCIO develop and maintain a comprehensive inventory of all servers, databases, and network devices that reside on the OPM network. All active systems in OPM’s inventory must have a complete and current Authorization. OPM must ensure that an annual test of security controls has been completed for all systems.
Use of Access control is very important in making sure that access to information in the system is controlled. The use of passwords and usernames help the organization protect private data from landing the hands of authorized personnel. This technique is important in protection against threats like spoofing, packet hijacking, malicious codes and many others. RDBMS help in making the transactions within the systems quite efficient and effective because they provide the ACID tests that provide security to the transactions. The use of transaction logs also helps in tracking the changes that are made to the database. Firewall log files help in protecting the transaction within the system secure from attacks.
Cryptography also applies complex mathematics and logic to design high-end encryption methods that allows system administrators to maintain confidence of the clients in the organization’s operations. People are assured that their data is kept private using cryptography and very important in making sure that the database transactions are kept secured and lock out the attackers (Filipek & Hudec, 2015).
Cost/benefit analyses of remediation
The OPM is working to improve their comprehensive security control system that will, later on, need periodic system authorization. Even though it may cost the organization high to have this work, it will be a win due to the security threats and vulnerabilities they face. Proper governance is needed to proactively implement cost-effective controls to protect critical information systems that support the mission and changing the risk management.
High-level plan of action with interim milestones (POAM)
The action was done through auditing standards accepted by the government. The standards requirement includes the systems that allows efficient auditing in order to extract sufficient information’s and conclusion on any activities in the network. Considering OPM, internal controls were examined for various systems which had varying degrees of computer generated data.
This is a report on OPM Authorization program have concluded that OPM has not substantially defined the roles and responsibilities of all positions of the IT management structure. With the existent threats and vulnerabilities, there have been significant improvements to the monitoring program.
Catteddu, D., & Hogben, G. (2013). Cloud computing risk assessment: benefits, risks and recommendations for information security, ENISA report.
Filipek, J., & Hudec, L. (2015, June). Distributed firewall and cryptography using PKI in mobile Ad Hoc networks. In Proceedings of the 16th International Conference on Computer Systems and Technologies (pp. 292-298). ACM.