Information Security Risk Management ITC6315 Assignment 2 Assignment For this exercise, read the provided case study about AcmeHealth, and rate the risk exposure for each finding related to the following assets: 1. Code Repository 2. QA Server 3. Production Application Server You will need to assess the severity of each violation and also the likelihood that it would cause a breach of security. Use the severity and likelihood scales from Appendix B in the book (Tables 6.11 and 6.12) to evaluate each finding. A mapping table is provided (Figure 6.2) to calculate the Risk Exposure value for each severity/likelihood pair without taking sensitivity into account for now. Along with the ratings, describe in words why you rated the severity and likelihood this way. Review the provided example as a guideline. Next, write down 3-5 questions for each finding that you might ask the resource owner or SME to further qualify the risk. If you don't understand the technical details of any of the findings, ask the instructor to clarify. You can turn in the assignment electronically through Blackboard. Use this worksheet to capture each critical asset and describe the business value (see examples in the first row below): # 1 Resource Code Repository Finding Severity Likelihood Exposure Resource administrators don't verify the integrity of the information resource patches through such means as comparisons of cryptographic hashes to ensure the patch obtained is the correct, unaltered patch. High Low Moderate If malicious code is allowed onto the system through an application patch, this could compromise that application potentially allowing backdoor access to attackers or allow sensitive data to be sent from the application to the attackers. The malicious code may also cause the application to be unstable, causing it to crash periodically. Although it is possible for attackers to place fake application patch updates on sites that look legitimate, for most commercial software this would be more difficult and the attacker would have to be very motivated and have a high level of skill. Network connections from the offshore developers' workstations to the code repository server are not encrypted. 2 Code Repository _High______ __High_____ _High______ Code Repository store the stores metadata for a set of files and/or directory structure, the whole set of information in the repository may be duplicated on every user's system. Code Repository is important for developing the ASP model. So, if the hacker hack into the code repository, he can stole all the things. Employees can copy the code from the company code repository, which can make code repository explored in the high risk. 3 4 Client data is copied from production servers to this server regularly for QA testing. _______ _______ _______ No one notifies the Help Desk of terminations for support personnel in order to ensure that their access is disabled. _______ _______ _______ QA Server Production Application Server Table 1 - Initial Finding Ratings Next write down your follow up questions for each finding using the space provided below. These questions should include the information you would need to better rate each of the findings: Finding 1: Are updates tested in a non-production environment prior to implementation? Where are updates downloaded from? Are systems scanned for vulnerabilities post-update? Will the system install a corrupted update? Is there a back-out procedure for bad updates? Etc. Record your follow up questions to further qualify each finding here: Finding 2: ________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ Finding 3: ________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ Finding 4: ________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________ _________________________________________________________________________________________