Threat and Vulnerability Assessment Tool

Similar documents
Certified Information Security Manager (CISM) Course Overview

CYBERSECURITY RISK ASSESSMENT

TEL2813/IS2820 Security Management

ITG. Information Security Management System Manual

Developing a Model for Cyber Security Maturity Assessment

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

01.0 Policy Responsibilities and Oversight

Information Technology Branch Organization of Cyber Security Technical Standard

Information Security Policy

Department of Management Services REQUEST FOR INFORMATION

INFORMATION ASSURANCE DIRECTORATE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Security Program

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Crown Jewels Risk Assessment: Cost- Effective Risk Identification

EXAM PREPARATION GUIDE

Security Management Models And Practices Feb 5, 2008

AUDIT UNITED NATIONS VOLUNTEERS PROGRAMME INFORMATION AND COMMUNICATION TECHNOLOGY. Report No Issue Date: 8 January 2014

ITG. Information Security Management System Manual

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Unit Compliance to the HIPAA Security Rule

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Turning Risk into Advantage

TSC Business Continuity & Disaster Recovery Session

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

_isms_27001_fnd_en_sample_set01_v2, Group A

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

NIST Security Certification and Accreditation Project

Position Description IT Auditor

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Business Continuity Management Standards A Side-by-Side Comparison

LABOR CATEGORIES, EDUCATION AND YEARS OF EXPERIENCE Years No. Labor Categories Education Experience

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

ISC2. Exam Questions CAP. ISC2 CAP Certified Authorization Professional. Version:Demo

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

EXAM PREPARATION GUIDE

Courses. X E - Verify that system acquisitions policies and procedures include assessment of risk management policies X X

EXAM PREPARATION GUIDE

Cyber Resilience. Think18. Felicity March IBM Corporation

Protecting your data. EY s approach to data privacy and information security

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

EXAM PREPARATION GUIDE

CCISO Blueprint v1. EC-Council

National Information Assurance (IA) Policy on Wireless Capabilities

6 CONCLUSION AND RECOMMENDATION

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Manchester Metropolitan University Information Security Strategy

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Port Facility Cyber Security

The Common Controls Framework BY ADOBE

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

CompTIA CASP (Advanced Security Practitioner)

EXAM PREPARATION GUIDE

Table of Contents. Sample

Information Security Policy

CISM Certified Information Security Manager

Introduction to ISO/IEC 27001:2005

SECURITY & PRIVACY DOCUMENTATION

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Security Standards for Electric Market Participants

Security and Privacy Governance Program Guidelines

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Critical Infrastructure Protection Version 5

Effective Threat Modeling using TAM

HIPAA RISK ADVISOR SAMPLE REPORT

Standard for Security of Information Technology Resources

EXAM PREPARATION GUIDE

ISACA. Certification Details for Certified in the Governance of Enterprise IT (CGEIT )

What is BS 7799? BS 7799 is the most influential, globally recognised standard for information security management.

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

How to Conduct a Business Impact Analysis and Risk Assessment

Service Description: CNS Federal High Touch Technical Support

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Total Protection for Compliance: Unified IT Policy Auditing

INFORMATION ASSURANCE DIRECTORATE

Lakeshore Technical College Official Policy

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

EXAM PREPARATION GUIDE

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Physical Security Reliability Standard Implementation

Corporate Information Security Policy

POSITION DESCRIPTION

CISM - Certified Information Security Manager. Course Outline. CISM - Certified Information Security Manager.

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

Cybersecurity & Privacy Enhancements

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Information Security Continuous Monitoring (ISCM) Program Evaluation

SECURITY PLAN CREATION GUIDE

Information Security Office. Server Vulnerability Management Standards

Leveraging COBIT to Implement Information Security

Transcription:

TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards... 5 Threat Analysis... 5 Threat and Risk Assessment Matrix... 6 Threat & Vulnerability Assessment Work Plan... 7 Threat and Vulnerability Assessment Form... 9 What s New... 13 2

THREAT & VULNERABILITY ASSESSMENT PROCESS Risk management is a process to identify, assess, manage and control potential events to provide reasonable assurance regarding the achievement of business objectives. The risk management process has five key objectives: Identify and prioritize risk arising from business strategies and activities Determine the level of risk acceptable to the university (risk appetite) Design and implement risk mitigation activities designed to reduce risk Perform on-going monitoring activities to re-assess risk and the effectiveness of controls Communicate periodic risk management process reports to management To complete a compressive assessment there are six components in the planning and execution: 1. Define the scope of the process (Internal and external resource identification) 2. Data gathering via questionnaires, interviews, and analysis of existing data 3. Review of existing policies and procedures 4. Identification of potential threats 5. Analysis of vulnerabilities faces 6. Review and summarization of risks and acceptability of the risks with proposed solutions The risk management process should not be treated primarily as a technical function carried out by IT staff but rather as an essential management function of the enterprise. The principal goal of the Threat and Vulnerability Assessment Process is to protect enterprise assets and the enterprise s ability to carry out its mission in the face of potential threats to these assets. Successful threat and vulnerability assessments require the full support of senior management and be conducted by teams that include both functional managers and information technology administrators. As business operations, workflow, or technologies change, periodic reviews must be conducted to analyze these changes, to account for new threats and vulnerabilities created by these changes, and to determine the effectiveness of existing controls. 3

PURPOSE The purpose of the IT Security Risk Management Program is to: Comply with the enterprise s security policy, as well as other mandated regulations/requirements, to develop, implement, and maintain a security plan with appropriate and auditable security controls; Provide a governance framework for understanding potential risks to enterprise assets based on the security plan; Provide guidelines for evaluating and documenting the management, operational and technical security environment of enterprise assets; and Provide management with direction, planning, and guidance in the area of information security COMPONENTS OF A THREAT & VULNERABILITY ASSESSMENT ADMINISTRATIVE SAFEGUARDS Classification of data handled and identification of controls to protect those assets; Documentation of procedures, standards, and recommended practices to ensure that applicable policies and controls are implemented appropriately for a given business process; Identification of personnel who are authorized to access systems; Assurance that appropriate authorization controls are implemented; Security awareness training and education for all personnel; and Background checks prior to the selection and hiring of new personnel into critical positions. LOGICAL SAFEGUARDS Ensure access to only authorized users and session termination when finished; Enforce secure password management; Manage tracking of development, maintenance, and changes to application software and information systems; Manage access to the network; and Ensure event logging. 4

THREAT AND RISK ASSESSMENT MATRIX High = 5 4 3 2 Low = 1 Score Organizational Uncertainty The business unit has no plan. Management is uncertain about responsibility there is no business sponsor The business unit has no specific and has designated, but not committed, resources to the initiative The business unit has a plan but has not committed resources The business unit has no specific plan but has committed resources The business unit has a plan and has committed resources Technical Uncertainty No knowledge or experience Emerging area Some experience Understood in a different area Understood Skills Required Extensive new skills for both staff & management Extensive new skills for staff; some new skills for management Some new skills required for both staff & management Some new skills for staff; none for management No new skills for staff & management Hardware Dependencies Hardware is immature; just emerging from vendor labs Hardware exists but is not yet used within the organization Hardware exists and has been tested, but is not yet operational In use in a different application In use in similar applications Software Dependencies Non-standard software with complex interfaces Non-standard software Standard software; multiple interfaces and dependencies exist Standard software; complex programming is required Standard software; routine programming is required Application Software No package or solution exists. Complex design and development is required Programs available commercially, but highly complex. Complex design and development Programs available commercially with extensive modifications OR Programs can be developed inhouse with moderate complexity Programs available commercially with minimal modifications OR Programs can be developed inhouse with minimal complexity Programs exist & need minimal modification Total Technical Uncertainty Score Infrastructure Uncertainty Total Risk Score Major changes to the existing infrastructure are needed Significant changes to the existing infrastructure are needed Moderate changes to the existing infrastructure are needed Small changes are required to the existing infrastructure. Investment is needed The solution will use existing infrastructure and services no investment is required 6

THREAT AND VULNERABILITY ASSESSMENT FORM Page 1 9

Page 4 Threat and Vulnerability Assessment Physical and Electronic Sites Risk Ranking Vulnerability (Probability of Threat) Impact of Loss Will Occur over 90% Extreme 90%< >75% High 75%< >25% Moderate 25%< >10% Low Under 10% Catastrophic Very High Noticeable to ENTERPRISE Minor None Risk Point Value Impact of Loss Will Occur over 90% Extreme 90%< >75% High 75%< >25% Moderate 25%< >10% Low Under 10% Catastrophic 8 7 6 5 4 Very High 7 6 5 4 3 Noticeable to ENTERPRISE 6 5 4 3 2 Minor 5 4 3 2 1 None 0 0 0 0 0 6 to 8 5 3 to 4 1 to 2 0 Interpretation of scores These risks are extreme. Countermeasure actions to mitigate these risks should be implemented immediately. These risks are very high. Countermeasure actions to mitigate these risks should be implemented as soon as possible. These risks are moderate. Countermeasure actions to mitigate these risks should be implemented in the near term. These risks are low. Countermeasure actions to mitigate these risks should be implemented as convenient as they will enhance security overall. These currently pose no risk but should continue to be monitored. 12

WHAT S NEW VERSION 4.0 Updated to reflect the latest security and mandated requirements of US Federal, US States, EU, and ISO Specific work plan steps identified VERSION 3.3 Update the introduction to include a purpose section Updated electronic forms VERSION 3.2 Converted Risk Assessment Matrix to EXCEL Electronic Form VERSION 3.1 Added Risk Assessment Matrix with scoring definition VERSION 3.0 Section Added Components of a Threat & Vulnerability Assessment Section Added Threat & Vulnerability Assessment Work Plan Threat and Vulnerability Assessment tool provided in PDF, WORD 2007, and EXCEL 2007 formats 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback