30

Group Project G-2
1. Title
IT Security Risk Assessment

2. Introduction
You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As
a member of IT security consultant team, one of your responsibilities is to ensure the security of
assets as well as provide a secure environment for customers, partners, and employees. You
and the team play a key role in defining, implementing, and maintaining the IT security strategy
in organizations.

A government agency called the Bureau of Research and Intelligence (BRI) is tasked with
gathering and analyzing information to support U.S. diplomats.

In a series of New York Times articles, BRI was exposed as being the victim of several security
breaches. As a follow up, the United States Government Accountability Office (GAO) conducted
a comprehensive review of the agency’s information security controls and identified numerous
issues.

The head of the agency has contracted your company to conduct an IT security risk assessment
on its operations. This risk assessment was determined to be necessary to address security gaps
in the agency’s critical operational areas and to determine actions to close those gaps. It is also
meant to ensure that the agency invests time and money in the right areas and does not waste
resources. After conducting the assessment, you are to develop a final report that summarizes
the findings and provides a set of recommendations. You are to convince the agency to
implement your recommendations.

This learning activity focuses on IT security which is an overarching concern that involves
practically all facets of an organization’s activities. You will learn about the key steps of
preparing for and conducting a security risk assessment and how to present the findings to
leaders and convince them into taking appropriate action.

Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT
personnel are expected to possess. Information security is a significant concern among every
organization, and it may spell success or failure of its mission. Effective IT professionals are
expected to be up to date on trends in IT security, current threats and vulnerabilities, state-of-
the-art security safeguards, and security policies and procedures. IT professionals must be able
to communicate effectively (oral and written) to executive level management in a non-jargon,
executive level manner that convincingly justifies the need to invest in IT security
improvements. This learning demonstration is designed to strengthen these essential
knowledge, skills, and abilities needed by IT professionals.

31

3. Steps to Completion
Your instructor will form the teams. Each member is expected to contribute to the team
agreement which documents the members’ contact information and sets goals and
expectations for the team.

1) Review the Setting and Situation
The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-
source intelligence to American diplomats. It must ensure that intelligence activities are
consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts
who understand U.S. foreign policy concerns as well as the type of information needed by
diplomats.

The agency is in a dynamic environment in which events affecting foreign policy occur every
day. Also, technology is rapidly changing and therefore new types of security opportunities and
threats are emerging which may impact the agency.

Due to Congressional budget restrictions, BRI is forced to be selective in the type of security
measures that it will implement. Prioritization of proposed security programs and controls
based on a sound risk assessment procedure is necessary for this environment.

The following incidents involving BRI’s systems occurred and reported in the New York Times
and other media outlets:

• BRI’s network had been compromised by nation-state-sponsored attackers and that
attacks are still continuing. It is believed that the attackers accessed the intelligence
data used to support U.S. diplomats.

• The chief of the bureau used his personal e-mail system for both official business
purposes and for his own individual use.

• A software defect in BRI’s human resource system – a web application – improperly
allowed users to view the personal information of all BRI employees including social
security numbers, birthdates, addresses, and bank account numbers (for direct deposit
of their paychecks). After the breach, evidence was accidently destroyed so there was
no determination of the cause of the incident or of its attackers.

• A teleworker brought home a laptop containing classified intelligence information. It
was stolen during a burglary and never recovered.

• A disgruntled employee of a contractor for BRI disclosed classified documents through
the media. He provided the media with, among other things, confidential
correspondence between U.S. diplomats and the President that were very revealing.

32

Malware had infected all of the computers in several foreign embassies causing public
embarrassment, security risks for personnel and financial losses to individuals,
businesses and government agencies including foreign entities.

These reports prompted the U.S. Government Accountability Office to conduct a
comprehensive review of BRI’s information security posture. Using standards and guidance
provided by the National Institute of Standards and Technology and other parties, they had the
following findings:

Identification and Authentication Controls

• Controls over the length of passwords for certain network infrastructure devices were
set to less than eight characters.

• User account passwords had no expiration dates.
• Passwords are the sole means for authentication.

Authorization Controls

• BRI allowed users to have excessive privileges to the intelligence databases.
Specifically, BRI did not appropriately limit the ability of users to enter commands
using the user interface. As a result, users could access or change the intelligence
data.

• BRI did not appropriately configure Oracle databases running on a server that
supported multiple applications. The agency configured multiple databases operating
on a server to run under one account. As a result, any administrator with access to the
account would have access to all of these databases; potentially exceeding his/her job
duties.

• At least twenty user accounts were active on an application’s database, although they
had been requested for removal in BRI’s access request and approval system.

Data Security

• BRI does not use any type of data encryption for data-at-rest but protects data-in-
transit using VPN.

• A division data manager can independently control all key aspects of the processing of
confidential data collected through intelligence activities.

• One employee was able to derive classified information by “aggregating” unclassified
databases.

• Hackers infiltrated transactional data located in a single repository and went ahead
and corrupted it.

System Security

• Wireless systems use the Wired Equivalent Privacy (WEP) standard for ensuring secure
transmission of data.
• The agency permitted the “Bring Your Own Device” (BYOD) concept and therefore
users can utilize their personal mobile devices to connect to the agency network freely.

33

• In the event of a network failure due to hacking, the data center manager has his
recovery plan but has not shared it with anyone in or out of the center. He was not
aware of any requirement to report incidents outside of the agency.
• There has never been any testing of the security controls in the agency.
• Processes for the servers have not been documented, but in the minds of the system
managers.
• Patching of key databases and system components has not been a priority. Patching
systems have either been late or not performed at all. Managers explained that it takes
time and effort to test patches on its applications.
• Scanning devices connected to the network for possible security vulnerabilities are
done only when the devices are returned to inventory for future use.
• System developers involved with financial systems are allowed to develop code and
access production code.

Physical Security

• Unauthorized personnel were observed “tailgating” or closely following an official
employee while entering a secure data center.
• The monthly review process at a data center failed to identify a BI employee who had
separated from BRI and did not result in the removal of her access privileges. She was
still able to access restricted areas for at least three months after her separation.

End User Security
• Users even in restricted areas are allowed to use social media such as Facebook. The
argument used is that is part of the public outreach efforts of the agency.
• Users receive a 5-minute briefing on security as part of their orientation session that
occurs typically on their first day of work. There is no other mention of security during
employment.
• Users are allowed to use public clouds such as Dropbox, Box, and Google Drive to
store their data.
• BRI has not performed continual background investigations on employees who
operate its intelligence applications (one investigation is conducted upon initial
employment).
• There is no policy regarding the handling of classified information.
An internal audit report indicated that the organization needed several security
programs including a security awareness and training program, a privacy protection
program and a business continuity/disaster recovery programs. These programs will
need special attention.

2) Examine Background Resources
This learning demonstration focuses on the National Institute of Standards and Technology’s
(NIST) “Guide for Conducting Risk Assessments” See Pg. 23 to view the description of the risk
management process.

34

Throughout this learning activity, feel free to use other references such as:
Other NIST publications: (http://csrc.nist.gov/publications/PubsSPs.html)
SANS Reading Room: https://www.sans.org/white-papers/)
US-CERT (https://www.us-cert.gov/security-publications)
CSO Magazine (http://www.csoonline.com/)
Information Security Magazine (http://www.infosecurity-magazine.com/white-papers/)
Homeland Security News Wire

(http://www.homelandsecuritynewswire.com/topics/cybersecurity)

Other useful references on security risk management include:
https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&source=gbs_ge_su
mmary_r&cad=0#v=onepage&q&f=false

https://books.google.com/books?id=FJFCrP8vVZcC&printsec=frontcover&source=gbs_ge_sum
mary_r&cad=0#v=onepage&q&f=false

3) Prepare the Risk Assessment Plan
Using the NIST report as your guide, address the following items:

• Purpose of the assessment,
• Scope of the assessment,
• Assumptions and constraints, and
• Selected risk model and analytical approach to be used.

Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim
report will be consolidated to a final deliverable in a later step.)

All interim reports should be at least 500 words long and include at least five references for
each report. These reports will eventually be presented to management for their review.

4) Conduct the Assessment
Again, use the NIST report to address the following:

1) Identify threat sources and events
2) Identify vulnerabilities and predisposing conditions
3) Determine likelihood of occurrence
4) Determine magnitude of impact
5) Determine risk

You are free to make assumptions but be sure to state them in your findings.

In determining risk, include the assessment tables reflect BRI’s risk levels. Refer to Appendix I.
on risk determination in Special Publication 800-30.

35

Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be
sure to include the final risk evaluations in this report.

5) Identify Needed Controls and Programs
Research and specify security controls needed to close the security gaps in BRI.

Also, be sure to include a description of the following programs for securing BRI:

• Security Awareness and Training Program (i.e., communications to employees
regarding security)
• Privacy Protection Program
• Business Continuity/Disaster Recovery Program

You should justify the need for the agency to invest in your recommendations.
Document your findings and recommendations from this step in the “Interim Security
Recommendations Report.”

6) Communicate the Overall Findings and Recommendations
Integrate of your earlier interim reports into a final management report. Be sure to address:

• Summary of the Current Security Situation at BRI (from Step 1)
• Risk Assessment Methodology (from Step 2)
• Risk Assessment Plan (from Step 3)
• Risk Assessment Findings (from Step 4)
• Security Recommendations Report (from Step 5)
• Conclusions

Also provide a presentation to management. The presentation should consist of 15-20 slides. It
should include audio narration (directions are found at: https://support.office.com/en-
au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The
narration should also be captured in the slide notes.

Prepare a peer evaluation report.

4. Deliverables

• Final Management report (as described in Step 6)

• PowerPoint Presentation

Except for the presentation, combine all the files into one Word document. Provide an abstract,
introduction, table of contents and conclusion in this one document.

Title your files using this protocol: GroupNumber_G-2_AssignmentName_Date.

36

In lieu of submitting the presentation, the team leader may provide a link to the presentation
file.

NOTE: At the end of the project, each member of the team should email a completed Peer
Evaluation form to your instructor.

5. Rubric

Criteria Weight Score
Identify threats and vulnerabilities associated with information
systems and assess their risks

30

Formulate the appropriate security controls to address the identified
threats and vulnerabilities

30

Communicate to employees an awareness of security issues related to
IT systems

10

Evaluate organizational information systems to ensure they protect
the privacy of users and of customers

10

Determine requirements for business continuity/disaster recovery
plans and backup procedures

10

Exhibit communication skills (e.g., APA compliance, grammar, ability to
development of ideas in writing)

10

Total 100

Additional References
Ross, R. (2014). Security and privacy controls for federal information systems and organizations. NIST
Special Publication 800-53. http://dx.doi.org/10.6028/NIST.SP.800-53r4

Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. & Thomas, R. (2002). Contingency planning guide
for information technology systems. NIST Special Publication 800-34.
http://ithandbook.ffiec.gov/media/22151/ex_nist_sp_800_34.pdf

Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training
program. NIST Special Publication 800-50. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-
SP800-50.