
Information Security Office

SAMPLE Risk Assessment and Compliance Report

Restricted Information (RI).

Submitted to: SAMPLE CISO CIO CTO

Submitted: SAMPLE DATE

Prepared by: SAMPLE

Appendices attached:

Appendix B: Appendix B – Tenable Server Vulnerability Report.pdf
Appendix C: Appendix C – Acunetix Web App Vulnerability Report.pdf
Appendix D: Appendix D - Safeguard Implementation Plan Table.xlsx

This sample UCF Risk Assessment and Compliance Report is the sole property of the University of Central Florida. No portion of this document can be used, copied, or reproduced without the University’s consent.

Copyright © 2010 The University of Central Florida


Risk Assessment Compliance Report – Restricted Information (RI). Page 2

Table of Contents

SAMPLE Risk Assessment and Compliance Report ...1

Executive Summary ...4

Introduction ...4

Purpose ...4

Scope ...4

Risk Assessment Approach ...4

Assessment Kickoff and Information Gathering ...4

Overview ...4

Risk Assessment Information Gathering ...4

System Characterization ...4

Overview ...4

System Description ...4

Functional Description ...4

System Environment ...4

System Users ...5

System Dependencies ...5

Information Sensitivity ...5

Protection Requirement Findings ...5

Vulnerability Assessment Results ...5

Overview ...5

Description of the Server Vulnerability Results ...5

Server Name/IP: Server1 / 10.10.10.10 ...6

Server Name/IP: Server2 / 10.10.10.20 ...6

Description of the Compliance Results Data ...7

Server Name/IP: Server1 / 10.10.10.10 ...7

Description of the Web Application Code Alerts / Vulnerabilities ...8

Risk Analysis, Results, and Safeguard Recommendations...9

Overview ...9

Identified Threat Vectors ...9

Risk Results Legend ...9


Determining the Weighted Cumulative Risk Scores ...9

Safeguard Recommendations ...9

Risk Assessment Results and Safeguard Recommendations...9

Risk Results: ... 10

Safeguard Implementation Plan/ Results Documentation... 10

Appendix A: Definitions ... 10

Appendix B: Full report of Server Vulnerabilities and Compliance Checks ... 10

Appendix C: Full report of Web Application Code Alerts / Vulnerabilities ... 10


Executive Summary

Introduction

Purpose

Scope

Risk Assessment Approach

The ISO conducts risk assessments using an approach outlined in the NIST SP 800-30 guidelines, Risk Management Guide for Information Technology Systems. The assessment recommends appropriate security safeguards permitting colleges and/or departments and DSCs to make knowledgeable decisions for security related initiatives. The methodology addresses the following types of controls:

Management Controls
Operational Controls
Technical Controls

Assessment Kickoff and Information Gathering

Overview

This step initiates the risk assessment. The ISO solicits and collects information based on questionnaires, meetings, and other information gathering means.

Risk Assessment Information Gathering

System Characterization

Overview

The intent of this step is to define the boundaries of the IT system.

System Description

This section lists the operation dates and staff involved.

Functional Description

The functional description lists the purpose of the system, the software it runs, dependencies, interfaces, server names, etc.

System Environment

The System Environment section describes physical locations, hardware requirements, network requirements, databases, storage, etc.


System Users

System Users lists the primary users of the system.

System Dependencies

This section explains the infrastructure the systems rely on to function.

Information Sensitivity

Finally, the last section under System Characterization lists the types of data stored on the system and assigns each a sensitivity value, so that the resulting protection requirements can be factored into the impact scores.

System Information Types

Information Type | Confidentiality (Low/Moderate/High) | Integrity (Low/Moderate/High) | Availability (Low/Moderate/High) | Overall Rating

Protection Requirement Findings

Confidentiality:
Integrity:
Availability:

Vulnerability Assessment Results

Overview

The report bases vulnerability results on several different types of network scanning techniques capable of searching for network and code level vulnerabilities. The tools provide high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of a college and/or department’s security posture. The descriptions below further detail each section of the results.

Description of the Server Vulnerability Results

The scan assesses each server for vulnerabilities based on NIST and vendor best practices as well as Tenable plugins. The scanned vulnerability results provide a Common Vulnerability Scoring System (CVSS) score to aid in prioritizing the remediation steps and, in most cases, a link to patches, settings, and other remediation information. The report compiles the compliance checks and vulnerability results into a separate table for each server.

Server Name/IP: Server1 / 10.10.10.10

10.10.10.10

Scan Time
Start time : Wed Sep 08 09:42:07 2010
End time : Wed Sep 08 10:00:26 2010

Number of vulnerabilities
Open ports : 1
High : 2
Medium : 2
Low : 0

Remote host information
Operating System :
NetBIOS name : Server1
DNS name :

Server Name/IP: Server2 / 10.10.10.20

10.10.10.20

Scan Time
Start time : Wed Sep 08 10:12:46 2010
End time : Wed Sep 08 10:23:30 2010

Number of vulnerabilities
Open ports : 2
High : 1
Medium : 0
Low : 0

Remote host information
Operating System :
NetBIOS name : Server2
DNS name :

Description of the Compliance Results Data

The scan assesses each server individually for compliance checks based on NIST and vendor best practices as well as Tenable plugins. The scan returns the policy settings and the remote server settings side by side for the systems administrator to compare and resolve. The results provide a compliance chart that indicates the percentage of checks a particular server passes.

Server Name/IP: Server1 / 10.10.10.10

10.10.10.10

Scan Time
Start time : Wed Sep 08 09:42:07 2010
End time : Wed Sep 08 10:00:26 2010

Number of vulnerabilities
Open ports : 1
High : 48
Medium : 19
Passed : 87

Remote host information
Operating System :
NetBIOS name : Server1
DNS name :

[System Compliance chart: High 31%, Medium 12%, Passed 57%]

Description of the Web Application Code Alerts / Vulnerabilities

The scan assesses the website for vulnerabilities based on OWASP best practices, the Google Hacking Database, and other best practices from vendors. The scanned vulnerability results provide three ratings (High, Medium, and Low) to aid in prioritizing the remediation steps and in most cases a link to patches, settings, and other remediation information.

Scan details for https://SampleInsecureLogin.aspx

Scan information
Start time : 9/7/2010 9:39:00 AM
Finish time : 9/7/2010 10:34:53 AM
Scan time : 55 minutes, 53 seconds
Profile : Default

Server information
Responsive : True
Server banner :
Server OS :
Server technologies : ASP.NET

Threat level
Acunetix Threat Level 3

One or more high-severity vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface a website.

Alerts distribution
Total alerts found : 70
High : 1
Medium : 3
Low : 2
Informational : 64

Executive summary

Alert group                               Severity   Alert count
SSL 2.0 deprecated protocol               High       1
ASP.NET application trace enabled         Medium     1
TLS1/SSLv3 Renegotiation Vulnerability    Medium     1
Login page password-guessing attack       Low        1
Possible sensitive directories            Low        1


Risk Analysis, Results, and Safeguard Recommendations

Overview

Risk analysis is the process of establishing a method to rate the severity, impact, and likelihood of an exploitable risk.

Identified Threat Vectors

The NIST risk-scoring model pairs each risk with the threats capable of exploiting it. Each threat receives a risk score based on its likelihood and impact ratings.

Risk Results Legend

Overview

The risk results legend briefly explains how to interpret the risk results: likelihood, impact, weighted cumulative risk scores, and safeguards.

Determining the Weighted Cumulative Risk Scores

The risk formula calculates each threat vector’s individual score, weights each score, and combines the scores, resulting in an assigned risk value and overall risk severity rating. Possible risk scores range from 1 to 101.08.

Risk Score Range Table

Risk Scores   Risk Score Range
Note          1-4.99
Low           5-24.99
Moderate      25-69.99
High          70-101.08

Safeguard Recommendations

Risk Assessment Results and Safeguard Recommendations

The top line of each risk contains the risk number, the location and/or question number where the risk was identified, and the risk description. Following the top line is a list of threat vectors capable of exploiting the risk, their likelihood and impact scores, and the overall risk rating. Included at the bottom of each risk is a list of recommended safeguards to mitigate or reduce risk.


Risk Results:

Risk #1: Question D8 – The system does not have a "hot" standby site to prevent downtime.

Threat Vectors                    Likelihood   Impact     Risk
Acts of nature                    Low          Moderate   Low
Hazardous conditions              Low          Low        Note
Dependency failures               Low          Moderate   Low
Errors and omissions              Moderate     Moderate   Moderate
Physical intrusion and/or theft   Low          High       Low

Overall Risk Severity (Low, Moderate, High): Moderate
Overall Risk Score (1~101.08): 25

Recommended Safeguard(s):
S1 Arrange a "Hot Site" recovery location where servers have the installed programs needed to bring the application online quickly.
S2 Develop, document, test, and practice a restore and recovery plan.
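An added example, not part of the UCF sample report and not code from Tenable or Acunetix: it parses the per-server count lines shown in the compliance summary into the percentages of the System Compliance chart, and maps a weighted cumulative risk score to the bands of the Risk Score Range Table. The input text is constructed from the Server1 figures, and the rounding rule that makes the percentages sum to 100 is my assumption, since the report does not state how the chart is computed.

```python
import re

# Constructed input, in the shape of the Server1 compliance summary in the report.
SERVER1_COMPLIANCE = """
Start time : Wed Sep 08 09:42:07 2010
End time : Wed Sep 08 10:00:26 2010
High : 48
Medium : 19
Passed : 87
"""

# Risk Score Range Table from the report; lower bound of each band, inclusive.
RISK_BANDS = [(70.0, "High"), (25.0, "Moderate"), (5.0, "Low"), (1.0, "Note")]
MAX_RISK_SCORE = 101.08


def parse_counts(summary: str) -> dict:
    """Collect the 'Label : N' count lines; timestamp lines are skipped."""
    pattern = re.compile(r"^(High|Medium|Low|Passed)\s*:\s*(\d+)\s*$", re.M)
    return {label: int(n) for label, n in pattern.findall(summary)}


def compliance_percentages(counts: dict) -> dict:
    """Whole-percent shares that add up to 100, as in the System Compliance chart.

    Plain rounding would give 31/12/56 for Server1, but the chart shows 57% Passed,
    so the leftover point is assumed to go to the largest fractional remainder."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("summary contains no compliance checks")
    exact = {k: 100 * v / total for k, v in counts.items()}
    pct = {k: int(x) for k, x in exact.items()}  # floor; values are non-negative
    shortfall = 100 - sum(pct.values())
    by_remainder = sorted(exact, key=lambda k: exact[k] - pct[k], reverse=True)
    for k in by_remainder[:shortfall]:
        pct[k] += 1
    return pct


def risk_band(score: float) -> str:
    """Map a weighted cumulative risk score to Note / Low / Moderate / High."""
    if not 1.0 <= score <= MAX_RISK_SCORE:
        raise ValueError(f"score {score} is outside the 1-{MAX_RISK_SCORE} range")
    for lower, name in RISK_BANDS:
        if score >= lower:
            return name
    return "Note"  # not reached once score >= 1.0; kept for clarity


if __name__ == "__main__":
    counts = parse_counts(SERVER1_COMPLIANCE)
    print(compliance_percentages(counts))  # {'High': 31, 'Medium': 12, 'Passed': 57}
    print(risk_band(25))                   # Moderate, matching Risk #1 in the sample
```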

Safeguard Implementation Plan/ Results Documentation

Appendix A: Definitions

Appendix B: Full report of Server Vulnerabilities and Compliance Checks

See attached file: Appendix B – Tenable Server Vulnerability Report.pdf

Appendix C: Full report of Web Application Code Alerts / Vulnerabilities

See attached file: Appendix C – Acunetix Web App Vulnerability Report.pdf

Appendix D: Sample Safeguard Implementation Plan Summary Table
