Project on Information Security
| # | Weakness (violates a policy or procedure) | Threat (the danger that exploits the weakness) | Risk (what ASSET could be lost, qualitative/quantitative) | Countermeasure (how it can be safeguarded) | Risk Factor & Reason: "1" Critical: impacts company viability; "2" Major: impacts asset or IT infrastructure; "3" Minor: impacts productivity/availability |
|---|---|---|---|---|---|
| Ex1 | Client records left out in the office after hours | Janitors or others having access to the building after hours can gain access to files in the cabinets | a. Client sensitive information, including Social Security numbers, can be stolen and used to open new accounts. b. Client financial account numbers can be obtained and finances can be stolen. c. Negative publicity can impact the company's reputation. | 1. Enforce policies requiring client records to be stored securely. 2. Discipline employees who left records out. | "1" (company may have to pay penalties for each incident; negative publicity could destroy the company's reputation); "3" (stolen files must be replaced) |
| Ex2 | Office areas left unlocked after everyone has left for the day | Visitors and others can gain access to office areas without being seen | a. Company assets can be stolen or vandalized. b. IT infrastructure can be destroyed. c. File cabinets can be broken into and client files can be stolen or destroyed. d. Negative publicity can impact the company's reputation. | 1. Enforce policies requiring offices to be secured. 2. Discipline employees who left offices unlocked. 3. Add contact information to office entryways so janitors or others can call to report unsecured offices. | "1" (company may have to pay penalties for each incident; negative publicity could destroy the company's reputation); "2" (stolen company assets and destroyed IT infrastructure must be replaced); "3" (stolen files must be replaced) |
| 1 | Employee taped password to screen | ||||
| 2 | LAN/WAN UPS not operational | ||||
| 3 | Regular Firewall maintenance not conducted | ||||
| 4 | SysAdmin has little-to-no security awareness training | ||||
| 5 | Servers do not contain latest patches | ||||
| 6 | Databases/systems not backed-up | ||||
| 7 | Computer always left logged-in | ||||
| 8 | Computer login shared by everyone | ||||
| 9 | Employee uses a very simple password | ||||
| 10 | InfoSec audits not conducted | ||||
| 11 | Employees using personal laptops to do corporate business | ||||
| 12 | Client files left out on the desk overnight | ||||
| 13 | Client personal data shared with everyone via email | ||||
| 14 | Password hasn't been changed in over a year | ||||
| 15 | Office left unlocked during lunch/breaks and overnight | ||||
| 16 | Retired employee able to login | ||||
| 17 | Inventory control and access control policies not followed | ||||
| 18 | Record cabinets cannot be locked or are left unlocked | ||||
| 19 | Computers do not have latest software patches | ||||
| 20 | Unauthorized software discovered on corporate computers | ||||
| 21 | Default password still being used | ||||
| 22 | Laptops with sensitive data not encrypted | ||||
| 23 | Master login created by IT and used by offices | ||||
| 24 | Users can download data to USB drives | | | | |
Student Name: ISOL 533