CST 610 Proj 2
Project 2 – Assessing Information System Vulnerabilities and Risk
Risk Assessment Report (RAR)
CST 610: Cyberspace and Cybersecurity Foundations
{Your Name}
[date]
Professor – Section
University
RISK ASSESSMENT REPORT
TISTA Science & Technology Corporation
[Period of Assessment]
[Report Date]
RISK ASSESSMENT
[Note: Parts of the RAR will normally contain material found in the SAR. Feel free to reuse that SAR material, as is, here.]
1. Background¹ [from the SAR]
[Footnote 1: Reference Security Assessment Report for Background.]
1.1 Purpose [Use the lead-in material from Project 2 “Start Here” and the project summary scenario to clearly focus the goal and purpose of the SAR]
1.2 Description of TISTA Science & Technology Corporation
1. Describe your company.
· Mission: To deliver the highest quality IT professional services and innovative solutions to the Federal, State, and Local government.
· TISTA Science & Technology Corporation provides a wide-range of services, including Application Engineering, Consulting, Cybersecurity, Data Science, Infrastructure, and Mobility support, in the Health, Defense, and Civilian sectors.
2. What is your business sector and how does that affect your security?
· Science and Technology
3. How might the organizational structure of your company affect security?
1.3 Networks in TISTA Science & Technology Corporation
[Base the description of your network and the critical information systems you decide to include on your work in Step 1.] Particularly as they apply to the company’s relational database management system (RDBMS), here are areas and questions that you might include:
1. Provide network architecture diagrams for the local area network (LAN) and wide area network (WAN) for your company.
2. Indicate the critical information systems in these diagrams and explain their importance.
3. What external systems and users connect to your company?
4. Where is data at rest, in motion and in use?
5. Can you identify important system and network security boundaries and regions?
6. Discuss the security benefits and deficiencies of your chosen network design. (Include tables and diagrams as appropriate) [Your focus should be on the RDBMS and systems, connectivity, auditing, protection, such as encryption and access control, … related to the RDBMS applications]
2. Risk Assessment Approach
2.1 Risk Assessment Methods
| Method | Synopsis |
|---|---|
| | |
| | |
| | |
2.2 Model(s) and Method(s) Employed
Include:
· Reference standards and industry best practices, models and methods employed.
· Diagrams and/or tables showing risks will be presented for executives and others
· How risks will be quantified
· The probabilities of insider and external threats occurring and the probabilities of them being successful incidents relative to technical and physical vulnerabilities to critical system(s), information, networks and interfaces to external systems and users.
· The business impact of the threats.
3. Assessment Results¹,²
[Footnote 2: For critical system(s), information, networks and interfaces to external systems and users. Reference Security Assessment Report for threats and vulnerabilities.]
3.1 Insider Threats
| Threat¹ | Synopsis | Impact | Probability |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
3.2 External Threats
| Threat¹ | Synopsis | Impact | Probability |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
3.3 Vulnerabilities
| Vulnerability¹ | Synopsis | Impact | Probability |
|---|---|---|---|
| | | | |
| | | | |
| | | | |
4. Assessment Results
4.1 Rank Ordered Risk Levels (Highest to Lowest)
| ID³ | Risk Level | Threat or Vulnerability¹ | Current Security Posture | Potential Security Measures | Estimated Cost of Each |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
[Footnote 3: ID: You may wish to label categories as S=System, N=Network, I=Interface, D=Data or Information and give a number in each category (e.g., S1, S2, N1, D1) for unambiguous referencing.]
4.2 Plan of Action with Interim Milestones (POAM)
[Summarize your recommended high-level plan of action to remedy your findings in the order to be addressed in the table.]
| Risk ID³ | Risk Level | Threat or Vulnerability¹ | Recommended Security Measure | Estimated Cost | Risks Involved in Implementation |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
5. Notes and Comments
______________________________ _________________
Principal Assessor Date
SUMMARY OF REFERENCES
Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)
Page 5 of 7