CST 610 Proj 2
Manny4747
Project2SAR_Template-2231.docx
Project 2 – Assessing Information System Vulnerabilities and Risk
Security Assessment Report (SAR)
CST 610: Cyberspace and Cybersecurity Foundations
{Your Name}
[date]
Professor\– Section
University
SECURITY ASSESSMENT REPORT
TISTA Science & Technology CorporationScience and Technology
[Period of Assessment]
[Report Date]
SECURITY ASSESSMENT
1. Background
1.1 Purpose [Use the lead-in material from Project 2 “Start Here” and the project summary scenario to clearly focus the goal and purpose of the SAR]
1.2 Description of TISTA Science & Technology Corporation
1. Describe your company.
· Mission: To deliver the highest quality IT professional services and innovative solutions to the Federal, State, and Local government.
· TISTA Science & Technology Corporationa wide-range of services, including Application Engineering, Consulting, Cybersecurity, Data Science, Infrastructure, and Mobility support, in the Health, Defense, and Civilian sectors.
2. What is business sector and how does that effect your security?
· Science and Technology
·
3. How might the organizational structure of your company effect security?
1.3 Networks in TISTA Science & Technology Corporation
[Base the description of your network and the critical information systems you decide to include, on your work in Step 1.] Particularly as they apply to the company’s relational data base management system (RDBMS) here are areas and questions that you might include:
1. Provide network architecture diagrams for the local area network (LAN) and wide area network (WAN) for your company.
2. Indicate the critical information systems in these diagrams and explain their importance.
3. What external systems and users connect to your company?
4. Where is data at rest, in motion and in use?
5. Can you identify important system and network security boundaries and regions?
6. Discuss the security benefits and deficiencies of your chosen network design. (Include tables and diagrams as appropriate) [Your focus should be on the RDBMS and systems, connectivity, auditing, protection, such as encryption and access control, … related to the RDBMS applications]
2. Assessment Approach
[You have been asked whether the OPM breach could happen at your company. Describe the approach to your assessment based on the security posture of your company from the above description and the lab testing and comparing that to the threats encountered in the OPM breach.]
2.1 Approach
2.2 Review of the OPM Breach(s)
2.3 Relevance of OPM Breach(s) to [Your Company Name]
2.4 Completed or In Progress Assessments (i.e., simply identify your current and prior lab tests in this and prior classes and any prior SAR completed for this company. Do not include results here.)
2.5 Scope Covered in the Assessment (include why)
3. Assessment Results[footnoteRef:1] [1: For critical system(s), information, networks and interfaces to external systems and users.]
3.1 Insider Threats
|
Threat |
Synopsis |
Impact[footnoteRef:2] [2: Quantify or provide recent relevant examples or incidents of business, safety, health… impact.] |
|
|
|
|
|
|
|
|
|
|
|
|
3.2 External Threats
|
Threat |
Synopsis |
Impact2 |
Impact Level (H,M,L) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3.3 Vulnerabilities[footnoteRef:3] [3: Include results from all lab testing (e.g., network monitoring and assessment and prior OS assessments and password cracking assessments. Provide details including tools in Synopsis and Lab Reports in Appendices.]
|
Vulnerability |
Synopsis |
Impact2 |
Impact Level (H,M,L) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
4. Assessment Results
4.1 Rank Ordered Threats and Vulnerabilities (Most to Least Impact)
|
ID[footnoteRef:4] [4: ID: You may wish to label categories as S=System, N=Network, I=Interface, D=Data or Information and give number in each category (e.g., S1, S2, N1, D1) for unambiguous referencing.] |
Impact Level (H,M,L) |
Threat or Vulnerability1 |
Current Security Posture |
Deficiencies in Current Posture |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
5. Notes and Comments
______________________________ _________________
Principle Assessor Date
[Enter your name and date as would be done in a real SAR.]
Provide your summary list of references using proper APA format. (Remember: You must also use in-line citations with proper APA format throughout the report.)
APPENDICES
Place your lab report and screenshots here.
[The lab is to be treated as your specific testing and checking out of your company’s critical information systems and the topics you are writing about. It is not a theoretical exercise. Nor is it independent of and separate from our topic and scenario. Provide screenshots of the tools and results from your lab experiences, as well as answer any lab questions. Many students take the lab directions, eliminate everything but the section headings and questions and in each section write down what was asked for, what the results would show, how they relate to a topic in the main report, enter the screenshots obtained and point to or write out the specific key data result(s) within the screenshot.
Your specific insights, comparisons and results from the analysis of the lab data should be identified and used within the report and tables, above.
Note: A great tool for capturing your screenshots from the lab is MS SnipIt which is installed on MS Windows computers.]
Page 5 of 6
