Information Security Assignment
Title of Your Assessment
Your Name
Central Washington University
Date
Throughout this template, replace any blue text with the text for your report. The blue text is instructions. When you submit your report, all blue text should be removed.
Table of Contents
Executive Summary
  Overview of Assessment
  Identified Risks and Common Risk Themes
  Summary of Proposed Mitigation Activities
Risk Assessment Report
  Overview of Risk Assessment
  Risk Measurement Criteria
  Scope of Assessment
  Security Controls Assessed
  Areas of Concern (or Risks)
    Area of Concern (Replace this with an abbreviated version of the wording from Worksheet 10.)
  Risk Heat Map
  Risk Mitigation
    Risks to Accept
    Risks to Defer
    Risks to Transfer
    Risks to Mitigate
Reference List
OCTAVE Allegro Worksheets
OCTAVE Allegro Questionnaires
Executive Summary
Overview of Assessment
When the assessment took place, I interviewed the branch manager of the department of information. During the interview, the information asset we assessed was employees' account information. However, there was a limitation in the assessment process. The purpose of assessing employees' account information was to see what the chances are that the account information would be compromised.
Identified Risks and Common Risk Themes
There were some areas of concern that I discovered while the assessment was in progress. One of those concerns was that a disgruntled employee may release employee account information. Another concern was that a hacker may gain access to employee account information. Another area of concern was how they manage the employee accounts.
Summary of Proposed Mitigation Activities
The common approach when mitigating risk is to start with a basic assessment. A basic assessment can be something like evaluating the system settings that have been set by default, such as the type of encryption in use, whether the computer's hard drive encryption is enabled or disabled, whether the internet security settings are configured, etc. Those are the general things that need to be examined before deciding which security controls to implement on the computer system.
Risk Assessment Report
Overview of Risk Assessment
I used the OCTAVE Allegro methodology to help me get a better understanding of which areas to assess and what the potential impact on those areas would be. For example, Aneel provided me with information such as the percentages for worksheets 1 through 3 for the different levels of each impact area. Using the OCTAVE Allegro worksheets gave me better insight into what kinds of questions I could ask Aneel.
Risk Measurement Criteria
The following impact areas are what Aneel and I determined needed to be assessed: reputation and individual confidence, financial, and safety. For these areas, Aneel and I agreed that safety would be ranked number 4, which means that area is the most important. It is followed by individual confidence, which ranked number 4, the second most important. Reputation was ranked number 2, while financial was ranked number 1.
Scope of Assessment
I identified employees' account information as the information asset. The employee account information contains personal information. It also includes Social Security numbers, bank account and routing numbers, and credit/debit card information. In addition, for foreign workers, it includes their foreign addresses and foreign bank account information.
Security Controls Assessed
In the table below, state how you assessed each control and the results of the assessment. The identifiers are CIS Critical Security Control sub-controls; leave the assessment and results columns blank for any control that was not assessed.
Table 1. Security Control Assessment

Critical Security Control Identifier | Assessment of Security Control | Results of Assessment
CSC 1.1 | |
CSC 1.2 | |
CSC 1.3 | |
CSC 1.4 | |
CSC 1.5 | |
CSC 1.6 | |
CSC 2.1 | |
CSC 2.2 | |
CSC 2.3 | |
CSC 2.4 | |
CSC 3.1 | |
CSC 3.2 | |
CSC 3.3 | |
CSC 3.4 | |
CSC 3.5 | |
CSC 3.6 | |
CSC 3.7 | |
CSC 4.1 | |
CSC 4.2 | |
CSC 4.3 | |
CSC 4.4 | |
CSC 4.5 | |
CSC 4.6 | |
CSC 4.7 | |
CSC 4.8 | |
CSC 5.1 | |
CSC 5.2 | |
CSC 5.3 | |
CSC 5.4 | |
CSC 5.5 | |
CSC 5.6 | |
CSC 5.7 | |
CSC 5.8 | |
CSC 5.9 | |
Areas of Concern (or Risks)
Fully describe all areas of concern. You must describe at least 5 areas of concern using the header and bulleted statements below.
Area of Concern (Replace this with an abbreviated version of the wording from Worksheet 10.)
· Threat statement: Use a threat statement to describe the area of concern.
· Finding: Give an appropriately worded finding for the area of concern.
· Evidence: Give an appropriately worded list of evidence for the area of concern. You should describe which security control(s) is(are) not providing the needed protection or are absent.
· Impact: Provide an analysis of the impact upon the organization were the area of concern to be realized.
Risk Heat Map
Produce a heat map that shows the security posture of the organization. You should plot all Areas of Concern with the probability as the Y-axis and the Relative Risk Score as the X-axis. See the sample heat map for more guidance.
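The relative risk score plotted on the X-axis comes from Worksheet 10: for each impact area, the area's priority rank (from the Risk Measurement Criteria) is multiplied by the impact value (Low = 1, Moderate = 2, High = 3), and the products are summed. The script below is an added example, not part of the original report or of the OCTAVE Allegro materials: it computes that score, places each area of concern in a probability-by-score cell, and prints a text heat map. The impact-area priorities, the three sample areas of concern and their ratings are constructed data, and the thresholds used to split scores into low/medium/high bands are this example's own assumption rather than a rule from the method.

```python
"""Added example: OCTAVE Allegro relative risk score and a text heat map.

Not part of the original report. PRIORITIES, CONCERNS and their ratings are
constructed sample data; the score_band thresholds are an assumption of this
example, not an OCTAVE Allegro rule.
"""
from dataclasses import dataclass

# Worksheet 10 impact values: Low = 1, Moderate = 2, High = 3.
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}
PROBABILITIES = ("high", "medium", "low")   # heat-map rows, top to bottom (Y-axis)
BANDS = ("low", "medium", "high")           # heat-map columns, left to right (X-axis)

# Worksheet 7 impact-area prioritisation (constructed: 5 = most important, no ties).
PRIORITIES = {
    "safety and health": 5,
    "fines and legal penalties": 4,
    "reputation and customer confidence": 3,
    "productivity": 2,
    "financial": 1,
}


@dataclass(frozen=True)
class AreaOfConcern:
    ident: str
    description: str
    probability: str      # "low" | "medium" | "high"
    impacts: dict         # impact area -> "low" | "moderate" | "high"


def relative_risk_score(priorities, impacts):
    """Worksheet 10: sum over impact areas of (priority rank x impact value)."""
    if sorted(priorities.values()) != list(range(1, len(priorities) + 1)):
        raise ValueError("priorities must rank the impact areas 1..n with no ties")
    score = 0
    for area, rank in priorities.items():
        level = impacts.get(area)
        if level not in IMPACT_VALUE:
            raise ValueError(f"missing or invalid impact rating for {area!r}: {level!r}")
        score += rank * IMPACT_VALUE[level]
    return score


def score_band(score, priorities):
    """Bucket a score into thirds of its attainable range (assumed thresholds)."""
    total_rank = sum(priorities.values())
    low, high = total_rank * 1, total_rank * 3    # every area Low .. every area High
    third = (high - low) / 3
    if score <= low + third:
        return "low"
    if score <= low + 2 * third:
        return "medium"
    return "high"


def heat_map(concerns, priorities):
    """Map (probability, score band) -> list of concern identifiers in that cell."""
    cells = {(p, b): [] for p in PROBABILITIES for b in BANDS}
    for c in concerns:
        if c.probability not in PROBABILITIES:
            raise ValueError(f"{c.ident}: unknown probability {c.probability!r}")
        band = score_band(relative_risk_score(priorities, c.impacts), priorities)
        cells[(c.probability, band)].append(c.ident)
    return cells


def render_heat_map(cells):
    """Return the heat map as text: probability down the side, score band across."""
    header = "probability \\ score band | " + " | ".join(f"{b:^10}" for b in BANDS)
    lines = [header, "-" * len(header)]
    for p in PROBABILITIES:
        row = " | ".join(f"{','.join(cells[(p, b)]) or '-':^10}" for b in BANDS)
        lines.append(f"{p:>23} | {row}")
    return "\n".join(lines)


# Constructed sample areas of concern, loosely following the report's findings.
CONCERNS = [
    AreaOfConcern("AOC-1", "disgruntled employee releases account information", "medium",
                  {"safety and health": "low", "fines and legal penalties": "high",
                   "reputation and customer confidence": "high", "productivity": "low",
                   "financial": "moderate"}),
    AreaOfConcern("AOC-2", "external attacker gains access to account information", "high",
                  {"safety and health": "moderate", "fines and legal penalties": "high",
                   "reputation and customer confidence": "high", "productivity": "moderate",
                   "financial": "high"}),
    AreaOfConcern("AOC-3", "weak employee account management process", "low",
                  {"safety and health": "low", "fines and legal penalties": "moderate",
                   "reputation and customer confidence": "moderate", "productivity": "moderate",
                   "financial": "low"}),
]

if __name__ == "__main__":
    for c in CONCERNS:
        s = relative_risk_score(PRIORITIES, c.impacts)
        print(f"{c.ident}: score={s} band={score_band(s, PRIORITIES)} probability={c.probability}")
    print(render_heat_map(heat_map(CONCERNS, PRIORITIES)))
```

With five impact areas the attainable score range is 15 to 45, so the example's bands are 15-25, 26-35 and 36-45; if your Worksheet 7 uses a different number of areas the bounds adjust automatically, and the function rejects tied rankings because the score is only meaningful when every area has a distinct priority.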
Risk Mitigation
All Areas of Concern (aka risks) should be discussed in one of the following four paragraphs. The information you provide should match and expand upon the corresponding Worksheet 10s.
Risks to Accept
For the risks that will be accepted, discuss why the acceptance decision was made and who made the decision.
Risks to Defer
For the risks that will be deferred, discuss why the deferral decision was made and who made the decision. Also, indicate when the risk will be reevaluated.
Risks to Transfer
For risks that will be transferred, discuss how the transfer of risk will be made. Identify who made the decision to transfer the risk, when the transfer activities will take place, and when follow-up will occur to ensure the risk has been transferred.
Risks to Mitigate
For the risks that will be mitigated, discuss why the mitigation decision was made and who made the decision. For each risk that will be mitigated, produce a detailed list of activities that are necessary to properly mitigate the risk. For each activity, indicate the start and end date. Also, indicate who is responsible for completing the activity and when a follow-up assessment will be performed for the risk. Finally, describe the residual risk that the company will then accept after the mitigation efforts are complete.