5/7/2014
North Lawndale Employment Network (NLEN)
Information Security Risk Assessment
Completed by:
Phillip Lai
Joseph Marchis
Taishaun Owens
Michelle Witcher
Table of Contents
Executive Summary ............................................................... 2
Body of Report
Sections
A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards ........... 7
B. Internet Protocol Cameras (IP Cameras) ....................................... 8
C. Server Equipment Security .................................................... 8
D. Access Controls ............................................................. 10
E. Wi-Fi Access ................................................................ 11
F. Copier Machine .............................................................. 12
G. Inventory ................................................................... 12
H. Disaster Recovery ........................................................... 14
I. Device (Checkout Program) ................................................... 15
J. Record Files (Paper Documents) .............................................. 15
References ..................................................................... 17
Appendices ..................................................................... 18
EXECUTIVE SUMMARY
May 7, 2014
The team's task was to assess security at North Lawndale Employment Network (NLEN) in order
to reduce the vulnerability of client information to a possible breach. The areas of particular
focus are access control, access security, and training controls. A further goal was to identify
current risks that may expose NLEN and to propose solutions that will support NLEN's business
purpose and the safety of its clients, employees, and volunteers. NLEN presented a few questions
regarding its current practices involving staff who access sensitive client information: are NLEN
employees currently following the policies and procedures that have been put in place to protect
the client's data? This initial risk assessment is based on the team's findings of security
vulnerabilities at NLEN. The visits were conducted on April 3rd and 10th, 2014, each
approximately 90 minutes in length. Each visit consisted of a walk-through tour of NLEN, brief
introductions, and a session of questions and answers with Daniel Rossi, NLEN; Brian Franklin
and Bashir Muhammad of Net-Intelligence Group (NTG); and team members.
Currently, NLEN accepts credit card payments for items purchased in person and from the
"Sweet Beginnings" website (SBW). It was brought to our attention that NLEN was unsure whether
it met Payment Card Industry (PCI) Data Security Standard (DSS) standards.1 In accordance
with PCI DSS, all organizations should implement PCI DSS into business as usual (BAU)
activities as part of the entity's overall security strategy. The Qualitative Value to establish
this recommended control is Very High; without this standard, NLEN could face lawsuits,
insurance claims, cancelled accounts, fines from payment card issuers and/or government fines.
More specific details are found in Section A, page 7.
Because NLEN accepts credit card payments for items from the SBW and in-person transactions,
it is required to monitor the areas where credit cardholder data devices are used. As indicated
above, NLEN is unsure of the PCI DSS standards. The Team noticed there were no Internet Protocol
(IP) cameras or closed circuit television (CCTV) cameras present in the facility when the
walk-through was conducted. The Qualitative Value to establish this recommended control is High,
due to the cardholder devices in use at the NLEN facility. More specific details are found in
Section B, page 8.
Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in
determining whether a company can still function after serious disruptions to the organization's
connectivity. One can never predict a natural or man-made disaster, so it is imperative that a
DRP is created.2 We recommend implementing a DRP; upon completion, the plan should ensure
correctness of procedures so that all staff members know their designated roles for protection
within the facility. The Qualitative Value to establish this recommended control is High, due to
the possible loss of the entire network from an outbreak of fire and/or a natural disaster. The
cost to implement a DRP depends on the items required to support the facility. More specific
details are found in Section H, page 14.
1 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13
2 NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions
The basement floor contains a room where the server equipment is located. It was noticed that
the door to the server room is often kept unlocked for the sake of simplicity, to avoid constantly
opening and closing the door, since the room contains various other items. Leaving a multi-use
room that houses the network server unlocked is not good practice. Due to the lack of available
space in the facility, a recommended solution would be to better protect the key and never leave
it unattended. Access should be granted to Daniel and another responsible staff member who would
be available during Daniel's absence. The Qualitative Value to establish this recommended
control is Very High due to the possible compromise of the entire network. There is no
additional cost to implement this policy with the existing operating system in use.
Furthermore, since this is a multi-use room, the server equipment should be enclosed in a secure
cabinet to prevent unauthorized access to the equipment. The cost for a server cabinet is
$351.00 at Staples. More details are found in Section C, page 8.
Staff members walking away from their computers or on break are not locking or logging off
their computers. With uncontrolled access throughout the facility, anyone may access the network
and/or sensitive data from an unlocked, unattended computer. This practice is not in accordance
with NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66
Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).3 The remedy is to add
an automatic lock on users' computers after 5 minutes of non-use. A policy and training can also
be implemented to ensure that users lock their computers when they are not in use. Although this
does not completely prevent unauthorized access, it does minimize the risk. This recommendation
should be implemented on laptops as well. Additionally, periodic training regarding safe
practices and security for all staff members is recommended. The Qualitative Value to establish
this recommended control is Very High due to the possible compromise of sensitive data by an
unauthorized user. There is no additional cost to implement this policy with the existing
operating system in use. More specific details are found in Section D, page 10.
Official visitors and volunteers who require computer use share staff computers and logins.
This is not in accordance with NLEN policy as indicated by the Director of NLEN, and PCI DSS4
requires that all users be assigned a unique ID before being allowed to access system
components. All visitors who require computer use should have a specific logon with internet
access only. Logons for visitors can be created through the control panel on computers
designated for client use, restricted to internet use only, rather than using staff computers
that have access to sensitive data. Additionally, all clients share one logon; this is an unsafe
practice. If there are issues with a user it is difficult to determine who may have caused the
issue. Each client should have their own individual logon, which can be created through the
existing Windows Server 2003 Active Directory. The Qualitative Value to establish this
recommended control is Very High due to the possible compromise of sensitive data through
unauthorized access. There is no additional cost to implement this policy with the existing
operating system in use. More details are found in Section D, page 10.
3 NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule
4 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64
The NLEN network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is
accessible to staff, clients, and visitors to the NLEN facility. This exposes the network to
threats, such as malware, that may exist on the various connected devices. The recommended
action is to disable USB access on all computers to eliminate unauthorized extraction of data
and possible infection of the network. The Qualitative Value to establish this recommended
control is High. If USB access is required, it should be available on one designated computer
(Daniel's) to control the upload and/or download of data. There is no additional cost to
implement this policy with the existing operating system in use. More details are found in
Section E, page 11.
Organizational devices (laptops and tablets) that are available for use outside the facility may
contain sensitive data. The devices are returned after use so that they can be checked out again.
The procedures followed when a device is returned are unclear. The recommended solution is that
devices, upon return, be checked for functional capability. Users should not be given full access
on the devices, only user-level access. This prevents loading of unauthorized software on the
laptops or tablets. Maintenance of the devices should be the same as for the desktop computers,
i.e. updates, patches, and virus protection. If a laptop ever needs to replace a desktop, this
can then be completed without delay. The Qualitative Value to establish this recommended control
is Very High. There is no additional cost to implement this policy with the existing operating
system in use. More details are found in Section I, page 15.
Several boxes located throughout the facility contain files which NLEN must retain for a period
of 7 years. The boxes are not secured and do not prevent unauthorized access and/or removal from
the facility. The best recommended option is to secure the files in lockable file cabinets.
Given the tight layout of the facility and the lack of space for new equipment, an alternate
method is also recommended: all boxes should be sealed with wide packaging tape along all seams
and the top, with a signature affixed across the top so that opening the box requires breaking
the seal. A log should be created for and attached to each box to manage access to it. The
Qualitative Value to establish this recommended control is High. The cost varies depending on
the option selected. The best recommended option costs $300.00 for a four-drawer vertical file
cabinet at Staples. The alternate recommended option, wide packaging tape, costs $11.00 for a
pack of 6 rolls at Staples. More details are found in Section J, page 15.
The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard
drive. Just as the hard drive in a computer stores data, the hard drive in a copier stores
images of the documents copied on the machine. The hard drives should be recycled by the vendor.
This is a HIPAA5 requirement when sensitive data stored within an organization must remain
confidential. Ensure the copier vendor has a strict HDD6 recycling policy in place and ask them
to review the policy with you. The Qualitative Value to establish this recommended control is
Very High. If the vendor already has this procedure in place, there is no cost. More details are
found in Section F, page 12.
The last risk is the inventory of desktops, laptops, and tablets in the facility. When asked
"how is the equipment recorded physically", NLEN had no answer. Currently there is no inventory
of the make, model, serial number, etc., of equipment. We recommend starting an inventory of all
desktops, laptops, and tablets in the facility. The inventory list identifies the location and
responsible users, which aids in maintaining and upgrading equipment. The Qualitative Value to
establish this recommended control is High. More details are found in Section G, page 12.
This is an initial risk assessment report of the NLEN facility. The overall level of risk is
Very High, because PCI DSS standards were not found to be in place. "The PCI DSS security
requirements apply to all system components included in or connected to the cardholder data
environment. The cardholder data environment (CDE) is comprised of people, processes and
technologies that store, process, or transmit cardholder data or sensitive authentication data.
"System components" include network devices, servers, computing devices, and applications."7
Examples of system components are:
Server room network equipment
Sweet Beginnings Website
Data Center Servers
Connectivity to NTG
Wi-Fi access points
Network operating system
Once NLEN has established PCI DSS standards, many other risks will also be resolved.
5 Health Insurance Portability and Accountability Act
6 Hard Disk Drive - a data storage device used for storing and retrieving digital information
7 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
Body of Report
A. Payment Card Industry Data Security Standard Standards
The Payment Card Industry (PCI) Data Security Standard (DSS) is a requirement for all
organizations that process credit card transactions; they are required to implement PCI DSS as
business as usual within their organization. Currently NLEN accepts payment via credit card for
item(s) from the Sweet Beginnings Website (SBW). During the visit a team member made an
in-person purchase from SBW with a credit card. The team noticed no cameras present in the
location where the transaction took place. The Team also noticed that SBW is not a secure site,
which would be reflected by https in the browser address bar; SBW shows http, which indicates a
non-secure site.
An organization without PCI DSS standards is vulnerable in many ways. To ensure that NLEN meets
the scope of the requirements, all locations and flows of cardholder data must be identified and
included in the PCI DSS scope. The following should be considered to ensure the accuracy and
appropriateness of the PCI DSS scope:
Identify and document the locations within the NLEN facility where cardholder data will be
used; these locations form the NLEN CDE. Ensure no cardholder data exists outside the
designated NLEN CDE areas.
After identifying the location(s) where cardholder data will be used, verify that the area is
appropriate for PCI DSS use.
All cardholder data should be in the scope of the PCI DSS assessment and part of the CDE.
Retain all documentation that supports the scope determination for assessor review and/or for
reference for the next annual confirmation and continuity purposes.8
The Qualitative Value for this risk is Very High, because NLEN is not meeting the PCI DSS
standards at this time. The Team has determined that once NLEN has met the PCI DSS standards,
many other risks identified in this report will also be addressed, such as:
Internet Protocol Cameras
Server Room
Server Equipment
Access control
Disaster Recovery Plan
Copier Machine
8 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
B. Internet Protocol (IP) Cameras
The PCI DSS standards are imperative for all businesses that accept credit cards. The facility is
vulnerable to someone skimming from the credit card machine. Sections9 of the PCI DSS manual
state in multiple places that there should be monitoring controls in sensitive areas; this can be
anything from the server room and the locations where cardholder data is used (where data
travels through, the most critical parts of the infrastructure) to anything that processes
sensitive information. Their guidance is similarly informative in explaining how culprits avoid
detection by avoiding the various ways of incriminating themselves. The areas of concern in the
NLEN facility are the server room and the designated location(s) where cardholder transactions
take place. The Qualitative Value to establish this recommended control is High. The Team
recommends installing cameras as the monitoring medium to minimize the risk.
Video cameras and/or access control mechanisms should be used to monitor individual physical
access to sensitive areas. NLEN should focus on the long-term effect of monitoring for
vulnerabilities.10 The ease of access to the credit card machine and the server room should not
be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as
gaining access to the server room and installing a backdoor on the network. Monitoring
individual physical access to sensitive areas with video cameras and/or access control
mechanisms minimizes the risk. It is good practice to conduct frequent network monitoring when
possible.11 This control is a recommended PCI DSS standard action. The Qualitative Value to
establish this recommended control is High.
C. Server Equipment
The server room houses materials and equipment used daily by staff members and clients who work
with Sweet Beginnings. It contains the equipment for the internet connection from NLEN to the
Data Center, along with coffee supplies and various other items. Given the constraint of
unavailable space, this room should remain locked at all times. There are two issues. One is
that the key to this room is kept in an office on the main floor (Daniel's office). The key is
left unattended when this office is empty, so anyone may enter, remove the key and thus access
the server room. The other is that the Team was advised the door is often left open for the
sake of simplicity, to avoid constantly opening and closing it, because others may need entry at
any given time. The Qualitative Value to establish this recommended control is High.
9 PCI DSS; Section 9.1 and 9.1.1.
10 PCI DSS; Section 11.2.1.
11 PCI DSS; Section 11.2.1.
The table above details the risk of the server room not having secure access and the
recommended control for ensuring that access to the server room is limited.
The protection of the network equipment from unauthorized access, in accordance with PCI DSS
standards, is an issue as well. The network equipment is the backbone of the network; it is the
point of entry and exit for all traffic, and any disruption to this equipment will cause loss of
the network. The equipment should be secured at all times to prevent disruptions. Disruptions
include unplugging the equipment, removal of any one item, fire, water, and tampering by an
authorized person. Tampering can be the connection of a key logger,12 theft of internet
bandwidth,13 introduction of a virus, or other malicious action. The possibilities are endless
if one wishes to disrupt or tamper with the network. Additionally, leaving the equipment exposed
in an unrestricted room leaves it open to someone connecting unauthorized equipment, whether
unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made
without any disruption to the network. The equipment is generally reliable and does not require
changes, and therefore may be left unattended for long periods of time. Without an IT technician
onsite, no one may know if or when the equipment has been tampered with. Again, given the
constraints of available space in the facility, it is necessary to secure the equipment in a
manner which prevents exposure to unauthorized personnel.
The Team further recommends the following actions to secure the equipment in a PCI-certified
server rack/cabinet, which will prevent unauthorized access to the equipment. The equipment
should also be connected to an Uninterrupted Power Source (UPS) to prevent loss of the network
if a power outage is experienced. The recommended control for the server room key is to issue
keys only to authorized staff. We recommend issuing a key to Daniel and two other designated
staff members who would be available when Daniel is not present. The key should not be left out
on display, to prevent others from taking it. When access to this room is needed, one of the
authorized staff members should escort the individual(s) to the room and remain with them the
entire time the room is open. When the business in the server room is finished, it should be
locked and remain so at all times.
Required Items              Manufacturer/Model       Item Number   Cost
Enclosure Server Cabinet    Tripp Lite/SRW12US       IMIY96346     $319
Uninterrupted Power Source  APC Smart-UPS/SMT1500    849858        $467
12 Key logger: a program, commonly stored on a USB device, that records all information typed on a system; it
can be used to obtain log-in credentials (users and their passwords) and credit card information.
13 Bandwidth: the speed at which data transfers across the network.
Total estimated cost of completion: $786
D. Access Controls
Access controls govern who may use the resources throughout the facility. Numerous unsafe
practices were observed on the tour of the facility: staff members willingly logging on to
computers for volunteers, and volunteers accessing clients' information with staff logons. This
is not in accordance with NLEN policy as indicated by the Director of NLEN, and with PCI DSS.14
Staff should not share their logons with anyone. Each staff member should have their own
individual logon for their own use. When staff leave their computer they should ensure they lock
the terminal every time. A computer left unlocked gives access to the network, which contains
sensitive personal data that should be protected by all means in accordance with HIPAA Security
Awareness and Training (§ 164.308(a)(5)).15
Volunteers and/or visitors who require access to a computer should have their own individual
logon. No two people should have the same logon. Only staff employees should have access to the
shared S drive. The access for volunteers/visitors can be restricted to a limited period of time
in addition to being restricted to internet use only. Are the volunteers authorized, or do they
have a need to know clients' personal sensitive information? Currently one logon is assigned to
all clients. With all clients sharing the same logon, if there is malicious action on the network
there is no way to identify who committed it. Just as all others in the facility, each client
should have their own individual logon for in-house internet access. The recommended control is
to create individual logons for all volunteers, visitors, and clients. Volunteers, visitors and
clients may have access to the same in-house internet access, leaving only staff with access to
the sensitive shared S drive, as directed by the NLEN Director.
To provide individual logons for clients, volunteers, and visitors for in-house internet access,
use the Windows 2003 Server R2 currently located in the server room at the NLEN Flournoy office.
A person with administrative access will be able to create the logons in Active Directory for
clients, volunteers, and visitors.
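As an added example (not part of the NLEN report or of NTG's work), the following PowerShell script creates one individual, time-limited logon per visitor or client on the Windows Server 2003 domain controller, using the dsquery and dsadd tools that ship with Server 2003. The domain name nlen.local, the OU "Visitors" and the group "Internet Only Users" are assumptions and must be replaced with the real directory names.

```powershell
# Added example, not from the NLEN report: create an individual, expiring
# domain logon for one visitor or client with the Windows Server 2003
# directory tools (dsquery/dsadd). Run on the domain controller as a user
# with rights to create accounts in the target OU.
# ASSUMPTIONS: domain nlen.local, an OU named "Visitors", and a group
# "Internet Only Users" whose members get internet access but no rights on
# the staff S: share. Replace these with the real names before use.
param(
    [Parameter(Mandatory=$true)][string]$FirstName,
    [Parameter(Mandatory=$true)][string]$LastName,
    [int]$DaysValid = 7   # visitors expire after a week; give clients a longer value
)

$domainDN  = "DC=nlen,DC=local"                             # assumption
$targetOU  = "OU=Visitors,$domainDN"                        # assumption
$groupDN   = "CN=Internet Only Users,CN=Users,$domainDN"    # assumption
$upnSuffix = "nlen.local"                                   # assumption

# Logon name: first initial + last name, lower case, letters/digits only,
# at most 20 characters (the pre-Windows 2000 logon name limit).
$sam = (($FirstName.Substring(0, 1) + $LastName) -replace '[^A-Za-z0-9]', '').ToLower()
if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

# One person, one logon: refuse to reuse a name that already exists.
$existing = & dsquery user -samid $sam 2>$null
if ($existing) {
    Write-Error "A logon named '$sam' already exists; pick a different name."
    exit 1
}

# Random temporary password; the account is flagged so the person must
# change it at first logon, so nobody else ever knows their password.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Web")
$tempPassword = [System.Web.Security.Membership]::GeneratePassword(12, 3)

$userDN = "CN=$FirstName $LastName,$targetOU"
& dsadd user $userDN `
    -samid $sam `
    -upn "$sam@$upnSuffix" `
    -fn $FirstName -ln $LastName `
    -display "$FirstName $LastName (visitor)" `
    -pwd $tempPassword `
    -mustchpwd yes `
    -acctexpires $DaysValid `
    -memberof $groupDN
if ($LASTEXITCODE -ne 0) {
    Write-Error "dsadd failed (exit code $LASTEXITCODE); account not created."
    exit 1
}

Write-Output "Created logon '$sam' in $targetOU; it expires in $DaysValid day(s)."
Write-Output "Temporary password (hand to the person in private): $tempPassword"
```

Because every visitor, volunteer and client gets a distinct account that expires on its own, the domain's security log can attribute any action to one person, which the shared client logon described above cannot do.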
To help further reduce the unsafe practices, the Team recommends security training for all staff
members. The training should consist of the following:
Importance of securing the facility for their own physical security.
Importance of safeguarding the clients' sensitive data.
Importance of always locking their computers when away.
Importance of the network equipment in the server room.
Importance of knowing who is and is not authorized to access the network.
Required reading of the NLEN policy provided at the beginning of employment.
Importance of secure and safe practices overall.
14 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
15 NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule.
The use of NLEN laptops and tablets requires monitoring and periodic maintenance. These devices,
which connect to the NLEN network, should meet the same requirements for software updates,
patches, and anti-virus as the desktop computers on the network. These devices are periodically
connected to the NLEN network via remote access. Failing to check these devices after use leaves
clients' sensitive data exposed and opens the network to viruses and other malicious actions.
These devices should not be issued with full user access, consistent with the desktop computers,
to prevent the download of unauthorized software onto the network.
Disabling USB drives on all computers on the NLEN network is good and secure practice. USB
drives allow unauthorized download of sensitive data, unauthorized upload of unauthorized
software, and connectivity of unprotected devices.
Upon return of a device after use, it should be cleared of all data to prevent unauthorized
access to sensitive data. The Team recommends that USB drives be disabled on all computers that
attach or may attach to the NLEN network.
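As an added example (not part of the NLEN report), the script below applies the two workstation controls this section and the executive summary call for, the 5-minute screen lock with a password on resume and the disabling of USB mass storage, and then reads the settings back so the result can be recorded per computer. It uses the standard Windows registry policy keys for both; the -KeepUsbStorage switch is for the single designated computer that is allowed to keep USB access. Deploying the same values through Group Policy is an assumption about the site's tooling and is not done by this script.

```powershell
# Added example, not from the NLEN report: apply and verify two workstation
# controls from Section D on the computer this runs on:
#   1. lock the screen after 5 minutes of inactivity (password required to resume)
#   2. disable the USB mass-storage driver (USBSTOR) so thumb drives cannot mount
# Run from an elevated PowerShell session on each NLEN computer. The screen-lock
# policy is written for the currently logged-on user (HKCU); to cover every
# account at once, set the same values with Group Policy instead (assumption
# about the site's management tooling; this script does not configure GPOs).
param(
    [switch]$KeepUsbStorage   # use only on the one designated computer (Daniel's)
)

$IdleSeconds = 300    # 5 minutes, the report's recommended timeout

$lockPolicyKey = "HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
$usbStorKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"

function Set-ScreenLockPolicy {
    param([int]$Seconds)
    if (-not (Test-Path $lockPolicyKey)) { New-Item -Path $lockPolicyKey -Force | Out-Null }
    # Values are REG_SZ strings in this key; "1" = enabled.
    Set-ItemProperty -Path $lockPolicyKey -Name ScreenSaveActive    -Value "1"
    Set-ItemProperty -Path $lockPolicyKey -Name ScreenSaverIsSecure -Value "1"   # require password
    Set-ItemProperty -Path $lockPolicyKey -Name ScreenSaveTimeOut   -Value "$Seconds"
}

function Test-ScreenLockPolicy {
    param([int]$MaxSeconds)
    $p = Get-ItemProperty -Path $lockPolicyKey -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $false }
    return ($p.ScreenSaveActive -eq "1" -and
            $p.ScreenSaverIsSecure -eq "1" -and
            [int]$p.ScreenSaveTimeOut -le $MaxSeconds)
}

function Set-UsbStorage {
    param([bool]$Enabled)
    # The USBSTOR service key exists once any USB disk has ever been attached;
    # if it is absent there is nothing to disable yet.
    if (-not (Test-Path $usbStorKey)) { return }
    # Start = 3 (manual, the default) loads the driver on demand; 4 = disabled.
    $start = if ($Enabled) { 3 } else { 4 }
    Set-ItemProperty -Path $usbStorKey -Name Start -Value $start -Type DWord
}

function Test-UsbStorageDisabled {
    if (-not (Test-Path $usbStorKey)) { return $true }   # driver never installed
    $s = Get-ItemProperty -Path $usbStorKey -ErrorAction SilentlyContinue
    return ($s.Start -eq 4)
}

# --- apply ---------------------------------------------------------------
Set-ScreenLockPolicy -Seconds $IdleSeconds
Set-UsbStorage -Enabled:$KeepUsbStorage

# --- verify and report, so the result can be filed with the inventory -----
$lockOk = Test-ScreenLockPolicy -MaxSeconds $IdleSeconds
$usbOk  = if ($KeepUsbStorage) { -not (Test-UsbStorageDisabled) } else { Test-UsbStorageDisabled }
Write-Output ("{0}  {1}  screen-lock <= {2}s: {3}  USB storage {4}: {5}" -f
    (Get-Date -Format "yyyy-MM-dd HH:mm"), $env:COMPUTERNAME, $IdleSeconds,
    $(if ($lockOk) { "PASS" } else { "FAIL" }),
    $(if ($KeepUsbStorage) { "allowed" } else { "disabled" }),
    $(if ($usbOk) { "PASS" } else { "FAIL" }))
```

Disabling USBSTOR blocks only mass-storage devices, so USB keyboards and mice keep working; a thumb drive plugged in afterwards simply does not mount.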
E. Wi-Fi Access
The NLEN network is supported by Wi-Fi connectivity throughout the facility. This network should
be secured. The password for this access point should only be given to authorized users of the
NLEN network (staff). Volunteers, clients, and visitors should not be given this access. If this
password becomes known to volunteers and clients, the NLEN network will be less secure. Those
who access the network with personal devices may introduce vulnerabilities present on those
devices, such as viruses or malware. The Qualitative Value to establish this recommended control
is High. There are no additional costs to implement this policy with the existing operating
system in use.
We recommend that the network password be changed. The password should be known only to the NTG
technicians and designated IT staff members. An alternate network (guest network) could be
created to allow those who wish internet access on their personal devices. The guest network can
be accessible to clients, volunteers, and visitors.
F. Copier Machine
The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive
(HDD). The HDD is capable of storing many images of documents duplicated by the copier. Again,
more sensitive data is exposed to unauthorized access. During the questioning session, the
vendor's current practices were unknown. The Team recommends checking with the vendor and
inquiring about the security measures the vendor takes to keep NLEN's information secure. The
Qualitative Value to establish this recommended control is High.
The table above details the risk that sensitive data duplicated by the copier machine may not be
secure, and the recommended control to ensure that the data retained in the copier is secure.
G. Inventory
The accountability of equipment is unknown. Daniel advised us that he is unaware of any
inventory of the network equipment. If there is loss of equipment or a burglary in the facility,
how will you know how many and which items were taken? The Team recommends creating a small
property inventory of all network equipment. This inventory should be updated whenever there is
a change of equipment and/or staff. The Qualitative Value to establish this recommended control
is High, due to the lack of accountability for NLEN equipment within the facility. There is no
additional cost to implement this policy. A recommended log example follows.
Room _______
ITEM    MANUFACTURER    MODEL    SERIAL#    MAC ADDR    USER    DATE
Signature of Supervisor/Manager: _________________________________________________
Above is an example of a small property inventory.
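As an added example (not from the NLEN report), this PowerShell script fills one row of the inventory log above from the computer it runs on, querying WMI for manufacturer, model, serial number, MAC address and logged-on user, and appends the row to a shared CSV, refusing duplicates by serial number. The inventory path S:\IT\inventory.csv on the staff-only S drive is an assumption; Get-WmiObject is used so the script also runs on the older Windows releases in service in 2014.

```powershell
# Added example, not from the NLEN report: fill one row of the Section G
# small-property inventory (item, manufacturer, model, serial #, MAC address,
# user, date) from the computer this runs on, and append it to a shared CSV.
# Uses Get-WmiObject so it also works on the older Windows releases in use
# in 2014. ASSUMPTION: the inventory file lives on the staff-only S: drive at
# the path below; change it to the real location.
param(
    [string]$Room      = "unknown",
    [string]$Inventory = "S:\IT\inventory.csv"   # assumed location
)

function Get-InventoryRow {
    param([string]$Room)
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    # Use the first adapter that has an IP address; desktops usually have one NIC.
    $nic  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.MACAddress } |
            Select-Object -First 1
    # Chassis type tells desktop from portable (SMBIOS enclosure codes:
    # 8 portable, 9 laptop, 10 notebook, 11 hand held, 14 sub notebook,
    # 30 tablet, 31 convertible, 32 detachable).
    $chassis  = [int](Get-WmiObject -Class Win32_SystemEnclosure).ChassisTypes[0]
    $portable = @(8, 9, 10, 11, 14, 30, 31, 32)
    $item = if ($portable -contains $chassis) { "Laptop/Tablet" } else { "Desktop" }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Room         $Room
    $row | Add-Member NoteProperty Item         $item
    $row | Add-Member NoteProperty Manufacturer (("" + $cs.Manufacturer).Trim())
    $row | Add-Member NoteProperty Model        (("" + $cs.Model).Trim())
    $row | Add-Member NoteProperty SerialNumber (("" + $bios.SerialNumber).Trim())
    $row | Add-Member NoteProperty MacAddress   $(if ($nic) { $nic.MACAddress } else { "" })
    $row | Add-Member NoteProperty Hostname     $cs.Name
    $row | Add-Member NoteProperty User         $cs.UserName          # DOMAIN\user logged on
    $row | Add-Member NoteProperty Date         (Get-Date -Format "yyyy-MM-dd")
    return $row
}

function Add-InventoryRow {
    param($Row, [string]$Path)
    $lines = $Row | ConvertTo-Csv -NoTypeInformation
    if (Test-Path $Path) {
        # Refuse to add a duplicate: the serial number identifies the asset.
        $known = Import-Csv $Path | Where-Object { $_.SerialNumber -eq $Row.SerialNumber }
        if ($known) {
            Write-Warning "Serial $($Row.SerialNumber) is already in the inventory; not added."
            return $false
        }
        $lines | Select-Object -Skip 1 | Add-Content -Path $Path   # data row only
    } else {
        $lines | Set-Content -Path $Path                           # header + first row
    }
    return $true
}

$row = Get-InventoryRow -Room $Room
if (Add-InventoryRow -Row $row -Path $Inventory) {
    $row | Format-List
}
```

Running it once per desktop, laptop and tablet yields the make, model and serial list the report says is missing, and the MAC address column lets the same list be checked against what is actually seen on the network.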
H. Disaster Recovery Plan
Disaster planning plays a crucial role in determining whether a company can still function after
serious disruptions to the organization's connectivity. One can never predict a fire or water
disaster, so it is imperative that a Disaster Recovery Plan is developed.
NIST 800-30 Appendix F, page F-2, would define this vulnerability as high based on the exposure
and ease of exploitation. Note that a contingency plan such as Disaster Recovery is a HIPAA
Standard Contingency Plan (§ 164.308(a)(7))45. All organizations must meet the standards or face
penalties for violations. The table below, which can be found in NIST SP 800-66r1, is a standard
table for implementing policies that respond to an occurrence such as fire, water, natural
disaster, or vandalism.
Implementation of this standard can take from a couple of weeks to about a month or two. Using
the table questions below as samples is as good a place to start as any. It is important to ask
these questions of oneself to see where information is lacking. From there you can add
preemptive measures in the areas where NLEN is lacking.
HIPAA Table 4.7 Contingency Plan
HIPAA recommended steps aid in developing a Disaster Recovery Plan.
I. Device (Checkout Program)
A laptop rental program is available to staff members and clients to accomplish their work
off-site. It was noted that there has been loss of control of devices from this program which
cannot be accounted for. This program is vital and necessary to clients and staff alike.
Although it is a necessary program, measures should be taken to secure the safekeeping of the
equipment, or the program will cease if all the equipment is lost. The Qualitative Value of this
risk is rated High due to the possibility of device(s) not being returned.
It is understood that this program exists for the clients and is vital to success in the U-Turn
program. Eliminating this program could be critical to both clients and staff. The Team
recommends re-evaluating the program with procedures that support the clients and maintain the
safekeeping of the devices.
J. Record Files (Paper Documents)
On a daily basis, new and existing clients who come into NLEN hoping to enroll in the U-Turn
program enter their information on a document sheet. The document contains sensitive
information such as their Social Security Number (SSN), address, family members, background
history, education, status, etc. These documents are then placed into storage boxes for
accessibility. The files are later entered into a computer by volunteers and staff members,
where they can be reviewed for further use. This is concerning because it is a red flag16 due to
the vulnerability17 of files going missing, which has a real likelihood of occurrence.18 Client
information kept in stored boxes tends to be accessible to anyone on the work site (possibly
including the clients), and could be harmful to clients and assets. The method of storing
information must be changed for privacy and protection purposes.
A proposed solution would be securing the files in containers such as locking file cabinets to
minimize access. The alternate method would be to simply seal the file boxes with wide tape on
the top and all seams. Both solutions would require someone to administer a log with a sign-out
process recording which files are checked out. Records would thus be dated, recorded, and
guarded by whoever last accessed a file. This would mitigate the vulnerability of identity theft
(red flag) in the work environment. The option of locked file cabinets makes it easy to store
and organize previous client records and files by dating each file by year; since the number of
client records varies from year to year, it would be ideal to have an efficient process for
obtaining information on a given client. With an organized method in place, documents are easily
identified when shredding is required.
16 The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention
Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.
(http://www.business.ftc.gov/privacy-and-security/red-flags-rule).
17 An existing weakness in the work flow of internal controls, or in implementations, that could be exploited by
a threat source. (refer: NIST SP 800-30 p. 9 Chapter 2, Vulnerabilities and Predisposing Conditions).
18 Likelihood of occurrence: weighted risk factor based on an analysis of the probability that a given threat is
capable of exploiting a given vulnerability (or a set of vulnerabilities). (refer: NIST SP 800-30 p. 10 Chapter 2,
Likelihood).
This Qualitative Value risk is rated High, due to the possible loss of sensitive information. The
Team recommends either option to minimize the risk. The first option, the file cabinet(s), is
ideal; a 4 drawer vertical file cabinet costs $200~$450 each. This method is more secure because
it provides safe storage with a locking mechanism and key. The alternate method is more cost
effective: wide packaging tape priced at $11 for a pack of 6 at Staples. Although this method is
not the most secure, it is a way to prevent unauthorized access.
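One way to keep the sign-out log that both options above depend on, as an added example that is not part of the original report: a small Python check-out register (hypothetical class and function names, constructed sample entries) that records who took which file and when, answers who last accessed a file, and flags files signed out but never returned, which is how a missing file would surface.

```python
"""Check-out register for boxed client records (added example, not NLEN's own tooling).

Each box or folder is identified by the label written on it. Every removal and
return is logged with the person's name and a timestamp, so the log answers the
two questions the report asks for: who last accessed a file, and which files are
still outstanding (the missing-file red flag).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LogEntry:
    file_id: str          # label on the box or folder, e.g. "2012-B07" (constructed)
    person: str           # staff member or volunteer signing the log
    action: str           # "out" or "in"
    when: datetime


@dataclass
class CheckoutRegister:
    entries: List[LogEntry] = field(default_factory=list)

    def sign_out(self, file_id: str, person: str, when: datetime) -> None:
        # A second sign-out without an intervening return means the log was
        # bypassed (a file left without a signature) or the file is missing;
        # refuse rather than silently overwrite the custody record.
        current = self.holder(file_id)
        if current is not None:
            raise ValueError(f"{file_id} already signed out to {current}")
        self.entries.append(LogEntry(file_id, person, "out", when))

    def sign_in(self, file_id: str, person: str, when: datetime) -> None:
        if self.holder(file_id) is None:
            raise ValueError(f"{file_id} is not signed out")
        self.entries.append(LogEntry(file_id, person, "in", when))

    def holder(self, file_id: str) -> Optional[str]:
        """Who currently has the file, or None if it is back in the box/cabinet."""
        current = None
        for e in self.entries:
            if e.file_id == file_id:
                current = e.person if e.action == "out" else None
        return current

    def last_accessed_by(self, file_id: str) -> Optional[str]:
        """Name on the most recent log line for this file (out or in)."""
        for e in reversed(self.entries):
            if e.file_id == file_id:
                return e.person
        return None

    def outstanding(self, now: datetime, max_age: timedelta) -> Dict[str, str]:
        """Files signed out for longer than max_age, mapped to the person holding them."""
        last_out: Dict[str, LogEntry] = {}
        for e in self.entries:
            if e.action == "out":
                last_out[e.file_id] = e
            else:
                last_out.pop(e.file_id, None)
        return {fid: e.person for fid, e in last_out.items() if now - e.when > max_age}


def build_sample_register() -> CheckoutRegister:
    """Constructed sample log lines (not real NLEN records), starting at the 3 April 2014 visit."""
    reg = CheckoutRegister()
    t0 = datetime(2014, 4, 3, 9, 0)
    reg.sign_out("2012-B07", "volunteer A", t0)
    reg.sign_in("2012-B07", "volunteer A", t0 + timedelta(hours=2))
    reg.sign_out("2012-B07", "staff B", t0 + timedelta(days=1))   # never returned
    reg.sign_out("2013-B02", "staff C", t0 + timedelta(days=2))   # never returned
    return reg


def sample_overdue(max_days: int) -> Dict[str, str]:
    """Overdue files in the sample register as of the 10 April 2014 follow-up visit."""
    now = datetime(2014, 4, 10, 9, 0)
    return build_sample_register().outstanding(now, timedelta(days=max_days))


if __name__ == "__main__":
    reg = build_sample_register()
    print("2012-B07 last accessed by:", reg.last_accessed_by("2012-B07"))
    print("overdue after 3 days:", sample_overdue(3))
```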
Appendices and References
References
1) NIST SP 800-30 Revision 1
Blank, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30: Guide for Conducting Risk
Assessments. U.S. Department of Commerce, Sept. 2012. PDF.
2) PCI DSS
Payment Card Industry (PCI) Data Security Standard: Requirements and Security
Assessment Procedures, v3.0. PCI Security Standards Council, Nov. 2013.
3) PCI DSS
Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, v3.0.
PCI Security Standards Council, Nov. 2013. PDF.
4) HIPAA – NIST SP 800-66 Revision 1
Scholl, Matthew, Kevin Stine, Joan Hash, Pauline Bowen, Arnold Johnson, Carla D. Smith,
and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1. U.S. Department of
Commerce, Oct. 2008. Web.
Appendices
NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity
The above table identifies the assessment scale, and gives a brief description of the various values used
to determine the qualitative values throughout this report.
NIST SP 800-30 Table H-2: Examples of Adverse Impacts
The above table identifies the various risks and their respective impacts.
PCI DSS: Section 11.2.1
The above table states the importance of monitoring the network from time to time, verifying
that high-risk vulnerabilities are kept to a minimum.
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment
Procedures
Requirement 8:
The table above details the requirements for identifying and authenticating access to system components.
This is a requirement that NLEN would use when assigning user accounts to clients, volunteers, and
visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating
access to system components. The requirement NLEN can focus on is 8.1.1: assigning all users a unique
ID before allowing them to access system components. The Testing Procedures column lists procedures
NLEN can use to ensure that all users are assigned a unique ID. The Guidance column helps NLEN enforce
individual responsibility for actions and an effective audit trail per user.
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment
Procedures
Requirement 9:
The above table states the importance of controlling physical access to the network, in order to
prevent unauthorized use of the network. Requirement 9.1.1 serves a dual purpose: 1) monitor
sensitive areas and 2) protect the controls themselves from tampering.
The above table states the security awareness and training activities that NLEN could use as a
reference when incorporating training for its employees. The Key Activities column states the types
of training to be held, the Description column explains each key activity, and the Sample
Questions column lists questions NLEN may want to ask itself before putting together a training
class for its employees.

Mais conteúdo relacionado

Mais procurados

3rd party information security assessment guideline
3rd party information security assessment guideline3rd party information security assessment guideline
3rd party information security assessment guidelinePriyanka Aash
 
David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco
 
I Series User Management
I Series User ManagementI Series User Management
I Series User ManagementSJeffrey23
 
CSEC630_TeamAssignment_TeamBlazer_FINAL
CSEC630_TeamAssignment_TeamBlazer_FINALCSEC630_TeamAssignment_TeamBlazer_FINAL
CSEC630_TeamAssignment_TeamBlazer_FINALRonald Jackson, Jr
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comPrescottLunt384
 
Research of Intrusion Preventio System based on Snort
Research of Intrusion Preventio System based on SnortResearch of Intrusion Preventio System based on Snort
Research of Intrusion Preventio System based on SnortFrancis Yang
 
Ijricit 01-004 progressive and translucent user individuality
Ijricit 01-004 progressive and translucent user individualityIjricit 01-004 progressive and translucent user individuality
Ijricit 01-004 progressive and translucent user individualityIjripublishers Ijri
 
Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comamaranthbeg52
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
A STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONA STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONIAEME Publication
 
IRJET- A Review on Intrusion Detection System
IRJET-  	  A Review on Intrusion Detection SystemIRJET-  	  A Review on Intrusion Detection System
IRJET- A Review on Intrusion Detection SystemIRJET Journal
 

Mais procurados (15)

50320130403001 2-3
50320130403001 2-350320130403001 2-3
50320130403001 2-3
 
3rd party information security assessment guideline
3rd party information security assessment guideline3rd party information security assessment guideline
3rd party information security assessment guideline
 
David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016
 
Assignment 1
Assignment 1Assignment 1
Assignment 1
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
CSEC630_TeamAssignment_TeamBlazer_FINAL
CSEC630_TeamAssignment_TeamBlazer_FINALCSEC630_TeamAssignment_TeamBlazer_FINAL
CSEC630_TeamAssignment_TeamBlazer_FINAL
 
CSEC630 individaul assign
CSEC630 individaul assignCSEC630 individaul assign
CSEC630 individaul assign
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
Research of Intrusion Preventio System based on Snort
Research of Intrusion Preventio System based on SnortResearch of Intrusion Preventio System based on Snort
Research of Intrusion Preventio System based on Snort
 
PACE-IT, Security+3.6: Security Enhancement Techniques
PACE-IT, Security+3.6: Security Enhancement TechniquesPACE-IT, Security+3.6: Security Enhancement Techniques
PACE-IT, Security+3.6: Security Enhancement Techniques
 
Ijricit 01-004 progressive and translucent user individuality
Ijricit 01-004 progressive and translucent user individualityIjricit 01-004 progressive and translucent user individuality
Ijricit 01-004 progressive and translucent user individuality
 
Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.com
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
A STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTIONA STUDY ON INTRUSION DETECTION
A STUDY ON INTRUSION DETECTION
 
IRJET- A Review on Intrusion Detection System
IRJET-  	  A Review on Intrusion Detection SystemIRJET-  	  A Review on Intrusion Detection System
IRJET- A Review on Intrusion Detection System
 

Destaque

Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
AirAsiaInDilli - RepIndia
AirAsiaInDilli - RepIndia AirAsiaInDilli - RepIndia
AirAsiaInDilli - RepIndia RepIndia
 
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)S Birr
 
CNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkCNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkTaishaun Owens
 
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηΤην Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηlanceloty
 
IS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamIS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamTaishaun Owens
 
LAWAL Resume Edith
LAWAL Resume EdithLAWAL Resume Edith
LAWAL Resume Edithfriday lawal
 

Destaque (20)

MY CV
MY CVMY CV
MY CV
 
Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)Vinayaga Murthy-Mid Jun 15 (1)
Vinayaga Murthy-Mid Jun 15 (1)
 
Vinblastine 865-21-4-api
Vinblastine 865-21-4-apiVinblastine 865-21-4-api
Vinblastine 865-21-4-api
 
Sistema de gestion de contenidos
Sistema de gestion de contenidosSistema de gestion de contenidos
Sistema de gestion de contenidos
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
AirAsiaInDilli - RepIndia
AirAsiaInDilli - RepIndia AirAsiaInDilli - RepIndia
AirAsiaInDilli - RepIndia
 
Loomis Direct
Loomis DirectLoomis Direct
Loomis Direct
 
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
The Alpina Gstaad Summer Season 2015 Brochure (Web Version)
 
Tioguanine 154-42-7-api
Tioguanine 154-42-7-apiTioguanine 154-42-7-api
Tioguanine 154-42-7-api
 
CNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with SplunkCNS 477 Analyzing Machine Data with Splunk
CNS 477 Analyzing Machine Data with Splunk
 
Web y pagweb
Web y pagwebWeb y pagweb
Web y pagweb
 
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρότασηΤην Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
Την Κυριακή 5 Ιουλιου ψηφίζουμε ΟΧΙ σε αυτή την πρόταση
 
Tegaserod 145158-71-0 -api
Tegaserod 145158-71-0 -apiTegaserod 145158-71-0 -api
Tegaserod 145158-71-0 -api
 
2000000001
20000000012000000001
2000000001
 
Empresa
EmpresaEmpresa
Empresa
 
Documentos contables
Documentos contablesDocumentos contables
Documentos contables
 
IS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery ExamIS506 Business Continuity Disaster Recovery Exam
IS506 Business Continuity Disaster Recovery Exam
 
Tasocitinib 477600-75-2-api
Tasocitinib 477600-75-2-apiTasocitinib 477600-75-2-api
Tasocitinib 477600-75-2-api
 
Rakesh_resume
Rakesh_resumeRakesh_resume
Rakesh_resume
 
LAWAL Resume Edith
LAWAL Resume EdithLAWAL Resume Edith
LAWAL Resume Edith
 

Semelhante a CNS599NLEN_RiskAssessment

Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysisCARMEN ALCIVAR
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10jpmccormack
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersITExamAnswers.net
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureCalgary Scientific Inc.
 
SGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securitySGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securityAndy Bochman
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4Rodrigo Piovesana
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Lisa Brown
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Brianna Johnson
 
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection System
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection SystemIRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection System
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection SystemIRJET Journal
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET Journal
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solutionmatthew.maisel
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudProxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudIRJET Journal
 
Security White Paper
Security White PaperSecurity White Paper
Security White PaperMobiWee
 
Computrace Laptop Security Solutions
Computrace Laptop Security SolutionsComputrace Laptop Security Solutions
Computrace Laptop Security Solutionsabe8512000
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White PaperRaz-Lee Security
 

Semelhante a CNS599NLEN_RiskAssessment (20)

Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysis
 
Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10Version 3.6 Powerpoint March10
Version 3.6 Powerpoint March10
 
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam AnswersIT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
IT Essentials (Version 7.0) - ITE Chapter 13 Exam Answers
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
Guide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secureGuide Preview: Ensuring your enterprise image-viewer if fully secure
Guide Preview: Ensuring your enterprise image-viewer if fully secure
 
SGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data securitySGSB Webcast 2 : Smart grid and data security
SGSB Webcast 2 : Smart grid and data security
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1
 
Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...Information Technology Security Is Vital For The Success...
Information Technology Security Is Vital For The Success...
 
Wfh remote access tips
Wfh   remote access tipsWfh   remote access tips
Wfh remote access tips
 
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection System
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection SystemIRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection System
IRJET- Preventing of Key-Recovery Attacks on Keyed Intrusion Detection System
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
 
NAC_p3.pptx
NAC_p3.pptxNAC_p3.pptx
NAC_p3.pptx
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public CloudProxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
 
Security White Paper
Security White PaperSecurity White Paper
Security White Paper
 
Computrace Laptop Security Solutions
Computrace Laptop Security SolutionsComputrace Laptop Security Solutions
Computrace Laptop Security Solutions
 
Information security policy
Information security policyInformation security policy
Information security policy
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 

CNS599NLEN_RiskAssessment

  • 1. 5/7/2014 North Lawndale Employment Network (NLEN) Information Security Risk Assessment Completed by: Phillip Lai Joseph Marchis Taishaun Owens MichelleWitcher
  • 2. 1 Table of Contents Executive Summary ….…………………………………………………………………………. 2 Body of Report Sections A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards …….…………… 7 B. Internet Protocol Cameras (IP Cameras) ...…………………………………………...…..8 C. Server Equipment Security …………………………………………………….…...……8 D. Access Controls ………………………………………………………………..……….10 E. Wi-Fi Access ……………………………………………………………….….……….11 F. Copier Machine ………………………………………………………….……………..12 G. Inventory ...…………………………………….……………………….………………12 H. Disaster Recovery ...………………………….…………………………..……………..14 I. Device (Checkout Program) ...…………………………………………..……………….15 J. Record Files (Paper Documents) ………………………………...……..………………15 References ………………………………………………...…………………………………….17 Appendices ….…………………………………………………………………………………………….18
  • 3. 2 EXECUTIVE SUMMARY May 7, 2014 The team’s task was to identify security at North Lawndale Employment Network (NLEN) to reduce vulnerability of a possible breach in client information. The areas of focus in particular are: access control, access security, and training controls. Identifying current risks that may ex- pose NLEN and to propose solutions that will ensure NLEN’s business purpose and safety of its clients, employees, and volunteers was another area of focus. A few questions presented by NLEN regarding their current practices involving staff who access client sensitive information. Are NLEN employees currently following the policies and procedures that have been put in place to ensure protection of the client’s data? This initial risk assessment is based on the team’s finding of security vulnerabilities found at NLEN. The visits were conducted on April 3rd and 10th, 2014 each in duration of approximately 90 minutes in length. Upon the visit there was a walk through tour of NLEN, brief introductions, following a session of questions and answers with Daniel Rossi, NLEN; Brian Franklin and Bashir Muhammad, of Net-Intelligence Group (NTG); and team members. Currently, NLEN accepts credit card payment upon purchase of items in person and from the “Sweet Beginnings” website (SBW). It was brought to our attention that NLEN was unsure if they met Payment Card Industry (PCI) Data Security Standard (DSS) standards.1 In accordance with the PCI DSS standards, all organizations should implemented PCI DSS into business as usual (BAU) activities as part of an entity’s overall security strategy. The Qualitative Value to establish this recommended control is Very High, and without this standard it could lead to possible lawsuits, insurance claims, cancelled accounts, payment card issuing fines and/or government fines. More specific details found on Section A, page 7. 
NLEN accepts credit card payments for items from the SBW or in-person transactions it is required to monitor those areas where credit cardholder data devices are used. As indicated above NLEN is unsure of PCI DSS standards. The Team noticed there were no Internet Protocol (IP) cameras or closed circuit television (CCTV) cameras present in the facility when the walk through was conducted. The Qualitative Value to establish this recommended control is High, due to cardholder devices in use at NLEN facility. More specific details found on Section B, page 8. Currently NLEN does not have a Disaster Recovery Plan (DRP). Disaster planning is crucial in determining if a company can still function after serious disruptions to the organizations connectivity. One can never predict a natural or man-made disaster, so it is imperative that a DRP is created.2 We recommend implementing a DRP, upon completion the plan should ensure correctness of procedures allowing all staff members to know their designated roles for protection with-in the facility. The Qualitative Value to establish this recommended control is High due to possible loss of the entire network by cause of an outbreak of a fire, and or natural 1 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 13 2 NIST 800-30, Appendix F: Vulnerabilities and Predisposing Conditions
  • 4. 3 disaster. The cost to implement a DRP is dependent on the required items to support your facility. More specific details found on page Section H, page 14. The basement floor contains a room where the server equipment is located. It was noticed that the door to the server room is often kept unlocked for simplicity sake of having to constantly open and close the doors since the room contains various other items. A multi-use room where the network server is located left unlocked is not good practice. Due to the lack of available space in the facility, a recommended solution would to better protect the key and never allow it unattended for good practice. Access should be granted to Daniel and another responsible staff member who would be available during Daniel’s absence. The Qualitative Value to establish this recommended control is Very High due to possible compromise of the entire network. There is no additional cost to implement this policy to the existing operating system in use. Furthermore, since this room is for multi-use room, the server equipment should be enclosed in a secure cabinet to prevent unauthorized access to the equipment. The cost for a server cabinet is $351.00 at Staples. More details found on page Section C, page 8. Staff members when walking away from computers, and or on break are not locking or logging off their computers. With uncontrolled access throughout the facility anyone may access the network and or sensitive data from an unlocked computer when not in use. This practice is not in accordance with the NLEN policy as indicated by the Director of NLEN, NIST Special Publication 800-66 Revision 1, and HIPAA Security Awareness and Training (§ 164.308(a)(5)).3 To remedy this problem is to add an auto lock on the user’s computers after 5 minutes of non- use. Also a policy and training can be implemented to ensure that users are locking their computers when they are not in use. 
Although this does not completely prevent unauthorized access it does however minimize the risk of unauthorized access. This recommendation should also be implemented with laptops as well. Additionally periodic training regarding safe practices and security for all staff members is recommended. The Qualitative Value to establish this recommended control is Very High due to possible compromise of sensitive data by an unauthorized user. There is no additional cost to implement this policy to the existing operating system in use. More specific details found on page Section D, page 10. Official visitors and volunteer who require computer use have shared staff computers and login. This is not in accordance with the NLEN policy as indicated by the Director of NLEN, and as indicated by PCI DSS4 it is required that all users are assigned a unique ID before allowing them to access system components. All visitors who require computer use should have a specific logon with internet access use only. Logons for the visitor(s) can be created on computers designated for client use only through the control panel with restricted use for internet only; as opposed to using staff computers and having access to sensitive data. Additionally clients all share one logon; this is an unsafe practice. If there are issues with a user it is difficult to determine who may have caused the issue. Each client should have their own individual logon 3 NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule 4 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64
  • 5. 4 which can be created through the existing Windows Server 2003, active directory. The Qualitative Value to establish this recommended control is Very High due to possible compromise of sensitive data by an unauthorized access. There is no additional cost to implement this policy to the existing operating system in use. More details found on page Section D, page 10. NLEN Network is connected via Wi-Fi throughout the facility. This Wi-Fi connectivity is accessible to staff, clients, and visitors who visit the NLEN facility. This makes the network vulnerable to vulnerabilities that may exist on the various devices such as malware. The recommended action is to disable USB access on all computers to eliminate unauthorized extraction of data and possible infection of the network. The Qualitative Value to establish this recommended control is High. If USB access is required it should be available on one designated computer (Daniel) to control upload and or download of data. There is no additional cost to implement this policy to the existing operating system in use. More details found on page Section E, p.11. Organizational devices (laptops and tablets) which are available for use outside the facility may contain sensitive data. The devices are then returned after use to allow checkout again. The procedures taken when the device is returned is unclear. The recommended solution for the devices, upon return should be checked for functional capabilities. The user should not be given full access on devices, user level access only. This prevents loading of unauthorized software on the laptops or tablets. Maintenance of the devices should be the same as the desktop computers i.e. updates, patches, and virus protection. If the need occurs that a laptop is to replace a desktop this can be completed without delay. The Qualitative Value to establish this recommended control is Very High. 
There is no additional cost to implement this policy to the existing operating system in use. More details found on page Section I, page 15. The observance of several boxes located throughout the facility contains files which NLEN must retain for period of 7 years. The boxes are not secure and do not prevent unauthorized access and/or removal from the facility. To secure the files the best recommended option is to secure them in lockable file cabinets. With the tight layout of the facility and no available space to support new equipment an alternate method is recommended. All boxes should be secured with wide packaging tape along all seams and the top. Affix a signature along the top which would require a break to open the box. A log should be created for each box which will be attached to each box to manage access to the box. The Qualitative Value to establish this recommended control is High. The cost varies depending on the option selected. Best recommended option cost is $300.00 for a four drawer vertical file cabinet at staples. The alternate recommended option cost for wide packaging tape is $11.00 for a pack of 6 rolls at Staples. More details found on page Section J, page 15. The copier machine is maintained by vendor. Most copiers built since 2002 contains a hard drive in the machine. Just as the hard drive in a computer stores data the hard drive in a copier also stores images of documents copied on the machine. The hard drives should be recycled by
  • 6. 5 the vendor. This is a HIPAA5 requirement, when storing sensitive data to remain confidential within an organization. Ensure the copier vendor has a strict HDD6 recycling policy in place and recommend that they review the policy with you. The Qualitative Value to establish this recommended control is Very High. If the vendor currently has this procedure in place there is no cost. More details found on page Section F, page 12. The last risk is inventory of desktops, laptops, and tablets in the facility. When the question asked “how is the equipment recorded physically” there was no answer. Currently there is no inventory of the make, model, serial number, etc., of equipment. We recommend starting an inventory of all desktops, laptops, and tablets in the facility. The inventory list identifies the location and responsible users which aids in conducting maintenance and upgrading of equipment. The Qualitative Value to establish this recommended control is High. More details found on page Section G, page 12. This is an initial risk assessment report of NLEN facility. The overall level of the risks is Very High, due to PCI DSS standards not found. “The PCI DSS security requirements applies to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.”7 Examples of system components are: Server room network equipment Sweet Beginnings Website Data Center Servers Connectivity to NTG Wifi access points Network operating system Once NLEN has established PCI DSS standards many other risk will also be resolved. 
5 Health Insurance Portability and Accountability Act 6 Hard Disk Drive - a data storage device used for storing and retrieving digital information 7 Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
Body of Report

A. Payment Card Industry (PCI) Data Security Standard (DSS) Standards

The Payment Card Industry (PCI) Data Security Standard (DSS) is a requirement that all organizations processing credit card transactions must implement as business as usual within their organization. Currently NLEN accepts credit card payment for items from the Sweet Beginnings Website (SBW). During the visit a team member made an in-person purchase from SBW with a credit card. The team noticed no cameras present at the location where the transaction took place. The Team also noticed that SBW is not a secure site: a secure site shows https in the browser window, but SBW shows http, which indicates a non-secure site. An organization without PCI DSS standards is vulnerable in many ways.

To ensure that NLEN meets the scope of the requirements, all locations and flows of cardholder data must be identified and included in the PCI DSS scope. The following should be considered to ensure accuracy and appropriateness of the PCI DSS scope:

- Identify and document the locations within the NLEN facility where cardholder data will be used; these locations are the NLEN CDE.
- Ensure no cardholder data exists outside of the designated NLEN CDE areas.
- After identifying the location(s) where cardholder data will be used, verify that the area is appropriate for PCI DSS use.
- All cardholder data should be in the scope of the PCI DSS assessment and part of the CDE.
- Retain all documentation that supports the determination for assessor review and/or for reference for the next annual confirmation and continuity purposes.[8]

The Qualitative Value for this risk is Very High, because NLEN is not meeting the PCI DSS standards at this time.

The Team has determined that once NLEN has met the PCI DSS standards, many other risks identified in this report will also be addressed, such as:

- Internet Protocol Cameras
- Server Room
- Server Equipment
- Access Control
- Disaster Recovery Plan
- Copier Machine

[8] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 10.
B. Internet Protocol (IP) Cameras

The PCI DSS standards are imperative for all businesses that accept credit cards. The facility is vulnerable to someone skimming the credit card machine. Sections[9] of the PCI DSS manual state in multiple places that there must be some monitoring control in sensitive areas; this can be anything from the server room and the locations where cardholder data is used (where data travels through, very critical parts of the infrastructure) to anything that processes sensitive information. Similarly, their guidance is informative in explaining how culprits avoid detection by avoiding the various ways of incriminating themselves. The areas of concern in the NLEN facility are the server room and the designated location(s) where cardholder transactions take place. The Qualitative Value to establish this recommended control is High.

The Team recommends installing cameras as the monitoring medium to minimize the risk: utilize video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. NLEN should focus on the long term effect of monitoring for vulnerabilities.[10] The ease of access to the credit card machine and the server room should not be taken lightly. Camera monitoring helps deter someone from exploiting other means, such as gaining access to the server room and installing a backdoor on the network. Video cameras and/or access control mechanisms that monitor individual physical access to sensitive areas minimize the risk of this vulnerability. It is also good practice to conduct frequent network monitoring when possible.[11] This risk is a recommended PCI DSS standard action.

C. Server Equipment

The server room houses materials and equipment that are used daily by staff members and clients who work with Sweet Beginnings. It contains the equipment for the internet connection from NLEN to the Data Center, along with coffee supplies and various other items. Given the constraint of unavailable space, this room should remain locked at all times. There are two issues. First, the key to this room is kept in an office on the main floor (Daniel's office). The key is left unattended when this office is empty, so anyone may enter, remove the key, and thus access the server room. Second, the Team was advised the door is often left open for the sake of simplicity, to avoid constantly opening and closing the door because others may need entry at any given time. The Qualitative Value to establish this recommended control is High.

[9] PCI DSS; Sections 9.1 and 9.1.1.
[10] PCI DSS; Section 11.2.1.
[11] PCI DSS; Section 11.2.1.
The above table details the risk of the server room not having secure access and the recommended control for ensuring that access to the server room is limited.

The protection of the network equipment, which prevents unauthorized access and is required by PCI DSS standards, is an issue as well. The network equipment is the backbone of the network: it is the point of entry and exit for all network traffic, and any disruption to this equipment will cause loss of the network. This equipment should be secured at all times to prevent disruptions. Disruptions can be unplugging the equipment, removal of any one item, fire, water, and tampering by an unauthorized person. Tampering can be the connection of a key logger,[12] stealing of internet bandwidth,[13] introducing a virus, or other malicious action. The possibilities are endless if one wishes to disrupt or tamper with the network. Additionally, equipment left open in an unrestricted room leaves it open to someone connecting unauthorized equipment, unknowingly or for malicious reasons (tampering). Such an unauthorized connection can be made without any disruption to the network. The equipment is generally reliable and does not require changes, and therefore may be left unattended for long periods of time. Without an IT Technician onsite, no one may know if or when the equipment has been tampered with. Again, given the constraints of available space in the facility, it is necessary to secure the equipment in a manner which prevents exposure to unauthorized personnel.

The Team recommends the following actions be taken to secure the equipment in a PCI certified server rack/cabinet, which will prevent unauthorized access to the equipment. The equipment should also be connected to an Uninterrupted Power Source (UPS) to prevent loss of the network if a power outage is experienced.

The recommended control for the server room key is to issue keys only to authorized staff. We recommend issuing a key to Daniel and two other designated staff members who would be available when Daniel is not present. The key should not be left out on display, to prevent others from taking it. When access to this room is needed, one of the authorized staff members should escort the individual(s) to the room and remain with them the entire time the room is open. When the business in the server room is finished, it should be locked and remain so at all times.

Required Items              | Manufacturer/Model     | Item Number | Cost
----------------------------|------------------------|-------------|-----
Enclosure Server Cabinet    | Tripp Lite/SRW12US     | IMIY96346   | $319
Uninterrupted Power Source  | APC Smart-UPS/SMT1500  | 849858      | $467

[12] Key logger: a program, commonly stored on a USB device, that keeps track of all typed information on a system or network; it can be used to obtain log-in credentials (users and their passwords) and credit card information.
[13] Bandwidth: the speed at which data transfers across the network.
Total estimated cost of completion: $786

D. Access Controls

Access control governs who may access and move among the resources throughout the facility. Numerous unsafe practices were observed on the tour of the facility: staff members willingly logging on to computers for volunteers, and volunteers accessing clients' information with staff logons. This is not in accordance with NLEN policy, as indicated by the Director of NLEN, nor with PCI DSS.[14] Staff should not share their logons with anyone. Each staff member should have their own individual logon for their own use. When staff leave their computer they should lock the terminal every time. A computer left unlocked gives access to the network, which contains sensitive personal data that should be protected by all means in accordance with HIPAA Security Awareness and Training (§ 164.308(a)(5)).[15]

Volunteers and visitors who require access to a computer should have their own individual logon. No two people should have the same logon. Only staff employees should have access to the shared S drive. Access for volunteers/visitors can be restricted to a limited period of time and to internet use only. Are the volunteers authorized, or do they have a need to know, clients' personal sensitive information?

Currently one logon is assigned to all clients. With all clients sharing the same logon, if there is a malicious action on the network there is no way to identify who committed it. Just as for all others in the facility, each client should have their own individual logon for in-house internet access. The recommended control is to create individual logons for all volunteers, visitors, and clients. Volunteers, visitors and clients may have access to the same in-house internet access, leaving only staff with access to the sensitive shared S drive, as directed by the NLEN Director.
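One way to provision the individual, time-limited logons recommended above for volunteers, visitors and clients, written as an added example for this report (not NLEN's or NTG's own script) using the dsadd.exe and dsquery.exe tools that ship with Windows Server 2003; the domain name, the per-role OUs, the "NLEN Internet Only" group and the audit log path are assumed placeholders, and PowerShell 2.0 is assumed.

```powershell
<#
  Added example, not part of the NLEN report: provisions an individual,
  time-limited logon for a volunteer, visitor or client on the Windows Server
  2003 R2 domain controller using dsadd.exe. Assumed placeholders (replace with
  NLEN's real values): the domain DC=nlen,DC=local, one OU per role
  (Volunteers, Visitors, Clients), a group "NLEN Internet Only" through which
  in-house internet access is granted, and a shared audit log path. Run from an
  account with rights to create users in those OUs.
#>
param(
    [Parameter(Mandatory=$true)][string]$FirstName,
    [Parameter(Mandatory=$true)][string]$LastName,
    [ValidateSet("Volunteer","Visitor","Client")][string]$Role = "Visitor",
    [int]$DaysValid = 30,                                    # account expires after this many days
    [string]$AuditLog = "\\server\share\logon-audit.csv"     # assumption
)

$domainDn = "DC=nlen,DC=local"                               # assumption
$ouDn     = "OU=${Role}s,$domainDn"                          # e.g. OU=Visitors,DC=nlen,DC=local
$groupDn  = "CN=NLEN Internet Only,OU=Groups,$domainDn"      # assumption

# One logon per person: first initial + last name + role, lower case, no spaces.
# A numeric suffix is added if that name is already taken, so no two people
# ever share a logon (the report's concern with the single shared client logon).
$base  = ("{0}{1}-{2}" -f $FirstName.Substring(0,1), $LastName, $Role).ToLower() -replace '\s',''
$samId = $base
$i = 2
while (& dsquery user -samid $samId) { $samId = "$base$i"; $i++ }
$userDn = "CN=$samId,$ouDn"

# Random initial password; the user must change it at first logon (-mustchpwd yes).
[System.Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
$initialPwd = [System.Web.Security.Membership]::GeneratePassword(12, 3)

# -acctexpires N makes the account expire N days from now without any further action.
& dsadd user $userDn `
    -samid $samId `
    -fn $FirstName -ln $LastName `
    -display "$FirstName $LastName ($Role)" `
    -desc "$Role account, created $(Get-Date -Format yyyy-MM-dd) by $env:USERNAME" `
    -pwd $initialPwd `
    -mustchpwd yes `
    -acctexpires $DaysValid `
    -memberof $groupDn

if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $samId (exit code $LASTEXITCODE)" }

# Audit trail: who created which logon, its role and expiry, so that actions on
# the network can later be traced to a named person.
$record = '"{0}","{1}","{2}","{3}","{4}"' -f (Get-Date -Format "yyyy-MM-dd HH:mm"), $samId, $Role,
          (Get-Date).AddDays($DaysValid).ToString("yyyy-MM-dd"), $env:USERNAME
if (-not (Test-Path $AuditLog)) { '"Created","Logon","Role","Expires","CreatedBy"' | Set-Content $AuditLog }
$record | Add-Content $AuditLog

Write-Host "Created $samId ($Role), expires in $DaysValid days. Hand the initial password to the user in person: $initialPwd"
```

Restricting such accounts to internet use only (no S drive) still has to be enforced by the permissions granted to the assumed "NLEN Internet Only" group; the script only places the account in it.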
To create individual logons for clients, volunteers, and visitors for in-house internet access, use the Windows 2003 Server R2 currently located in the server room at the NLEN Flournoy office. A person with administrative access can create the logons in Active Directory for clients, volunteers, and visitors.

To further reduce unsafe practices, the Team recommends security training for all staff members. The training should consist of the following:

- Importance of securing the facility for their own physical security.
- Importance of safe keeping of clients' sensitive data.
- Importance of always locking their computers when away.
- Importance of the network equipment in the server room.
- Importance of knowing who is and is not authorized to access the network.

[14] Payment Card Industry (PCI) Data Security Standard, v3.0, 2006-2013 PCI Security Standards Council, LLC, page 64.
[15] NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
- Required reading of the NLEN policy provided at the beginning of employment.
- Importance of secure and safe practices overall.

The use of NLEN laptops and tablets requires monitoring and periodic maintenance. These devices, when connected to the NLEN network, should meet the same requirements for software updates, patches, and anti-virus as the desktop computers on the network. These devices are periodically connected via remote access to the NLEN network. Not checking these devices after use leaves possible vulnerabilities to clients' sensitive data and exposes the network to viruses or other malicious actions. These devices should not be issued with sole user access as on the desktop computers, to prevent download of unauthorized software onto the network. Disabling USB drives on all computers on the NLEN network is good and secure practice. USB drives allow unauthorized download of sensitive data, unauthorized upload of unauthorized software, and connection of unprotected devices. Upon return of a device after use, it should be cleared of all data to prevent unauthorized access to sensitive data. The Team recommends USB drives be disabled for all computers that attach or may attach to the NLEN network.

E. Wi-Fi Access

The NLEN network provides Wi-Fi connectivity throughout the facility. This network should be secured. The password for this access point should only be given to authorized users of the NLEN network (staff). Volunteers, clients, and visitors should not be given this access. If this password becomes known to volunteers and clients, the NLEN network will not be as secure. Those who access the network with personal devices may introduce vulnerabilities that exist on those devices, such as viruses or malware. The Qualitative Value to establish this recommended control is High. There are no additional costs to implement this policy with the existing operating system in use. We recommend the network password be changed. Knowledge of the password should be limited to the NTG Technicians and designated IT staff members. An alternate network (guest network) could be created for those who wish to have internet access on their personal devices. The guest network can be accessible by clients, volunteers, and visitors.

F. Copier Machine

The copier machine is maintained by a vendor. Most copiers built since 2002 contain a hard drive (HDD) in the machine. The HDD is capable of storing many of the images duplicated by the copier, so yet more sensitive data is exposed to unauthorized access. During the questioning session the current practices of the vendor were unknown. The Team recommends checking with the vendor and inquiring about the security measures the vendor takes to keep NLEN's information secure. The Qualitative Value to establish this recommended control is High.
The table above details the risk that sensitive data duplicated by the copier machine may not be secure, and the recommended control to ensure that the data retained in the copier is secured.

G. Inventory

The accountability of equipment is unknown. Daniel advised us he is unaware of any inventory of the network equipment. If there is loss of equipment or a burglary in the facility, how will you know how many and which items were taken? The Team recommends creating a small property inventory of all network equipment. This inventory should be updated whenever there is a change of equipment or staff. The Qualitative Value to establish this recommended control is High, due to the lack of accountability for NLEN equipment within the facility. There is no additional cost to implement this policy. A recommended log example follows on the next page.
Room _______

ITEM | MANUFACTURER | MODEL | SERIAL# | MAC ADDR | USER | DATE
-----|--------------|-------|---------|----------|------|-----
     |              |       |         |          |      |

Signature of Supervisor/Manager: _________________________________________________

Above is an example of a small property inventory.
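To fill the inventory template above without transcribing labels by hand, the following added example (written for this report, not NLEN's or NTG's own tooling) reads the make, model, serial number and MAC address(es) of the Windows computer it runs on from WMI and appends one row in the template's column order to a shared CSV; the CSV path and room name are assumed placeholders, and PowerShell 2.0 on Windows XP / Server 2003 or later is assumed.

```powershell
<#
  Added example, not part of the NLEN report: fills in one row of the small
  property inventory for the Windows computer it runs on. Make, model, serial
  number and MAC addresses come from WMI classes present on Windows XP /
  Server 2003 and later. Assumptions: the CSV path and room name are
  placeholders, and the USER column records whoever is logged on when it runs.
#>
param(
    [string]$Room = "Room ____",                                       # placeholder
    [string]$InventoryCsv = "\\server\inventory\nlen-inventory.csv"    # assumption
)

function Get-InventoryRow {
    param([string]$Room)

    $sys  = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    $encl = @(Get-WmiObject -Class Win32_SystemEnclosure)[0]

    # SMBIOS chassis type distinguishes desktop from laptop/tablet:
    # 8,9,10,14 are portable form factors; 30,31,32 are tablet/convertible types.
    $chassis = @($encl.ChassisTypes)[0]
    $item = "Desktop"
    if (8,9,10,14 -contains $chassis)    { $item = "Laptop" }
    elseif (30,31,32 -contains $chassis) { $item = "Tablet" }

    # Configured adapters with a hardware address only; skips loopback/virtual entries.
    $macs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.MACAddress } |
            ForEach-Object { $_.MACAddress }

    New-Object PSObject -Property @{
        Room         = $Room
        Item         = "$item ($($sys.Name))"
        Manufacturer = "$($sys.Manufacturer)".Trim()
        Model        = "$($sys.Model)".Trim()
        SerialNumber = "$($bios.SerialNumber)".Trim()
        MacAddr      = ($macs -join ";")
        User         = "$($sys.UserName)"      # DOMAIN\user currently logged on, if any
        Date         = Get-Date -Format "yyyy-MM-dd"
    }
}

function Add-InventoryRow {
    param($Row, [string]$Path)
    # Export-Csv cannot append in PowerShell 2.0, so the CSV line is written by
    # hand in the same column order as the inventory template, plus the room.
    $header = '"ITEM","MANUFACTURER","MODEL","SERIAL#","MAC ADDR","USER","DATE","ROOM"'
    if (-not (Test-Path $Path)) { $header | Set-Content $Path }
    $fields = @($Row.Item, $Row.Manufacturer, $Row.Model, $Row.SerialNumber,
                $Row.MacAddr, $Row.User, $Row.Date, $Row.Room)
    $line = ($fields | ForEach-Object { '"' + ("$_" -replace '"', '""') + '"' }) -join ","
    $line | Add-Content $Path
}

$row = Get-InventoryRow -Room $Room
Add-InventoryRow -Row $row -Path $InventoryCsv
$row | Format-List Item, Manufacturer, Model, SerialNumber, MacAddr, User, Date, Room
```

Running it once per desktop, laptop and tablet (for example as a logon script) keeps the serial numbers and MAC addresses current, which is what an insurance claim or a burglary report after a loss would require.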
H. Disaster Recovery Plan

Disaster planning plays a crucial role in determining whether a company can still function after serious disruptions to the organization's connectivity. One can never predict a fire or water disaster, so it is imperative that a Disaster Recovery Plan be developed. NIST SP 800-30 Appendix F, page F-2, would define this vulnerability as High based on the exposure and ease of exploitation. Note that a contingency plan such as Disaster Recovery is a HIPAA standard, Contingency Plan (§ 164.308(a)(7)). All organizations must meet the standard or face penalties for violations. The table below, which can be found in NIST SP 800-66r1, is a standard table for implementing policies for responding to an occurrence such as fire, water, natural disaster, or vandalism. Implementation of this standard can range from a couple of weeks to about a month or two. Using the table's questions as samples is as good a place to start as any. It is important to ask these questions of oneself to see where there is a lack of information. From there, preemptive measures can be added in the areas where NLEN is lacking.

HIPAA Table 4.7 Contingency Plan

The HIPAA recommended steps aid in developing a Disaster Recovery Plan.
I. Device (Checkout Program)

A laptop rental program is available to staff members and clients to accomplish their work off-site. It was noted that there has been a loss of control of devices from this program, which cannot be accounted for. This program is vital and necessary to clients and staff alike. Although it is a necessary program, measures should be taken to secure the safe keeping of the equipment, or the program will cease if all equipment is lost. The Qualitative Value of this risk is rated High due to the possibility of device(s) not being returned. It is understood this program exists for the clients and is vital to success in the U-Turn program. Eliminating this program could be critical to both clients and staff. The Team recommends re-evaluating the program, with procedures to support the clients and maintain the safe keeping of the devices.

J. Record Files (Paper Documents)

On a daily basis, new and existing clients who come into NLEN hoping to enroll in the U-Turn program put their information on a document sheet. The document contains sensitive information such as Social Security Number (SSN), address, family members, background history, education, status, etc. These documents are then placed into storage boxes for accessibility. Of course, the files are later entered into a computer by volunteers and staff members, where they can be reviewed for further use. This is concerning because it is a red flag[16] due to the vulnerability[17] of missing files being a likelihood of occurrence.[18] Client information kept in stored boxes tends to be accessible to anyone on the work site (possibly including the clients), and could be harmful to clients and assets. The method of storing information must be changed for privacy and protection purposes. A proposed solution is securing the files in containers such as locking file cabinets to minimize access. The alternate method would be to simply seal the box files with wide tape on the top and all seams. Both solutions would require someone to administer a log with a sign-out process recording which files are checked out. Thus records would be dated, recorded, and guarded by noting who last accessed a file. This would mitigate the vulnerability of identity theft (red flag) in the work environment. The option of locked file cabinets makes it easy to store and set up previous records and files on clients by dating each file by year; since the number of clients' records varies each year, it would be ideal to have an efficient process of obtaining information on a certain client. With an organized method in place, documents are easily identified when shredding is required.

The Qualitative Value of this risk is rated High, due to the possible loss of sensitive information. The Team recommends either option to minimize the risk. The first option, the file cabinet(s), is ideal, at a cost of $200~$450 each for a 4 drawer vertical file cabinet. This method is more secure because it provides safe storage with a locking mechanism and key. The alternate method is more cost effective: wide packaging tape priced at $11 for a pack of 6 at Staples. Although this method is not the most secure, it is a way to prevent unauthorized access.

[16] The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs, or red flags, of identity theft in their day-to-day operations. (http://www.business.ftc.gov/privacy-and-security/red-flags-rule)
[17] An existing weakness based on the work flow of internal controls, or implementations that could be exploited by a threat source. (Refer: NIST SP 800-30 p. 9, Chapter 2, Vulnerabilities and Predisposing Conditions.)
[18] Likelihood of occurrence: a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or a set of vulnerabilities). (Refer: NIST SP 800-30 p. 10, Chapter 2, Likelihood.)
Appendices and References

References

1) NIST SP 800-30 Revision 1. Banks, Rebecca M., and Patrick D. Gallagher. NIST SP 800-30: Guide for Conducting Risk Assessments. U.S. Department of Commerce, Sept. 2012. PDF.
2) PCI DSS. Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, v3.0, Nov. 2013.
3) PCI DSS. Payment Card Industry (PCI) Data Security Standard: Business-as-Usual Processes, v3.0, Nov. 2013. PDF.
4) HIPAA – NIST SP 800-66 Revision 1. Scholl, Matthew, Joan Hash, Kevin Stine, Pauline Bowen, Arnold Johnson, Carla D. Smith, and Daniel I. Steinberg. NIST Special Publication 800-66 Revision 1. U.S. Department of Commerce, Oct. 2008. Web.
Appendices

NIST SP 800-30 Table F-2: Assessment Scale – Vulnerability Severity

The above table identifies the assessment scale and a brief description of the various values used to determine the qualitative values throughout this report.

NIST SP 800-30 Table H-2: Examples of Adverse Impacts

The above table identifies the various risks and their respective impacts.

PCI DSS: Section 11.2.1

The above table states the importance of monitoring the network from time to time, verifying that high risk vulnerabilities are kept to a minimum.

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Requirement 8

The table above details the requirements for identifying and authenticating access to system components. This is a requirement NLEN would apply when assigning user accounts to clients, volunteers, and visitors. The PCI DSS Requirements column states the requirements for identifying and authenticating access to system components. The requirement NLEN can focus on is 8.1.1: assigning all users a unique ID before allowing them to access system components. The Testing Procedures column gives procedures NLEN can use to ensure that all users are assigned a unique ID. The Guidance column helps NLEN enforce individual responsibility for actions and an effective audit trail per user.

Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Requirement 9

The above table states the importance of controlling access to the network, to prevent unauthorized use of the network. Requirement 9.1.1 serves two purposes: 1) monitoring sensitive areas, and 2) protecting controls from tampering.

The above table states the security awareness and training guidance that NLEN could use as reference when incorporating training for its employees. The Key Activities column states the types of training to be held, the Description column explains each key activity, and the Sample Questions are questions NLEN may want to ask itself before putting together a training class for its employees.