Vulnerability Assessment Matrix & Policy Recommendations Memo
This assignment is based upon a vulnerability assessment and mitigation methodology developed by the RAND Corporation. Before you begin, make sure that you have read Chapters 2, 3, and 4, of Finding and fixing Vulnerabilities in Information Systems: The Vulnerability Assessment and Mitigation Methodology by Philip Anton (RAND MR1601).
The objective of this assignment is to perform a threats and vulnerabilities analysis based upon the process methodology presented in RAND MR1601. The purpose of the analysis process is to help you determine the requirements for an Infrastructure Protection Policy. The results of your analysis will be used in the second part of this assignment to develop policy recommendations which you will then use to write a policy recommendations memorandum for the senior leadership of the organization (see Scenario).
To document your analysis, you will complete the assessment matrix shown in Table 4.1 Matrix of Vulnerability Attributes and System Object Types found in Chapter 4 of the RAND document. For each type of threat or vulnerability listed in the assessment matrix, you are required to provide a brief, concise description (a few words or a key phrase) and a recommendation for one or more actions (including implementation of specific security controls) which should be taken to correct or remediate the problem. A sample of a completed matrix, documenting portions of a threats and vulnerabilities assessment, is found in table 4.2 (RAND MR1601).
After completing your assessment matrix, you will write a policy recommendation memo which includes 10 to 15 policy statements that can be used to implement your recommendations (as documented in your table). Your memorandum should begin with a brief introduction to the policy issue being addressed (see Scenario). Your recommendations should cover the broad spectrum of actions which will address the threats and vulnerabilities discussed in your analysis. From your recommendations, it should be clear that you performed the following actions:
Identified threats and vulnerabilities (risk identification)
Assigned security controls to protect the enterprise infrastructure (risk management)
Incorporated capabilities for future detection of threats, vulnerabilities, and attacks
Formalized incident response as a business process (policies, plans, procedures)
Formalized disaster recovery and business continuity policies, plans, procedures
Each policy statement should be phrased in the form of a shall statement which specifies the actions that must be taken to implement your recommendations. For example, DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks
(TSN), includes the following shall statements:
Risk to the trust in applicable systems shall be managed throughout the entire system lifecycle.
The identification of mission critical functions and critical components as well as TSN planning and implementation activities, including risk acceptance as appropriate, shall be documented in
Risk management shall include TSN process, tools, and techniques to Reduce vulnerabilities in the system design through system security engineering
1.Completed Assessment Matrix
2.Recommendation Memo (no more than 5 pages)
Submit each deliverable in a separate file. Attach both files to your Project 5 assignment folder entry.
In the organization, there is an insider threat. The employee who is the insider threat was overheard discussing a perceived vulnerability in the enterprise infrastructure. Several members of the IT Operations and Support staff believed that this report (of the alleged vulnerability as perceived / reported by the insider threat employee) represents an actual vulnerability in a key IT system and are attempting to create a patch.
Meanwhile, the insider threat employee has released malware into an enterprise IT system which is separate from the alleged vulnerability. While the technical team is searching for the alleged vulnerability, the malware has escaped from the compromised enterprise IT system and is traveling through the enterprise infrastructure disrupting all network traffic.
What are the issues that need to be addressed in your analysis of the threats and vulnerabilities present in this scenario?
Complete the matrix from table 4.1 of RAND MR1601 using information provided in the scenario below. A blank copy of the table is provided at the end of this file for your convenience.
You must use the table template as provided in this assignment. Copy the table on the next page into a separate MS Word document file. You may wish to format your document for landscape presentation (to give you more width in each column). Do not modify the column or row headings. Do not delete unused rows or columns (leave them blank).
For a C on this assignment, you must complete at least one entry in the matrix (table) for 10 or more characteristics (rows) spread across two or more categories (columns). This is a total of 10 points of analysis or 10 cells. (You must have at least one cell filled in for two of the four columns.)
For a B on this assignment, you must complete at least one entry in the matrix for 12 or more characteristics (rows) spread across three or more categories (columns). This is a total of 12 points of analysis or 12 cells. BUT, for the B you must perform your analysis against at least three of the categories (columns). (You must have at least one cell filled in for three of the four columns.)
For an A on this assignment, you must complete at least one entry in the matrix for 16 or more characteristics (rows) and those entries must be spread across all four categories (columns). This is a total of 16 points of analysis. BUT, for the A you must perform your analysis against all four categories. (You must have at least one cell filled in for each of the four columns.)
Please see the grading rubric for additional requirements for this assignment.
APA formatting is NOT required for this assignment. Your work should have a professional appearance and should use consistent fonts, font sizes, and font colors. Your font size in the matrix (table) should be no smaller than 9 points.
Your memorandum must be submitted to TurnItIn for originality checking. Do not submit the matrix to TurnItIn.
Matrix of Vulnerability Attributes and System Object Types
Object of Vulnerability
AttributesHardware (data storage, input/output, clients, servers), network and communications, locality
Software, data, information, knowledgeStaff, command, management, policies, procedures, training, authentication
Ship, building, power, water, air, environment
Logic/ implementation errors; fallibility
Design sensitivity/ fragility/limits/ finiteness
BehaviorBehavioral sensitivity/ fragility
GeneralAccessible/ detectable/ identifiable/ transparent/ interceptable
Hard to manage or control
Self-unawareness and unpredictability
Our Service Charter
Excellent Quality / 100% Plagiarism-FreeWe employ a number of measures to ensure top quality essays. The papers go through a system of quality control prior to delivery. We run plagiarism checks on each paper to ensure that they will be 100% plagiarism-free. So, only clean copies hit customers’ emails. We also never resell the papers completed by our writers. So, once it is checked using a plagiarism checker, the paper will be unique. Speaking of the academic writing standards, we will stick to the assignment brief given by the customer and assign the perfect writer. By saying “the perfect writer” we mean the one having an academic degree in the customer’s study field and positive feedback from other customers.
Free RevisionsWe keep the quality bar of all papers high. But in case you need some extra brilliance to the paper, here’s what to do. First of all, you can choose a top writer. It means that we will assign an expert with a degree in your subject. And secondly, you can rely on our editing services. Our editors will revise your papers, checking whether or not they comply with high standards of academic writing. In addition, editing entails adjusting content if it’s off the topic, adding more sources, refining the language style, and making sure the referencing style is followed.
Confidentiality / 100% No DisclosureWe make sure that clients’ personal data remains confidential and is not exploited for any purposes beyond those related to our services. We only ask you to provide us with the information that is required to produce the paper according to your writing needs. Please note that the payment info is protected as well. Feel free to refer to the support team for more information about our payment methods. The fact that you used our service is kept secret due to the advanced security standards. So, you can be sure that no one will find out that you got a paper from our writing service.
Money Back GuaranteeIf the writer doesn’t address all the questions on your assignment brief or the delivered paper appears to be off the topic, you can ask for a refund. Or, if it is applicable, you can opt in for free revision within 14-30 days, depending on your paper’s length. The revision or refund request should be sent within 14 days after delivery. The customer gets 100% money-back in case they haven't downloaded the paper. All approved refunds will be returned to the customer’s credit card or Bonus Balance in a form of store credit. Take a note that we will send an extra compensation if the customers goes with a store credit.
24/7 Customer SupportWe have a support team working 24/7 ready to give your issue concerning the order their immediate attention. If you have any questions about the ordering process, communication with the writer, payment options, feel free to join live chat. Be sure to get a fast response. They can also give you the exact price quote, taking into account the timing, desired academic level of the paper, and the number of pages.