Risk assessment in information security
This report comprises of carefully conducted evaluation on the Bureau of Research and Intelligence (BRI) information systems after they experienced a massive cyber attack which leads to data leakage and system compromise. This document also demonstrates the risk assessment methodology under the NIST SP 800 – 30 guidelines, the appendix in this report clearly documents the guidelines used to perform this exercise (Sadgrove, K. 2016). The reason for choosing this methodology is that for any enterprise regardless of cyber threat size, company size, or information system sophistication they can apply it and guarantee accurate results in practicing risk management in evaluating and upgrading current information security and resilience. The framework NIST SP 800 -30 has multiple sub approaches in response to cyber security, that are very useful in this complex world today. The guidelines and standard in these directives and practices provide the ability and road mad required in performing this risk assessment exercise at BRI. The framework guarantees;
1. Guide in describing the current organization cyber security posture
2. Describing the current cybersecurity target state.
3. Identifying and prioritizing improvement opportunities in the setting of repeatable and continuous processes.
4. Monitor the target state progress.
5. Give a better mechanism of communication with both internal and external stakeholders on the cybersecurity threat.
The aim it to complement not replacing the current organization risk assessment strategy and cybersecurity policies in place. Once in place, this framework plan allows continuous assessing, identifying and responds to threats that are there and those that arise in the future. This framework looks at the current cybersecurity system flaws and tries to recommend improvements to the vulnerable areas.
Cybersecurity risk management
The Bureau of Research and Intelligence (BRI) core mission is providing numerous intelligence to the American Diplomats worldwide. Due to ever reducing the congressional budget, BRI is forced to be selective in choosing its information systems and cyber security policies and frameworks (Sadgrove, K. 2016). Based on this they use sub-standard systems and strategies, that in the past few years has seen them experience the following cyber security vulnerability exploits as published in the New York Times:
• External hackers compromised the BRI network infrastructure, and this practice is ongoing. The information used in supporting the diplomats was accessed.
• The CIO of the BRI uses his personal email for both individual and cooperate use.
• The BRI human resource system is compromised as it authorized all users in the system to view other employee personal data including critical information like their social security pins, addresses, bank accounts’ numbers and more. After identifying this breach the management sort to destroy any evident, that would implicate them in procuring this sub-standard system.
• A state worker brought with them cooperate issue notebook with classified data home, which evidently ended up getting stolen and never recovered.
• ABRI contractor employee was published to the public classified files including communications between the President and the diplomats.
• The malware was planted on the information system infrastructure embarrassing the embassies, putting most personnel at security risks including assets and their missions in the foreign states.
From this finding, many risk assessment activities followed in evaluating the current risk threat and the extent of the damages experienced by this vulnerability attacks. This report details the risk assessment carried out on this extensive system and what it is looking for and finally giving a recommendation for using and upgrading the system in future.
Risk management framework
This section seeks in achieving the following about the risk management framework:
• The agents and their roles about this risk evaluation exercise.
• The risks classification.
• The methodologies and tools used in gathering the appropriate information.
Mostly interviews and questionnaires were used in giving a broader scope into the; threats, vulnerabilities, risk impacts and risks likelihood. This report follows the NIST SP 800 – 30 risk management guidelines (Sadgrove, K. 2016). The following table demonstrates the risks levels that were implemented in identifying and classifying the risks about the BRI incidents.
Confidentiality, Integrity and Availability unavailability or compromise will have dire consequences on the enterprise processes and risks assets and personnel.
Confidentiality, Integrity and Availability unavailability or compromise will have dire consequences on the company processes and risks assets and staff.
Confidentiality, Integrity and Availability unavailability or compromise will have dire consequences on the business processes and risks assets and employees.