You work at the XYZ Financial Bank, and a fellow co-worker approaches you and states the only safeguard controls needed for the bank are the physical controls. Based on what you have learned about safeguard controls, reflect on whether you support your co-worker’s position, or refute the claim of just using physical controls. Explain why you do or do not refute the claim. Your journal entry must be at least 200 words in length. No references or citations are necessary.
SEC 4301, IS Disaster Recovery 1
Upon completion of this unit, students should be able to:
3. Analyze an impact assessment for organization threat analysis.
3.1 Deconstruct the system function assets.
3.2 Generalize the aspects between historical data and threat modeling.
3.3 Interpret the findings from the threat, vulnerabilities, and exploits assessment.
Chapter 7: Identifying Assets and Activities to Be Protected
Chapter 8: Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Chapter 9: Identifying and Analyzing Risk Mitigation Security Controls
Asset Accessibility and Availability
Previously, the hardware and software assets were identified in the risk assessment. Now these assets need
to be protected and addressed; these assets are within the business continuity plan (BCP). The BCP helps the
organization to address and document a set of plans in the event of a disaster to the organization. All
employees and individuals who need access to information from the network infrastructure must have 100%
accessibility and availability to organizational data. However, in a real-world scenario, 100% is usually
equated to 99.999% of the time; the 0.001% is negligible downtime (Gibson, 2015). Nevertheless, how does
an organization even maintain a 99.999% system access and availability? The answer is redundancy of
devices to create what is known as a failover cluster system. Backup systems are important in order to avoid
system access failure that causes system unavailability to all employees who need information to do their jobs
for the organization.
Organizations can utilize manual or automated methods for system functions to aid in system uptime. Some
organizations use a hybrid approach that combines manual and automated methods for system functions.
These methods matter for the hardware, software, and people assets (Gibson, 2015). These are the basic
critical assets of the organization.
UNIT IV STUDY GUIDE
Identifying Key Components of
Risk Assessment
The assets shown in Figure 4.1 are all subject to access and availability concerns and are explained further
below.
Figure 4.1: System Function Assets
(Gibson, 2015)
• Hardware assets: Think of these assets as tangible devices. Any device that can be seen, touched,
and sometimes smelled is an asset that needs to be identified. Attributes (the asset's location, model
number, or manufacturer) need to be recorded, as no two devices are identical (Gibson, 2015).
• Software assets: Coding software, operating systems (OS), and applications are software assets
that cannot be physically touched but can be used through input devices. Such
software has attributes, such as the version number, name of application, patches, and equipment on
which the software is installed, that need to be inventoried and identified for each device (Gibson,
2015).
• Personnel assets: People, just like hardware and software, are prone to failure. Such failure could be
a lack of personnel, a single point of failure when only one person has access to a device, or a lack of
skill development because of a stagnant job position (Gibson, 2015). Like hardware and software,
personnel are subject to viruses, emergencies, and non-emergency issues.
Other areas that are important to the access and availability are information data assets, inventory
management, and facilities and supplies (Gibson, 2015). Although not as critical as the hardware, software,
and people assets, the other areas play an important role in the identification of the assets for risk
management.
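The following is an added example, not taken from the unit or the textbook, that works through the redundancy argument above: how many failover nodes reach 99.999%, and which system functions still depend on a single device or a single person. The inventory records, names, and per-node availability figures are constructed, and node failures are assumed to be independent.

```python
from dataclasses import dataclass, field

TARGET = 0.99999                 # availability figure quoted in the lesson
MINUTES_PER_YEAR = 365 * 24 * 60

@dataclass
class SystemFunction:            # hypothetical inventory record
    name: str
    node_availability: list      # one entry per redundant hardware node
    admins: list = field(default_factory=list)  # personnel with access

def cluster_availability(nodes):
    """A failover cluster is down only when every node is down.
    Assumption: node failures are independent of each other."""
    all_down = 1.0
    for availability in nodes:
        all_down *= 1.0 - availability
    return 1.0 - all_down

def nodes_needed(per_node, target=TARGET):
    """Smallest number of identical nodes whose cluster meets the target."""
    if not 0.0 < per_node <= 1.0:
        raise ValueError("per-node availability must be in (0, 1]")
    count = 1
    while cluster_availability([per_node] * count) < target:
        count += 1
    return count

def downtime_minutes_per_year(availability):
    return (1.0 - availability) * MINUTES_PER_YEAR

def review(functions, target=TARGET):
    """Flag system functions that miss the target or depend on one device or person."""
    findings = []
    for fn in functions:
        if cluster_availability(fn.node_availability) < target:
            findings.append((fn.name, "availability below target"))
        if len(fn.node_availability) < 2:
            findings.append((fn.name, "hardware single point of failure"))
        if len(set(fn.admins)) < 2:
            findings.append((fn.name, "personnel single point of failure"))
    return findings

# Constructed sample inventory; names and availability figures are illustrative.
INVENTORY = [
    SystemFunction("core-banking-db", [0.999, 0.999], ["dba1", "dba2"]),
    SystemFunction("email", [0.999], ["mailadmin"]),
    SystemFunction("file-server", [0.99, 0.99], ["sysadmin1", "sysadmin2"]),
]
```

Calling `review(INVENTORY)` returns the findings as (function, issue) pairs; real clusters share power, network, and software, so the independence assumption gives an upper bound on availability.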
Threats, Vulnerabilities, and Exploits Identification
Previously, the threats, vulnerabilities, and exploits (TVE) were introduced and defined. With this information,
the TVE needs to be identified and analyzed throughout the seven domains of the information technology (IT)
infrastructure.
The threat assessment is to identify as many potential threats to the infrastructure as possible (Gibson, 2015).
The assessment aligns with the confidentiality, integrity, and availability or the CIA triad to identify the threats.
Risks can be calculated by the following formula: risk = vulnerability x threat (Gibson, 2015). The figure below
represents the diverse threats to the organization.
Figure 4.2: Typical Organizational Threats (Modified)
External and internal attacks are intrusions by people into the organizational network, through either
unintentional or intentional penetration attacks. One might think the external attacks are numerous; however,
a large number of attacks are unintentional and come from employees within the organization. Below are a few
examples of unintentional attacks by employees:
• misconfigured devices allowing unauthorized entry,
• weak passwords,
• disgruntled employees,
• employees who are terminated from organization and still have access to computer systems, and
• not enforcing privilege escalation regarding need to know versus least privilege access (Gibson,
2015).
These are just a few of many reasons why there are attacks within the organizations’ IT infrastructure. The
external attackers are those hackers who seek to gain access into the organization’s devices for several
reasons such as profit, ego, manipulation/destruction, or just for fun!
As mentioned previously, two methods can be used for the threat assessment: historical data or
modeling (Gibson, 2015). The image below briefly articulates the difference between
the two methods.
Figure 4.3: Historical Data versus Threat Modeling Method
(Gibson, 2015)
Vulnerabilities look into the weaknesses of different assets within the IT infrastructure. Identification of these
vulnerabilities is an integral part of vulnerability assessment (Gibson, 2015). IT devices and personnel are
plagued by vulnerabilities. For example, servers can easily be subjected to buffer overflows, and personnel
to social engineering. There are, however, regulations and compliance acts that help keep these
weaknesses in check. The Health Insurance Portability and Accountability Act (HIPAA) provides compliance
requirements that must be met to protect and distribute patient information. There are two methods that can
be used for vulnerability assessments. The first is the internal assessment in which security personnel will try
to exploit vulnerabilities within the organization and then report the results of what was found in vulnerable
assets. The external assessment is the second method, and traditionally, this method of assessment is
conducted by outside personnel who are not part of the organization (Gibson, 2015). The advantage of an
external assessment is it eliminates personal bias; however, the disadvantage is there is no real-time
reporting as the outside parties must first gather the information and format that information into a report,
which could take time to process for review.
Exploit assessments are conducted on the seven domains to determine where exploited vulnerabilities will
occur (Gibson, 2015). Although historical data and modeling can provide information on known exploits, they
cannot examine areas that have never been exploited. In other words, the security team must
conduct a simulated attack by exploiting the weaknesses in the seven domains. The findings from the exploit
assessment will provide the following information:
• exploit identification findings,
• how to mitigate exploits using gap analysis and remediation plan,
• updating the mitigated configuration for change management,
• mitigation of the validated and verified exploit(s), and
• exploit assessment best practices (Gibson, 2015).
Controls
The safeguarding of controls was covered in Unit III and is represented in Figure 4.4 below for illustration
purposes.
Figure 4.4: Safeguard Controls
(Gibson, 2015)
The controls above are important because the in-place controls identify what is already protecting
operational assets. The planned controls are those assets that are physically on hand but not yet
implemented, as determined by management (Gibson, 2015). The control categories are guided by
security initiatives, such as those of the National Institute of Standards and Technology (NIST), that provide
controls that need to be implemented in operational systems (Gibson, 2015). These security initiatives are
covered in the Unit II lesson.
The procedural controls are the administrative controls that are administered by personnel, such as
supervisors and managers, who develop the security policies and plans. Administrators that fall in the role as
system, database, firewall, and email administrators are responsible for the technical controls of the assets
within the organization (Gibson, 2015). These controls also include software such as the use of encryption
and/or public key infrastructure (PKI), and the physical controls, which include hardware such as locks, gates,
closed-circuit TV, and fire suppression equipment, or biological, such as security guards and guard dogs
(Gibson, 2015).
Scanning Applications
There are several types of scanners that can be used to identify vulnerabilities; two will be mentioned here:
the Nessus and Zenmap applications. Nessus is a security vulnerability assessment scanner,
while Zenmap is a graphical user interface for the Nmap Security Scanner. Both of these scanners are
easy to use and will help identify the vulnerabilities of organizational assets.
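Scanner output becomes useful once it is compared against the asset inventory. The following added example, which is not part of the unit or the textbook, reads results in the XML format that Nmap writes with its `-oX` option and reports hosts and open ports the inventory does not approve. The sample scan, the addresses (from the documentation range 192.0.2.0/24), and the approved-port list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Nmap XML output, trimmed to the elements used.
SCAN_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/></port>
  <port protocol="tcp" portid="23"><state state="open"/></port>
  <port protocol="tcp" portid="443"><state state="open"/></port>
  <port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports></host>
<host><address addr="192.0.2.99" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3389"><state state="open"/></port>
</ports></host>
</nmaprun>"""

# Hypothetical asset inventory: approved (protocol, port) pairs per address.
APPROVED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.20": {("tcp", 25)},
}

def open_ports(xml_text):
    """Return {ipv4 address: set of open (protocol, port)} from scan XML.
    Parse only your own scanner's files; this parser is not hardened."""
    observed = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        observed[addr.get("addr")] = ports
    return observed

def compare(observed, approved):
    """List differences between what the scan saw and what the inventory allows."""
    findings = []
    for ip in sorted(observed):
        if ip not in approved:
            findings.append((ip, "host not in asset inventory"))
            continue
        for proto, number in sorted(observed[ip] - approved[ip]):
            findings.append((ip, f"unapproved open port {number}/{proto}"))
    for ip in sorted(set(approved) - set(observed)):
        findings.append((ip, "inventoried asset not seen in scan"))
    return findings
```

`compare(open_ports(SCAN_XML), APPROVED)` returns one finding per discrepancy, which can feed the gap analysis and remediation plan described earlier.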
Summary
Before determining which threats, vulnerabilities, and exploits a typical IT infrastructure must be protected
against, the assets must be identified. Remember, assets are not just the hardware and software but people as
well. Once the identification process has been completed, security controls must be put into place for those
assets already approved for immediate operational use, and approved controls are set to be implemented. The
initiatives to use for the risk management assessment will be determined by the business strategy that has
been deployed by the organization. For instance, a medical facility would use HIPAA, or a financial institution
would consider the Gramm-Leach-Bliley Act. The organization should use all the safeguards
mentioned here to ensure all risks have been identified and can be mitigated in a timely manner.
Reference
Gibson, D. (2015). Managing risk in information systems (2nd ed.). Jones and Bartlett Learning.
https://online.vitalsource.com/#/books/9781284107753
In order to access the following resources, click the links below.
The following presentations will summarize and reinforce the information from Chapters 7, 8, and 9 in
your textbook.
Chapter 7 PowerPoint Presentation
PDF Version of Chapter 7 PowerPoint Presentation
Chapter 8 PowerPoint Presentation
PDF Version of Chapter 8 PowerPoint Presentation
Chapter 9 PowerPoint Presentation
PDF Version of Chapter 9 PowerPoint Presentation
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit
them. If you have questions, contact your instructor for further guidance and information.
The following learning activities provide additional information that will assist you with the mastery of the
learning objectives for this unit.
Go to the CSU Online Library, and use the Discovery Search feature.
Utilize the Discovery Search feature in the CSU Online Library, and type in the following phrases: “security
controls, network vulnerabilities, business continuity planning, disaster recovery planning, NIST.” Select and
read two articles. Use the criteria of peer-reviewed article (scholarly) and less than 5 years old. Here is a link
straight to the CSU Online Library Discovery Search.
The internet can provide you with a wealth of information concerning the topics in this unit. For example, the
following video is from CSU Films on Demand database and provides additional information about Internet
security.
Cambridge Educational (Producer). (2008). Problems with internet security (Segment 1 of 6) [Video]. In
CyberSecurity. Films on Demand.
https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=38815&loid=50327
The transcript for this video can be found by clicking the “Transcript” tab to the right of the video in the Films
on Demand database.
Check Your Knowledge
These questions will help you assess whether or not you have mastered the unit content. Can you answer
them without looking in the textbook?
• Answer the Chapter 7 Assessment questions at the end of Chapter 7 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 7 Answer Key.
• Answer the Chapter 8 Assessment questions at the end of Chapter 8 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 8 Answer Key.
• Answer the Chapter 9 Assessment questions at the end of Chapter 9 in your textbook. After you have
answered the questions, you can find out how well you did by viewing the Chapter 9 Answer Key.
Word Search
Some of this unit’s key terms and phrases (written as one word) have been hidden in the word search puzzle.
Access the Unit IV Word Search puzzle, and see if you can find them.