Information Security Office

SAMPLE Risk Assessment and Compliance Report
Restricted Information (RI)

Submitted to: SAMPLE CISO, CIO, CTO
Submitted: SAMPLE DATE
Prepared by: SAMPLE

Appendices attached:
Appendix B: Appendix B Tenable Server Vulnerability Report.pdf
Appendix C: Appendix C Acunetix Web App Vulnerability Report.pdf
Appendix D: Appendix D - Safeguard Implementation Plan Table.xlsx

This sample UCF Risk Assessment and Compliance Report is the sole property of the University of Central Florida. Copyright 2010 The University of Central Florida.

Table of Contents
SAMPLE Risk Assessment and Compliance Report ... 1
Executive Summary ... 4
Introduction ... 4
Purpose ... 4
Scope ... 4
Risk Assessment Approach ... 4
Assessment Kickoff and Information Gathering ... 4
Overview ... 4
Risk Assessment Information Gathering ... 4
System Characterization ... 4
Overview ... 4
System Description ... 4
Functional Description ... 4
System Environment ... 4
System Users ... 5
System Dependencies ... 5
Information Sensitivity ... 5
Protection Requirement Findings ... 5
Vulnerability Assessment Results ... 5
Overview ... 5
Description of the Server Vulnerability Results ... 5
Server Name/IP: Server1 / 10.10.10.10 ... 6
Server Name/IP: Server2 / 10.10.10.20 ... 6
Description of the Compliance Results Data ... 7
Server Name/IP: Server1 / 10.10.10.10 ... 7
Description of the Web Application Code Alerts / Vulnerabilities ... 8
Risk Analysis, Results, and Safeguard Recommendations ... 9
Overview ... 9
Identified Threat Vectors ... 9
Risk Results Legend ... 9
Overview ... 9
Determining the Weighted Cumulative Risk Scores ... 9
Safeguard Recommendations ... 9
Risk Assessment Results and Safeguard Recommendations ... 9
Risk Results ... 10
Safeguard Implementation Plan/Results Documentation ... 10
Appendix A: Definitions ... 10
Appendix B: Full report of Server Vulnerabilities and Compliance Checks ... 10
Appendix C: Full report of Web Application Code Alerts / Vulnerabilities ... 10
Appendix D: Sample Safeguard Implementation Plan Summary Table ... 10

Risk Assessment Compliance Report Restricted Information (RI). Page 2

Executive Summary

Introduction

Purpose

Scope

Risk Assessment Approach
The ISO conducts risk assessments using the approach outlined in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment recommends appropriate security safeguards, permitting colleges and/or departments and DSCs to make knowledgeable decisions on security-related initiatives. The methodology addresses the following types of controls:
- Management Controls
- Operational Controls
- Technical Controls

Assessment Kickoff and Information Gathering
Overview
This step initiates the risk assessment. The ISO solicits and collects information through questionnaires, meetings, and other information-gathering means.
Risk Assessment Information Gathering

System Characterization
Overview
The intent of this step is to define the boundaries of the IT system.
System Description
This section lists the operation dates and the staff involved.
Functional Description
The functional description lists the purpose of the system, the software it runs, dependencies, interfaces, server names, etc.
System Environment
The System Environment section describes physical locations, hardware requirements, network requirements, databases, storage, etc.

System Users
System Users lists the primary users of the system.
System Dependencies
This section explains the infrastructure the systems rely on to function.
Information Sensitivity
Finally, the last section under System Characterization lists the types of data stored on the system and assigns each a sensitivity value, so that the resulting protection requirements can be factored into the impact scores.

System Information Types
Information Type   Confidentiality     Integrity           Availability        Overall Rating
(sample)           Low/Moderate/High   Low/Moderate/High   Low/Moderate/High

Protection Requirement Findings
Confidentiality:
Integrity:
Availability:

Vulnerability Assessment Results
Overview
The report bases its vulnerability results on several types of network scanning techniques capable of searching for network- and code-level vulnerabilities. The tools provide high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of a college's and/or department's security posture. The descriptions below further detail each section of the results.

Description of the Server Vulnerability Results
The scan assesses each server for vulnerabilities based on NIST and vendor best practices as well as Tenable plugins. The vulnerability results provide a Common Vulnerability Scoring System (CVSS) score to aid in prioritizing the remediation steps and, in most cases, a link to patches, settings, and other remediation information. The report compiles the compliance checks and vulnerability results into a separate table for each server. Vulnerability scanning uncovered 3 High and 2 Moderate level vulnerabilities on the sample servers.

Server Name/IP: Server1 / 10.10.10.10
Scan Time
  Start time : Wed Sep 08 09:42:07 2010
  End time   : Wed Sep 08 10:00:26 2010
Number of vulnerabilities
  Open ports : 1
  High       : 2
  Medium     : 2
  Low        : 0
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server1

Server Name/IP: Server2 / 10.10.10.20
Scan Time
  Start time : Wed Sep 08 10:12:46 2010
  End time   : Wed Sep 08 10:23:30 2010
Number of vulnerabilities
  Open ports : 2
  High       : 1
  Medium     : 0
  Low        : 0
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server2

Description of the Compliance Results Data
The scan assesses each server individually against compliance checks based on NIST and vendor best practices as well as Tenable plugins. The scan returns the policy settings and the remote server's actual settings for the systems administrator to compare and resolve. The results include a compliance chart that indicates the percentage of checks a particular server passes.

Server Name/IP: Server1 / 10.10.10.10
Scan Time
  Start time : Wed Sep 08 09:42:07 2010
  End time   : Wed Sep 08 10:00:26 2010
Number of vulnerabilities
  Open ports : 1
  High       : 48
  Medium     : 19
  Passed     : 87
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server1
System Compliance
  High   : 31%
  Medium : 12%
  Passed : 57%
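The per-server vulnerability summaries and the compliance chart above are the raw material for a remediation worklist. The following Python is an added example, not code from the report, from Tenable or from UCF: it parses a flat "key : value" summary text (constructed here to mirror the report's blocks), rolls the counts up into the report's headline figures, computes the compliance shares so that they add up to 100 (an assumed largest-remainder rounding that reproduces the sample's 31% / 12% / 57%), and orders constructed findings by CVSS using NVD's CVSS v2 bands, which the report's High/Medium/Low labels suggest but do not state.

```python
"""Added example, not from the UCF report: turning per-server scan summaries
of the kind shown above into a remediation worklist.

Assumptions the report does not state:
  * the summary layout below is constructed to mirror the report's
    "Scan Time / Number of vulnerabilities / Remote host information" blocks;
  * CVSS v2 severity bands follow NVD (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0);
  * the compliance percentages are each status's share of all checks
    (High + Medium + Passed), rounded so they add up to 100, which reproduces
    the sample's 31% / 12% / 57%.
"""
import re

# Constructed sample text in the layout the report uses (values from the sample).
SERVER_SUMMARIES = """\
Server Name/IP: Server1 / 10.10.10.10
Start time : Wed Sep 08 09:42:07 2010
End time : Wed Sep 08 10:00:26 2010
Open ports : 1
High : 2
Medium : 2
Low : 0
DNS name : Server1

Server Name/IP: Server2 / 10.10.10.20
Start time : Wed Sep 08 10:12:46 2010
End time : Wed Sep 08 10:23:30 2010
Open ports : 2
High : 1
Medium : 0
Low : 0
DNS name : Server2
"""

# Constructed findings; titles are placeholders, not findings from the report.
SAMPLE_FINDINGS = [
    {"server": "Server1", "title": "[constructed] missing vendor patch", "cvss": 9.3},
    {"server": "Server1", "title": "[constructed] weak TLS configuration", "cvss": 4.3},
    {"server": "Server2", "title": "[constructed] outdated service version", "cvss": 7.5},
    {"server": "Server1", "title": "[constructed] verbose error page", "cvss": 2.6},
]


def parse_summaries(text):
    """Split the flat 'key : value' summary text into one dict per server."""
    servers = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("Server Name/IP:"):
                name, ip = line.split(":", 1)[1].split("/")
                rec["name"], rec["ip"] = name.strip(), ip.strip()
            elif " : " in line:
                key, val = line.split(" : ", 1)
                rec[key.strip().lower().replace(" ", "_")] = val.strip()
        for k in ("open_ports", "high", "medium", "low"):
            rec[k] = int(rec.get(k, 0))  # counts default to 0 when absent
        servers.append(rec)
    return servers


def total_by_severity(servers):
    """Roll the per-server counts up into the report's headline figures."""
    return {
        "High": sum(s["high"] for s in servers),
        "Medium": sum(s["medium"] for s in servers),
        "Low": sum(s["low"] for s in servers),
    }


def compliance_shares(high, medium, passed):
    """Each status as a whole-number share of all checks, summing to 100.

    Uses largest-remainder rounding (an assumption) so the chart adds up."""
    counts = {"High": high, "Medium": medium, "Passed": passed}
    total = sum(counts.values())
    if total == 0:
        return {k: 0 for k in counts}
    exact = {k: 100.0 * v / total for k, v in counts.items()}
    shares = {k: int(exact[k]) for k in counts}  # floor each share first
    leftover = 100 - sum(shares.values())
    by_remainder = sorted(counts, key=lambda k: exact[k] - shares[k], reverse=True)
    for k in by_remainder[:leftover]:  # hand the missing points to the largest remainders
        shares[k] += 1
    return shares


def cvss_severity(score):
    """NVD CVSS v2 bands, as the report's High/Medium/Low labels suggest."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def remediation_order(findings):
    """Highest CVSS first; ties broken by server and title so the order is stable."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["server"], f["title"]))


if __name__ == "__main__":
    servers = parse_summaries(SERVER_SUMMARIES)
    print("headline:", total_by_severity(servers))
    print("Server1 compliance:", compliance_shares(48, 19, 87))
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"{cvss_severity(f['cvss']):6} {f['cvss']:4} {f['server']:8} {f['title']}")
```

Run stand-alone it prints the 3 High / 2 Medium headline the report states, Server1's 31/12/57 compliance chart, and the constructed findings in descending CVSS order; the rounding rule matters because naive rounding of 87/154 gives 56%, not the 57% shown in the chart.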

Description of the Web Application Code Alerts / Vulnerabilities
The scan assesses the website for vulnerabilities based on OWASP best practices, the Google Hacking Database, and other vendor best practices. The vulnerability results provide three ratings (High, Medium, and Low) to aid in prioritizing the remediation steps and, in most cases, a link to patches, settings, and other remediation information.

Scan details for https://sampleinsecurelogin.aspx

Scan information
  Start time  : 9/7/2010 9:39:00 AM
  Finish time : 9/7/2010 10:34:53 AM
  Scan time   : 55 minutes, 53 seconds
  Profile     : Default
Server information
  Responsive          : True
  Server banner       :
  Server OS           :
  Server technologies : ASP.NET
Threat level
  Acunetix Threat Level 3: One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface a website.
Alerts distribution
  Total alerts found : 70
  High          : 1
  Medium        : 3
  Low           : 2
  Informational : 64

Executive summary
Alert group                               Severity        Alert count
SSL 2.0 deprecated protocol               High            1
ASP.NET application trace enabled         Medium          1
TLS1/SSLv3 Renegotiation Vulnerability    Medium          1
Login page password-guessing attack       Low             1
Possible sensitive directories            Low             1
Broken links                              Informational   6

Risk Analysis, Results, and Safeguard Recommendations
Overview
Risk analysis is the process of establishing a method to rate the severity, impact, and likelihood of an exploitable risk.
Identified Threat Vectors
The NIST risk-scoring model pairs each risk with the appropriate threats. Each threat receives a risk score based on its likelihood and impact ratings.
Risk Results Legend
Overview
The risk results legend briefly explains how to interpret the risk results (likelihood, impact, weighted cumulative risk scores, and safeguards).
Determining the Weighted Cumulative Risk Scores
The risk formula calculates each threat vector's individual score, weights each score, and combines the weighted scores into an assigned risk value and an overall risk severity rating. Possible risk scores range from 1 to 101.08.

Risk Score Range Table
Risk Scores   Risk Score Range
Note          1-4.99
Low           5-24.99
Moderate      25-69.99
High          70-101.08

Safeguard Recommendations

Risk Assessment Results and Safeguard Recommendations
The top line of each risk contains the risk number, the location and/or question number where the risk was identified, and the risk description. Following the top line is a list of threat vectors capable of exploiting the risk, their likelihood and impact scores, and the overall risk rating. At the bottom of each risk is a list of recommended safeguards to mitigate or reduce the risk.

Risk Results:

Risk #1: Question D8 The system does not have a "hot" standby site to prevent downtime.

Threat Vectors                    Likelihood   Impact     Risk
Acts of nature                    Low          Moderate   Low
Hazardous conditions              Low          Low        Note
Dependency failures               Low          Moderate   Low
Errors and omissions              Moderate     Moderate   Moderate
Physical intrusion and/or theft   Low          High       Low

Overall Risk Severity (Low, Moderate, High): Moderate
Overall Risk Score (1~101.08): 25

Recommended Safeguard(s):
S1 Arrange a "Hot Site" recovery location where servers have the installed programs needed to bring the application online quickly.
S2 Develop, document, test, and practice a restore and recovery plan.

Safeguard Implementation Plan/Results Documentation

Appendix A: Definitions

Appendix B: Full report of Server Vulnerabilities and Compliance Checks
See attached file: Appendix B Tenable Server Vulnerability Report.pdf

Appendix C: Full report of Web Application Code Alerts / Vulnerabilities
See attached file: Appendix C Acunetix Web App Vulnerability Report.pdf

Appendix D: Sample Safeguard Implementation Plan Summary Table
See attached file: Appendix D - Safeguard Implementation Plan Table.xlsx
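The Risk Results Legend describes scoring each threat vector and then combining the vector scores, and Risk #1 shows the outcome for five vectors. The Python below is an added example, not the ISO's formula and not code from the report: it takes the rating bands and Risk #1's vectors from the report, but the per-vector score (the NIST SP 800-30 product of a likelihood value and an impact value) and the combining step (the highest vector score) are assumptions, chosen because together they reproduce every rating in the Risk #1 table and its overall 25 / Moderate.

```python
"""Added example, not from the UCF report: scoring one risk's threat vectors in
the way the Risk Results Legend describes, using Risk #1 as the input.

From the report: the rating bands (Note 1-4.99, Low 5-24.99, Moderate 25-69.99,
High 70-101.08) and Risk #1's five vectors with their likelihood, impact and
resulting ratings, plus its overall score of 25.
Assumptions: the per-vector score is the NIST SP 800-30 (2002) product of a
likelihood value (Low 0.1, Moderate 0.5, High 1.0) and an impact value
(Low 10, Moderate 50, High 100); the ISO's weighting and combining formula is
not published, so the overall score here is the highest vector score. That
reproduces the sample's 25 / Moderate but is not the report's own formula.
"""

LIKELIHOOD = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}   # NIST SP 800-30 values
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}         # NIST SP 800-30 values

# Lower bound of each band from the report's Risk Score Range table, highest first.
SCORE_BANDS = [(70.0, "High"), (25.0, "Moderate"), (5.0, "Low"), (1.0, "Note")]
MAX_SCORE = 101.08


def rate_score(score):
    """Map a numeric risk score onto the report's rating bands."""
    if not 1.0 <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the 1 to {MAX_SCORE} scale")
    for lower, rating in SCORE_BANDS:
        if score >= lower:
            return rating
    raise AssertionError("unreachable: every score >= 1.0 matches a band")


def score_vector(likelihood, impact):
    """Individual threat-vector score (assumption: NIST SP 800-30 product)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def assess_risk(vectors):
    """Score each (name, likelihood, impact) vector and derive the overall rating."""
    rows = []
    for name, likelihood, impact in vectors:
        score = score_vector(likelihood, impact)
        rows.append({"vector": name, "likelihood": likelihood, "impact": impact,
                     "score": score, "rating": rate_score(score)})
    # Assumption: the overall score is the worst vector (the report weights and
    # combines them with an unpublished formula).
    overall = max(row["score"] for row in rows)
    return {"vectors": rows, "overall_score": overall,
            "overall_severity": rate_score(overall)}


# Risk #1 from the sample report: no "hot" standby site (Question D8).
RISK_1 = [
    ("Acts of nature", "Low", "Moderate"),
    ("Hazardous conditions", "Low", "Low"),
    ("Dependency failures", "Low", "Moderate"),
    ("Errors and omissions", "Moderate", "Moderate"),
    ("Physical intrusion and/or theft", "Low", "High"),
]

if __name__ == "__main__":
    result = assess_risk(RISK_1)
    for row in result["vectors"]:
        print(f"{row['vector']:32} {row['likelihood']:9} {row['impact']:9} "
              f"{row['score']:6} {row['rating']}")
    print("Overall:", result["overall_score"], result["overall_severity"])
```

The point of the bands is visible in the output: a Low likelihood paired with a Low impact scores 1 and lands in the Note band below Low, exactly as the "Hazardous conditions" row of Risk #1 shows, while the single Moderate/Moderate vector alone is enough to put the whole risk at Moderate.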