Information Security Office

SAMPLE Risk Assessment and Compliance Report
Restricted Information (RI).

Submitted to: SAMPLE CISO, CIO, CTO
Submitted: SAMPLE DATE
Prepared by: SAMPLE

Appendices attached:
Appendix B: Appendix B Tenable Server Vulnerability Report.pdf
Appendix C: Appendix C Acunetix Web App Vulnerability Report.pdf
Appendix D: Appendix D - Safeguard Implementation Plan Table.xlsx

This sample UCF Risk Assessment and Compliance Report is the sole property of the University of Central Florida.
Copyright 2010 The University of Central Florida
Table of Contents

SAMPLE Risk Assessment and Compliance Report ... 1
Executive Summary ... 4
Introduction ... 4
Purpose ... 4
Scope ... 4
Risk Assessment Approach ... 4
Assessment Kickoff and Information Gathering ... 4
  Overview ... 4
  Risk Assessment Information Gathering ... 4
System Characterization ... 4
  Overview ... 4
  System Description ... 4
  Functional Description ... 4
  System Environment ... 4
  System Users ... 5
  System Dependencies ... 5
  Information Sensitivity ... 5
  Protection Requirement Findings ... 5
Vulnerability Assessment Results ... 5
  Overview ... 5
  Description of the Server Vulnerability Results ... 5
    Server Name/IP: Server1 / 10.10.10.10 ... 6
    Server Name/IP: Server2 / 10.10.10.20 ... 6
  Description of the Compliance Results Data ... 7
    Server Name/IP: Server1 / 10.10.10.10 ... 7
  Description of the Web Application Code Alerts / Vulnerabilities ... 8
Risk Analysis, Results, and Safeguard Recommendations ... 9
  Overview ... 9
  Identified Threat Vectors ... 9
  Risk Results Legend ... 9
    Overview ... 9
    Determining the Weighted Cumulative Risk Scores ... 9
    Safeguard Recommendations ... 9
  Risk Assessment Results and Safeguard Recommendations ... 9
  Risk Results ... 10
Safeguard Implementation Plan / Results Documentation ... 10
Appendix A: Definitions ... 10
Appendix B: Full report of Server Vulnerabilities and Compliance Checks ... 10
Appendix C: Full report of Web Application Code Alerts / Vulnerabilities ... 10
Appendix D: Sample Safeguard Implementation Plan Summary Table ... 10

Risk Assessment Compliance Report Restricted Information (RI). Page 2
Executive Summary

Introduction

Purpose

Scope

Risk Assessment Approach

The ISO conducts risk assessments using the approach outlined in the NIST SP 800-30 guidelines, Risk Management Guide for Information Technology Systems. The assessment recommends appropriate security safeguards, permitting colleges and/or departments and DSCs to make knowledgeable decisions on security-related initiatives. The methodology addresses the following types of controls:

Management Controls
Operational Controls
Technical Controls

Assessment Kickoff and Information Gathering

Overview

This step initiates the risk assessment. The ISO solicits and collects information through questionnaires, meetings, and other information-gathering means.

Risk Assessment Information Gathering

System Characterization

Overview

The intent of this step is to define the boundaries of the IT system.

System Description

This section lists the operation dates and staff involved.

Functional Description

The functional description lists the purpose of the system, the software it runs, dependencies, interfaces, server names, etc.

System Environment

The System Environment section describes physical locations, hardware requirements, network requirements, databases, storage, etc.
System Users

System Users lists the primary users of the system.

System Dependencies

This section explains the infrastructure the systems rely on to function.

Information Sensitivity

Finally, the last section under System Characterization lists and assigns sensitivity values to the types of data stored on the system, so that the resulting protection requirements can be factored into the impact scores.

System Information Types

Information Type   Confidentiality       Integrity             Availability          Overall Rating
                   Low/Moderate/High     Low/Moderate/High     Low/Moderate/High

Protection Requirement Findings

Confidentiality:
Integrity:
Availability:

Vulnerability Assessment Results

Overview

The report bases vulnerability results on several different types of network scanning techniques capable of searching for network- and code-level vulnerabilities. The tools feature high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of a college's and/or department's security posture. The descriptions below further detail each section of the results.

Description of the Server Vulnerability Results

The scan assesses each server for vulnerabilities based on NIST and vendor best practices as well as Tenable plugins. The scanned vulnerability results provide a Common Vulnerability Scoring System (CVSS) score to aid in prioritizing the remediation steps and, in most cases, a link to patches, settings, and other remediation information. The report compiles the compliance checks and vulnerability results into a separate table for each server.

Vulnerability scanning uncovered 3 High and 2 Moderate level vulnerabilities on the sample servers.
Server Name/IP: Server1 / 10.10.10.10

10.10.10.10
Scan Time
  Start time : Wed Sep 08 09:42:07 2010
  End time   : Wed Sep 08 10:00:26 2010
Number of vulnerabilities
  Open ports : 1
  High       : 2
  Medium     : 2
  Low        : 0
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server1

Server Name/IP: Server2 / 10.10.10.20

10.10.10.20
Scan Time
  Start time : Wed Sep 08 10:12:46 2010
  End time   : Wed Sep 08 10:23:30 2010
Number of vulnerabilities
  Open ports : 2
  High       : 1
  Medium     : 0
  Low        : 0
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server2
Description of the Compliance Results Data

The scan assesses each server individually for compliance checks based on NIST and vendor best practices as well as Tenable plugins. The scan returns the policy settings and the remote server's actual settings for the systems administrator to compare and resolve. The results provide a compliance chart that indicates the percentage of checks a particular server passes.

Server Name/IP: Server1 / 10.10.10.10

10.10.10.10
Scan Time
  Start time : Wed Sep 08 09:42:07 2010
  End time   : Wed Sep 08 10:00:26 2010
Number of vulnerabilities
  Open ports : 1
  High       : 48
  Medium     : 19
  Passed     : 87
Remote host information
  Operating System :
  NetBIOS name     :
  DNS name         : Server1

System Compliance
  High   : 31%
  Medium : 12%
  Passed : 57%
Description of the Web Application Code Alerts / Vulnerabilities

The scan assesses the website for vulnerabilities based on OWASP best practices, the Google Hacking Database, and other best practices from vendors. The scanned vulnerability results provide three ratings (High, Medium, and Low) to aid in prioritizing the remediation steps and, in most cases, a link to patches, settings, and other remediation information.

Scan details for https://sampleinsecurelogin.aspx

Scan information
  Start time  : 9/7/2010 9:39:00 AM
  Finish time : 9/7/2010 10:34:53 AM
  Scan time   : 55 minutes, 53 seconds
  Profile     : Default

Server information
  Responsive          : True
  Server banner       :
  Server OS           :
  Server technologies : ASP.NET

Threat level
  Acunetix Threat Level 3: One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface a website.

Alerts distribution
  Total alerts found : 70
  High               : 1
  Medium             : 3
  Low                : 2
  Informational      : 64

Executive summary

Alert group                                Severity        Alert count
SSL 2.0 deprecated protocol                High            1
ASP.NET application trace enabled          Medium          1
TLS1/SSLv3 Renegotiation Vulnerability     Medium          1
Login page password-guessing attack        Low             1
Possible sensitive directories             Low             1
Broken links                               Informational   6
Risk Analysis, Results, and Safeguard Recommendations

Overview

Risk analysis is the process of establishing a method to rate the severity, impact, and likelihood of an exploitable risk.

Identified Threat Vectors

The NIST risk-scoring model pairs the risks with appropriate threats. Each threat receives a risk score based on its likelihood and impact ratings.

Risk Results Legend

Overview

The risk results legend briefly explains how to interpret the risk results: likelihood, impact, weighted cumulative risk scores, and safeguards.

Determining the Weighted Cumulative Risk Scores

The risk formula calculates each threat vector's individual score, weights each score, and combines the scores, resulting in an assigned risk value and overall risk severity rating. Possible risk scores range from 1 to 101.08.

Risk Score Range Table

Risk Scores   Risk Score Range
Note          1-4.99
Low           5-24.99
Moderate      25-69.99
High          70-101.08

Safeguard Recommendations

Risk Assessment Results and Safeguard Recommendations

The top line of each risk contains the risk number, the location and/or question number where the risk was identified, and the risk description. Following the top line is a list of threat vectors capable of exploiting the risk, their likelihood and impact scores, and the overall risk rating. Included at the bottom of each risk is a list of recommended safeguards to mitigate or reduce the risk.
Risk Results:

Risk #1: Question D8
The system does not have a "hot" standby site to prevent downtime.

Threat Vectors                    Likelihood   Impact     Risk
Acts of nature                    Low          Moderate   Low
Hazardous conditions              Low          Low        Note
Dependency failures               Low          Moderate   Low
Errors and omissions              Moderate     Moderate   Moderate
Physical intrusion and/or theft   Low          High       Low

Overall Risk Severity (Low, Moderate, High): Moderate
Overall Risk Score (1~101.08): 25

Recommended Safeguard(s):
S1  Arrange a "Hot Site" recovery location where servers have the installed programs needed to bring the application online quickly.
S2  Develop, document, test, and practice a restore and recovery plan.

Safeguard Implementation Plan / Results Documentation

Appendix A: Definitions

Appendix B: Full report of Server Vulnerabilities and Compliance Checks
See attached file: Appendix B Tenable Server Vulnerability Report.pdf

Appendix C: Full report of Web Application Code Alerts / Vulnerabilities
See attached file: Appendix C Acunetix Web App Vulnerability Report.pdf

Appendix D: Sample Safeguard Implementation Plan Summary Table
See attached file: Appendix D - Safeguard Implementation Plan Table.xlsx