Thursday, June 6, 2019
RISK ASSESSMENT on the Department of the Army IT Systems Essay Example for Free
1. Introduction

1.1 Purpose

This risk assessment was to identify threats and vulnerabilities related to the Department of the Army (DoA) Information Technology (IT) systems. It will be utilized to identify vulnerabilities in the Computer Network Defense (CND) capabilities and mitigation plans related to the DoA's IT systems. It was realized that this was an authority high-risk system, as noted by the Department of Defense (DoD) Chief Information Officer (CIO) (DoD, 2012).

1.2 Scope

This risk assessment applies to all DoA Non-secured Internet Protocol Router Network (NIPRNET) and Secured Internet Protocol Router Network (SIPRNET) for Regular Army and Reserve Components. This is a major system that is used by millions of Soldiers, contractors and DA civilians worldwide. The DoA's IT system is comprised of the Army Global Network Operations and Security Center (A-GNOSC), which is responsible for the Army's day-to-day Tier 2 CND Service Provider. The inquiry methods will present both quantitative and qualitative data which will identify hazards and vulnerabilities, to include International-Transnational Terrorism and Domestic Terrorism, and present an assessment of the strength risks from them. Data will be collected mainly from DoD's and DA's websites.

SYSTEM CHARACTERIZATION

The DoD uses DODI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), as the process for implementing Certification and Accreditation (C&A) within its information systems. The Information Assurance (IA) Controls, or security measures that must be implemented on a system, are stated in DODI 8500.2, Information Assurance (IA) Implementation. The control selection relies on the Mission Assurance Categories (MAC) and Confidentiality Levels (CL).

Information Systems (IS) will be allotted a MAC level, which shows the importance of the information and is used to determine the IA controls for integrity and availability under DODI 8500.2. The level will be decided by the DoD or Army by the DIACAP team (Information Assurance, 2009).

MISSION ASSURANCE CATEGORY

MAC I: High integrity, high availability for DoD ISs handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequence of loss of integrity or availability is unacceptable and could include the immediate and sustained loss of mission effectiveness.

MAC II: High integrity, medium availability for DoD ISs handling information that is important to the support of deployed and contingency forces. The consequence of loss of integrity is unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time.

MAC III: Basic integrity, basic availability for DoD ISs handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness.

CONFIDENTIALITY LEVEL

All ISs will be assigned a confidentiality level based on the classification or sensitivity of the information processed. The confidentiality level is used to establish acceptable access factors and to determine the DODI 8500.2 IA Controls applicable to the information system. DoD has defined the following three confidentiality levels:

1. Classified: Information designated top secret, secret or confidential in accordance with Executive Order 12356.
2. Sensitive: Information the loss of which, or unauthorized access to or modification of which, could adversely affect the national interest or conduct of Federal programs, or Privacy Act information. Includes, but is not limited to, For Official Use Only (FOUO), Privacy data, nonsensitive controlled nuclear information, and unclassified technical data.
3. Public: Information that has been reviewed and approved for public release.

Note. Mission Assurance Categories table is taken from Information Assurance (2009).

Applications (not an inclusive list)

- Anti-Spyware General V4R1, 3 Dec 09
- Application Services V1R1, 17 Jan 06
- Application Security Development V3R1, 10 May 10
- CITRIX Xen App, V1R1, 23 Jul 09
- ESX Server V1R1, 22 Apr 08
- Database V8R1, 19 Sep 07
- Desktop Applications General V4R1, 3 Dec 09
- Directory Services V1R1, 24 Aug 07
- ERP V1R1, 7 Dec 06
- ESM V1R1, 5 Jun 06
- HBSS STIG V2R5, 22 Feb 10
- IM V1R2, 15 Feb 08
- InTFOT-V1R1, 2 Oct 09
- ISA Server 2006 OWA STIG, V1R1, 5 Feb 10
- McAfee Antivirus V4R1, 3 Dec 09
- Microsoft Exchange 2003 V1R1, 6 Aug 09
- Microsoft IE6 V4R1, 3 Dec 09
- Microsoft IE7 V4R1, 3 Dec 09
- Microsoft IE8 V1R1, 26 Apr 10
- Microsoft Office 2003 V4R1, 3 Dec 09
- Microsoft Office 2007 V4R1, 3 Dec 09
- Mozilla Firefox V4R1, 3 Dec 09
- Symantec Antivirus V4R1, 3 Dec 09
- SunRay4 Thin Client V1R1, 26 Mar 09
- VTC STIG V1R1, 08 Jan 08
- Web Server V6R1, 11 Dec 06

(DISA STIG, 2012)

THREAT IDENTIFICATION

Data from the DoD shows a 20% rise in attacks against its information systems, from 43,880 to 54,640, between 2007 and 2008. Each of these penetrations involves a series of actions that do not differ substantially whether the intruder is acting on behalf of a terrorist group, a foreign government, a corporation, or is acting as an individual. The severe intrusions into cyber systems involve penetrating system security, navigating and mapping the cyber system, targeting the nodes that control the system and contain the most critical data, and often, extracting the data (Wortzel, 2009).

In February 2011, the Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach DOD computer networks and that one was successful in breaching networks containing classified information. Also, the President of the United States has identified this threat as one of the most serious national security challenges facing the nation (D'Agostino, 2011, p. 1).

VULNERABILITY IDENTIFICATION

| Threat Capability | Security Test Results | Audit Comments | Severity |
|---|---|---|---|
| SW Baseline | No SW baseline | The DA does not have a documented software inventory. | A failure of this control does not lead to an immediate risk. |
| IA Impact Assessment | Configuration Management Plan (CMP) is not complete | The certification team determined, through document review, that DA does not have formal procedures for IA impact assessment. | Failure to assess changes for IA impact could lead to changes being made to the environment that unknowingly introduce vulnerabilities, increasing the risk of compromise. |
| Ports, Protocols, and Services | Open ports, protocols and services (PPS) | The certification team determined, through interviews and device configuration reviews, that DA does not perform regular review of their open PPS. | Unnecessary open PPS increase the risk of systems being compromised. |

CONTROL ANALYSIS

Incident Handling, IA Training and Certification, Information Assurance Vulnerability Management (IAVM), IA Program Management, Public Key Infrastructure (PKI), Certification and Accreditation, Federal Information Security Management Act (FISMA), Wireless Security, Army Web Site Content Management, Personally Identifiable Information (PII), Portable Electronic Devices (PED), Minimal Information Assurance Technical Requirements, Classified Systems Management, and Physical Security and Environmental Controls (Information Assurance, 2009).

LIKELIHOOD DETERMINATION

| Threats | Terrorist (mail bomb) | Denial of Service | Unauthorized Access |
|---|---|---|---|
| 1. Vulnerability | Uncontrolled access | Upgrading firmware online | Unattended computer while logged on |
| 2. Mitigation | Controlled access, e.g. common access card, buzzer | Upgrade from trusted source only | Log off computer before leaving area |
| 3. Threat Probability | 6 | 1 | 5 |

Threat Probability: highest number equals highest probability.

Note. Threat Matrix is taken from DA Anti-Terrorism Plan (2012) (CH 5 DoD O 2000.12H).

IMPACT ANALYSIS

Criticality Assessment Matrix

| Asset | Importance | Effect | Recoverability | Mission Functionality | Total |
|---|---|---|---|---|---|
| Servers | 10 | 9 | 7 | 8 | 34 |
| Routers | 8 | 7 | 5 | 6 | 26 |

Highest score = most critical; lowest score = least critical.

RISK DETERMINATION

| Value | Numeric Rating |
|---|---|
| Major Deficiency | 9-10 |
| Significant Deficiency | 7-8 |
| Moderate Deficiency | 5-6 |
| Minor Deficiency | 3-4 |
| Negligible Deficiency | 1-2 |

CONTROL RECOMMENDATIONS

Move the IA Program out of Technical lanes and into control lanes; clearly define functions for a Command IA Program; define the Concept for the Command IA Team (technical and non-technical); develop a reporting methodology for the Command IA Program; develop and provide a Command IA Training Program; develop a Command IA Program Management Course (CIAPMC); develop a Risk Management Model for Information Protection (IP) IA/CND; establish Acceptable Risk Criteria for the Command IA Program; and transform the Army's IA Policy Formulation Process (DAIG IA, 2009).

SUMMARY

| Risk Vulnerability/Threat | Risk Level | Recommended Controls | Action Priority |
|---|---|---|---|
| Hardware baseline inventory is incomplete. This could lead to the introduction of unauthorized into the network and also makes it difficult to maintain an effective life cycle management. | Low | Complete current hardware baseline and continue to identify and document future assets. | Low |
| Configuration management is not complete and this could lead to changes being made to the environment that unknowingly introduce vulnerabilities. This should be assessed by an IA team before introduced to the network. | Low | Finalize the configuration management process and implement a plan to assess IA impact of change to the system. | Low |
| Open ports, protocols and services. Changes made to the open PPS will lead to exploits and/or data compromise. | Medium | Ensure that the change management process relating to PPS is developed and enforced. | Medium |

REFERENCES

Bendel, B. (2006). An Introduction to Department of Defense IA Certification and Accreditation Process (DIACAP). Retrieved from http://www.xlr8technologies.com/CMS/admin/Assets/lunarline/pdfs/lunarline_diacap_process1.pdf

D'Agostino, D. (2011). Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities. Retrieved from http://www.gao.gov/new.items/d11421.pdf

DoD CIO. (2012). Department of Defense Instruction, Number 8582.01. Security of Unclassified DoD Information on Non-DoD Information Systems. Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/858201p.pdf

Hudson, J. (2009). Department of the Army Information Security Program. Retrieved from http://www.apd.army.mil/pdffiles/r380_5.pdf

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Information Assurance. (2009). Retrieved from www.apd.army.mil/pdffiles/r25_2.pdf

DIACAP (n.d.). DoD 8500. Retrieved from http://www.securestate.com/Federal/Certification%20and%20 %20Accreditation/Pages/DIACAP-D0D8500.aspx

DISA STIG. (2012). Retrieved from http://iase.disa.mil/stigs/a-z.html

DoD Anti-Terrorism Program. (2012). Retrieved from http://www.dtic.mil/whs/directives/corres/pdf/200012p.pdf

Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. Retrieved from http://www.history.navy.mil/library/online/computerattack.htm

Wortzel, L. (2009). Preventing Terrorist Attacks, Countering Cyber Intrusions, and Protecting Privacy in Cyberspace. Retrieved from