Assignment No. 2 Security Risk Analysis
The purpose of this exercise is to have you think and work in terms of system security risks to the enterprise, and thereby to introduce you to the need for security policies.
Ajax Inc. hand-delivers legal documents on behalf of clients and keeps detailed records of the delivery process for them. You have been tasked to manage the security of mobile devices and a mobile device information tracking system reached through http://AjaxDelivery.org (let’s say). The mobile devices are carried by employees and are location-aware. Thus, for example, a manager knows where all of his people and all of his packages are at all times.
Selected data are retained and much of it is confidential. Consider locations themselves to be sensitive data: for example, client A may not want it known that they are communicating with company B. The system enables authorized clients and authorized company personnel to access particular records created during the preceding three years. For example, by logging on to http://AjaxDelivery.org and looking up John Doe’s mobile device information, an authorized user can conveniently view Doe’s movements in the Southern Illinois region during a designated time period.
Restrict your response to a maximum of five pages of 12-point type and use the following sections. You may include appendices for reference. These will be read on an as-needed basis only and are excluded from page limits.
If you make assumptions that are not mentioned in this problem statement, please tell us what they are.
2.1. Identification and Description
Identify and describe what you consider to be the most important organizational security risk and the most important technical security risk that threaten the security of this system. These risks should be …
• concrete
• realistic
• specific to this application, and
• not solvable on just a single occasion or by using a remedial application alone (such as an anti-virus application)
Divide your response to this in two parts as follows.
2.1.1: Description of the Organizational Risk
2.1.2: Description of the Technical risk
2.2. Management
Explain how you would manage each of the two risks described in Part 2.1 and describe the residual risk (i.e., the risk that remains after you have carried out the actions and measures described).
Divide your response to this in two parts as follows.
2.2.1: Management of the Organizational Risk
2.2.2: Management of the Technical risk
Be as concrete as you can and express the content largely in your own words. As always, all work must conform to the academic conduct instructions referenced in the syllabus.
HINTS:
• As usual, keep in mind the criteria for all homework. Use them to self-evaluate your own work, and improve it accordingly, before handing it in.
• Be careful to distinguish between organizational and technical risks. The notes cover this but here is a brief example. Organizational: backup procedures in terms of who does what and when …; Technical: A program that scans file names and reports anomalies …. If in doubt, this is a good topic to discuss with your facilitator.
• Write in terms of the particular business in question here; avoid writing generically because the latter is not usually clear or original
• Use this week’s lecture notes referencing risk
• Greene, page 353, discusses risk assessment and business impact analysis. You may want to tailor some of this to the particular risks that you identify.
• Erbschloe discusses risk assessment data of several types on page 52. His checklist approach will give you ideas about where risks could exist in this system. Note, however, that the risks you are required to describe are system- not physical risks, which Erbschloe includes. He shows reporting forms on pp72-73.
• Peltier discusses specific measures for risk management on page 250. These should give you ideas. Notice that the procedures are concrete. Tailor yours to the problem described where possible.
• The CIA, DREAD and STRIDE checklists and methodologies may help you to identify risks.
• Consider security issues that expose the organization to violations of regulations. Could this be applicable here?
• As with all homework, the page limits are provided as an outside limit: don’t artificially force your response to fit the maximum number of pages. There may be many excellent responses that require fewer pages than the maximum.