Ogden City Risk Assessment
Risk Assessment, Page 1 of 47

REPORT PREPARED BY: PIERCY BOWLER TAYLOR & KERN
Kristina Belnap
Sam Belnap
31 January 2016

Contents

Executive Summary
1 Assessment Details
  1.1 Introduction
    Purpose
    Scope
    Approach
2 Phase I – Pre-Assessment
  2.1 Techniques Used
3 Phase II – Assessment
  3.1 Step 1: Document Review
  3.2 Step 2: Threat Identification
  3.3 Step 3: Vulnerability Identification
  3.4 Step 4: Risk Determination (Calculation/Valuation)
    Threat Likelihood Table
    Impact Analysis Table
    Risk Level Definition Table
  3.5 Step 5: Risk Mitigation
  3.6 System Characterization
    System Environment
    System Environment Table
  3.7 Information Sensitivity
    Security Categorization/Information Type(s)
    Security Categorization Table
    Sensitivity
    Confidentiality, Integrity, and Availability Table
  3.8 Protection Requirements
    Protection Requirement Table
    Data Classification Table
  3.9 Threat Statement
    Overview
    Enterprise Threat Vector Table
  3.10 Ogden City Threat Analysis
    Non-Adversarial Threats
    Adversarial Threats
  3.11 Vulnerability Statement
    List of Vulnerabilities
    Ogden City Risk Matrix
    Vulnerability Summary
4 Phase III - Post Assessment
  4.1 Risk Mitigation/Plan of Action
  4.2 Ongoing Monitoring
  4.3 Plan of Action Table
5 Risk Analysis Tables
  5.1 Existing Controls
    Existing Controls Table
  5.2 Likelihood of Occurrence
    Adversarial Risk Table
    Non-Adversarial Risk Table
    Overall Likelihood
  5.3 Severity of Impact
  5.4 Recommended Security Safeguards

Executive Summary

The scope of this risk assessment effort was limited to the security controls applicable to Ogden City’s Information Technology System in conjunction with PCI DSS 3.1.
Baseline security requirements address security controls in the areas of computer hardware and software, data, administration, management, information, facility, communication, personnel, and contingency. The Ogden City Information Technology System risk assessment was conducted in accordance with the methodology described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Rev. 1, Risk Management Guide for Information Technology Systems. The methodology used to conduct this risk assessment is qualitative, and no attempt was made to determine annual loss expectancies, asset cost projections, or the cost-effectiveness of security safeguard recommendations.

The risk assessment of the Ogden City Information System identified 84 vulnerabilities in the areas of Management, Operational and Technical Security. Vulnerabilities are weaknesses that may be exploited by a threat or group of threats. These vulnerabilities may be mitigated by implementing recommended safeguards. Safeguards are security features and controls that, when added to or included in the information technology environment, mitigate the risk associated with the operation to manageable levels. Thirty-three (33) vulnerabilities were rated “Very High”, thirty-two (32) were rated “High”, eighteen (18) were rated “Moderate”, and one (1) was rated “Low”. A complete discussion of the vulnerabilities and recommended controls is found in this report.

The most concerning security vulnerabilities are those that open the network to unknown users and access. These vulnerabilities include:
- Lack of both physical and electronic access control.
- Lack of security around restricted data on the network.
- Inbound rules on the firewall allow NAT traffic into the internal Ogden City LAN.
- Rules governing Netmotion traffic are not fully understood and may allow unwanted traffic on the Ogden City LAN.

The Ogden City Information System security categorization was rated in accordance with Federal Information Processing Standard 199. FIPS 199 (Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems) is a United States Federal Government standard that establishes security categories for information systems used by the Federal Government, one component of risk assessment. FIPS 199 requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category. The most severe rating from any category becomes the information system’s overall security categorization. The overall Ogden City Information System security categorization was rated as High.

1 Assessment Details

1.1 Introduction

Purpose

The purpose of this risk assessment was to identify threats and vulnerabilities related to Ogden City Information Systems in conjunction with PCI DSS 3.1. The risk assessment will be used to identify risk mitigation plans related to Ogden City Information Systems.

Scope

The scope of this risk assessment covered Ogden City Information Systems’ use of resources and controls to eliminate and/or manage vulnerabilities exploitable by threats internal and external to Ogden City. If exploited, these vulnerabilities could result in:
- Unauthorized disclosure of data
- Unauthorized modification to the system, its data, or both
- Denial of service, access to data, or both to authorized users

This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (loss of system access) of the system.
Recommended security safeguards will allow management to make decisions about security-related initiatives.

Approach

The assessment is broad in approach and evaluates security vulnerabilities affecting confidentiality, integrity, and availability. The methodology addresses the following types of controls:
- Management Controls: Management of the information technology (IT) security system and the management and acceptance of risk
- Operational Controls: Security methods focusing on mechanisms implemented and executed primarily by people (as opposed to systems), including all aspects of physical security, media safeguards, and inventory controls
- Technical Controls: Hardware and software controls providing automated protection to the system or applications (technical controls operate within the technical system and applications)

2 Phase I – Pre-Assessment

2.1 Techniques Used

| Technique | Description |
| --- | --- |
| Risk assessment questionnaire | We used a customized self-assessment questionnaire. This questionnaire assisted the team in identifying risks. |
| Assessment forms | We used several security assessment forms to review system configurations and identify vulnerabilities in the system. |
| Review of documentation | The assessment team reviewed Ogden City security policies, procedures, and system documentation. |
| Interviews | Interviews were conducted to validate information. |

Step 1: Define the Nature of the Risk Assessment

This initial risk assessment provides a review to help Ogden City determine the appropriate level of security required for its Information Systems to meet industry standards and PCI DSS 3.1 compliance. This risk assessment is limited to the Ogden City Information Systems, PCI DSS 3.1, and other nonpublic personal information. The assessment included interviews with key employees within Ogden City Information Services, various other employees affected by PCI DSS 3.1 or other security regulations (HIPAA or CJIS), and physical security reviews of the Ogden City Municipal Building, two fire stations, the Water Treatment Plant, Fleet and Facilities, and all other sites within Ogden City’s PCI DSS network.

Step 2: Data Collection

The data collection phase included identifying and interviewing key personnel within the organization and conducting document reviews. Interviews focused on the operating and security environment. Document reviews provided the risk assessment team with the basis on which to evaluate compliance with policy and procedure.

Step 3: Assessment Forms

The following forms were used by the risk assessment team and are included in the report or attachments:
- Identification of Threat Sources
- Identification of Threat Events
- Identification of Vulnerabilities
- Identification of Impacts
- Adversarial Risks
- Non-Adversarial Risks

3 Phase II – Assessment

3.1 Step 1: Document Review

The assessment phase began with the review of documents provided by members of the Ogden City Information Systems team. Detailed interviews with members of the Ogden City team followed, along with completion of the questionnaires and identification of specific threats.

3.2 Step 2: Threat Identification

The risk assessment team used NIST SP 800-30 Rev. 1 as a basis for threat identification. Through the interview process, it also identified “most likely” system threats.

3.3 Step 3: Vulnerability Identification

In this step, the risk assessment team developed a list of system vulnerabilities (flaws or weaknesses) and predisposing conditions (conditions that exist within an organization or information system which could increase the likelihood of adverse impacts) that could be exploited by the potential threat vectors.
3.4 Step 4: Risk Determination (Calculation/Valuation)

In this step, the risk assessment team determined the degree of risk to the system. In some cases, a series of vulnerabilities and predisposing conditions combined to create the risk. In other cases, a single vulnerability and/or predisposing condition created the risk. The determination of risk for a particular threat source was expressed as a function of the following:

Likelihood Determination: The following governing factors were considered when calculating the likelihood that a potential vulnerability might be exploited in the context of the associated threat environment:
- Threat source motivation and capability
- Nature of the vulnerability
- Existence and effectiveness of current controls

The following table defines the likelihood determinations.

Threat Likelihood Table

| Likelihood (Weight Factor) | Definition |
| --- | --- |
| Low – 1 | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. |
| Moderate – 2 | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. |
| High – 3 | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. |

Impact Analysis: The next major step in measuring the level of risk was to determine the adverse impact resulting from successful exploitation of a vulnerability. The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of the following three security goals:
- Loss of Confidentiality – Impact of unauthorized disclosure of sensitive information (e.g., credit card information).
- Loss of Integrity – Impact if system or data integrity is lost by unauthorized changes to the data or system.
- Loss of Availability – Impact to system functionality and operational effectiveness.

Impact Analysis Table

Harm to Operations (Maximum Impact: Very High)
- Inability to perform current mission/business functions.
- Inability, or limited ability, to perform mission/business functions in the future.
- Inability to restore mission/business functions.
- Harms (e.g., financial costs, sanctions) due to noncompliance with applicable laws or regulations.
- Direct financial costs.
- Relational harms.
- Damage to image or reputation (and hence future or potential trust relationships).

Harm to Assets (Maximum Impact: Very High)
- Damage to or loss of physical facilities.
- Damage to or loss of information systems or networks.
- Damage to or loss of information technology or equipment.
- Damage to or loss of component parts or supplies.
- Damage to or loss of information assets.
- Loss of intellectual property.

Harm to Individuals (Maximum Impact: Very High)
- Injury or loss of life.
- Identity theft.
- Loss of Personally Identifiable Information.
- Damage to image or reputation.

Harm to Other Organizations (Maximum Impact: Moderate)
- Harms (e.g., financial costs, sanctions): loss of income for Pioneer Stadium; loss to airlines at the Airport; loss of ability to receive a timely Business License.
- Harms related to contractual requirements or other requirements in other binding agreements.
- Direct financial costs.
- Relational harms.
- Damage to trust relationships.
- Damage to reputation (and hence future or potential trust relationships).

Risk Determination: The following were used to assess the level of risk to the IT system:
- The likelihood of a given threat source’s attempting to exercise a given vulnerability.
- The magnitude of the impact should a threat-source successfully exercise the vulnerability.
- The adequacy of planned or existing security controls for reducing or eliminating risk.

The following table provides a definition for the risk levels. These levels represent the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were acted upon.

Risk Level Definition Table

| Level of Impact | Risk Level Definition |
| --- | --- |
| Very High | Very high risk means that a threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, or other organizations. |
| High | High risk means that a threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Moderate | Moderate risk means that a threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Low | Low risk means that a threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Very Low | Very low risk means that a threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, or other organizations. |

3.5 Step 5: Risk Mitigation Recommendations

During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, were provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level.
The risk assessment team considered the following factors when recommending controls and alternative solutions to minimize or eliminate identified risks:
- Sensitivity of the data and the system
- Effectiveness of recommended options
- Legislation and regulations
- Organizational policy
- Operational impact
- Safety and reliability

The recommendations are the results of the risk assessment process and provide a basis by which Ogden City can evaluate and prioritize controls. At this point, the City can decide to accept the recommendations for risk mitigation, provide alternative suggestions, or reject the recommendations and accept the risk as residual risk.

3.6 System Characterization

System Environment

The City utilizes services provided by third-party vendors. These vendors have not all been required to provide Ogden City with current PCI DSS 3.1 documentation or other industry standard certifications. System environments, users and dependencies are listed in Table 1.1.

System Environment Table

| System Number | Application | Location | Application Dept. | Description | Dependencies | Data Classification | Primary Security Concern |
| --- | --- | --- | --- | --- | --- | --- | --- |
| S-1 | AMAG | Muni | IT | Employee Driver’s License | Ogden LAN; Badge Readers | Confidential | Confidentiality; Integrity; Availability |
| S-2 | Arbitrator | Muni | Police | Criminal Evidence Storage | Wireless network; Laptops; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-3 | ArcGIS | Muni/Cloud | ALL | Ownership Data | Internet; Ogden LAN | Confidential | Integrity; Availability |
| S-4 | Avigilon | MUNI | IT, Airport, Police | Employee data | Cameras; NVRs; DVRs; Internet; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-5 | Cartegraph | MUNI | Public Services Fleet | Citizen Info | Ogden LAN; SQL; INCODE | Internal Use Only | Integrity; Availability |
| S-6 | CDS | MUNI | Police | Criminal Data | Ogden LAN; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-7 | Chameleon | Weber County | Animal Services | County-based software for animal tagging. Customer Data | Weber County; Ogden LAN | Confidential | Integrity; Availability |
| S-8 | Collection online | MUNI | Code Enforcement | Citizen Info | Ogden LAN; SQL | Restricted | Confidentiality; Integrity |
| S-9 | Coris | Off Site | Justice Court | State Mandated Court Software | Ogden LAN; Internet | Restricted | Confidentiality; Integrity; Availability |
| S-10 | CSV Files | MUNI | Police IT | Criminal Data | Internet; Ogden LAN; ArcGIS; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-11 | Eden | Muni | Finance and HR | Primary financial software | Ogden PCI Network; DMZ; Internet; Ogden LAN; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-12 | Eventbrite | Off-Premise | Comptrollers | Cloud-hosted web solution for event registration and payments. Citizens access the site and pay with credit cards. Our staff logs in and retrieves registrant information but no CC data. | Internet | Public | Integrity; Availability |
| S-13 | Fargo | Cloud | Airport | Badge Creation | Internet | Public | Availability |
| S-14 | ForeUP | CLOUD | Golf | Citizen Info | Internet | Internal Use Only | Integrity; Availability |
| S-15 | Fortis | MUNI | City Recorder | Employee & Customer Data | Ogden LAN; SQL | Confidential | Confidentiality; Integrity; Availability |
| S-16 | ImageTrend | CLOUD | Fire Department | Patient data | Internet | Restricted | Confidentiality; Integrity; Availability |
| S-17 | iWorq | CLOUD | Code Enforcement | Ownership Info | Internet; Ogden LAN; SQL | Confidential | Integrity; Availability |
| S-18 | MS Excel | Desktops | All | MS spreadsheet software | N/A | Confidential | Integrity; Availability |
| S-19 | Online Business License Renewal App | IT Server Rm | Building Services | Internally developed business license application that allows for web payments. | Ogden LAN; Internet; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-20 | Quadrant | IT Server Room? | Business Services | Cashiering Software | File Share; Eden | Confidential | Integrity; Availability |
| S-21 | Sportsites | Recreation Office, Marshall White Center | Recreation | Recreation registration application provided by a third party. Cloud hosted. | Internet | Confidential | Integrity; Availability |
| S-22 | Sportsman | Muni Public Ways and Parks Office, Green Waste Site, Recreation Office | Public Ways and Parks | Parks and Recreation POS application. On-premise clients accept hand-entry of CC numbers. Cloud (vendor) hosted site allows citizens to enter CC numbers. | Internet; Ogden LAN; Desktop Client | Confidential | Confidentiality; Integrity; Availability |
| S-23 | SQL | MUNI | IT | Criminal, Employee, Citizen Data | Ogden LAN; Internet; AD | Restricted | Confidentiality; Integrity; Availability |
| S-24 | T2Systems | Parking Meter (Airport) | Airport | Airport Parking payment kiosk that accepts credit card payments. | Ogden PCI; Ogden LAN; Internet | Confidential | Integrity; Availability |
| S-25 | Target Solutions | Cloud | HR | Training Portal | Ogden Network; Internet | Internal Use Only | Integrity; Availability |
| S-26 | Teleworks IVR (Utility) | IT Server Rm | Water Utility | Locally hosted 3rd-party application that accepts CC payments via Interactive Voice Response. | Ogden LAN; Internet; Avaya; Tyler INCODE | Confidential | Confidentiality; Integrity; Availability |
| S-27 | TeleWorks/Paymentus (NOT LIVE) | Hosted | Water Utility | Citizen Info | Ogden LAN; Internet; Avaya; Tyler INCODE | Restricted | Confidentiality; Integrity |
| S-28 | Tyler INCODE (Utility) | IT Server Rm | Water Utility | Locally hosted 3rd-party application that manages water utility data. Users utilize USB-attached card-swipe devices to process CC. | Ogden LAN; Internet; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-29 | Tyler Web (Utility) | Off-Premise | Water Utility | Cloud-hosted web solution for payment of water utility services. | Internet; Tyler INCODE | Restricted | Confidentiality; Integrity; Availability |
| S-30 | UCJIS | BCI | Police Justice Court | Allows for mobile access of multiple databases | Internet | Restricted | Confidentiality; Integrity; Availability |
| S-31 | Velosum Vcite | Cloud | Police Justice Court | Cloud-hosted web solution for payment of parking violations. Vehicle ownership information. | Internet | Confidential | Confidentiality; Integrity; Availability |
| S-32 | Versadex (MDT/MRE) | Weber 911 | Police | Criminal Data Record Storage | Netmotion; Desktop client; Ogden LAN | Restricted | Confidentiality; Integrity; Availability |
| S-33 | Worldox (Legal) | MUNI | Legal | Criminal, Employee, Citizen Data | Ogden LAN; AD; SQL | Restricted | Confidentiality; Integrity |
| S-34 | Exchange | Muni | IT | Email | Ogden LAN; Internet | Restricted | Confidentiality; Integrity; Availability |
| S-35 | Active Directory | Muni | IT | Domain Management | Internet; Time server | Restricted | Confidentiality; Integrity; Availability |
| S-36 | CS Backup | Muni | IT | Backups | Ogden LAN; AD | Restricted | Confidentiality; Integrity; Availability |
| S-37 | Website - Sitecore | Muni | IT | Webserver app | Internet; DMZ; Ogden LAN; SQL | Restricted | Confidentiality; Integrity; Availability |
| S-38 | Vmware | Muni | IT | Virtualization Software | Ogden LAN; SQL; AD | Restricted | Confidentiality; Integrity; Availability |
| S-39 | LANDesk | Muni | IT | Computer management system | Ogden LAN; Internet; SQL; AD | Restricted | Availability |

3.7 Information Sensitivity

This section provides a description of the types of information handled by Ogden City Information Systems and an analysis of the sensitivity of the information. The sensitivity of the information stored within, processed by or transmitted by Ogden City Information Systems provides a basis for the value of the system and is one of the major factors in risk management.

FIPS 199 establishes three potential impact levels (Low, Moderate, and High) for each of the security objectives. The impact levels focus on the potential impact and magnitude of harm that the loss of C/I/A (Confidentiality, Integrity, or Availability) would have on Ogden City Information Systems’ operations, assets, or individuals.
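The FIPS 199 "high water mark" aggregation used throughout this section (per objective, a system is rated at least as high as the most sensitive information type it handles, and the overall categorization is the most severe objective) is worked through below in Python. This is an added example, not code from the Ogden City report or from FIPS 199; the per-type ratings are copied from the Security Categorization Table in this section, while the function names and the single-purpose "Public + Internal Use Only" system are the example's own constructions.

```python
"""FIPS 199 high-water-mark categorization, as an added worked example.

The per-type impact ratings below are copied from the report's Security
Categorization Table; everything else (function names, the second system)
is the example's own construction.
"""
from enum import IntEnum
from typing import Dict, Iterable, Mapping

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 impact levels, ordered so that max() yields the most severe."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @classmethod
    def parse(cls, text: str) -> "Impact":
        """Accept the spellings used in the report's tables ('Low', 'MODERATE', ...)."""
        return cls[text.strip().upper()]


# Information types and their C / I / A ratings as given in the report.
OGDEN_INFORMATION_TYPES: Dict[str, Dict[str, Impact]] = {
    "Public":            dict(zip(OBJECTIVES, (Impact.LOW,      Impact.HIGH, Impact.MODERATE))),
    "Internal Use Only": dict(zip(OBJECTIVES, (Impact.MODERATE, Impact.HIGH, Impact.MODERATE))),
    "Confidential":      dict(zip(OBJECTIVES, (Impact.HIGH,     Impact.HIGH, Impact.HIGH))),
    "Restricted":        dict(zip(OBJECTIVES, (Impact.HIGH,     Impact.HIGH, Impact.HIGH))),
}


def categorize(info_types: Mapping[str, Mapping[str, Impact]]) -> Dict[str, Impact]:
    """Per-objective security category for a system handling the given information types.

    FIPS 199 rule: for each objective, the system's level is at least the highest
    impact determined for any information type it processes, stores or transmits.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {obj: max(ratings[obj] for ratings in info_types.values()) for obj in OBJECTIVES}


def overall(category: Mapping[str, Impact]) -> Impact:
    """Overall categorization: the most severe rating across the three objectives."""
    return max(category.values())


def select(names: Iterable[str],
           catalogue: Mapping[str, Mapping[str, Impact]] = OGDEN_INFORMATION_TYPES
           ) -> Dict[str, Mapping[str, Impact]]:
    """Ratings for a system that handles only the named information types."""
    return {name: catalogue[name] for name in names}


def describe(category: Mapping[str, Impact]) -> str:
    """Human-readable summary, e.g. 'C=High I=High A=Moderate (overall High)'."""
    parts = " ".join(f"{obj[0].upper()}={category[obj].name.title()}" for obj in OBJECTIVES)
    return f"{parts} (overall {overall(category).name.title()})"


if __name__ == "__main__":
    # The whole Ogden City environment, with all four information types present.
    print("All information types:", describe(categorize(OGDEN_INFORMATION_TYPES)))
    # Constructed case: a system holding only Public and Internal Use Only data.
    # It still lands at High overall, because those types are rated High for Integrity.
    print("Public + Internal Use Only:", describe(categorize(select(["Public", "Internal Use Only"]))))
```

The second call is the point worth noticing: a system that never touches Confidential or Restricted data is still categorized High under this table, because the Integrity rating of even Public information is High. Confidentiality of the data alone does not decide the system's protection requirements.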
FIPS 199 recognizes that an information system may contain more than one type of information (e.g., privacy information, medical information, financial information), each of which is subject to security categorization. Section 1.2.1 discusses the security categorization/information type(s) for Ogden City Information Systems.

Security Categorization/Information Type(s)

The security category of an information system that processes, stores, or transmits multiple types of information should be at least the highest impact level that has been determined for each type of information for each security objective of C/I/A. The following table depicts the security category/information type for Ogden City Information Systems as identified in the Ogden City Information Systems Risk Assessment Report.

Security Categorization Table

| Information Type | Confidentiality (Low/Moderate/High) | Integrity (Low/Moderate/High) | Availability (Low/Moderate/High) |
| --- | --- | --- | --- |
| Public | Low | High | Moderate |
| Internal Use Only | Moderate | High | Moderate |
| Confidential | High | High | High |
| Restricted | High | High | High |
| Overall Rating | High | High | High |

Sensitivity

The following table provides the definitions for the C/I/A ratings for Ogden City Information Systems.

Confidentiality, Integrity, and Availability Table

| Security Objective | Definition |
| --- | --- |
| 1 - Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protection of personal privacy and proprietary information. |
| 2 - Integrity | Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. |
| 3 - Availability | Ensuring timely and reliable access to and use of information. |

3.8 Protection Requirements

Both information and information systems have distinct life cycles.
It is important that the degree of sensitivity of information be assessed by considering the C/I/A requirements of the information: the need for system data to be kept confidential, the need for the data processed by the system to be accurate, and the need for the system to be available. Confidentiality focuses on the impact of disclosure of system data to unauthorized personnel. Integrity addresses the impact that could be expected should system data be modified or destroyed. Availability relates to the impact to the organization should use of the system be denied.

Protection Requirement Table

| Security Objective | Low | Moderate | High |
| --- | --- | --- | --- |
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protection of personal privacy and proprietary information. [44 USC, SEC. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. [44 USC, SEC. 3542] | The modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability: Ensuring timely and reliable access to and use of information. [44 USC, SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |

Data Classification Table

| Risk Level | Data Classification | Data Type |
| --- | --- | --- |
| Negligible | Public | Public information is information received from a third party that is known to the general public, or information developed at Ogden City that has been approved for distribution to the general public. Examples include data routinely distributed to the public, business cards, published annual reports, and press releases. |
| Low | Internal Use Only | Internal Use Only information is information regarding internal operations or communications of Ogden City that is of general relevance to all employees and appropriate for distribution throughout Ogden City. Examples include policies, internal announcements, employee names, job functions and city contract information, and memoranda regarding general operational matters that do not include information confidential to a client, third party or specific business function. |
| Moderate | Confidential | Confidential information is information for which access and distribution should be generally restricted on a need-to-know basis. Confidential information includes information that is received from or provided to a third party under a confidentiality agreement, or which given its nature should reasonably be understood to be confidential. Confidential information includes information that is proprietary to Ogden City or related to a sensitive or specific business process, and therefore is not appropriate or necessary for viewing by all employees. Confidential information may be shared only with vendors and consultants who have a need to know the information and are subject to a confidentiality agreement. Examples of confidential information include audit reports, legal contracts, draft documents and memoranda, formal books and records, software code, and employee personal contact information. |
| High | Restricted | Restricted information is information of such extreme sensitivity or significance that its unauthorized use or disclosure could subject Ogden City to severe legal, financial or reputational harm. Examples include credit card information and customer and employee personal information that is subject to legal privacy obligations (NPPI). |

- Confidentiality: Ogden City’s information systems contain sensitive information that could identify a consumer or employee. This data requires protection from unauthorized disclosure. If information contained in Ogden City information systems were released to the public, it could result in a loss of public confidence in the City, possible fines and reprimands, and a great deal of embarrassment to Ogden City. Therefore, the unauthorized disclosure of Ogden City information could be expected to have a significant adverse effect on organizational operations, organizational assets, or individuals, and the information and protection measures are rated as High.
- Integrity: Ogden City information systems collect consumer and vendor private information and consumer and vendor ACH information and wire transfer data. Because payments and reconciliations depend on this information, it is vital that this data maintain its integrity. Therefore, the unauthorized modification of Ogden City data could be expected to have a significant adverse effect on organizational operations, organizational assets, or individuals, and the information and protection measures are rated as High.
- Availability: If Ogden City Information System information were unavailable for more than one business week, it would have a considerable impact and would affect the efficiency with which Ogden City’s Finance group typically operates. Therefore, the unavailability of Ogden City Information System information could be expected to have a minor adverse effect on organizational operations, organizational assets, or individuals, and the information and protection measures are rated as Moderate.

3.9 Threat Statement

Overview

NIST SP 800-30 Rev. 1 describes the identification of the threat for use in the assessment process. The following is the definition:

Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Enterprise Threat Vector Table

Impact columns in the original table: Denial of Service, Destruction, Unauthorized Modification, Unauthorized Disclosure. The marks (√) for each threat are reproduced as recorded, without column assignment.

Adversarial Threats

Espionage / Sabotage / Terrorism / Vandalism
- Espionage is the intentional act of, or attempt at, obtaining confidential information.
- Sabotage is premeditated destruction or malicious modification of assets or data for personal or political reasons.
- Terrorism is the destruction or damage of resources for political reasons.
- Vandalism is the destruction of system resources with no clearly defined objective.
Impacts marked: √ √ √ √ (all four)

Theft / Pilferage
- Theft is the unauthorized removal of computer equipment or media.
- Pilferage is theft of property by personnel granted physical access to the property.
Impacts marked: √ √

Hacking / Social Engineering
- Software may be modified intentionally to bypass system security controls, manipulate data, or cause denial of service.
- Social engineering is the human-to-human interaction in which a hacker gathers data for use in modifying or manipulating the system.
Impacts marked: √ √ √

Browsing / Disclosure
- Intentional unauthorized access to confidential information by outsiders or by personnel with system access but not having a need to know (browsing).
Impacts marked: √

Eavesdropping / Interception
- Intentional unauthorized access to confidential information through technical means (sniffing/interception) or by personnel having some level of system access but not having a need to know (eavesdropping).
Impacts marked: √

Fraud
- Use of the system by authorized personnel for illegal financial gain.
Impacts marked: √ √

Explosion / Bomb Threat
- Intentional disruption of operations due to actual or threatened catastrophic explosion.
Impacts marked: √ √ √

Chemical / Biological Incident
- Disruption of operations and personnel hazards due to actual or potential effects of chemicals or biological agents, including infestations and illness.
Impacts marked: √ √

Information Gathering
- Perform perimeter network reconnaissance/scanning, network sniffing of exposed networks.
- Gather information using open-source discovery of organizational information.
- Perform reconnaissance and surveillance of targeted organizations or perform malware-directed internal reconnaissance.
Impacts marked: √

Maintain an Undetected Presence
- Adapt cyber-attacks based on detailed surveillance.
- Obfuscate all adversarial actions.
Impacts marked: √ √ √ √ (all four)

Malicious Capabilities
- Deliver known malware to internal organizational information systems (e.g., virus via email).
- Deliver modified malware to internal organizational information systems.
- Deliver targeted malware for control of internal systems and exfiltration of data.
- Deliver malware by providing removable media; insert untargeted malware into downloadable software and/or into commercial information technology products.
- Insert targeted malware into organizational information systems and information system components.
- Insert specialized malware into organizational information systems based on system configurations.
- Insert tampered critical components into organizational systems.
- Install general-purpose sniffers on organization-controlled information systems or networks.
- Install persistent and targeted sniffers on organizational information systems and networks.
- Insert malicious scanning devices (e.g., wireless sniffers) inside facilities.
- Insert subverted individuals into organizations.
- Insert subverted individuals into privileged positions in organizations.
Impacts marked: √ √ √ √ (all four)

Adversary Achieves Results
- Obtain sensitive information through network sniffing of external networks.
- Obtain sensitive information via exfiltration.
- Cause degradation or denial of attacker-selected services or capabilities.
- Cause deterioration/destruction of critical information system components and functions.
- Cause integrity loss by creating, deleting, and/or modifying data on publicly accessible information systems (e.g., web defacement).
- Cause integrity loss by polluting or corrupting critical data.
- Cause integrity loss by injecting false but believable data into organizational information systems.
- Cause disclosure of critical and/or sensitive information by authorized users.
- Cause unauthorized disclosure and/or unavailability by spilling sensitive information. - Obtain information by externally located interception of wireless network traffic. - Obtain unauthorized access. - Obtain sensitive data/information from publicly accessible information systems. - Obtain information by opportunistically stealing or scavenging information systems/components. √ √ √ √ Attack Tools - Phishing attacks. - Spear phishing attacks. - Attacks specifically based on deployed information technology environment. - Counterfeit/spoof website. - Counterfeit certificates. - False front organizations to inject malicious components into the supply chain. √ √ √ √ ---PAGE BREAK--- Risk Assessment P a g e 20 I 47 Threat Description Denial of Service Destruction Unauthorized Modification Unauthorized Disclosure Attacks - Communications interception attacks. - Wireless jamming attacks. - Attacks using unauthorized ports, protocols and services. - Attacks leveraging traffic/data movement allowed across perimeter. - Simple Denial of Service (DoS) attack. - Distributed Denial of Service (DDoS) attacks. - Targeted Denial of Service (DoS) attacks. - Physical attacks on organizational facilities. - Physical attacks on infrastructures supporting organizational facilities. - Cyber-physical attacks on organizational facilities. - Data scavenging attacks in a cloud environment. - Brute force login attempts/password guessing attacks. - Non-targeted zero-day attacks. - Externally-based session hijacking. - Internally-based session hijacking. - Externally-based network traffic modification (man in the middle) attacks. - Internally-based network traffic modification (man in the middle) attacks. - Outsider-based social engineering to obtain information. - Insider-based social engineering to obtain information. - Attacks targeting and compromising personal devices of critical employees. - Supply chain attacks targeting and exploiting critical hardware, software, or firmware. 
√ √ √ √ Coordinate a campaign - Coordinate a campaign of multi-staged attacks hopping). - Coordinate a campaign that combines internal and external attacks across multiple information systems and information technologies. - Coordinate campaigns across multiple organizations to acquire specific information or achieve desired outcome. - Coordinate a campaign that spreads attacks across organizational systems from existing presence. - Coordinate a campaign of continuous, adaptive, and changing cyber- attacks based on detailed surveillance. - Coordinate cyber- attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors. √ √ √ √ ---PAGE BREAK--- Risk Assessment P a g e 21 I 47 Threat Description Denial of Service Destruction Unauthorized Modification Unauthorized Disclosure Exploit and Compromise - Exploit physical access of authorized staff to gain access to organizational facilities. - Exploit poorly configured or unauthorized information systems exposed to the Internet. - Exploit split tunneling. - Exploit multi-tenancy in a cloud environment. - Exploit known vulnerabilities in mobile systems laptops, PDAs, smart phones). - Exploit recently discovered vulnerabilities. - Exploit vulnerabilities on internal organizational information systems. - Exploit vulnerabilities using zero-day attacks. - Exploit vulnerabilities in information systems timed with organizational mission/business operations tempo. - Exploit insecure or incomplete data deletion in multi-tenant environment. - Violate isolation in multi-tenant environment. - Compromise critical information systems via physical access. - Compromise information systems or devices used externally and reintroduced into the enterprise. - Compromise software of organizational critical information systems. - Compromise organizational information systems to facilitate exfiltration of data/information. - Compromise mission-critical information. 
- Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware). √ √ √ √ Environmental Threats - Fire / Smoke - An accidental or intentional fire could damage system equipment or facility. √ √ Acts of Nature - All types of natural occurrences earthquakes, hurricanes, tornadoes) that may damage or affect the system. √ √ √ Water Damage - Water from internal or external sources may damage system components. √ √ Non-Adversarial Human Threats - User Errors / Omissions - Application and support system components may be inappropriately modified or destroyed due to unintentional administrator or user error. √ √ √ √ Mismanagement / Waste - Losses and delays caused by failure to plan, failure to adhere to plans, policies or procedures. √ √ √ √ Data Integrity Loss - Loss of the integrity of system data by intentional or unintentional alteration. √ Misuse / Abuse - Individuals may employ system resources for unauthorized purposes. √ √ √ √ ---PAGE BREAK--- Risk Assessment P a g e 22 I 47 Threat Description Denial of Service Destruction Unauthorized Modification Unauthorized Disclosure Structural and Physical Threats Power Disruption - A power failure or fluctuation may occur as the result of a commercial power failure. This may cause denial of service to authorized users (failure) or a modification of data (fluctuation). √ √ Hardware / Equipment Failure - Failure or malfunction of hardware may cause denial of service to system users. Additionally, hardware configuration may be altered in an unauthorized manner, leading to inadequate configuration control or other situations that may impact the system. √ √ √ √ Program Errors / Software Failure - Software malfunction or failure resulting from insufficient configuration controls testing new releases, performing virus scans). √ √ √ √ Communication Loss - Communication links may fail during use or may not provide appropriate safeguards for data. 
√ √ √ System, Structural, and Environmental Failures - Failure of a computer, device, application, communication service, or environmental or protective control that disrupts, harms, or exposes the system to harm. Examples include system hardware failures, environmental control failures, and software or data corruption. √ √ √ ---PAGE BREAK--- Risk Assessment P a g e 23 I 47 3.10 Ogden City Threat Analysis The team identified the following potential threats and associated vulnerabilities applicable to Ogden City information systems: Non-Adversarial Threats Non- Adversarial Threat Events Threat Sources Range of Effects Relevance Likelihood of Event Occurring Vulnerabilities and Predisposing Conditions Severity and Pervasiveness Likelihood Event Results in Adverse Impact Overall Likelihood Level of Impact Risk Fire / Smoke Environmental Very High Moderate Low V-1, V-27 Low High Low Moderate Low Acts of Nature Environmental Very High Low Moderate V-1 Utah is predicted to have a strong earthquake Utah has yearly strong windstorms and semi- regular snow storms Moderate Moderate Low Moderate Low Water Damage Environmental Very High Moderate Moderate V-1, V-27, V-71 Low High Moderate Moderate Moderate Chemical / Biological Incident Environmental Very High Moderate Moderate V-1 Flu pandemic in recent years. 
Low Moderate Low Moderate Low Power Disruption Structural & Physical High Very High Very High Utah has yearly strong windstorms and semi- regular snow storms Low Low Low Low Low Hardware / Equipment Failure Structural & Physical High Very High Very High V-1, V-3, V-57 Very High Very High Very High Very High Very High Program Errors / Software Failure Structural & Physical High Very High Very High V-5, V-8, V-13, V-18, V-36 Very High Very High Very High Very High Very High Communication Loss Structural & Physical High Very High Very High V-70 High Very High High Very High Very High System, Structural, and Environmental Failures Structural & Physical High Very High Very High V-1, V-16, V- 57, V-59 Very High Very High Very High Very High Very High ---PAGE BREAK--- Risk Assessment P a g e 24 I 47 Non- Adversarial Threat Events Threat Sources Range of Effects Relevance Likelihood of Event Occurring Vulnerabilities and Predisposing Conditions Severity and Pervasiveness Likelihood Event Results in Adverse Impact Overall Likelihood Level of Impact Risk Spill sensitive information Accidental High Very High Very High V-3, V-59, V-82, V-83, V-84, V-85 Very High High Very High High Very High Mishandling of critical and / or sensitive information by authorized users Accidental Very High Very High Very High V-3, V-7, V-11, V-12, V-45, V-47, V-49, V- 52, V-59, V-60, V-70, V-82, V-83, V-84, V-85 Very High Very High Very High Very High Very High Incorrect privilege settings Accidental High Very High Very High V-3, V-59, V-69, V-82, V-83, V-84, V-85 Very High Very High Very High Very High Very High Adversarial Threats Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Espionage / Sabotage / Terrorism / Vandalism Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very 
High Moderate High High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Expected High Very High High High High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, V-82, V-83, V-84, V-85 ---PAGE BREAK--- Risk Assessment P a g e 25 I 47 Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Theft / Pilferage Outsider Insider Privileged Insider Customer High Very High Very High High Moderate Very High Very High High Moderate Very High Very High High Confirmed Very High High High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-27, V-28, V-29, V-30, V-31, V-32, V-33, V-34, V-35, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-61, V-62, V-63, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81 Hacking / Social Engineering Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very High Moderate Very High Very High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Expected Very High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-18, V-19, V-20, V-21, V-23, V-24, V-25, 
V-26, V-28, V-30, V-31, V-33, V-34, V-35, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-68, V-69 , V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, V-82, V-83, V-84, V-85 Browsing / Disclosure Outsider Insider Privileged Insider High Very High Very High Moderate High High Moderate Very High Very High Confirmed Very High High High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-32, V-33, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, , V-82, V-83, V-84, V-85 ---PAGE BREAK--- Risk Assessment P a g e 26 I 47 Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Eavesdropping / Interception Outsider Insider Privileged Insider Organization Customer Nation-State High Very High Very High Very High High Very High Moderate High High Moderate High Moderate Moderate Very High Very High High Moderate High Confirmed Very High High High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-32, V-33, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, , V-82, V-83, V-84, V-85 Fraud Insider Privileged Insider Customer Very High Very High High 
High High High Moderate Very High High Confirmed Very High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-27, V-28, V-29, V-30, V-31, V-32, V-33, V-34, V-35, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-61, V-62, V-63, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-79, V-81, , V-82, V-83, V-84, V-85 Explosion / Bomb Threat Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very High Moderate High High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Predicted Low Moderate Moderate Low High Low Vulnerabilities and Predisposing Conditions V-1, V-30, V-31, V-41, V-42, V-43, V-44, V-45, V-48, V-49, V-60, V-67 ---PAGE BREAK--- Risk Assessment P a g e 27 I 47 Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Chemical / Biological Incident Outsider Insider Ad hoc Organization Customer Nation-State High Very High High Very High High Very High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Possible Very Low Moderate Moderate Low High Low Vulnerabilities and Predisposing Conditions V-1, V-30, V-31, V-41, V-42, V-43, V-44, V-45, V-48, V-49, V-60, V-67 Information Gathering Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very High Moderate High High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Expected Very High Very High Very High Very High High High Vulnerabilities and 
Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-32, V-33, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, , V-82, V-83, V-84, V-85 Maintain an undetected presence Outsider Insider Ad hoc Organization Customer Nation-State High Very High High Very High High Very High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Expected High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-3, V-4, V-5, V-6, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-32, V-33, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, , V-82, V-83, V-84, V-85 ---PAGE BREAK--- Risk Assessment P a g e 28 I 47 Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Malicious Capabilities Outsider Insider Ad hoc Organization Customer Nation-State High Very High High Very High High Very High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Expected High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, 
V-58, V-59, V-60, V-65, V-66, V-67, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, V-82, V-83, V-84, V-85 Adversary Achieves Results Outsider Insider Ad hoc Organization Customer Nation-State High Very High High Very High High Very High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Confirmed Very High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-69, , V-82, V-83, V-84, V-85 Attack Tools Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very High Moderate High High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Confirmed Very High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, V-82, V-83, V-84, V-85 ---PAGE BREAK--- Risk Assessment P a g e 29 I 47 Adversarial Threat Event Threat Sources Threat Source Characteristics Relevance Attack Initiation Pervasiveness Attack Success Overall Likelihood Level of Impact Risk Capability Intent Targeting Attacks Outsider Insider Ad hoc Organization Customer Nation-State High Very High High Very High High Very High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Expected Very High Very High Very High Very 
High High High Vulnerabilities and Predisposing Conditions V-1, V-2, V-3, V-4, V-5, V-6, V-7, V-8, V-9, V-10, V-11, V-12, V-13, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-27, V-28, V-29, V-30, V-31, V-32, V-33, V-34, V-35, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-46, V-47, V-48, V-49, V-50, V-51, V-52, V-53, V-54, V-55, V-56, V-57, V-58, V-59, V-60, V-61, V-62, V-63, V-64, V-65, V-66, V-67, V-68, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, , V-82, V-83, V-84, V-85 Coordinate a campaign Outsider Insider Ad hoc Organization Customer Nation-State HighVery High High Very HighHighVery High Moderate High Moderate Moderate High Moderate Moderate Very High Moderate High Moderate High Possible Moderate Very High Moderate Moderate High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-69, V-82, V-83, V-84, V-85 Exploit and Compromise Outsider Insider Privileged Insider Ad hoc Organization Customer Nation-State High Very High Very High High Very High High Very High Moderate High High Moderate Moderate High Moderate Moderate Very High Very High Moderate High Moderate High Confirmed Very High Very High Very High Very High High High Vulnerabilities and Predisposing Conditions V-1, V-3, V-7, V-8, V-9, V-10, V-12, V-14, V-15, V-16, V-17, V-18, V-19, V-20, V-21, V-23, V-24, V-25, V-26, V-29, V-30, V-31, V-33, V-34, V-36, V-37, V-38, V-39, V-40, V-41, V-42, V-43, V-44, V-45, V-47, V-48, V-49, V-50, V-51, V-52, V-54, V-55,V-56, V-57, V-58, V-59, V-60, V-65, V-66, V-67, V-69, V-72, V-73, V-74, V-75, V-76, V-77, V-78, V-79, V-81, V-82, V-83, V-84, V-85 ---PAGE BREAK--- Risk Assessment P a g e 30 I 47 3.11 Vulnerability Statement 
The following potential vulnerabilities were identified:

List of Vulnerabilities

ID | Vulnerability | Vulnerability Severity
V-1 | No Disaster Recovery Plan. | High
V-2 | No Incident Response Plan. | High
V-3 | Configuration Management Program not in place. | High
V-4 | No vendor management or program in place. | High
V-5 | No program to track and monitor service providers. | High
V-6 | No formal service provider review. | High
V-7 | Credit card information is routinely written down with no clearly defined policy or procedure for destruction. | High
V-8 | No Anti-Malware policy or procedure in place or enforced. | High
V-9 | No response plan/procedure for the discovery of unauthorized wireless devices. | High
V-10 | Access to controlled data rooms not limited to needed personnel. | High
V-11 | Written credit card and other personal information is put in an open cardboard box that is burned up to twice a month. | High
V-12 | Social engineering training has not yet taken place. | High
V-13 | No Change Management Process in place. | High
V-14 | Generic passwords are used on machines that have USB credit card swipers attached. | High
V-15 | Even when each employee has their own user/password, one user name and password are used by multiple employees to access CC software. | High
V-16 | Old/Out of Date used on network. | High
V-17 | No System Logging. | High
V-18 | Out of date patches on servers and desktops. | Very High
V-19 | Two Factor Authentication not set up for Remote Access. | High
V-20 | Complete internal and external vulnerability/penetration scans not done regularly. | High
V-21 | Known vulnerabilities have not been mitigated (In Process for Business License Renewal, not for Sportsman and Sportsite). | High
V-23 | Live network jacks in public and easily accessible areas provide easy access to the internal network. | High
V-24 | Annual Vulnerability Test on all servers and applications visible outside the network not being completed. | High
V-25 | Individual session management not in place on Renewals/Webpay1. | High
V-26 | No rogue wireless detection process or technology. | High
V-27 | Only sprinklers as fire suppression in the Muni building main data room. No fire suppression in several closets. | Low
V-28 | No wireless access policy or procedure. | Moderate
V-29 | No list of service providers and associated responsibilities. | Moderate
V-30 | Data closets are used as a storage room, necessitating more than optimal traffic in and out of the closet. | Moderate
V-31 | Visitor logs not used for data center and key data closets. | Moderate
V-32 | Bi-Annual Network Infrastructure Configuration Review is not being completed. | Moderate
V-33 | There are systems on the network with exceptions to the anti-malware policy (no anti-malware installed), and an annual assessment of these systems is not completed. | Moderate
V-34 | Log management policy not in place and logs are not currently reviewed. | Moderate
V-35 | No backup or storage of logs. | Moderate
V-36 | Change detection is not in place for infrastructure configurations and key operating system and application files. | Moderate
V-37 | Overall diagram covering the network where cardholder data is processed, transmitted, or stored is not complete. | Moderate
V-38 | All outbound traffic from the network is not limited to only the ports and locations necessary. | Moderate
V-39 | System inventory of all devices on the network is not in place. | Moderate
V-40 | All network PCs not set for a defined idle time lockdown. | Moderate
V-41 | Complete set of security policies not in place or enforced. | Very High
V-42 | Physical keys are not tracked or inventoried. | Very High
V-43 | Tracking of current physical keys and certain key cards (terminated employees) is not in place. | Very High
V-44 | No control of temporary facilities employees who may have access to the data closets and rooms. | Very High
V-45 | Employees rely on the keycard system and do not lock PCs or file cabinets to maintain security of data. | Very High
V-46 | No periodic review of credit card machines to detect tampering. | High
V-47 | A clean desk policy is not enforced, so paper documents containing personal information are not kept in secure storage. | Very High
V-48 | Employee training for detecting credit card tampering has not been completed. | Very High
V-49 | Security awareness training not completed. | Very High
V-50 | Training on current policies and procedures does not occur. | Very High
V-51 | Password Controls are not enforced. | Very High
V-52 | is not utilized on restricted data at rest in multiple locations. | Very High
V-53 | Periodic access reviews are not completed on either Active Directory or critical applications. | Very High
V-54 | All wireless networks are not separated from the PCI network via firewall. | Very High
V-55 | Up to 105 of 242 mobile devices not fully controlled. | Very High
V-56 | Personal firewalls not installed on all laptops or devices that connect remotely. | Very High
V-57 | Server 2003 in use and open to Web. | Very High
V-58 | Certain incoming connections from untrusted networks (internet) are directly sent (NAT) to internal servers, bypassing the DMZ. | Very High
V-59 | Application and AD permissions are not set appropriately or changed in a timely manner when job changes occur. | Very High
V-60 | PCs are not sanitized of data/information between users. | Very High
V-61 | Key card permissions are not changed in a timely manner when roles change. | Very High
V-62 | Department Purchasing cards are not secured when not in use. | Very High
V-63 | Five open credit accounts that require only a P.O. number for access. | Very High
V-64 | Department Purchasing card users are not required to sign a purchasing card agreement. | Very High
V-65 | Department Purchasing cards do not have a set of approved users. | High
V-66 | Cold Fusion server is outdated and connected directly to the internet from the internal Ogden LAN. | Very High
V-67 | Ogden City LAN accessible from the camera network. | Very High
V-68 | Janitorial service has access to Airport, Court and HR areas after hours. | Very High
V-69 | Exchange not in DMZ and can be made to disclose its internal IP address without authenticating to the network. | Very High
V-70 | is not required for emails containing sensitive data, both internally and externally. | Very High
V-71 | Leaking pipes and ceiling in more than one data closet/room. | Moderate
V-72 | Telnet is active on network (Clear Text). | High
V-73 | Sophos manages only 74% of devices on average (December hit 80%). | Very High
V-74 | Outdated SSL and TLS are utilized and accepted by the server (Tanner vulnerability test). | Moderate
V-75 | At least ten hosts have an SSL certificate that is not trusted (Tanner vulnerability test). | High
V-76 | VPN is vulnerable due to usage of IKE aggressive mode (Tanner vulnerability test). | Moderate
V-77 | Network Server Message Block (SMB) signing is not required (Tanner vulnerability test). | Moderate
V-78 | No process in place to identify failed updates or installations of anti-malware. | High
V-79 | Authorized access to the network and buildings by vendors is unmonitored and uncontrolled. | High
V-80 | Not receiving both completed questionnaires from the Police and Justice Court (the Justice Court returned the Risk Questionnaire but not the basic asset questionnaire) represents a risk of an unknown nature. | Moderate
V-81 | Admin and other passwords not changed when help desk personnel terminate. | High
V-82 | Netmotion Mobility rules are not understood or tested, which could lead to split tunneling, unknown access to unknown devices, unauthorized access to authorized users and authorized access to unauthorized users. | Very High
V-83 | No consistent process in place to ensure new devices are added to appropriate device groups within a minimal timeframe. | Very High
V-84 | All new devices that connect to Netmotion have access to the Ogden City internal network. | Very High
V-85 | Ogden City enables split tunneling on remote devices. | High

Ogden City Risk Matrix

Rows give the Level of Impact; columns give the Overall Likelihood (Threat Event Occurs and Results in Adverse Impact); each cell is the resulting risk level.

Level of Impact | Very Low | Low | Moderate | High | Very High
Very High | Very Low | Low | Moderate | High | Very High
High | Very Low | Low | Moderate | High | Very High
Moderate | Very Low | Low | Moderate | Moderate | High
Low | Very Low | Low | Low | Low | Moderate
Very Low | Very Low | Very Low | Very Low | Low | Low

Vulnerability Summary

The following table provides an overview of the vulnerabilities and recommended safeguards for Ogden City.

ID | Vulnerability | Vulnerability Severity | Recommended Safeguard
V-1 | No Disaster Recovery Plan. | High | SS-3
V-2 | No Incident Response Plan. | High | SS-4
V-3 | Configuration Management Program not in place. | High | SS-5
V-4 | No vendor management or program in place. | High | SS-6
V-5 | No program to track and monitor service providers. | High | SS-7
V-6 | No formal service provider review. | High | SS-7
V-7 | Credit card information is routinely written down with no clearly defined policy or procedure for destruction. | High | SS-8
V-8 | No Anti-Malware policy or procedure in place or enforced. | High | SS-9
V-9 | No response plan/procedure for the discovery of unauthorized wireless devices. | High | SS-4, SS-20
V-10 | Access to controlled data rooms not limited to needed personnel. | High | SS-10
V-11 | Written credit card and other personal information is put in an open cardboard box that is burned up to twice a month. | High | SS-8
V-12 | Social engineering training has not yet taken place. | High | SS-12
V-13 | No Change Management Process in place. | High | SS-13
V-14 | Generic passwords are used on machines that have USB credit card swipers attached. | High | SS-12
V-15 | Even when each employee has their own user/password, one user name and password are used by multiple employees to access CC software. | High | SS-12
V-16 | Old/Out of Date used on network. | High | SS-14
V-17 | No System Logging. | High | SS-15
V-18 | Out of date patches on servers and desktops. | Very High | SS-16
V-19 | Two Factor Authentication not set up for Remote Access. | High | SS-17
V-20 | Complete internal and external vulnerability/penetration scans not done regularly. | High | SS-18
V-21 | Known vulnerabilities have not been mitigated (In Process for Business License Renewal, not for Sportsman and Sportsite). | High | SS-19, SS-7
V-23 | Live network jacks in public and easily accessible areas provide easy access to the internal network. | High | SS-18
V-24 | Annual Vulnerability Test on all servers and applications visible outside the network not being completed. | High | SS-18
V-25 | Individual session management not in place on Renewals/Webpay1. | High | SS-19, SS-7
V-26 | No rogue wireless detection process or technology. | High | SS-20
V-27 | Only sprinklers as fire suppression in the Muni building main data room. No fire suppression in several closets. | Low | SS-21
V-28 | No wireless access policy or procedure. | Moderate | SS-20
V-29 | No list of service providers and associated responsibilities. | Moderate | SS-7
V-30 | Data closets are used as a storage room, necessitating more than optimal traffic in and out of the closet. | Moderate | SS-12, SS-10
V-31 | Visitor logs not used for data center and key data closets. | Moderate | SS-10
V-32 | Bi-Annual Network Infrastructure Configuration Review is not being completed. | Moderate | SS-5
V-33 | There are systems on the network with exceptions to the anti-malware policy (no anti-malware installed), and an annual assessment of these systems is not completed. | Moderate | SS-9
V-34 | Log management policy not in place and logs are not currently reviewed.
Moderate SS-15 V-35 No backup or storage of logs. Moderate SS-15 V-36 Change detection is not in place for infrastructure configurations and key operating system and application files. Moderate SS-5 V-37 Overall diagram covering the network where cardholder data is processed, transmitted, or stored. Is not complete. Moderate SS-22 V-38 All outbound traffic from the network is not limited to only ports and locations necessary. Moderate SS-18 V-39 System inventory of all devices on the network is not in place. Moderate SS-22 V-40 All network PC's not set for a defined idle time lockdown. Moderate SS-23 V-41 Complete set of security policies not in place or enforced. Very High SS-1 V-42 Physical keys are not tracked or inventoried. Very High SS-26 V-43 Tracking of current physical keys and certain key cards (terminated employees) is not in place. Very High SS-26 V-44 No control of temp facilities employees who may have access to the data closets and rooms. Very High SS-24 V-45 Employees rely on the keycard system and do not lock PCs or file cabinets to maintain security of data. Very High SS-12 V-46 No periodic review credit card machines to detect tampering. High SS-12 V-47 A clean desk policy is not enforced to ensure paper documents containing personal information not kept in secure storage. Very High SS-24 SS-12 V-48 Employee training for detecting credit card tampering has not been completed. Very High SS-12 V-49 Security awareness training not completed. Very High SS-12 V-50 Training on current policies and procedures does not occur. Very High SS-12 V-51 Password Controls are not enforced. Very High SS-23 V-52 is not utilized on restricted data at rest in multiple locations. Very High SS-14 V-53 Periodic access reviews are not completed on either active directory or critical applications. Very High SS-25 V-54 All wireless networks are not separated from the PCI network via firewall. 
Very High SS-20 ---PAGE BREAK--- Risk Assessment P a g e 36 I 47 ID Vulnerability Vulnerability Severity Recommended Safeguard V-55 Up to 105 of 242 mobile devices not fully controlled. Very High SS-17 V-56 Personal firewalls not installed on all laptops or devices that connect remotely. Very High SS-17 V-57 Server 2003 in use and open to Web. Very High SS-19 V-58 Certain incoming connections from untrusted networks (internet) are directly sent (NAT) to internal servers, bypassing the DMZ. Very High SS-18 V-59 Application and AD permissions are not set appropriately or changed in a timely manner when job changes occur. Very High SS-25 V-60 PC's are not sanitized of data/information between users. Very High SS-5 V-61 Key card permissions are not changed in a timely manner when roles change. Very High SS-26 V-62 Department Purchasing cards are not secured when not in use. Very High SS-27 V-63 Five open credit accounts that require only a P.O number for access. Very High SS-27 V-64 Department Purchasing card users are not required to sign purchasing card agreement. Very High SS-27 V-65 Department Purchasing cards do not have a set of approved users. High SS-27 V-66 Cold Fusion server is outdated and connected directly to the internet from the internal Ogden LAN. Very High SS-16 V-67 Ogden City LAN accessible from the camera network. Very High SS-5 SS-28 SS-13 V-68 Janitorial service has access to Airport, Court and HR areas after hours. Very High SS-24 V-69 Exchange not in DMZ and can be made to disclose its internal IP address without authenticating to the network. Very High SS-18 V-70 is not required for emails containing sensitive data, both internally and externally. Very High SS-14 V-71 Leaking pipes and ceiling in more than one data closet/room. Moderate N/A V-72 Telnet is active on network (Clear Text). High SS-5 V-73 Sophos manages only 74% of devices on average (December hit 80%). 
Very High SS-9 V-74 Outdated SSL and TLS are utilized and accepted by the server (Tanner vulnerability test). Moderate SS-5 V-75 At least ten hosts SSL certificate not trusted (Tanner vulnerability test). High SS-5 V-76 VPN is vulnerable due to usage of IKE aggressive mode (Tanner vulnerability test). Moderate SS-5 V-77 Network Server Message Block (SMB) signing is not required (Tanner vulnerability test). Moderate SS-5 V-78 No process in place to identify failed updates or installations of anti-malware. High SS-9 V-79 Authorized access to the network and buildings by vendors is unmonitored and uncontrolled. High SS-24 V-80 Not receiving both completed questionnaires from the Police and Justice Court (justice court returned the Risk Questionnaire but not the basic asset questionnaire) represents a risk of an unknown nature. Moderate N/A V-81 Admin and other passwords not changed when help desk personnel terminate. High SS-29 ---PAGE BREAK--- Risk Assessment P a g e 37 I 47 ID Vulnerability Vulnerability Severity Recommended Safeguard V-82 Netmotion Mobility rules are not understood or tested, which could lead to split tunneling, unknown access to unknown devices, unauthorized access to authorized users and authorized access to unauthorized users. Very High SS-5 V-83 No consistent process in place to ensure new devices are added to appropriate device groups within a minimal timeframe. Very High SS-5 V-84 All new devices that connect to Netmotion have access to the Ogden City internal network. Very High SS-5 V-85 Ogden city enables split tunneling on remote devices. High SS-5 SS-18 4 Phase III - Post Assessment 4.1 Risk Mitigation/Plan of Action The completed POA (Plan of Action) is the product from the preparation of the Risk Mitigation Worksheet and specific remedial recommendations to mitigate risk. 
Because the elimination of all risk is usually impractical, senior management and Information Owners should assess the control recommendations, determine the acceptable level of residual risk, and implement those mitigations that are most appropriate and effective and offer the highest payback.

4.2 Ongoing Monitoring
The agreed-upon safeguards that mitigate the risks are reportable, and the POA is the reporting vehicle. Ogden City should create a security role to track and monitor the mitigation activities. The POA can then be used to monitor the successful completion of the safeguards.

4.3 Plan of Action Table
The Plan of Action table carries the following columns: Vulnerability Number, Risk Vulnerability, Risk Level, Recommended Controls, Action Priority, Selected Planned Controls, Required Resources, Responsible Team/Persons, Due Date, and Maintenance Requirement/Comments. Only the first four columns are populated; the remaining columns (Action Priority through Maintenance Requirement/Comments) are blank in this report.

Vulnerability Number | Risk Vulnerability | Risk Level | Recommended Controls
V-1 | No Disaster Recovery Plan. | High | SS-3
V-2 | No Incident Response Plan. | High | SS-4
V-3 | Configuration Management Program not in place. | High | SS-5
V-4 | No vendor management or program in place. | High | SS-6
V-5 | No program to track and monitor service providers. | High | SS-7
V-6 | No formal service provider review. | High | SS-7
V-7 | Credit card information is routinely written down with no clearly defined policy or procedure for destruction. | High | SS-8
V-8 | No anti-malware policy or procedure in place or enforced. | High | SS-9
V-9 | No response plan/procedure for the discovery of unauthorized wireless devices. | High | SS-4, SS-20
V-10 | Access to controlled data rooms not limited to needed personnel. | High | SS-10
V-11 | Written credit card and other personal information is put in an open cardboard box that is burned up to twice a month. | High | SS-8
V-12 | Social engineering training has not yet taken place. | High | SS-12
V-13 | No Change Management Process in place. | High | SS-13
V-14 | Generic passwords are used on machines that have USB credit card swipers attached. | High | SS-12
V-15 | Even though each employee has their own user/password, one user name and password are used by multiple employees to access CC software. | High | SS-12
V-16 | Old/out of date [encryption] used on network. | High | SS-14
V-17 | No system logging. | High | SS-15
V-18 | Out of date patches on servers and desktops. | Very High | SS-16
V-19 | Two-factor authentication not set up for remote access. | High | SS-17
V-20 | Complete internal and external vulnerability/penetration scans not done regularly. | High | SS-18
V-21 | Known vulnerabilities have not been mitigated (in process for Business License Renewal, not for Sportsman and Sportsite). | High | SS-19, SS-7
V-23 | Live network jacks in public and easily accessible areas provide easy access to the internal network. | High | SS-18
V-24 | Annual vulnerability test on all servers and applications visible outside the network not being completed. | High | SS-18
V-25 | Individual session management not in place on Renewals/Webpay1. | High | SS-19, SS-7
V-26 | No rogue wireless detection process or technology. | High | SS-20
V-27 | Only sprinklers as fire suppression in the Muni building main data room. No fire suppression in several closets. | Low | SS-21
V-28 | No wireless access policy or procedure. | Moderate | SS-20
V-29 | No list of service providers and associated responsibilities. | Moderate | SS-7
V-30 | Data closets are used as storage rooms, necessitating more than optimal traffic in and out of the closet. | Moderate | SS-12, SS-10
V-31 | Visitor logs not used for data center and key data closets. | Moderate | SS-10
V-32 | Bi-annual network infrastructure configuration review is not being completed. | Moderate | SS-5
V-33 | There are systems with exceptions to the anti-malware policy on the network (no anti-malware installed), and an annual assessment of these systems is not completed. | Moderate | SS-9
V-34 | Log management policy not in place and logs are not currently reviewed. | Moderate | SS-15
V-35 | No backup or storage of logs. | Moderate | SS-15
V-36 | Change detection is not in place for infrastructure configurations and key operating system and application files. | Moderate | SS-5
V-37 | Overall diagram covering the network where cardholder data is processed, transmitted, or stored is not complete. | Moderate | SS-22
V-38 | Outbound traffic from the network is not limited to only the ports and locations necessary. | Moderate | SS-18
V-39 | System inventory of all devices on the network is not in place. | Moderate | SS-22
V-40 | Not all network PCs are set for a defined idle-time lockdown. | Moderate | SS-23
V-41 | Complete set of security policies not in place or enforced. | Very High | SS-1
V-42 | Physical keys are not tracked or inventoried. | Very High | SS-26
V-43 | Tracking of current physical keys and certain key cards (terminated employees) is not in place. | Very High | SS-26
V-44 | No control of temp facilities employees who may have access to the data closets and rooms. | Very High | SS-24
V-45 | Employees rely on the keycard system and do not lock PCs or file cabinets to maintain security of data. | Very High | SS-12
V-46 | No periodic review of credit card machines to detect tampering. | High | SS-12
V-47 | A clean desk policy is not enforced; paper documents containing personal information are not kept in secure storage. | Very High | SS-24, SS-12
V-48 | Employee training for detecting credit card tampering has not been completed. | Very High | SS-12
V-49 | Security awareness training not completed. | Very High | SS-12
V-50 | Training on current policies and procedures does not occur. | Very High | SS-12
V-51 | Password controls are not enforced. | Very High | SS-23
V-52 | [Encryption] is not utilized on restricted data at rest in multiple locations. | Very High | SS-14
V-53 | Periodic access reviews are not completed on either Active Directory or critical applications. | Very High | SS-25
V-54 | Not all wireless networks are separated from the PCI network via firewall. | Very High | SS-20
V-55 | Up to 105 of 242 mobile devices not fully controlled. | Very High | SS-17
V-56 | Personal firewalls not installed on all laptops or devices that connect remotely. | Very High | SS-17
V-57 | Windows Server 2003 in use and exposed to the web. | Very High | SS-19
V-58 | Certain incoming connections from untrusted networks (internet) are sent directly (NAT) to internal servers, bypassing the DMZ. | Very High | SS-18
V-59 | Application and AD permissions are not set appropriately or changed in a timely manner when job changes occur. | Very High | SS-25
V-60 | PCs are not sanitized of data/information between users. | Very High | SS-5
V-61 | Key card permissions are not changed in a timely manner when roles change. | Very High | SS-26
V-62 | Department Purchasing cards are not secured when not in use. | Very High | SS-27
V-63 | Five open credit accounts require only a P.O. number for access. | Very High | SS-27
V-64 | Department Purchasing card users are not required to sign a purchasing card agreement. | Very High | SS-27
V-65 | Department Purchasing cards do not have a set of approved users. | High | SS-27
V-66 | Cold Fusion server is outdated and connected directly to the internet from the internal Ogden LAN. | Very High | SS-16
V-67 | Ogden City LAN accessible from the camera network. | Very High | SS-5, SS-28, SS-13
V-68 | Janitorial service has access to Airport, Court and HR areas after hours. | Very High | SS-24
V-69 | Exchange is not in the DMZ and can be made to disclose its internal IP address without authenticating to the network. | Very High | SS-18
V-70 | [Encryption] is not required for emails containing sensitive data, both internally and externally. | Very High | SS-14
V-71 | Leaking pipes and ceiling in more than one data closet/room. | Moderate | N/A
V-72 | Telnet is active on the network (clear text). | High | SS-5
V-73 | Sophos manages only 74% of devices on average (December hit 80%). | Very High | SS-9
V-74 | Outdated SSL and TLS are utilized and accepted by the server (Tanner vulnerability test). | Moderate | SS-5
V-75 | At least ten hosts present an untrusted SSL certificate (Tanner vulnerability test). | High | SS-5
V-76 | VPN is vulnerable due to usage of IKE aggressive mode (Tanner vulnerability test). | Moderate | SS-5
V-77 | Network Server Message Block (SMB) signing is not required (Tanner vulnerability test). | Moderate | SS-5
V-78 | No process in place to identify failed updates or installations of anti-malware. | High | SS-9
V-79 | Authorized access to the network and buildings by vendors is unmonitored and uncontrolled. | High | SS-24
V-80 | Not receiving both completed questionnaires from the Police and Justice Court (the Justice Court returned the Risk Questionnaire but not the basic asset questionnaire) represents a risk of an unknown nature. | Moderate | N/A
V-81 | Admin and other passwords not changed when help desk personnel terminate. | High | SS-29
V-82 | Netmotion Mobility rules are not understood or tested, which could lead to split tunneling, unknown access to unknown devices, authorized users gaining unauthorized access, and unauthorized users gaining authorized access. | Very High | SS-5
V-83 | No consistent process in place to ensure new devices are added to appropriate device groups within a minimal timeframe. | Very High | SS-5
V-84 | All new devices that connect to Netmotion have access to the Ogden City internal network. | Very High | SS-5
V-85 | Ogden City enables split tunneling on remote devices. | High | SS-5, SS-18

5 Risk Analysis Tables

5.1 Existing Controls
Identifying and documenting controls is a key element of the procedure. It is important to note which controls reduce the likelihood of a threat exploiting an identified vulnerability, which reduce the potential impact of the exploited vulnerability on the environment, and which do both. Existing controls may be policy, procedural, operational or technical controls, depending on the identified threat and vulnerability and the possible risk to the system.
Existing Controls Table

Control ID | Control Description | Control Type
C-1 | Sophos installed on devices | Likelihood and Impact
C-2 | VPNs | Likelihood and Impact
C-3 | All data rooms and closets have locks on the door | Likelihood
C-4 | Muni Building has controlled access to each floor | Likelihood
C-5 | Data room has more than adequate UPS and generator power backups | Impact
C-6 | Offsite tape backups of data | Impact
C-7 | Background checks done on employees before hiring | Likelihood
C-8 | Visitors to the Muni building are required to be escorted by an employee or have an employee request a keycard | Likelihood
C-9 | All city buildings have fire alarm systems and protocols | Likelihood and Impact

5.2 Likelihood of Occurrence
In the risk assessment there is a field called Likelihood where the assessor lists a value of Very Low, Low, Moderate, High or Very High for the probability that the threat is realized and exploits the system's vulnerability. Two considerations feed this value: the historical occurrence of the threat, and the possibility, based on cumulative security knowledge, of the threat exploiting the vulnerability. The levels are defined as follows (the numeric values 0, 2, 5, 8 and 10 are the semi-quantitative scores used throughout Section 5):

Adversarial Risk Table

Adversarial Risk Likelihood | Description
0 - Very Low | Adversary is highly unlikely to initiate the threat event.
2 - Low | Adversary is unlikely to initiate the threat event.
5 - Moderate | Adversary is somewhat likely to initiate the threat event.
8 - High | Adversary is highly likely to initiate the threat event.
10 - Very High | Adversary is almost certain to initiate the threat event.

Non-Adversarial Risk Table

Non-Adversarial Risk Likelihood | Description
0 - Very Low | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
2 - Low | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
5 - Moderate | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1 and 10 times a year.
8 - High | Error, accident, or act of nature is highly likely to occur; or occurs between 10 and 100 times a year.
10 - Very High | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.

Overall Likelihood
Rows give the Likelihood of Threat Event Initiation or Occurrence; columns give the Likelihood that Threat Events Result in Adverse Impacts. Each cell is the Overall Likelihood, which is then carried into the Ogden City Risk Matrix in Section 3.11.

Initiation/Occurrence | Very Low | Low | Moderate | High | Very High
Very High | Low | Moderate | High | Very High | Very High
High | Low | Moderate | Moderate | High | Very High
Moderate | Low | Low | Moderate | Moderate | High
Low | Very Low | Low | Low | Moderate | Moderate
Very Low | Very Low | Very Low | Low | Low | Low

5.3 Severity of Impact

Qualitative Value | Description
10 - Very High | The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
8 - High | The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
5 - Moderate | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
2 - Low | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
0 - Very Low | The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.

5.4 Recommended Security Safeguards

ID | Security Safeguard
SS-1 | Implement a security program that meets PCI DSS 3.1 requirements and industry best practice standards, including but not limited to: anti-malware, user awareness training, user permissions, patch management, change management, breach management, vendor management, disaster recovery, and physical security.
SS-2 | Develop a security group or position to monitor and control all aspects of the Ogden City Security Program.
SS-3 | Create a disaster recovery plan and include it in the Security Program.
SS-4 | Create an incident response plan and include it in the Security Program.
SS-5 | Create and implement a configuration management program and include it in the Security Program.
SS-6 | Create and implement a vendor management program and include it in the Security Program.
SS-7 | Create and implement a service provider program and include it in the Security Program.
SS-8 | Implement formal and regular PCI DSS 3.1 training for all employees active on the PCI network.
SS-9 | Create and implement an anti-malware program and include it in the Security Program.
SS-10 | Create and implement an access control program and include it in the Security Program.
SS-12 | Create and implement formal and regular security awareness training, including but not limited to social engineering, tampering detection, and restricted data disposal, for all network users.
SS-13 | Create and implement a change management program and include it in the Security Program.
SS-14 | Create and implement an [encryption] program and include it in the Security Program.
SS-15 | Create and implement a log management program and include it in the Security Program.
SS-16 | Create and implement a patch management program and include it in the Security Program.
SS-17 | Create and implement a remote access program and include it in the Security Program.
SS-18 | Create and implement a risk management program and include it in the Security Program.
SS-19 | Upgrade all operating systems to Microsoft-supported versions.
SS-20 | Create and implement a wireless network program and include it in the Security Program.
SS-21 | Evaluate the current fire suppression systems in data rooms and closets and determine whether the cost of any system changes is justified by the risk.
SS-22 | Create and implement a network documentation program and include it in the Security Program.
SS-23 | Systematically enforce the current password and system idle policies.
SS-24 | Create and implement a physical access program and include it in the Security Program.
SS-25 | Create and implement a user access program and include it in the Security Program.
SS-26 | Create and implement a key/keycard policy that distributes, tracks, and periodically reviews the key cards and physical keys, and include it in the Security Program.
SS-27 | Create and implement a purchasing card policy requiring at minimum the following:
• Cards to be stored in a secured location when not in use;
• A list of all approved signers for each department;
• A signed purchasing card agreement before an employee is approved to use the purchasing card;
• Regular purchasing card audits;
• Reconciliation of statements and receipts for all accounts.
SS-28 | Create and implement a firewall management program that includes an annual review, rule justification, and firewall configuration. Include it in the Security Program.
SS-29 | In addition to the current termination/off-boarding process, add the following for any IT or privileged user termination:
• On the date of termination, remove all remote access permissions;
• On the date of termination, evaluate and change any known admin/generic user passwords;
• On the date of termination, retrieve and deactivate the key card;
• On the date of termination, inventory and retrieve any physical keys.
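The two-step scoring used in this report (the Overall Likelihood table in Section 5.2 combines likelihood of initiation with likelihood of adverse impact; the Ogden City Risk Matrix in Section 3.11 then combines that result with the Severity of Impact from Section 5.3) is easy to get wrong when the tables are transcribed by hand. The following is an added example, not code from the report or from Piercy Bowler Taylor & Kern: it encodes both tables exactly as printed, computes a risk level for a set of constructed threat events, and adds a monotonicity check that flags any cell where risk decreases as likelihood or impact increases, which is the kind of transcription error an assessor wants caught before the matrix is used. The event names, the function names and the 0/2/5/8/10 score mapping are the example's own assumptions.

```python
"""Qualitative risk scoring with the likelihood and impact tables from Section 5.

Added example; the threat events below are constructed for illustration and are
not findings from the Ogden City assessment.
"""
from collections import Counter

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Section 5.2, Overall Likelihood.
# rows = likelihood of threat event initiation/occurrence,
# columns (in LEVELS order) = likelihood the event results in adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
}

# Section 3.11, Ogden City Risk Matrix.
# rows = overall likelihood, columns (in LEVELS order) = level of impact.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Semi-quantitative values the report attaches to each level (assumed mapping,
# matching the 0/2/5/8/10 scale printed in the Section 5 tables).
SCORE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}


def lookup(table, row, col):
    """Index a 5x5 qualitative table by level names; reject unknown levels."""
    if row not in table or col not in LEVELS:
        raise ValueError(f"unknown level: {row!r}/{col!r}")
    return table[row][LEVELS.index(col)]


def overall_likelihood(initiation, adverse_impact):
    """Step 1: combine initiation likelihood with adverse-impact likelihood."""
    return lookup(OVERALL_LIKELIHOOD, initiation, adverse_impact)


def risk_level(initiation, adverse_impact, impact):
    """Step 2: combine overall likelihood with severity of impact."""
    return lookup(RISK_MATRIX, overall_likelihood(initiation, adverse_impact), impact)


def matrix_is_monotonic(table):
    """Transcription check: a cell must never score below its left or lower
    neighbour, i.e. risk never decreases as likelihood or impact increases.
    Returns the list of offending (row, column) cells; empty means the table is sane."""
    violations = []
    for r, row in enumerate(LEVELS):
        for c, col in enumerate(LEVELS):
            here = SCORE[lookup(table, row, col)]
            if c > 0 and SCORE[lookup(table, row, LEVELS[c - 1])] > here:
                violations.append((row, col))
            if r > 0 and SCORE[lookup(table, LEVELS[r - 1], col)] > here:
                violations.append((row, col))
    return violations


def summarize(events):
    """Count risk levels over (name, initiation, adverse_impact, impact) tuples,
    the same roll-up the executive summary gives (N Very High, N High, ...)."""
    return Counter(risk_level(i, a, m) for _, i, a, m in events)


# Constructed sample threat events (not report findings).
SAMPLE_EVENTS = [
    ("Telnet credential capture on LAN", "High", "High", "High"),
    ("Leaking pipe in data closet", "Moderate", "Moderate", "Moderate"),
    ("Fire in Muni data room", "Very Low", "High", "Very High"),
    ("Server 2003 host exploited from internet", "Very High", "Very High", "Very High"),
]

if __name__ == "__main__":
    for name, i, a, m in SAMPLE_EVENTS:
        print(f"{name}: overall likelihood {overall_likelihood(i, a)}, risk {risk_level(i, a, m)}")
    print("matrix violations:", matrix_is_monotonic(RISK_MATRIX), matrix_is_monotonic(OVERALL_LIKELIHOOD))
    print(summarize(SAMPLE_EVENTS))
```

Note that a Very Low initiation likelihood with Very High impact still lands at Moderate risk, not Very Low: the tables deliberately let impact pull the result up, which is why the low-frequency physical events (fire, flooding) in this report do not simply fall off the bottom of the matrix.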