Creation of a risk assessment and mitigation strategy for a fictional airport that includes four distinct organizations. Based on a provided scenario, you will develop a report for the management team that includes personnel recommendations for IT team members, a comprehensive assessment of IT security risks, and suggested strategies and approaches for minimizing the identified risks.
The Scenario: You have been hired as a consultant to conduct a comprehensive risk assessment and provide a risk assessment and mitigation report for an airport.
The airport has four different organizations:
1. Airport authority
2. Four flight service providers (four airlines)
3. Airport restaurant
4. Guests
The airport authority maintains a system that handles the flight management controls. This system is made up of a database server, an application server, and a web server.
The four flight service providers have only back-end access to their own dedicated server in the airport authority network and not to any other provider's back-end systems. Each flight service provider has a system made up of a database server, an application server, and a web server that allows patrons to reserve and purchase tickets.
The restaurant provides food for both airport employees as well as travelers. The restaurant's systems are used to maintain customer transactions, human resource functions (payroll and benefits information), and vendor ordering.
Guest users have wireless access to a high-speed internet connection, which is also shared among all the users in all organizations.
The wireless access uses a common password. Guest users should not have access to the other organizations within the airport. The users obtain IP addresses automatically. The airport authority has 27 users, and the flight service providers have 85 users. The maximum number of guests is estimated to be 100.
Software updates that address security vulnerabilities are assessed by the airport security team. The team verifies whether the vulnerability is applicable to their environment. If it is, they analyze the circumstances under which vulnerabilities could be exploited and the possible business impact on organizational assets and business continuity.
After the evaluations are complete, the security team works with the configuration management administrator to manage software updates. The administrator reviews the security team's list of critical security updates and runs a report to see how many computers on the network are potentially vulnerable to the exploit addressed in the security update.
The organization has a content-filtering firewall in place; however, there are currently no filtering rules. There has been some discussion in the past to mitigate this, but the organization is looking for recommendations on how this should be configured.
Critical Elements: Your 8- to 10-page risk assessment and mitigation strategy must include the following critical elements:
1. Team Information
a. Identification of all stakeholders.
b. Job Description. Create a job description for the chief security officer the airport plans to hire. Include desired qualifications and experiences, as well as responsibilities and daily tasks.
c. Security Certification Recommendations. Recommend certifications for the current IT staff. Provide a brief rational for your recommendations.
2. Risk Assessment
As part of your risk assessment, based on the provided scenario information, include an analysis of the security risks in the areas listed below.
a. Security and Business Processes. Summarize the impact of confidentiality, integrity, availability, and privacy on business processes.
b. Legal, Regulatory, Ethical, and Social Issues. Discuss key ethical, social, and legal issues related to IT security. Identify at least three laws or regulations that pertain to the organization.
c. Viruses and Malicious Software. Identify how the organization detects, controls, and prevents viruses and other malicious software.
d. Web Server Security Strategies. Assess the usage of browsers, cryptographic posture, and server and protocol securities such as IPsec, SSL, and VPN.
e. External Threats. Analyze necessary firewalls, intrusion detection, and intrusion prevention systems.
The results of the risk assessment will guide the development of the company's risk mitigation strategy.
3. Mitigation Strategy
As a result of the items identified in the risk assessment, develop a mitigation strategy that addresses the security risks outlined in the risk assessment. As part of your strategy, address the following:
a. Employee Guidelines. Develop guidelines to share with employees. The guidelines should summarize the proposed approach to confidentiality, integrity, availability, and privacy.
b. Legal, Regulatory, Ethical, and Social Issues. Provide a detailed explanation of how the IT department will mitigate identified ethical, social, or legal issues. Be sure to address legal or regulatory gaps.
c. Viruses and Malicious Software. Describe new approaches for the detection, control, and prevention of viruses and other malicious software.
d. Web Server Security Strategies. Detail necessary changes to the websites, browser settings, and remote access.
e. External Threats. Develop a comprehensive plan to address risks from external threats.
4. References