8/11/2019 NIST Retail
1/48
Risk Assessment Report for Dinny Hall Retail Mart
1
Dinny Hall Retail Mart
MBA-ITBM
Batch: 2013-2015
Prepared By: Group 1 (Div. C)
Ambrish Anand (13030241100)
Ankit Bajaj (13030241102)
Dipesh Golwala (13030241104)
Pratik Patil (13030241118)
Yogesh Shadapuri (13030241139)
Risk Assessment Report on Microsoft Retail Management System using NIST
Table of Contents
1. Introduction ........ 4
2. Risk Assessment Approach ........ 5
3. IT System Characterization ........ 6
4. Risk Identification ........ 10
5. Control Analysis ........ 15
6. Risk Likelihood ........ 29
7. Risk Impact Analysis ........ 34
8. Overall Risk Assessment Determination ........ 35
9. Recommendations ........ 37
10. Result Documentation ........ 39
List of Tables
Table A: IT System Inventory and Definition
Table B: Threats Identified
Table C: Threats, Vulnerabilities and Risk
Table D: Security Controls
Table E: Risks-Controls-Factors Correlation
Table F: Risk Likelihood Ratings
Table G: Risk Impact Analysis
Table H: Overall Risk Rating Matrix
Table I: Overall Risk Ratings Table
Table J: Recommendations
Table K: Risk Assessment Matrix
1. INTRODUCTION
1.1 Purpose
The purpose of this risk assessment is to evaluate the adequacy of the IT security of the Dinny Hall Supermarkets Microsoft Dynamics Retail Management System (RMS). RMS offers small and midsize retailers a complete point of sale (POS) solution that can be adapted to meet unique requirements. This powerful software package automates POS processes and store operations, provides centralized control for multi-store retailers, and integrates with Microsoft Office system programs, Microsoft Dynamics GP, and other popular applications. This risk assessment provides a structured qualitative assessment of the RMS operational environment. It addresses threats, vulnerabilities, risks, impacts and safeguards. The assessment recommends cost-effective safeguards to mitigate threats and the associated exploitable vulnerabilities identified in Dinny Hall's RMS system.
1.2 Scope
The scope of this risk assessment report is to assess the system's use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to the retail domain. If exploited, these vulnerabilities could result in:
- Unauthorized disclosure of data (customer-sensitive information)
- Unauthorized modification to the system, its data, or both
- Denial of service, or of access to data, or both, to authorized users
This Risk Assessment Report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information) and availability (loss of system access) of the system. Recommended security safeguards will allow management to make decisions about security-related initiatives.
2. RISK ASSESSMENT APPROACH
This risk assessment was conducted using the methodology and approach described in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity and availability. The assessment recommends appropriate security safeguards, permitting management to make knowledge-based decisions about security-related initiatives. The methodology addresses the following types of controls:
- Management Controls: Management of the Information Technology (IT) security system and the management and acceptance of risk.
- Operational Controls: Security methods focusing on mechanisms implemented and executed primarily by people (as opposed to systems), including all aspects of physical security, media safeguards and inventory controls.
- Technical Controls: Hardware and software controls providing automated protection to the system or applications (technical controls operate within the technical system and applications).
The NIST RMF, illustrated in Figure 1, provides the covered entity with a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization.
The flexible nature of the NIST RMF allows other communities of interest to use the framework voluntarily, either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization.
Figure 1: NIST RMF
The risk assessment methodology comprises nine primary steps, which are described below:
Step 1 - System Characterization
Step 2 - Threat Identification
Step 3 - Vulnerability Identification
Step 4 - Control Analysis
Step 5 - Likelihood Determination
Step 6 - Impact Analysis
Step 7 - Risk Determination
Step 8 - Control Recommendations
Step 9 - Results Documentation
3. IT SYSTEM CHARACTERIZATION
The purpose of this step is to identify the IT system and define the risk assessment boundary, components and data sensitivity.
Table A: IT System Inventory and Definition

I. IT System Identification and Ownership
IT System ID: IMS
IT System Common Name: Inventory Management System (IMS)
Owned by: Dinny Hall Retail Mart
System Owner: Chris Chapman
System Administrator: Ant Corrie
Data Owner: William Gomes
Data Custodian: Ant Corrie, Evans Thomas

II. IT System Boundary and Components
IT System Description and Components:
- Operating System: Windows Server 2008.
- Two servers running Windows Server 2008.
- The backup server operates when the main server fails.
- The database and backup database are attached to the server.
- The Payment, Inventory and Supply Chain systems access relevant data from the server.
IT System Interface: TeraData
- This system ensures data transmission among different network entities.
- All the security aspects of data transfer are handled by TeraData.
- Employee accessibility rights are defined by TeraData.
- Initial user ID and password are generated by this system.

III. IT System Interconnections
Columns: Agency or organization | IT system name | IT system abbreviation | IT system owner | Interconnect security agreement summary
Retail management services | Bill Payment System | BPS | Chris Chapman | No formal agreement required as the system has a common owner
Retail management services | Stock Management System | SMS | Chris Chapman | No formal agreement required as the system has a common owner

Data sensitivity:
Columns: Type of data | Confidentiality | Integrity | Availability
Financial data | High. May lead to unauthorized transactions and fiscal loss to customers, thereby harming company reputation. | High | Low
Stock details | High. If leaked, competitors can misuse them. | High | High

Diagram of the system and network architecture, including all components of the system and communications links connecting the components of the system, associated data communications and networks:
Figure 1: IT System Boundary Diagram (Interconnected Retail Environment)
Information Flow Diagram: (figure)
Security Structure: (figure) Information sent from main outlet to RMS division data center.
4. RISK IDENTIFICATION
The purpose is to identify risks existing in the system. Risks occur when vulnerabilities in
the IT system or its environment can be exploited by threats.
4.1 Identification of Vulnerabilities
The following vulnerabilities were identified:
- A weak encryption standard is a vulnerability for the RMS system. It threatens the CIA (confidentiality, integrity, availability) aspects of the organization. The encryption standard is not compliant with the PCI DSS standards (wireless eavesdropping, wired eavesdropping).
- Absence of network monitoring systems.
- Absence of processing logs.
- No purging of old data.
- Storage of critical information in unencrypted format.
- Certain inventory items don't have their details fed into the system, though they are present in the stock, so there are risks of theft and other manipulations in which staff may be involved.
- The supply chain management system didn't comply with security standards.
- The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide.
- Maintenance hurdles at remote sites due to lack of technical expertise.
- No timely security patches on in-house systems.
- Exposure to cyber-attacks due to connections with a diverse set of networks: in-house, corporate and public.
4.2 Identification of Threats
The following threats were identified:
- Any hacker or intruder may get easy access to the critical information because of the weak encryption standards implemented.
- If any intrusion happens, it would not be detected because of the inadequate network monitoring system.
- Detection of login details would not be possible because of the absence of processing logs, so if any security incident happens, the source would not be traceable.
- In case of any security breach, the critical data would be easily accessible as it is present in unencrypted format.
- VPN accounts assigned to former employees, which the system administrator didn't close after the employee's service was terminated, can become a gateway for hacker intrusion.
- The risk of a system in the SCM getting hacked, thus revealing inventory details to the hackers, who can sell this information to the competitors of DINNY HALL Supermarket.
- The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across stores nationwide. An attacker who compromised a system in one store could access the same device at every DH store nationwide.
- Loopholes in the inventory management system would compromise the traceability of products kept in the retail store.
- Systems connected to a network, internal or public, are susceptible to malware attacks.
- Stealing of credit card information and other sensitive customer data.
The threats identified are listed in the table below:
Table B: Threats Identified
Wireless eavesdropping | Power loss | Communication failure
Wired eavesdropping | Tornadoes | Workplace violence
Spoofing | Floods | DoS attack
Stored data manipulation | Bomb threat | Rioting
Lost or stolen device | Malware attacks | Robbery
Earthquake | Fire | Cyber terrorism
4.3 Identification of Risks
The following risks were identified:
- Poor network security would risk the critical information of the company.
- Access control mismanagement would risk the disclosure of company details.
- Failures in hardware devices may lead to permanent loss of data.
- Disgruntled employees may result in loss of critical company decisions and policies.
- Active VPN accounts of ex-employees would result in unauthorized access and risk the critical information.
- Loss of financial information would affect the company image.
- Loss of inventory details would give an undue advantage to competitors.
- A natural calamity would hamper the business.
- Loss of business details would reveal strategies and hamper the long-term goals.
Table C: Threats, Vulnerabilities and Risk
Columns: Risk No. | Vulnerabilities | Threats | Risk of Compromise of | Risk Summary

Risk 1
Vulnerability: Improper handling of financial data of the company.
Threat: Loss of confidential data.
Compromise of: Financial data. Some important financial ledgers and balance sheets may be lost internally.
Risk summary: Loss of financial data, having severe impact on the company's brand image.

Risk 2
Vulnerability: Unencrypted data and details of employees.
Threat: Unethically updating details of employees.
Compromise of: Misuse of employees' details.
Risk summary: Loss of employee details.

Risk 3
Vulnerability: Accidental damage to business.
Threat: A situation from which the company can't recover.
Compromise of: Discontinuity of services.
Risk summary: Business plan.

Risk 4
Vulnerability: Not well planned architecture of the company.
Threat: Loss of data.
Compromise of: Loss of resources, data and other things which are important.
Risk summary: Natural calamities like earthquake, hurricane etc.
Risk 5
Vulnerability: Water leakage near the server room.
Threat: Threat of fire.
Compromise of: Availability and integrity of retail data.
Risk summary: Water leakage may cause a short-circuit leading to eruption of fire.

Risk 6
Vulnerability: No proper access control for employees.
Threat: Lack of access control can be misused, leading to incidents such as data theft etc.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Unauthorized access control.

Risk 7
Vulnerability: Poor network security.
Threat: Weak firewall, outdated anti-virus etc.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Denial of service attack via dummy packets.

Risk 8
Vulnerability: Unsecure remote access.
Threat: Multiple access points.
Compromise of: Due to this the data can be shared with others.
Risk summary: Masquerading access points.

Risk 9
Vulnerability: Encryption standard is not compliant with the PCI DSS standards.
Threat: Wireless eavesdropping, wired eavesdropping, spoofing etc. may be the outcome of exploiting this vulnerability.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Spoofing.

Risk 10
Vulnerability: Physical access controls not implemented.
Threat: Unauthorized people gaining access in the organization.
Compromise of: Tailgating and hence loss of confidential data.
Risk summary: Tailgating.

Risk 11
Vulnerability: Hardware failure.
Threat: Important customer confidential data may be lost or corrupted.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Power loss.

Risk 12
Vulnerability: VPN accounts of ex-employees still in use.
Threat: Unauthorized access.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: VPN account of ex-employee compromised.

Risk 13
Vulnerability: Lack of proper security practices.
Threat: Accessible to hackers.
Compromise of: Easily accessible to hackers.
Risk summary: Hacking.

Risk 14
Vulnerability: Customer-sensitive data/passwords were also stored unencrypted.
Threat: Misuse of confidential customer data.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Unencrypted passwords increase the chances of security breaches in the system.

Risk 15
Vulnerability: Disgruntled employees.
Threat: Workplace violence, execution of system sabotage.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Loss or theft of USB drives could result in compromise of confidentiality of DH data.

Risk 16
Vulnerability: The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide.
Threat: If the hacker gets through the network security walls of one system, he can do so for other systems too.
Compromise of: Confidentiality and integrity of retail data.
Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of confidential business data.

Risk 17
Vulnerability: Lack of proper physical security.
Threat: Robbery.
Compromise of: Money, shop items.
Risk summary: Lack of adequate physical security leads to robbery, which in turn leads to physical injury.
5. CONTROL ANALYSIS:
The purpose of control analysis is to provide a report about the control measures implemented and the control policies that are planned. These are then matched against the risks to identify which risks need to be addressed and which can be accepted by the organization.
Table D: Security Controls
Columns: Control Area | In Place / Planned | Description of Controls

1. Risk Management
1.1 IT Security Roles and Responsibilities [Planned]: Required IT security roles have been assigned. There is a CIO appointed who has assigned roles to individuals.
1.2 Business Impact Analysis [In Place]: DH management and staff conducted and documented a BIA. It needs to be reviewed annually, which has been done.
1.3 IT System and Data Classification [In Place]: DH should know how much data it should store. There should be provision to store customer-sensitive information separately from other data. In short, classification of data should be in place.
1.4 IT System Inventory and Definition [In Place]: DH recognizes an inventory of sensitive IT data that contains crucial customer information. This also includes the stock level and inventory detail included in the risk assessment report.
System definition also forms a part of this report.
1.5 Risk Assessment [In Place]: This report documents the risk assessment of DH in April 2012.
1.6 IT Security Audits [In Place]: IT security audit has been taken care of by Mark Smith, Internal Audit Director in DH. An internal audit is planned annually.

2. Contingency Planning
2.1 Continuity of Operations Planning [In Place]: Ant Corrie is the DH Coordinator of Operation Plan Coordination. The DH COOP identifies all personnel required for its execution, includes personnel required for recovery of the DH, and includes emergency declaration, notification and operations procedures. The COOP document is classified as sensitive; access to this document is restricted to COOP team members, and a copy of the COOP is stored off site at Data Recovery Services, Inc., DH's recovery site partner. The DH COOP,
including components relating to the DH, is currently being updated as a result of the COOP exercise; completion is expected by Dec 2013.
2.2 IT Disaster Recovery Planning [In Place]: A Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) for the DH has been documented and approved by the Security Commissioner, Marlin Luther. This plan calls for recovery of the DH within 48 hours at a cold site maintained by Data Recovery Services, Inc. (DRSI). In order to support 24-hour recovery of DH during budget preparation, the contract with DRSI includes 24-hour recovery during this period.
2.3 IT System and Data Backup and Restoration [In Place]: DH has a backup and restoration plan, documented and approved by Chris Chapman, the DH system owner. This plan calls for:
a. Daily full and monthly incremental backups, and review of backup logs of DH data by operations staff.
3. IT Systems Security
3.1 IT System Hardening [In Place]: DH systems use the Windows 7, Windows Server 2008 and Oracle 10g benchmarks from the Center for Internet Security (CIS). Chris Chapman, the BFS system owner, has approved the recommendations regarding the benchmarks. DH operations staff will determine whether the CIS benchmarks continue to provide appropriate protection by carrying out vulnerability scans.
3.2 IT System Interoperability Security [In Place]: The RMS system in DH interacts with the payment system, the inventory system and the POS system. The data sharing is described in the risk assessment report. Chris Chapman is the system owner of the retail system, POS system and inventory system. Therefore no written data sharing agreement is required.
3.3 IT System Development Life Cycle Security [Planned]: The DH risk assessment team analyses all its software in the various stages of its life cycle with regard to security compliance. As documented throughout this Risk
Assessment report, the DH risk assessment team conducts and documents a formal risk assessment of the DH every three years.
3.4 Malicious Code Protection [Planned]: DH has a few antivirus products installed on the systems and network servers. This software does the following:
1) Protects the system from malicious programs
2) Scans files retrieved from various sources
3) Maintains logs of protection activities
4) Allows the administrator to modify the configuration
The Acceptable Use Policy, under development, will prohibit DH users from intentionally developing or experimenting with malicious programs and knowingly propagating malicious programs. This policy is scheduled to be completed in October 2012.

4. Logical Access Control
4.1 Account Management [Planned]: The following policies need to be implemented:
- Access level to be granted on the basis of least privilege.
- Any change in access levels should be done with the permission of Chris Chapman and Ant Corrie.
- Any account unused for 60 days should get locked. Unlocking of the account should be done with the permission of George Mathew.
- Account monitoring should be done. A detailed report should be made to identify any unusual account access.
4.2 Password Management [In Place]:
- Passwords expire after 60 days.
- Every password requires 4 alphanumeric characters, 3 numeric characters and 1 special character.
- New password and old
password should not have more than 5 characters in common.
- Use of different passwords at different stores.
- High encryption standards for database passwords.
- Use of a standard procedure for handling the initial user ID and password. The user is required to change the password at first login.
4.3 Remote Access [In Place]:
- A VPN account monitoring system should be established.
- Old VPN accounts should be locked.
- Logs should be maintained that contain VPN account access information.
- Access levels for different VPN accounts should be defined.

5. Personnel Security
5.1 Access Determination and Control [Planned]:
- Access control needs to be implemented as per work area and hierarchy.
- Access rights for people working in the SCM and Payment systems should be separated.
5.2 IT Security Awareness and Training [Planned]:
- Employee security awareness training should be conducted on an annual basis.
- Security training should be provided to newly joined employees.

6. Threat Management
6.1 Threat Detection: Ant Corrie is the head for threat detection. Following are the components of threat detection:
1. Regular training sessions for employees on IT security (In Place)
2. Regular monitoring of the IT system (Planned)
3. Regular evaluation of security awareness among employees (Planned)
6.2 Incident Handling [Planned]: Following are the measures
that are suggested to be implemented:
1. Protocols for handling security incidents
2. Establishment of a dedicated team to prevent and handle cyber attacks
3. Identifying different levels of security incident and chalking out preventive measures for the same
4. Establishing a hierarchy for the reporting process in case of a security incident
6.3 Security Monitoring and Logging [Planned]:
1. Development of logging capabilities and review procedures
2. Enabling logging and retention of logs for 60 days
3. Monitoring of security logs and reporting to the security team in case of a security incident

7. IT Asset Management
7.1 IT Asset Control [In Place]: Personal data storage devices are not allowed on the company premises. All devices have a unique ID, and the Device Record has an entry for every device by its unique ID. Any allocation of new
devices or change in the position of devices should be done with the permission of George Mathew and should also be recorded in the Device Record.
7.2 Software License Management [In Place]: Documented policies require the use of only DH (Dinny Hall Retail Mart) approved software on its IT systems and require annual reviews of whether all software is used in accordance with license requirements. All software used at Dinny Hall Retail Mart is appropriately licensed.
7.3 Configuration Management and Change Control [In Place]: Creation and management of an IT assets record. The record should have entries for all IT assets and their valuation. Security practices according to the valuation of the device are implemented. Any change in the IT environment (intentional or accidental) should be immediately reported to George Mathew.
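Controls 4.1 to 4.3 above state concrete account and password rules: a 60-day inactivity lock, 60-day password expiry, a 4/3/1 character composition, and at most 5 characters in common between the old and new password. The Python below is an added worked example that turns those rules into checks an administrator could run over an account export; it is not code from the report or from Microsoft Dynamics RMS. The reading of "alphanumeric" as letters, the position-independent count for "characters in common", the inclusive 60-day thresholds and the sample accounts are assumptions.

```python
"""Checks for the account and password rules stated in controls 4.1 and 4.2.

Added example: the policy values come from the report, the interpretation of
its looser phrases is an assumption (see comments), and the accounts below are
constructed sample data, not DH records.
"""
from collections import Counter
from datetime import date

# Policy values taken from controls 4.1 and 4.2 of the report.
PASSWORD_MAX_AGE_DAYS = 60   # "Password would expire after 60 days"
INACTIVE_LOCK_DAYS = 60      # "Any account, if unused for 60 days should get locked"
MIN_LETTERS = 4              # "4 alphanumeric characters" read as letters (assumption)
MIN_DIGITS = 3               # "3 numeric characters"
MIN_SPECIAL = 1              # "1 special character"
MAX_COMMON_CHARS = 5         # old and new password share at most 5 characters


def complexity_errors(password):
    """Return the list of composition rules a candidate password violates (empty = passes)."""
    errors = []
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = sum((not c.isalnum()) and (not c.isspace()) for c in password)
    if letters < MIN_LETTERS:
        errors.append("needs at least %d letters, has %d" % (MIN_LETTERS, letters))
    if digits < MIN_DIGITS:
        errors.append("needs at least %d digits, has %d" % (MIN_DIGITS, digits))
    if special < MIN_SPECIAL:
        errors.append("needs at least %d special character(s), has %d" % (MIN_SPECIAL, special))
    if any(c.isspace() for c in password):
        errors.append("must not contain whitespace")
    return errors


def chars_in_common(old, new):
    """Count characters shared by two passwords as a multiset, ignoring position.

    Assumption: this is the reading used here for the report's rule that the new
    and old password 'should not have more than 5 characters in common'.
    """
    return sum((Counter(old) & Counter(new)).values())


def password_change_errors(old, new):
    """Apply both the composition rules and the old/new similarity rule."""
    errors = complexity_errors(new)
    if old is not None and chars_in_common(old, new) > MAX_COMMON_CHARS:
        errors.append("shares more than %d characters with the old password" % MAX_COMMON_CHARS)
    return errors


def account_actions(last_login, last_password_change, today):
    """Actions the 60-day rules require for one account, as a sorted list.

    Assumption: an account counts as unused once 60 or more days have passed since
    its last login, and a password as expired once it is 60 or more days old.
    """
    actions = []
    if (today - last_login).days >= INACTIVE_LOCK_DAYS:
        actions.append("lock_account")
    if (today - last_password_change).days >= PASSWORD_MAX_AGE_DAYS:
        actions.append("force_password_change")
    return sorted(actions)


def review_accounts(accounts, today):
    """Map each account name to the actions required on the review date."""
    return {a["user"]: account_actions(a["last_login"], a["last_password_change"], today)
            for a in accounts}


# Constructed sample accounts for a review dated to the report's April 2012 assessment.
SAMPLE_ACCOUNTS = [
    {"user": "pos-store-01", "last_login": date(2012, 4, 29),
     "last_password_change": date(2012, 4, 1)},       # active, password 29 days old
    {"user": "vpn-former-staff", "last_login": date(2011, 12, 15),
     "last_password_change": date(2011, 12, 15)},     # stale VPN account (control 4.3 case)
    {"user": "inventory-clerk", "last_login": date(2012, 4, 28),
     "last_password_change": date(2012, 2, 20)},      # active, password 70 days old
]
REVIEW_DATE = date(2012, 4, 30)

if __name__ == "__main__":
    for user, actions in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, actions or ["ok"])
    print(password_change_errors("Store12345!", "Store12346!"))
```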
The identified risks are associated with the relevant controls in a Risks-Controls table (Table E), as below. This correlation determines whether controls exist that respond adequately to the identified risks.
Table E: Risks-Controls-Factors Correlation
Columns: Risk No. | Risk Summary | Correlation of Relevant Controls and Other Factors
1 | Loss of financial data, having severe impact on the company's brand image | Overall security enforcement in DH is being worked upon. Loopholes are being analyzed and documented.
2 | Loss of employee details | Encryption standards and system security controls are being focused upon.
3 | Business plan | DH is coming up with compliance in BCP and DRP to ensure uninterrupted business procedures.
4 | Natural calamities like earthquake, hurricane etc. | There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk. However, BCP and DRP are being focused upon to ensure speedy recovery.
5 | Water leakage may cause short-circuit leading to eruption of fire. | There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk.
6 | Unauthorized access control | Controls 4.2 and 7.1 determine the security measures against unauthorized access. These policies are ad hoc rather than role based.
7 | Denial of service attack via dummy packets | Intrusion control measures have been included in the control analysis documentation. An Intrusion Prevention System (IPS) is yet to be implemented in the system.
8 | Masquerading access points | Masqueraded access points are difficult to detect and have often succeeded in fooling system users. No controls have so far been effectively implemented regarding this.
9 | Spoofing | Spoofing is the creation of TCP/IP packets using somebody else's IP address. The DH firewall protects the system from spoofing; however, it fails to give consistent resistance against spoofing.
10 | Tailgating | Control 7.1 takes into account the various risk factors against unauthorized entry of people into restricted entry zones. This control has not been consistently followed, posing a greater security threat.
11 | Stored data manipulation | Stored data can be manipulated by employees from the inventory. RFID tracking and updating in the corresponding system can help prevent this. This strategy is yet to be implemented in DH.
12 | Power loss | Power loss may result in loss of crucial data from the system during the process of transition. Proper backup
systems are being worked upon in order to avoid this.
13 | VPN account of ex-employee compromised | Controls 4.1 and 7.1 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application.
14 | Hacking | Hacking is difficult to prevent due to various flaws present in DH's core systems. Network security controls are being enforced in DH.
15 | Unencrypted password increases the chances of security breaches in the system | Effectiveness of controls requiring encryption of passwords is low, as these controls have not been followed.
16 | Loss or theft of USB drives could result in compromise of confidentiality of BFS data | Effectiveness of controls prohibiting storage of sensitive data on USB drives is low, as these controls have not been followed. Threat source capability is high as such USB drives are frequently lost or stolen.
17 | Compromise of unexpired/unchanged passwords could result in compromise of confidential business data | Password management controls, such as changing the password within a certain number of days, a minimum password length, and a mixture of alphabets, numbers and special characters, are emphasized.
18 | Lack of adequate physical security leads to robbery which in turn leads to physical injury. | Posting signs stating that the cash register only contains minimal cash, along with periodic patrolling by a security officer, are emphasized.
6. RISK LIKELIHOOD DETERMINATION
The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk. This rating is a subjective judgment based on the likelihood that a vulnerability might be exploited by a threat.
Table F : Risk Likelihood RatingsRisk no. Risk Summary Risk Likelihood
Evaluation
Risk likelihood
rating
1 Loss of confidential data There are adequate
protections implemented
to avoid this incident.
But it depends on the
occurrence and
compliance of core
security controls by the
organization.
High
2 Loss of staff details staff detail loss may be
not be that crucial to the
organization unless it
involves compromise of
data such as credit card
numbers etc.
Moderate
3 Business plan Business plan of DH can
be of immense value to
its competitors. It can beof major utility to
sabotage its business
strategies thus leading to
fall in its market
High
-
8/11/2019 NIST Retail
29/48
Risk Assessment Report for Dinny Hall Retail Mart
29
positions.
4 Natural calamities like
earthquake, hurricane etcThere is no control
against these calamities
in DH, so the
effectiveness of controls
is low.
Low
5 Water leakage may cause
short-circuit leading to
eruption of fire.
There are no controls
against water damage to
DH from the wet-pipe
sprinkler system in the
event of a fire, so the
effectiveness of controls
is low. The likelihood of
fire in the DH is
moderate.
Moderate
6 Unauthorized access control Unauthorized access
control can lead to
confidential data loss or
theft. The likelihood ofthis incident is moderate
in DH
Moderate
7 Denial of service attack via
dummy packetsThe controls in place to
avert these attacks are
very poor. The
likelihood of this
incident is high in DH.
High
8 Masquerading access points Masqueraded access
points are difficult to
detect and has often
succeeded in fooling the
system users. No
High
-
8/11/2019 NIST Retail
30/48
Risk Assessment Report for Dinny Hall Retail Mart
30
controls have so far been
effectively implemented
regarding this. The
likelihood of this
incident is high in DH
9 Spoofing DH firewall protects the
system from spoofing
however it fails to give
consistent resistance
against spoofing. The
likelihood of this
incident is moderate in
DH
Moderate
10 Tailgating Controls against
tailgating/unauthorized
physical access have
been a neglect issue thus
posing greater security
threat. Such incident canlead to data theft or loss
from the system due to
presence of intruders in
entry restricted zones.
High
11 Stored data manipulation Stored data can be
manipulated by the
employees or outsiders
from the inventory.
High
12 Power loss Power loss may result in
loss of crucial data from
the system during the
process of transition.
Moderate
-
8/11/2019 NIST Retail
31/48
Risk Assessment Report for Dinny Hall Retail Mart
31
Proper backup systems
are yet to be installed.
The likelihood of this
incident is moderate
13 VPN account of ex-employee compromised
Effectiveness of controls
for closing user accounts
is low, as unneeded user
IDs exist on DH Threat
source capability is also
low as the risk is
dependent on learning a
user ID & password &
gaining access to the
client application. There
appear to be adequate
protections against this
risk.
Moderate
14 Hacking
   Because proper system security controls have not been implemented in DH, the system has many loopholes and the hacking risk is always on the higher side.
   Likelihood rating: High
15 Unencrypted passwords increase the chances of security breaches in the system
   Unencrypted or weakly protected passwords are cracked with little effort.
   Likelihood rating: High
16 Loss or theft of USB drives could result in compromise of confidentiality of DH data
   Threat source capability is high, as such USB drives are frequently lost or stolen.
   Likelihood rating: High
17 Compromise of unexpired/unchanged passwords could result in compromise of confidential business data
   Employees and system users often do not comply with the password policy, leading to weak system security.
   Likelihood rating: High
18 Lack of adequate physical security leads to robbery, which in turn leads to physical injury
   There are no panic buttons with which to notify security officials quickly, and no security guard(s), which opens the way to robbery.
   Likelihood rating: Moderate
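Row 15 above says that unencrypted or weakly protected passwords are cracked with little effort, and the recommendation for the same risk later in this report is to store data in encrypted form. The Python script below is an added illustration, not code from this report or from Microsoft Dynamics RMS. It shows why an unsalted fast hash (MD5 here, standing in for the "weak encryption" the row describes) falls to a simple dictionary attack that cracks every account sharing a password at once, and how a salted, iterated PBKDF2-HMAC-SHA256 record from the Python standard library should be stored and verified instead. The account names and passwords are constructed sample data.

```python
"""Password storage: the weak form beside the hardened form (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


# ---- The weak form: an unsalted fast hash -----------------------------------
# Two accounts with the same password get the same digest, so one precomputed
# or dictionary lookup recovers all of them at once.
def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack: hash each candidate once, then look every account's
    digest up in that table. Returns {account: recovered password}."""
    lookup = {unsalted_md5(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


# ---- The hardened form: salted, iterated PBKDF2-HMAC-SHA256 ----------------
ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per password means equal passwords produce
    different records, so cracking effort cannot be shared across accounts,
    and the iteration count makes each guess deliberately slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two POS accounts that share a password, one that does not.
    weak_db = {"pos-store01": unsalted_md5("Summer2019!"),
               "pos-store02": unsalted_md5("Summer2019!"),
               "pos-store03": unsalted_md5("Tq7#vLm2pXw4")}
    print("identical digests:", weak_db["pos-store01"] == weak_db["pos-store02"])
    print("cracked:", crack_unsalted(weak_db, ["password", "Summer2019!", "welcome1"]))

    rec1, rec2 = hash_password("Summer2019!"), hash_password("Summer2019!")
    print("salted records differ:", rec1 != rec2)
    print("verify ok:", verify_password("Summer2019!", rec1),
          "wrong password:", verify_password("summer2019!", rec1))
```

The point for risk 15 is that "encrypting" passwords is the wrong control: anyone who obtains the database and the key recovers them all. A slow salted hash cannot be reversed, only guessed, and the salt stops one guess from testing every account. A dedicated password hash such as bcrypt, scrypt or Argon2 is preferable where a library is available; PBKDF2 is used here only because it ships with Python.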
7. RISK IMPACT ANALYSIS
The purpose of this step is to assign an impact rating of high, moderate or low to each risk identified in Table C. The impact rating is determined by the severity of the adverse impact that would result from an occurrence of the risk.
Table G: Risk Impact Analysis
Risk No. / Risk Summary / Risk Impact / Risk Impact Rating
1  Loss of financial data, having severe impact on the company's brand image
   Impact: The image of the company is harmed.
   Impact rating: High
2  Loss of employee details
   Impact: Managing and collecting all the data again is difficult.
   Impact rating: Moderate
3  Business plan
   Impact: A competitor may obtain the company's plan.
   Impact rating: High
4  Natural calamities like earthquake, hurricane etc.
   Impact: Damage to the infrastructure of the company.
   Impact rating: Low
5  Fire would activate the water sprinkler system, thereby causing water damage
   Impact: Water damage can cause a sudden loss of electricity at Dinny Hall or a short circuit that damages the computers.
   Impact rating: Moderate
6  Unauthorized access control
   Impact: Important data may be accessed by hackers, or confidential company data may be lost.
   Impact rating: Moderate
7  Denial of service attack via dummy packets
   Impact: A cyber-attack that may also introduce viruses which corrupt data or write incorrect data.
   Impact rating: High
8  Masquerading access points
   Impact: Hackers operating a rogue access point can alter information stored in the system.
   Impact rating: High
9  Spoofing
   Impact: Unauthorized data is sent to the system after gaining access through the firewall.
   Impact rating: Moderate
10 Tailgating
   Impact: Unauthorized access to critical work areas, leading to a breach of confidentiality and security.
   Impact rating: High
11 Stored data manipulation
   Impact: Manipulation changes data that is important from a confidentiality point of view, bringing the system into the danger zone.
   Impact rating: High
12 Power loss
   Impact: Loss of unsaved important data; data corruption.
   Impact rating: Moderate
13 VPN account of ex-employee compromised
   Impact: It may be misused by the ex-employee to steal confidential data.
   Impact rating: Moderate
14 Hacking
   Impact: Viruses or malware that corrupt data or write unauthorized data.
   Impact rating: High
15 Unencrypted passwords increase the chances of security breaches in the system
   Impact: Easily recovered, so hackers can gain access to the system.
   Impact rating: High
16 Loss or theft of USB drives could result in compromise of confidentiality of DH data
   Impact: Loss of important confidential data, or its theft by rivals or hackers.
   Impact rating: High
17 Old passwords
   Impact: Easily guessed or cracked by hackers.
   Impact rating: High
18 Robbery
   Impact: The absence of adequate physical security measures makes robbery easy.
   Impact rating: High
8. OVERALL RISK DETERMINATION
The purpose of this step is to calculate an overall risk rating of high, moderate or low for each risk identified in Table C. The risk rating must be based on both the likelihood of the risk occurring and the impact to DH should the risk occur.
Table H: Overall Risk Rating Matrix
Rows give the risk likelihood with its weight, columns give the impact with its value; each cell is impact value x likelihood weight.

Likelihood \ Impact   Low (10)                    Medium (50)                    High (100)
High (1.0)            Low Risk (10 x 1.0 = 10)    Medium Risk (50 x 1.0 = 50)    High Risk (100 x 1.0 = 100)
Medium (0.5)          Low Risk (10 x 0.5 = 5)     Medium Risk (50 x 0.5 = 25)    Medium Risk (100 x 0.5 = 50)
Low (0.1)             Low Risk (10 x 0.1 = 1)     Low Risk (50 x 0.1 = 5)        Low Risk (100 x 0.1 = 10)

Risk Scale: Low (1 to 10), Moderate (>10 to 50), High (>50 to 100)
A risk rating is assigned to each risk identified and listed in Table C. The risk rating of each individual risk was calculated using the guidance provided in NIST SP 800-30.
Table I: Overall Risk Ratings Table
Risk No. / Risk Summary: Risk Likelihood Rating / Risk Impact Rating / Overall
1  Loss of financial data, having severe impact on the company's brand image: High / High / High
2  Loss of employee details: Moderate / Moderate / Moderate
3  Business plan: High / High / High
4  Natural calamities like earthquake, hurricane etc.: Low / Low / Low
5  Fire would activate the water sprinkler system, thereby causing water damage: Moderate / Moderate / Moderate
6  Unauthorized access control: Moderate / Moderate / Moderate
7  Denial of service attack via dummy packets: High / High / High
8  Masquerading access points: High / High / High
9  Spoofing: Moderate / Moderate / Moderate
10 Tailgating: High / High / High
11 Stored data manipulation: High / High / High
12 Power loss: Moderate / Moderate / Moderate
13 VPN account of ex-employee compromised: Moderate / Moderate / Moderate
14 Hacking: High / High / High
15 Unencrypted passwords increase the chances of security breaches in the system: High / High / High
16 Loss or theft of USB drives could result in compromise of confidentiality of DH data: High / High / High
17 Compromise of unexpired/unchanged passwords could result in compromise of confidential business data: High / High / High
18 Robbery: Moderate / High / High
Note that risk 18 is the one row whose overall rating does not follow Table H: Moderate likelihood x High impact scores 100 x 0.5 = 50, which the matrix and the risk scale place in the Moderate band, whereas Table I, Table J and Table K all record it as High.
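The following Python script is an added illustration, not part of the original report: it encodes the Table H weights and the report's risk scale, recomputes the overall rating for every row of Table I from its likelihood and impact ratings, and lists the rows whose tabulated rating disagrees with the matrix. Run as written it reports exactly one such row, risk 18, where Moderate x High scores 50 and therefore falls in the Moderate band rather than the High band recorded in the table. Table H labels the middle band "Medium" and the risk scale "Moderate"; the code uses "Moderate" throughout.

```python
"""Recompute NIST SP 800-30 style overall risk ratings from Table H (added example).

Likelihood and impact ratings are mapped to the numeric weights of Table H,
multiplied, and the product is placed on the report's risk scale:
Low (1 to 10), Moderate (>10 to 50), High (>50 to 100).
"""

LIKELIHOOD_WEIGHT = {"low": 0.1, "moderate": 0.5, "high": 1.0}
IMPACT_VALUE = {"low": 10, "moderate": 50, "high": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the Table H values, e.g. Moderate x High = 100 x 0.5 = 50."""
    score = IMPACT_VALUE[impact.lower()] * LIKELIHOOD_WEIGHT[likelihood.lower()]
    return round(score, 6)  # keep 100 x 0.1 at exactly 10.0 for the band test


def risk_level(score: float) -> str:
    """Place a score on the report's scale; the band edges are inclusive at the top."""
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def overall_rating(likelihood: str, impact: str) -> str:
    return risk_level(risk_score(likelihood, impact))


# Table I as recorded in the report: (risk no., likelihood, impact, stated overall).
TABLE_I = [
    (1, "High", "High", "High"),
    (2, "Moderate", "Moderate", "Moderate"),
    (3, "High", "High", "High"),
    (4, "Low", "Low", "Low"),
    (5, "Moderate", "Moderate", "Moderate"),
    (6, "Moderate", "Moderate", "Moderate"),
    (7, "High", "High", "High"),
    (8, "High", "High", "High"),
    (9, "Moderate", "Moderate", "Moderate"),
    (10, "High", "High", "High"),
    (11, "High", "High", "High"),
    (12, "Moderate", "Moderate", "Moderate"),
    (13, "Moderate", "Moderate", "Moderate"),
    (14, "High", "High", "High"),
    (15, "High", "High", "High"),
    (16, "High", "High", "High"),
    (17, "High", "High", "High"),
    (18, "Moderate", "High", "High"),
]


def check_table(rows=TABLE_I):
    """Return (risk no., computed rating, stated rating) for every row whose
    stated overall rating does not follow from the Table H matrix."""
    mismatches = []
    for no, likelihood, impact, stated in rows:
        computed = overall_rating(likelihood, impact)
        if computed != stated:
            mismatches.append((no, computed, stated))
    return mismatches


if __name__ == "__main__":
    for no, likelihood, impact, stated in TABLE_I:
        print(f"{no:2d}  {likelihood:9s} x {impact:9s} = {risk_score(likelihood, impact):5.1f}"
              f"  -> {overall_rating(likelihood, impact):9s} (stated: {stated})")
    print("Rows not following Table H:", check_table())
```

Whether risk 18 should stay High is a judgement call for management (the matrix is only guidance), but a rating that departs from the documented method should say so, otherwise the matrix gives a false sense that the ratings were derived mechanically.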
9. RECOMMENDATIONS
The purpose of this step is to recommend the additional actions required to respond to the identified risks in DH. The objective is to reduce the residual risk to the system and its data to a level that is acceptable as defined by ISM.
Table J: Recommendations
Risk No. / Risk Summary (Risk Rating) / Recommendations
1  Loss of financial data, having severe impact on the company's brand image (High)
   Financial data should be encrypted and not accessed directly. Access controls should be implemented so that it is accessible only to registered finance employees.
2  Loss of employee details (Moderate)
   Employee data should be encrypted when stored. Any loss should be reported immediately.
3  Business plan (High)
   Only the business employees who need it should know the business plan, and they should not discuss it with colleagues, friends and/or relatives.
4  Natural calamities like earthquake, hurricane etc. (Low)
   A well-protected plan to prevent damage from these natural calamities.
5  Fire would activate the water sprinkler system, thereby causing water damage (Moderate)
   None. Replacing the wet-pipe sprinkler system in the data center is considered cost-prohibitive. Executive management has elected to accept this risk.
6  Unauthorized access control (Moderate)
   Only registered employees should be granted access, and the control team should keep tight control over that access.
7  Denial of service attack via dummy packets (High)
   Risk management staff and the PSI support team should analyze whether replacing the existing Intrusion Detection System (IDS) with an Intrusion Prevention System (IPS) is a cost-effective response to this risk.
8  Masquerading access points (High)
   As an immediate step, the system support team should disable the remote OS features. As documented in the planned controls, the admin, risk management staff and support team should work to develop a secure method of allowing remote access.
9  Spoofing (Moderate)
   The client software should be rewritten so that clear-text user IDs and passwords are not used in scripts and initialization files.
10 Tailgating (High)
   Every employee in the organization should follow ethical practices, such as not holding a secured door open for an unknown person and challenging unescorted visitors in restricted zones.
11 Stored data manipulation (High)
   Take regular backups on a daily or hourly basis as required, so that manipulated data can be restored.
12 Power loss (Moderate)
   A backup power supply should be available.
13 VPN account of ex-employee compromised (Moderate)
   The system admin should disable and block the accounts of ex-employees as soon as they leave the organization.
14 Hacking (High)
   Apply strong security practices to block hackers. Network security applications should be installed to detect any intruders present in the system.
15 Unencrypted password (High)
   Never store passwords in clear text. Store them as salted hashes produced by a slow, purpose-built password hashing function rather than as reversibly encrypted values, and keep other sensitive stored data encrypted.
16 Loss or theft of USB drives (High)
   The admin should add a prohibition on storing sensitive data on removable media such as employees' USB drives. Security awareness and training programs for employees should be conducted.
17 Compromise of unexpired/unchanged passwords could result in compromise of confidential business data (High)
   The system support team should require employees to change their passwords regularly, at least every 30 days, and to use strong passwords.
18 Robbery (High)
   Along with frequent guard patrols, panic buttons need to be installed so that employees can notify the authorities quickly and easily.
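Rows 13 and 17 above (and the likelihood analysis for risk 13, which reports unneeded user IDs still present on DH systems) describe checks that an administrator can run rather than merely recommend. The Python script below is an added example, not code from this report or from Microsoft Dynamics RMS: it takes a constructed export of RMS/VPN accounts (user, enabled flag, last logon, password last set) and a constructed HR list of leavers, and reports accounts that are still enabled after their owner has left, accounts that have gone dormant, and passwords older than the 30-day rotation period recommended for risk 17. The field names, account names and dates are all assumptions for the illustration.

```python
"""Account hygiene audit for the leaver-account and password-age findings (added example)."""
from datetime import date

# Constructed export of RMS/VPN accounts; names and dates are illustrative only.
ACCOUNTS = [
    {"user": "ambrish.a", "enabled": True,  "last_logon": date(2019, 8, 9),  "password_last_set": date(2019, 7, 20)},
    {"user": "j.smith",   "enabled": True,  "last_logon": date(2019, 5, 2),  "password_last_set": date(2019, 1, 15)},
    {"user": "store42",   "enabled": True,  "last_logon": date(2019, 8, 10), "password_last_set": date(2018, 11, 1)},
    {"user": "r.khan",    "enabled": False, "last_logon": date(2019, 3, 1),  "password_last_set": date(2019, 2, 1)},
]
# Constructed HR leavers list: user -> last working day.
LEAVERS = {"j.smith": date(2019, 5, 3), "r.khan": date(2019, 3, 1)}
AUDIT_DATE = date(2019, 8, 11)


def audit(accounts, leavers, today, password_max_age_days=30, dormant_days=45):
    """Return (user, finding, detail) triples, in account order.

    LEAVER_STILL_ENABLED: HR says the person left but the account can still log in (risk 13).
    DORMANT: no logon within dormant_days; the unneeded IDs that Table F reports.
    PASSWORD_EXPIRED: password older than the rotation period recommended for risk 17.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user in leavers and acct["enabled"]:
            findings.append((user, "LEAVER_STILL_ENABLED", f"left on {leavers[user].isoformat()}"))
        if not acct["enabled"]:
            continue  # a disabled account cannot be used, so no further checks apply
        idle_days = (today - acct["last_logon"]).days
        if idle_days > dormant_days:
            findings.append((user, "DORMANT", f"{idle_days} days since last logon"))
        pw_age = (today - acct["password_last_set"]).days
        if pw_age > password_max_age_days:
            findings.append((user, "PASSWORD_EXPIRED", f"password is {pw_age} days old"))
    return findings


def run_audit():
    """Run the audit over the constructed sample data as of AUDIT_DATE."""
    return audit(ACCOUNTS, LEAVERS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_audit():
        print(f"{user:12s} {finding:22s} {detail}")
```

On the sample data the audit flags j.smith three times (still enabled after leaving, dormant, and an expired password) and the shared store42 account once for its old password, while r.khan, already disabled, produces nothing. The 30-day window reproduces the report's own recommendation; current NIST SP 800-63B guidance advises against forcing periodic password changes and favours screening passwords against breached-password lists and changing them on evidence of compromise, so the password-age check is best read as a way to find long-lived shared credentials like store42 rather than as a rotation policy in itself.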
10. RESULT DOCUMENTATION
The final step in the risk assessment approach is to complete the Risk Assessment Matrix. Once the risk assessment is complete it should be documented in an official report or management brief. Management should assign a priority to each recommendation, assign responsibility, initiate the action and provide a date by which the implementation should be completed.
Table K: Risk Assessment Matrix
Each row gives: Risk No. / Vulnerability / Threat / What is at risk / Risk Summary / Likelihood, Impact, Overall / Control analysis / Recommendation
Only fragments of the first three rows survive: "... recover DRP to ensure uninterrupted business procedures." and "... not discuss this plan with colleagues, friends and/or relatives."
4  Vulnerability: Not well planned architecture of the company
   Threat: Loss of data
   What is at risk: Loss of resources, data and other important things
   Risk summary: Natural calamities like earthquake, hurricane etc.
   Likelihood / Impact / Overall: Low / Low / Low
   Control analysis: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk. However, BCP and DRP are being focused upon to ensure speedy recovery.
   Recommendation: A well-protected plan to prevent damage from these natural calamities.
5  Vulnerability: Water leakage near the server room
   Threat: Fire
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Fire would activate the water sprinkler system, thereby causing water damage
   Likelihood / Impact / Overall: Moderate / Moderate / Moderate
   Control analysis: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. DH management has accepted this risk.
   Recommendation: None. Replacing the wet-pipe sprinkler system in the data center is considered cost-prohibitive. Executive management has elected to accept this risk.
6  Vulnerability: No proper access control for employees
   Threat: Lack of access control can be misused, leading to incidents such as data theft
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Unauthorized access control
   Likelihood / Impact / Overall: Moderate / Moderate / Moderate
   Control analysis: Controls 4.2 and 7.1 define the security measures against unauthorized access. These policies are ad hoc rather than role-based.
   Recommendation: Only registered employees should be granted access, and the control team should keep tight control over that access.
7  Vulnerability: Poor network security
   Threat: Weak firewall, outdated anti-virus etc.
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Denial of service attack via dummy packets
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Intrusion control measures have been included in the control analysis documentation. An Intrusion Prevention System (IPS) is yet to be implemented in the system.
   Recommendation: Risk management staff and the PSI support team should analyze whether replacing the existing Intrusion Detection System (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.
8  Vulnerability: Unsecure methods of remote access
   Threat: Multiple parties gaining access to data
   What is at risk: The data will be shared with others
   Risk summary: Masquerading access points
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Masqueraded access points are difficult to detect and have often succeeded in fooling system users. No controls have so far been effectively implemented against them.
   Recommendation: As an immediate step, the system support team should disable the remote OS features. As documented in the planned controls, the admin, risk management staff and support team should work to develop a secure method of allowing remote access.
9  Vulnerability: Encryption standard is not compliant with the PCI DSS standards
   Threat: Wireless eavesdropping, wired eavesdropping, spoofing etc. may be the outcome of exploiting this vulnerability
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Spoofing
   Likelihood / Impact / Overall: Moderate / Moderate / Moderate
   Control analysis: Spoofing is the creation of TCP/IP packets using somebody else's IP address. The DH firewall protects the system from spoofing but does not provide consistent resistance against it.
   Recommendation: The client software should be rewritten so that clear-text user IDs and passwords are not used in scripts and initialization files.
10 Vulnerability: Physical access controls not practiced
   Threat: Unauthorized people gaining access to the organization
   What is at risk: Tailgating and hence loss of confidential data
   Risk summary: Tailgating
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Control 7.1 takes into account the various risk factors against unauthorised entry of people into restricted entry zones. This control has not been consistently followed, posing a greater security threat.
   Recommendation: Every employee in the organization should follow ethical practices, such as not holding a secured door open for an unknown person and challenging unescorted visitors in restricted zones.
11 Vulnerability: Improper data storage
   Threat: Loss of working data and informational data
   What is at risk: All lost data has to be re-entered from scratch
   Risk summary: Stored data manipulation
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Stored inventory data can be manipulated by employees. RFID tracking with automatic updating of the corresponding system can help prevent this, but this strategy is yet to be implemented in DH.
   Recommendation: Take regular backups on a daily or hourly basis as required.
12 Vulnerability: Hardware failure
   Threat: Important ... (remainder of this cell is lost)
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Power loss
   Likelihood / Impact / Overall: Moderate / Moderate / Moderate
   Control analysis: Power loss may result in the loss of crucial data from the system while data is being processed. Proper backup systems are yet to be installed.
   Recommendation: A backup power supply should be available.
(Rows 13 to 15 of Table K are not present in the source.)
16 Vulnerability: ...ed employees (beginning of this cell is lost)
   Threat: Workplace violence, execution of system sabotage
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Loss or theft of USB drives could result in compromise of confidentiality of DH data
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Effectiveness of controls prohibiting storage of sensitive data on USB drives is low, as these controls have not been followed. Threat source capability is high, as such USB drives are frequently lost or stolen.
   Recommendation: The admin should add a prohibition on storing sensitive data on removable media such as employees' USB drives. Security awareness and training programs for employees should be conducted.
17 Vulnerability: The transaction systems and other network-connected hardware devices handling sensitive information used the same usernames and passwords across DH stores nationwide
   Threat: If a hacker gets through the network security of one system, the same credentials let him into the other systems too
   What is at risk: Confidentiality and integrity of retail data
   Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of confidential business data
   Likelihood / Impact / Overall: High / High / High
   Control analysis: Password management controls are emphasized, such as changing the password within a certain number of days and requiring passwords above a specific length that contain a mixture of letters, numbers and special characters.
   Recommendation: The system support team should require employees to change their passwords regularly, at least every 30 days, and to use strong passwords.
18 Vulnerability: Lack of proper physical security
   Threat: Robbery
   What is at risk: Money and other assets
   Risk summary: Lack of adequate physical security leads to robbery, which in turn leads to physical injury
   Likelihood / Impact / Overall: Moderate / High / High
   Control analysis: Posting signs stating that the cash register contains only minimal cash, along with periodic patrolling by a security officer, are emphasized.
   Recommendation: Along with frequent guard patrols, panic buttons need to be installed so that employees can notify the authorities quickly and easily.