Assignment Task 1
Victor E. Benvenuto
Student No. 009801687
Managing Information Security – C843
Western Governors University (WGU)
Contents
A. Vulnerabilities and Attack Success
B. Confidentiality, Availability, & Integrity
C. Federal Regulations
D: Immediate Steps
E: Incident Response plan
F: Processes
G: Technical Controls
H: Organizational Structure
I: Risk Management
J: Citations
A. Vulnerabilities and Attack Success
As a nonprofit organization, Azumer is designed to offer water aid in the event of man-made or
catastrophic calamities that could cause water scarcity. The charity provides water to the
impacted persons and areas. The organization uses only contributors, whose data is maintained in a
database for security and privacy, and has ten full-time employees. Unfortunately, the
agency's security mechanisms have come under assault through its online system, communications, and
information sharing. Hackers have obtained the volunteer registry, which is set to be made public in
an effort to deter people from lending a hand by contributing their services. The Azumer
organization has been dealing with a software bug that targeted attackers such as
cybercriminals can exploit to cross privilege boundaries within the computing device. In this
instance, the Azumer organization has experienced a number of technology security problems,
which allowed hijacking and exposure of the participant database. First, the organization's
network vulnerabilities expose it to potential encroachment from outside parties. This
problem can involve issues with network infrastructure, software, or both. Volunteers
can access unsecured Wi-Fi at the Azumer nonprofit without a username. Furthermore, since the
website credentials are not refreshed and secured, there is a connectivity risk. Since the password
hasn't been updated in a while, former employees and other outside persons who have the information
can obtain access. The second is a software weakness. Hackers find the flaw in the computer
system and can then exploit it to disrupt or access the information stored on systems with the OS
installed. Because threats have been transmitted through email links and allowed access to the
company system's data, there is a significant risk to the file system at the Azumer organization.
Thirdly, Azumer faces interpersonal vulnerabilities; people are the weakest link in many
electronic security systems because of human influence. These are user errors that can readily
reveal sensitive data, open up vulnerable entrances and exits for invaders, and interfere with
classification functionality. In this instance, John made the error of clicking a hyperlink in a
message without giving it much thought, which allowed outsiders to exploit and access the
paramedic's registry. Additionally, Pruhart Technologies and Marie refuse to change their
passwords, which exposes them to a human weakness. The webpage, internet, and dataset
might have become targets of cyber-attacks if they hadn't been secured.
B. Confidentiality, Availability, & Integrity
Assume your company has been harmed as a consequence of not using a simple security
provider that adheres to the CIA standards. First, the organization is seriously
compromised with respect to confidentiality, which restricts access to data. In the situation
of the Azumer society, notwithstanding the reality that only John and a small number of
other employees had access to personal records, the guideline for the business was still
met because participants and other individuals could easily use the information, since
the password was left the same. Additionally, the usernames established to preserve
the secrecy of the database are weak, making it simple to access the information. Second
comes the question of accessibility; people who require the knowledge may easily access
it. In this instance, the content of the Azumer organization is not easily accessible to those
who require it. In particular, the contributors only undergo instruction on network
infrastructures and have restricted access to data. Also, the purposeful feature is
demonstrated when Thomas cannot connect to the community outreach repository that
he was supposed to protect and modernize. The evidence and figures that other
unsanctioned employees can access are put at security risk as a result. When
Elecktores removed the information from the database, the data's integrity was also
compromised. Any information that has been altered in an irresponsible way has lost
its legitimacy. The accessibility of the data was additionally hampered because John
claimed he wasn't able to locate or enter the volunteer registry. The compromise of
confidentiality, integrity, and accessibility (CIA) might have been averted with the use of
appropriate legislation, standards, and protocols.
C. Federal Regulations
The Azumer organization had violated a number of federal laws in an effort to protect its
infrastructure from assaults. First, the Azumer business violated the government coalition's control
over access by failing to secure its facilities and to employ every practical measure to protect
data from a leak. Even though the Azumer organization uses Pruhart Software's system
security apparatus, it neglects to keep an eye on the business to make sure it provides reliable
and safe connectivity to protect users from falling into the hands of unauthorized people. Second,
Azumer disobeys the statutory law protecting confidential information regarding customers,
subscribers, or contributors from getting into the hands. In this instance, the Azumer group was at
fault for not protecting the participants' data against hackers. Finally, the organization failed to keep
educating its workforce on the best research defense system and to implement dependable techniques
to safeguard data. This violates government law, which requires that businesses train staff
members like John on safe computing and how to defend against unwanted cyber-attacks. The Federal
Information Security Act, better known as FISMA, had been blatantly broken by Azumer Water.
FISMA is appropriate to Azumer Water even though it influences federal organizations as they are
part of the military. The act was created to guarantee that state agencies protected the private details of
residents.
D: Immediate Steps
There were many ways that the espionage event may have been mitigated after it happened. Since
the incident's criminals always had knowledge of the system's passcode, it is important to keep
changing accounts. This would make it difficult for them to access any organization-related
data that may have been kept online or in the different databases. Despite John's knowledge, the
password and databases were illegally accessed. Therefore, implementing an additional layer of security
by rotating passwords can stop more time-tested and possible lockout attackers. In order to
recognize the telltale characteristics of a malicious website and warn users about phishing scams, it
would be necessary to acquire free or paid phishing add-ons. This would assist in preventing such a
situation. Thirdly, it could also be important to alert the extra employees to the recent attacks in
order to safeguard their equipment, be extra vigilant, and uniform show them what the team
aspects like in order to prevent further occurrences. In order to stop more information from loss or
theft, it is best to refrain from revealing private data and from following the link again. This will
protect digital evidence while ensuring that outside hostile forces can no longer have direct access to
the computer system. The NIST incident handling architecture ought to be used to resolve any
weaknesses. A forced username replacement should be done after the packet filtering upgrade, the
security system upgrade to WPA2, policy formulation, and individual user training, because
password complexity, modification cadence, and security systems have not been upgraded.
E: Incident Response plan
An incident response plan is crucial because it creates a problem communication plan and also
aids in handing out tasks to other teams. To maximize the performance of the frequency response, it
is essential to include all necessary partnerships and professionals in the reaction strategy. Today's
cybercrimes are on the rise, and developing an emergency response strategy can help a company
deal with them, lessen their effects, and fortify system defenses to prevent further events.
Communication with customers, which can help foster trust, is made simple for an organization with a
disaster response plan in place. Plans for mitigating risk are essential for controlling cybercrime.
The majority of cybercrimes erode trust in an institution in the eyes of its stakeholders, particularly
customers and consumers. To accomplish this, the IT team as a whole needs to collaborate in order
to preserve the safety of the business. The council's security managers ought to ensure that every
individual is carrying out their responsibilities properly and that each apparatus is in working
order. Network administrators would keep monitoring the organization's system for any despicable
behavior and take appropriate action in response to the cyber-attack. They should make sure the
IDS and IDDs are functioning properly to alert them to any potential computer assaults.
F: Processes
Talent management on industry standards for handling PII and perhaps other CIA
requirements is the first step in raising Azumer Water's information management levels
and ensuring the organization complies with the violated federal legislation. Employees
with important knowledge system responsibilities, including having to handle
privileged volunteer data, such as at Azumer, must receive training. Training improves
staff understanding of CIA responsibilities in firms that classified PII data depending on
security grow over the course. Increased educational facilities and awareness of current
security issues within the company are the fourth procedure that would raise the information
management levels at Azumer Water. Worker education programs raise overall business
understanding of data integrity, while talent management equips users of information
systems with task-specific skills for boosting cyber-security. Additionally, it was
determined that Azumer Water had violated FISMA. A lack of proper guidelines, methods,
and practices exposed the infraction. By developing current, pertinent methods to ensure
the safeguarding of confidential data, Azumer Water can also become FISMA compatible.
Responsiveness to fulfill specific instruction, WLAN verification, event detection and
reporting, and decryption standards will be included. By putting these tactics into practice,
Azumer Water can validate its total security posture and make sure that future attacks
won't leave it as exposed.
G: Technical Controls
To ensure that Azumer Water emerges from the impact of the attack on its information system,
more procedures will be required. These procedures will include setting up the gateway to secure
the company assets, recovering lost worker data, and creating thorough firewall rules. For global
network connections, Azumer Water must convert to more dependable protocols like WPA2 from
WEP. The executives of Azumer Water must also be aware of external risks to the corporation's
information system safety and set up the perimeter to prevent future invasion. The firm might build
a data protection policy to prevent potential attacks on the basis of this acknowledgement. These
procedures, together with the ones mentioned in the preceding section, will give the business the
resilience it requires to rebound from the attacks and win back the trust of its employees.
There are major technological measures that the Azumer business should take to prevent
cyber-attacks. Furthermore, it is assumed that organizations ought to think about creating cyber-security
guidelines. These regulations ought to guarantee that the system is protected from risks both
external and internal. That could have shielded Azumer from attempts by
cybercriminals who took advantage of the flaw to obtain the private data. Furthermore, making secure
passwords would shield the personal computers. Deploying filters and
generally pro technologies in the Azumer organization is also recommended. These programs could allow
the system to recognize attacks and notify users; alternatively, it would prevent users from receiving
the data they want.
Thirdly, the Azumer company should think about installing next-generation firewalls to enhance
cyber security. These firewalls would analyze and regulate inbound and outbound traffic according
to the company's security regulations. The Azumer firm should also think about implementing
certain defenses, which would guarantee a back to this place by observing devices to spot and
address potential cyber-attacks on system security.
H: Organizational Structure
To ensure that its system is secured and that its data is safe, Azumer should create IT
and cyber security management. The firm ought to establish a technical division in charge of
maintaining system security. It ought to designate a supervisor for the technology department who
will be in charge of the surveillance system and oversee the other personnel there. Additionally,
it ought to appoint a systems engineering specialist to check that the organization is compatible
with the security measures put in place. Additionally, the company needs a system administrator to
operate, improve, and guarantee the computer system's reliable operation. In order to ensure the
security of the computer organization and the data, the business would also have information
technology specialists employed at numerous levels in the internet, electronic mail, and databases.
To prevent repeat mishaps and speed up the efficient identification of breaches, Azumer Water
must rearrange its IT operation by adding an electronic security officer who can plan regular
vulnerability assessments and modifications. The organization's information security personnel will
also set up security tools and procedures, create training programs for the staff, and give them
access to cyber security training resources. Azumer Utilities must also define the personnel with
major responsibility in the computer systems that contain sensitive volunteer data. These staff
members are required to preserve complete secrecy when reviewing the database information and
undergo role-specific training on the security measures for managing PII. The computer safety
officer is in charge of making sure that security guidelines are followed and that all computer
security equipment is operational.
I: Risk Management
Taking into account the likelihood, complexity, and severity classification of risks in the practical
example, the initial risk mitigation strategy for Azumer Water will be to safeguard all
communication lines via which users can access the organization's digital assets. Due to the absence
of firewall setups and inadequate encryption standards for network connections, Azumer Water's
increasing the strength was exposed. Due to this flaw, the attackers had quick access to the database
of the organization, enabling them to email employees and harm the business's reputation. Changes
to the business's directory and email service methods will be made as part of the third portfolio
management strategy to ensure that attackers cannot leverage the same vulnerabilities in subsequent
attacks. These measures include updating the email account and company database's breached
security and authorization measures. Sanitary and operations and maintenance risk mitigation
strategies are the best ones for Azumer Water. The business should abide by all mobile computing
government rules. The company has to switch from a WEP cellular network to a Remote access
home router, which is much more hermetic and secure. In order to identify any suspicious
activities, including assaults on the network system, and alert the network manager to take the
appropriate safeguards, the organization must have advanced mechanism monitors or hardware in
place. By designating certain people to oversee the company's technology branch, the company can
improve staff loyalty. It should also prohibit the usage of external storage media inside the
corporation unless expressly permitted by the local police.
J: Citations
Anon, (2020). Incident Analysis, Risk Assessment and Management Essay | EssaysDot.com.
[online] Available at: https://essaysdot.com/incident-analysis-risk-assessment-management/
[Accessed 19 Oct. 2022].
Anon, (2022). Azumer Water’s Case Study | Free Essay Examples. [online] Available at:
https://samples.freshessays.com/azumer-waters-case-study.html [Accessed 19 Oct. 2022].
Chai, W. (2022). What is the CIA Triad? Definition, Explanation and Examples. [online]
WhatIs.com. Available at:
https://www.techtarget.com/whatis/definition/Confidentiality-integrity-and-availability-CIA.