Risk assessment worksheet, left-hand columns (extracted in the original column order; the header row is not present in the extract):

# | Risk description | Category | Risk | Likelihood
2 | Unencrypted databases; data could be stolen or used by anyone. | User Access | Databases in production are unencrypted | High
2b | Couldn't be trusted; it has lost honesty. | User Access | Databases in production are unencrypted | High
4 | Passwords never expiring might help you, but it also has its disadvantages. | Vulnerability Management | Passwords never expire | High
7b | (none) | Network Security | Application development tiers are not logically segmented from business application servers | High

Risk assessment worksheet, right-hand columns (the extract does not preserve which of these rows pairs with which left-hand row):

Impact | Reasoning | Mitigating Controls | Total Risk Score
High | AES-128 encryption is not in use; it is not strong security any more. It could be hacked by a hacker. | Change it from AES-128 to AES-256. | High
High | The databases are secret and sensitive information and cannot be exposed. | Encrypt the database for security reasons. | High
Medium | The password could be easily guessed. | Passwords should be at least 8 or more characters in length. | Medium
High | The servers are no longer activated, and could have a high chance of being at risk of hacking. | You have to update the servers. | High
High | (none) | Update the application code. | High

Notes:
Risk - descriptions should be some reasonable approximation of what is written above but do not need to be exact.
Reasoning - The reasoning should approximately match the user's assessment of the likelihood and impact of a potential risk. If, for instance, the likelihood and impact are marked high, the reasoning should reflect why it might be high.
Mitigating Controls - For the purpose of this exercise we did not include mitigating controls.
Total Risk Score - Should not be less than a reasonable approximation of the likelihood x impact. For instance, if L=High and I=High (and no mitigating control exists) then Risk cannot equal Low.

Category values used in the Category column:
Data at Rest
Data in Transit
User Access
Secure Code
Network Security
Vulnerability Management

Rating values used for Likelihood, Impact and Total Risk Score:
Low
Medium
High