
Document information

Document name: University of No-Security
Last updated date: 9.11.2023
Risk assessor name:
Document Classification:
Date created:
Vulnerability

Asset (describe with authentic citations where possible):
- Windows 2008 Server to a document scanner with RDP enabled
- Student data
- Employee devices
- Financial data for families who are not well off

How could it happen (describe with authentic citations where possible):
- Remote code execution vulnerability in Remote Desktop Services (CVE-2019-0708)
- Unauthorized data access
- Physical access

Vulnerability Code (vulnerability code from ISO/IEC 2005:2022(E)):
VS02: Well known flaws in the software

Threat to IS properties CIA (what could happen; describe with authentic citations where possible):
An attacker could execute arbitrary code on the server to install programs; view, change or delete data; or create new accounts with full user rights (Microsoft 2019). Affects CIA.

Threat Code (threat code from ISO/IEC 2005:2022(E)):
TH04, TH05, TH08, TH13, TC02, T004

Consequence (C) Rating
What is the worst thing that can happen? (answer should be a number from the consequence table): 3

Likelihood (L) Rating
What are the chances of the event occurring? (answer should be a number from the likelihood table): 4

Risk Rating (R = C x L): 12

Risk Treatment category (Accept/Reduce/Transfer/Avoid): Avoid

Itemised Mitigations (describe with authentic citations; split into more rows if needed):
Remove RDP service

Control domain from ISO 27002 and its type
(https://herts.instructure.com/courses/108403/pages/2-dot-4-1-dot-2-iso-27002-2022-reference-slash-advisory-document?module_item_id=3118336):
Management of technical vulnerabilities (Technical/Preventive)

Revised likelihood rating (answer should be a number from the likelihood table): 1

Residual Risk Rating: 4

Risk Acceptance Status: Low (this risk can be accepted without further action)

Your relevant Policy statement Number addressing the control: 1.5
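The rating arithmetic the worksheet asks for (R = C x L, then a revised likelihood after treatment) as an added Python example; this code is not part of the original assessment and is not a University of No-Security artefact. It assumes a 1..5 scale for C and L (the worksheet refers to consequence and likelihood tables it does not reproduce), assumes residual risk is recomputed as C x revised L, and uses illustrative acceptance thresholds; `rating`, `acceptance_status`, `RiskEntry` and `prioritise` are this example's own names.

```python
"""Risk-register helper for the R = C x L worksheet above.

Added example, not part of the original assessment. Assumptions not taken
from the page:
  - consequence (C) and likelihood (L) are integers on a 1..5 scale;
  - residual risk is recomputed as C x revised L, i.e. treatment lowers
    likelihood but leaves the consequence unchanged;
  - acceptance bands (<= 5 low, <= 12 medium, else high) are illustrative.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1..5 rating scale for both C and L
TREATMENTS = ("Accept", "Reduce", "Transfer", "Avoid")  # categories from the worksheet


def rating(consequence: int, likelihood: int) -> int:
    """R = C x L, after checking both inputs sit on the rating scale."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if value not in SCALE:
            raise ValueError(
                f"{name} must be between {SCALE.start} and {SCALE.stop - 1}, got {value!r}"
            )
    return consequence * likelihood


def acceptance_status(risk: int) -> str:
    """Map a numeric rating to an acceptance band (thresholds are assumed)."""
    if risk <= 5:
        return "Low (this risk can be accepted without further action)"
    if risk <= 12:
        return "Medium (treat; accept only with management sign-off)"
    return "High (treatment required before acceptance)"


@dataclass
class RiskEntry:
    """One worksheet row: asset, cause, codes, ratings and chosen treatment."""
    asset: str
    how: str                 # "How could it happen"
    vuln_code: str           # e.g. VS02
    threat_codes: tuple
    consequence: int
    likelihood: int
    treatment: str           # Accept / Reduce / Transfer / Avoid
    mitigation: str
    revised_likelihood: int
    policy_statement: str = ""

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {TREATMENTS}, got {self.treatment!r}")
        if self.revised_likelihood > self.likelihood:
            raise ValueError("a mitigation must not raise the likelihood it was meant to lower")
        # Validate both ratings up front so a malformed row fails at construction.
        rating(self.consequence, self.likelihood)
        rating(self.consequence, self.revised_likelihood)

    def inherent_risk(self) -> int:
        return rating(self.consequence, self.likelihood)

    def residual_risk(self) -> int:
        # Assumption: treatment changes likelihood only, so C is reused.
        return rating(self.consequence, self.revised_likelihood)

    def summary(self) -> dict:
        return {
            "asset": self.asset,
            "inherent": self.inherent_risk(),
            "treatment": f"{self.treatment}: {self.mitigation}",
            "residual": self.residual_risk(),
            "status": acceptance_status(self.residual_risk()),
        }


def prioritise(entries) -> list:
    """Order a register by inherent risk, highest first, for treatment planning."""
    return sorted(entries, key=lambda e: (e.inherent_risk(), e.consequence), reverse=True)


# The worksheet's own row, transcribed from the page (C=3, L=4, revised L=1).
RDP_ENTRY = RiskEntry(
    asset="Windows 2008 Server to a document scanner with RDP enabled",
    how="Remote code execution vulnerability in Remote Desktop Services (CVE-2019-0708)",
    vuln_code="VS02: Well known flaws in the software",
    threat_codes=("TH04", "TH05", "TH08", "TH13", "TC02", "T004"),
    consequence=3,
    likelihood=4,
    treatment="Avoid",
    mitigation="Remove RDP service",
    revised_likelihood=1,
    policy_statement="1.5",
)

if __name__ == "__main__":
    for entry in prioritise([RDP_ENTRY]):
        print(entry.summary())
```

Applying the formula to the worksheet's figures gives an inherent rating of 12 and, with the revised likelihood of 1, a recomputed residual of 3; the `__post_init__` checks reject rows whose ratings fall off the scale or whose treatment would raise rather than lower likelihood, which is the kind of sanity check a reviewer applies to a filled-in register.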
Asset | Threats | Vulnerabilities | Likelihood | Impact | Controls Implemented | Risk Level
--- | --- | --- | --- | --- | --- | ---
Student Records | Unauthorized Access | Weak Authentication | High | High | Access Control Policies, Encryption | High
Network Systems | Malware Infections | Outdated Software | Medium | High | Antivirus Software, Regular Patching | Medium
Staff Devices | Data Theft | Lost or Stolen Devices | Low | High | Encryption, Remote Wipe Capability | Medium
Financial Data | Insider Threats | Lack of Audit Trail | Low | High | User Activity Monitoring, Logging | Medium
Physical Assets | Unauthorized Access | Inadequate Security | Medium | Medium | CCTV Surveillance, Access Control | Medium
Treatment Plan

- Implement Multi-Factor Authentication
- Update Software Regularly
- Enforce Device Encryption Policy
- Implement Audit Trail System
- Enhance Physical Security Measures
NOTES: All figures must be referenced
