Project 1: Vulnerability and Threat Assessment
Step 1: Classify Aspects to Be Addressed
Before beginning the vulnerability assessment, you must first create a preliminary classification of mission-critical aspects to be addressed in the assessment. Determine what “secure” means to the organization by reviewing the topic of cybersecurity vulnerability, evaluating existing business practices, and interviewing senior personnel.
Prepare an overview of the mission-critical aspects of the organization’s current processes. Include personnel, physical security, network security, and cybersecurity in the overview. You will use this overview to prepare a scope of work in the following step.
Step 2: Create a Scope of Work (SoW)
In this step, you will prepare to perform the vulnerability assessment, this time as the CISO. Because the previous assessment was done by an external consultant, you are in a position to offer insights and to consider the big picture of the organization while conducting the assessment. Prepare by creating a comprehensive list of security needs based on the findings from the previous step. This list should identify threats, risks, and vulnerabilities so that you have a holistic view of the risk across the entity.
The scope of work is a key element of any project and an important skill to learn. It is filed as supporting documentation so that execution can be evaluated against it and so that the milestones of a multiphase project plan within the vulnerability assessment have a stated direction. The scope of work will be the first section of the final vulnerability assessment report.
Combine the overview from the previous step with the list of security needs into a one-page SoW report. Submit the report for feedback.
Step 3: Develop a Comprehensive Work Breakdown Structure (WBS)
Within the previous step, the SoW report conveyed a brief overview of the organization’s critical aspects and a list of the organization’s security needs. Now, you are ready to develop a comprehensive work breakdown structure (WBS).
This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging. Note the tools and techniques to use in conducting a vulnerability assessment; you will use them later in the project.
Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:
internal threats: personnel, policies, procedures
external threats: systems, connectivity, databases
existing security measures: software, hardware, telecommunications, cloud resources
compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain
Note the security threats and vulnerabilities. This plan will serve as the second section of the final vulnerability assessment report.
Step 4: Explain Security Threats and Vulnerabilities
In the previous step, you developed a comprehensive work breakdown structure. In this step, you will explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities.
Also document the aspects that are not being included. Remember that you would need to obtain management agreement on the initial analysis of mission-critical components to be included in the assessment; this phase includes management input into the prioritization of all risks from internal and external sources.
This information will be used in the following steps to develop the threats and vulnerabilities report, which will then be included in the Final Vulnerability Assessment Report.
Next, you will classify the risk of threats and vulnerabilities.
Step 5: Classify the Risk of Threats and Vulnerabilities
Throughout this project, you have developed a foundation for the vulnerability and threat assessment by classifying critical organizational aspects, creating a scope of work, and explaining security threats and vulnerabilities. Now, you are ready to classify the organization’s risk according to the relevant data determined in the project plan.
Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities and threats you have itemized. Explain why each is a vulnerability or threat, as well as why it is relevant to the overall assessment.
Consider continuous monitoring issues as you work through the classification. Use the threat and vulnerability explanations from the previous step and the risk classifications from this step to develop the threats and vulnerabilities report.
In the next step, you will prioritize the threats and vulnerabilities you have explained and classified.
Step 6: Prioritize Threats and Vulnerabilities
Now that you have explained and classified the threats and vulnerabilities, you will prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:
Use this information, along with the threat and vulnerability explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.
Compose a two- to three-page report regarding specific threats and vulnerabilities of the technical aspects of the environment. This report will be used in the final vulnerability and threat assessment report.
Submit the threats and vulnerabilities report for feedback.
Step 7: Analyze Network Analysis Tools
Now that you have finished the threats and vulnerabilities report, you will analyze how network analysis tools are employed to identify vulnerabilities.
Earlier in the project, as you developed the comprehensive project plan, you should have read about tools and techniques available for vulnerability assessment activities. Research the tools relevant to the project plan and provide a cogent analysis of which tool or tools to recommend for this project. Consider threat remediation and make special note of tools used to identify software communications vulnerabilities.
Include the findings in a one- to two-page report, including a justification of your decision based on peer-reviewed reference materials cited in APA format. This report will be used in the final vulnerability and threat assessment report.
Submit the network analysis tools report for feedback.
Step 8: Assess Vulnerabilities and Threats
So far, you have considered the scope of work to complete a vulnerability and threat assessment for the organization, created a comprehensive work breakdown structure, explained, classified, and prioritized threats and vulnerabilities, and have chosen the network analysis tools to be used. It is finally time to assess vulnerabilities.
Using the Vulnerability and Threat Assessment Matrix template, complete the vulnerability assessment for your organization. This matrix will serve as Appendix B of the final report.
Step 9: Review and Record Findings
After completing the vulnerability and threat assessment in the previous step, you should now take time to review and consider your findings. Review the work you have completed and the feedback that you have received. Record any lessons that you have learned that may be beneficial in the future.
Issues that may be addressed include whether nontechnical factors should be considered during the vulnerability assessment, the point at which the assessment is complete, next steps, and any other issues that you noticed throughout. Record your notes thoroughly, as they will be the basis for the “lessons learned” report completed in the next step.
Step 10: Write Lessons Learned Report
Based on the work done and research accomplished, consider what you have learned so far. Build upon the findings recorded in the previous step to write a lessons learned report.
Is a vulnerability and threat assessment a technical undertaking only, or should it consider other factors? When is the assessment complete? What are the “next steps” based on your assessment? These are some examples of issues that should be addressed. This report will serve as the conclusion of the final report.
Now that you have completed all the major sections of the vulnerability and threat assessment, it is time to prepare the individual sections of the final report. Review the feedback from the SoW, Work Breakdown Structure, Threats and Vulnerabilities Report, Network Analysis Tools Report, Vulnerability and Threat Assessment, and Lessons Learned Report. Make any appropriate revisions to incorporate the received feedback. Compile the findings in preparation to submit the final report.
Step 12: Write Overview and Compile Final Vulnerability and Threat Assessment Report
Since this report will be delivered to Maria and other top executives, tailor your writing to the appropriate audience. Be sure that coherent paragraphs or points are developed so that each is internally unified, functioning as part of the whole document.
When you are finished, submit the final report.
Transcript
Vulnerability and Threat Assessment
Start Here
Vulnerabilities are security holes or flaws that can leave a system open to attack. These may be
from an inherent weakness in the system itself, in procedures used, external sources, or
anything that may leave information exposed.
A threat is an event that has the potential to damage an organization or any part of it. Threats
can be human or nonhuman.
It is important that organizations actively assess their vulnerabilities and threats as well as ways
to address them. In this project, you will perform a vulnerability assessment, which identifies,
classifies, and ranks the vulnerabilities for your organization from a disaster-management
perspective.
The assessment will be completed in a series of steps. You will classify and prioritize threats,
assess vulnerabilities, and include a “lessons learned” section as part of the assessment.
Your final document will be seven to 10 pages long, not including charts and graphics, and will
include appendices, including a vulnerability assessment matrix. Throughout the process, you
will be submitting portions of the document to your instructor for feedback so you can adjust
materials before submitting the final assessment.
You will be assessed on the coherence, inclusiveness, and feasibility of your findings and
recommendations on the vulnerabilities of an organization from a disaster-management
perspective.
Vulnerability Assessment
You have just been promoted to the newly created role of chief information security officer, or
CISO, at your organization, a midsize federal government contracting group.
Maria Sosa, the chief technology officer and your new boss, stops to talk. “Can you stop by my
office? I’d like to talk to you about a new project.”
Maria gives you a friendly greeting as you enter.
“As you know, your new role involves helping us stay ahead of cyber criminals, keeping up with
compliance requirements for our contracts, and ensuring that our partners and employees
engage in proper security practices.”
You nod.
“I’m concerned that the contractor we hired to develop our last vulnerability assessment just
didn’t understand the big picture of how our organization works. Instead of using an outside
vendor, I’d like you [emphasis] to take the lead on the assessment this year.”
“I realize this is a highly technical process, but as you are working, I’d like you to keep the “big
picture” in mind. Look at people, processes, and technology across the entire organization and
really tie vulnerabilities to possible business impacts.”
You head back to your office, excited about the prospect of tackling your first big assignment as
CISO. You will have to combine technical and research abilities to come up with an assessment
that ranks the vulnerabilities of the system from a disaster management perspective. As part of
this assignment, you will present your prioritized list and supporting information to the
executives in a professional manner.
Learning Topic
Project Statement of Work
By Adrienne Watt and bpayne
The statement of work (SOW), sometimes called the scope of work, is a definition of a project’s
parameters—factors that define a system and determine its behavior—and describes the work
done within the boundaries of the project, and the work that is outside the project boundaries.
The SOW is typically a written document that defines what work will be accomplished by the
end of the project—the deliverables of the project. The project scope defines what will be
done, and the project management plan defines how the work will be accomplished.
No template works for all projects. Some projects have a detailed scope of work, and some
have a short summary document. The quality of the scope is measured by the ability of the
project manager and project stakeholders to develop and maintain a common understanding of
the products or services the project will deliver.
The size and detail of the project scope is related to the complexity profile of the project. A
more complex project often requires a more detailed and comprehensive scope document.
According to the Project Management Institute (2008), the scope statement should include the
following components:
description of the scope
product acceptance criteria
project deliverables
project exclusions
project constraints
project assumptions
The scope document is the basis for agreement by all parties. A clear project scope document is
also critical to managing change on a project. Since the project scope reflects what work will be
accomplished on the project, any change in expectations that is not captured and documented
creates an opportunity for confusion.
One of the most common trends in project management is the incremental expansion in the
project scope. This trend is labeled scope creep. Scope creep threatens the success of a project
because the small increases in scope require additional resources that were not in the plan.
Increasing the scope of the project is a common occurrence, and adjustments are made to the
project budget and schedule to account for these changes. Scope creep occurs when these
changes are not recognized or not managed. The ability of a project manager to identify
potential changes is often related to the quality of the scope documents.
References
Project Management Institute, Inc. (2008). A guide to the project management body of
knowledge (PMBOK guide) (4th ed.). Project Management Institute, Inc.
Licenses and Attributions
Chapter 4: Framework for Project Management by bpayne and Adrienne Watt from Project
Management is available under a Creative Commons Attribution 4.0 International license. ©
2014, Adrienne Watt. UMGC has modified this work and it is available under the original
license. Download this book for free at http://open.bccampus.ca.
Vulnerability and Threat Assessment Matrix

Internal Vulnerability and Threat Matrix
Threat or Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan

External Vulnerability and Threat Matrix
Threat or Vulnerability | Classification | Priority (High-Medium-Low) | Analysis Tool Used | Remediation Plan
Vulnerability and Threat Assessment
Scope of Work (SoW)
NAME
Cybersecurity Management and Policy, UMGC
CMP 630 9040 Risk Management and Organizational Resilience
Professor
APRIL 15, 2022
Description of Scope
Global Tech Consulting has provided information technology consultancy services for over 30
years with unmatched results. With the growing threat landscape and rapid technological
advancement, we must identify our critical assets to effectively assess the impact of risk on
confidentiality, integrity, and availability. The need for system categorization, asset
management, disaster recovery, and remediation planning cannot be overemphasized. This
project aims to perform a vulnerability assessment to determine the security posture of our
systems while considering the personnel, physical security, network security, and cybersecurity
aspects of risk assessment.
Project Acceptance
Vulnerability assessment is a vital element of Global Tech Consulting’s cybersecurity program
because it allows us to evaluate our security efforts and provides the framework on which we
can build a better security environment (physical, logical, and managerial). A vulnerability
assessment tool, Nessus Professional, will be used to scan the network; the scan report will
guide the remediation plan and help prepare a reliable disaster recovery plan. Risk assessment
actions will be based on mission-critical asset prioritization. Nessus Professional provides the
visibility, accuracy, and speed that Global Tech Consulting needs to protect against unacceptable
risk while identifying the vulnerabilities that need attention (Tenable, n.d.). A scanner only
reports on the hosts it can reach and authenticate to, so the personnel and physical security
aspects of the assessment cannot be taken from the scan report.
Project Deliverables
Mission-critical assets are the technology, people, and processes that, when compromised, could
halt business activities or cause significant damage to the organization’s operations. The
organization must assign impact levels to all assets through categorization. FIPS Publication
199 defines three levels of potential impact on organizations or individuals should there be a
security breach (i.e., a loss of confidentiality, integrity, or availability). The potential
impact is LOW if the loss of confidentiality, integrity, or availability could be expected to
have a limited adverse effect on organizational operations, organizational assets, or
individuals; MODERATE if the loss could be expected to have a serious adverse effect; and HIGH
if the loss could be expected to have a severe or catastrophic adverse effect (National
Institute of Standards and Technology, 2004).
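The FIPS 199 categorization described above, carried through to a whole system, as an added Python example that is not part of this scope of work or of the NIST publication. The three impact levels are the ones quoted; two rules come from FIPS 199 itself rather than from the paragraph: a potential impact of "not applicable" may be assigned only to the confidentiality of an individual information type (public information), and an information system takes, for each objective, the highest level of any information type it holds (the high water mark), never below LOW. The information types and the contract-management system are constructed for the illustration.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not part of the scope of work or of FIPS 199 itself.
Information types below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordered lowest to highest. NA exists only so that a public information
# type can declare that confidentiality does not apply to it.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its impact level per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {value!r} for {objective}")
            if value == "NA" and objective != "confidentiality":
                # Integrity and availability always apply, even to public information.
                raise ValueError(f"{self.name}: NA is not permitted for {objective}")


def high_water_mark(levels: list[str]) -> str:
    """Highest impact level in the list."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """Per-objective impact of a system: the high-water mark over the
    information types it holds, floored at LOW (a system is never NA)."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    category: dict[str, str] = {}
    for objective in OBJECTIVES:
        level = high_water_mark([getattr(t, objective) for t in info_types])
        category[objective] = "LOW" if level == "NA" else level
    return category


def overall_impact(category: dict[str, str]) -> str:
    """Single level for the whole system: the high-water mark across the
    three objectives, which is what selects a control baseline."""
    return high_water_mark([category[o] for o in OBJECTIVES])


def sc_notation(category: dict[str, str]) -> str:
    """Render the FIPS 199 expression SC = {(confidentiality, X), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed information types for a hypothetical contract-management system.
CONTRACT_SYSTEM = [
    InfoType("contract deliverables", "MODERATE", "MODERATE", "LOW"),
    InfoType("employee PII", "HIGH", "MODERATE", "LOW"),
    InfoType("public web content", "NA", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    category = categorize_system(CONTRACT_SYSTEM)
    print(sc_notation(category), "->", overall_impact(category))
```

One HIGH information type (employee PII) is enough to make the whole system HIGH for confidentiality, which is the point of the rule: the categorization is driven by the most sensitive data the system touches, not by what it is mostly used for.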
Project Consideration
No matter how much effort is put into building a formidable security posture, organizations
still face the risk of compromise from threat actors exploiting vulnerabilities through various
threat vectors. It is paramount that threats are detected through intrusion detection and
intrusion prevention systems, multifactor authentication, user activity audit trails, security
control monitoring, and notification of security events. The vulnerability assessment will probe
personnel, physical security, network security, and cybersecurity programs. A plan of action will
be developed to mitigate the identified risks to acceptable levels.
References
National Institute of Standards and Technology. (2004, February 1). Standards for security
categorization of federal information and information systems (FIPS Publication 199). CSRC.
Retrieved April 11, 2022, from https://csrc.nist.gov/publications/detail/fips/199/final
Tenable. (n.d.). #1 vulnerability assessment solution: Nessus Professional™. Retrieved
April 13, 2022, from https://www.tenable.com/products/nessus/nessus-professional
4/19/22, 11:24 PM
Learning Topic
Information Resource Valuation
In every organization, there are critical resources that must be identified and protected in
order to support the organization’s business functions. Every identified asset must be
valued, and an asset value can be either tangible or intangible.
A tangible asset value is one that has an assigned monetary value and has a physical
presence within the organization. The asset is valued based on its original cost minus
depreciation. For example, how much would it cost to replace a web server?
An intangible asset value is one that is not physical, and it is hard to assign a monetary
value to it. Therefore, when an organization wants to assess the value of an intangible
asset, it should hire a financial professional. Examples of intangible assets include
trademarks, brand recognition, intellectual property, and patents.
Because risk is a cost-weighted measure of vulnerability, planners assign cost factors to
recognized vulnerabilities according to the impact each might have on the organization’s
employees, facilities, customer base, or key business processes. An impact analysis with
more specific categories might be developed to any arbitrary degree of detail using the
many analysis tools available. A notional risk analysis tool may produce total risk scores by
extending the previous vulnerability analysis.
In the example presented in the table below, cost factors and relative likelihood scores are
multiplied across the vulnerability from left to right to quantify the risk associated with
each specific vulnerability. In this analysis, a cost factor of 1 equates to “no effect.” The
far right column displays the total risk score. BP1, BP2, and BP3 stand for business
processes 1, 2, and 3, respectively.
Example of Aggregate Risk Analysis Summary

Threat   | Relative Likelihood | Employees Cost | Facilities Cost | Customers Cost | BP1 Cost | BP2 Cost
VFLOOD4N | 3 | 1 | 3 | 1 | 1 | 2
VFIRE2Y  | 3 | 3 | 2 | 1 | 4 | 1
VFIRE4Y  | 1 | 1 | 2 | 1 | 2 | 2
VPOWER3Y | 2 | 2 | 2 | 3 | 4 | 4
[Columns for BP3 cost and the total risk score are not recoverable from the page.]
Source: UMGC course IFSM432
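The scoring rule stated above the table, worked through on the rows that survive on this page, as an added Python example that is not part of the course material. Because the BP3 and total-score columns were cut off, the scores it produces cover the five cost columns shown and are not the course’s published totals. It also adds two checks the text does not show: which cost factors actually contribute to a score (those above 1, since 1 is “no effect”), and which single impact area, if brought down to “no effect” by a control, cuts a product score the most.

```python
"""Multiplicative risk scoring over the aggregate risk analysis table.

Added example, not from the original page. Total score = relative
likelihood x each cost factor, left to right; a factor of 1 is "no effect".
"""
from __future__ import annotations

from typing import Optional

COST_COLUMNS = ("Employees", "Facilities", "Customers", "BP1", "BP2")

# Rows as they survive in the table above (BP3 and the total are missing):
# threat id -> (relative likelihood, cost factors in COST_COLUMNS order).
AGGREGATE_TABLE: dict[str, tuple[int, tuple[int, ...]]] = {
    "VFLOOD4N": (3, (1, 3, 1, 1, 2)),
    "VFIRE2Y": (3, (3, 2, 1, 4, 1)),
    "VFIRE4Y": (1, (1, 2, 1, 2, 2)),
    "VPOWER3Y": (2, (2, 2, 3, 4, 4)),
}


def risk_score(likelihood: int, costs: tuple[int, ...]) -> int:
    """Multiply likelihood by every cost factor. Scores are ordinal values
    of at least 1; anything lower would silently shrink a score."""
    if likelihood < 1 or any(c < 1 for c in costs):
        raise ValueError("likelihood and cost factors are scores >= 1 (1 = no effect)")
    score = likelihood
    for c in costs:
        score *= c
    return score


def rank_threats(table=AGGREGATE_TABLE) -> list[tuple[str, int]]:
    """Threats ordered by total score, highest first; ties broken by name
    so the report order is stable between runs."""
    scored = [(name, risk_score(likelihood, costs)) for name, (likelihood, costs) in table.items()]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def score_drivers(costs: tuple[int, ...], columns=COST_COLUMNS) -> list[str]:
    """Impact areas where the threat has any effect (factor > 1): the part
    of the row that needs explaining to management."""
    return [col for col, c in zip(columns, costs) if c > 1]


def best_single_mitigation(likelihood: int, costs: tuple[int, ...],
                           columns=COST_COLUMNS) -> tuple[Optional[str], int]:
    """If one impact area could be brought down to 'no effect', which one
    lowers the score most, and to what? With a product score this is the
    largest factor; the first such column wins a tie."""
    base = risk_score(likelihood, costs)
    best_col: Optional[str] = None
    best_score = base
    for i, col in enumerate(columns):
        trial = costs[:i] + (1,) + costs[i + 1:]
        s = risk_score(likelihood, trial)
        if s < best_score:
            best_col, best_score = col, s
    return best_col, best_score


if __name__ == "__main__":
    for name, score in rank_threats():
        likelihood, costs = AGGREGATE_TABLE[name]
        print(f"{name:<9} score={score:<4} drivers={score_drivers(costs)} "
              f"best single mitigation={best_single_mitigation(likelihood, costs)}")
```

Note how a product score spreads quickly: VPOWER3Y has the lowest likelihood of the four but the highest score because its cost factors are all above 1, which is exactly the interdependency effect the next paragraph warns about.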
Cost factors representing the impact analysis for individual vulnerabilities are another area
where you rely upon subjective judgments. For any given threat event, the impact on
employees can range from a minor inconvenience, to financial difficulty, to injury, or even
death. Similarly, disruption to a facility may prompt a simple safety inspection, a small
repair, large-scale remodeling, or an entire demolition and reconstruction operation.
Due to natural interdependencies among employees, customers, suppliers, facilities, and
equipment, a seemingly small vulnerability may end up disrupting one or more business
processes. Therefore, planners must strive for a well-reasoned impact analysis for each
specific vulnerability.
https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-topic-list/information-resource-valuation.html?ou=632511
Resources
Information Asset Classification (https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-resource-list/information-asset-classification.html?ou=632511)
Check Your Knowledge
Choose the best answer to each question:
Question 1
Disruption to a facility may prompt a simple safety inspection, a small
repair, large-scale remodeling, or an entire demolition and reconstruction
operation.
True
False
Question 2
Due to natural interdependencies among employees, customers,
suppliers, facilities, and equipment, a seemingly small vulnerability may
end up disrupting one or more business processes.
True
False
Question 3
A tangible asset value is one that is assigned a monetary value and has a
physical presence within the organization. The asset is valued based on
its original cost.
True
False
Question 4
An intangible asset value is one that is not physical and it is hard to
assess its monetary value. Therefore, it is recommended that the
organization hire a financial professional to assess.
True
False
Question 5
Cost factors representing the impact analysis for individual vulnerabilities
are another area where we rely upon objective judgments.
True
False
© 2022 University of Maryland Global Campus
All links to external sites were verified at the time of publication. UMGC is not responsible for the validity or integrity
of information located at external sites.
Assessment of Exposure to Outages
For an organization to assess the risk of a power outage caused by sabotage, natural disaster,
or accident, it must calculate its exposure to the threat. Exposure is the product of the
organization’s vulnerability to an outage, the likelihood that the threat occurs, and the
likelihood that the threat actually causes an outage.
Vulnerability is the product of the probability that an outage has an impact and the potential
loss (e.g., as a dollar amount). A power backup capability would mitigate some of the risk and
is a factor in further assessment; the same holds for a geographically removed backup facility.
The cost of such measures constitutes the mitigation cost.
Expressed as formulas:
vulnerability = (impact probability) x (potential loss)
and
exposure (risk) = (vulnerability) x (threat likelihood) x (outage likelihood)
Impact probability would depend upon the redundant array of independent disks (RAID)
technique, backup frequency and method and power-dependent physical security
methods, people’s availability during the outage, fail safety of locks, and warning time
before the outage.
Potential loss will vary by the duration of the outage and may be assessed as primary (loss
of services dependent upon power) and secondary (consequences of services losses).
These costs would be considered two components of the total risk, both as a function of
outage time. Potential loss includes the business value of the lost operations, impaired
reputation, and the cost to recover.
Threat likelihood for natural disasters exists in actuarial databases, mostly for use by
insurance companies for their risk calculations. Likewise, insurance companies calculate
the risk of sabotage or accident.
Outage likelihood depends upon the resilience of the power supply (grid) and the
resilience of the equipment to failure.
Here are the steps to assess a system’s vulnerability:
1. calculate the vulnerabilities
2. evaluate mitigation costs
3. assess the risk
4. ensure that the mitigation cost is less than the cost of the risk
[Figure: System Vulnerability Process]
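The two formulas and the four steps above, carried through for a backup-power decision, as an added Python example that is not part of the original page. It splits potential loss into the primary and secondary components the page describes and lets both grow with outage duration, with secondary loss starting only once an outage outlasts what the business can tolerate (an assumption about the shape of the loss curve that the page does not state). Backup power is modelled as lowering the probability that a grid outage reaches operations; it changes neither the weather nor the grid. Step 4 is applied by comparing the annual mitigation cost with the exposure it removes. Every figure is constructed for the illustration; real values come from the actuarial data and cost estimates the page mentions.

```python
"""Exposure to a power outage and the mitigation test from the four steps.

Added example, not from the original page. Implements
    vulnerability = (impact probability) x (potential loss)
    exposure (risk) = (vulnerability) x (threat likelihood) x (outage likelihood)
with constructed numbers.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OutageScenario:
    """One threat-to-power scenario, with the page's factors as fields."""
    name: str
    impact_probability: float       # P(the outage actually disrupts operations), 0..1
    threat_likelihood: float        # annual P(threat event occurs), from actuarial data
    outage_likelihood: float        # P(outage | threat event): grid and equipment resilience
    primary_loss_per_hour: float    # value of the services that depend on power
    secondary_loss_per_hour: float  # consequences of losing them: reputation, recovery cost
    tolerable_hours: float          # outage length absorbed before secondary losses begin

    def __post_init__(self) -> None:
        for attr in ("impact_probability", "threat_likelihood", "outage_likelihood"):
            p = getattr(self, attr)
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: {attr}={p} is not a probability")


def potential_loss(s: OutageScenario, hours: float) -> float:
    """Primary loss accrues from the first minute; secondary loss only once
    the outage outlasts what the business can tolerate (assumed shape)."""
    if hours < 0:
        raise ValueError("outage duration cannot be negative")
    primary = hours * s.primary_loss_per_hour
    secondary = max(0.0, hours - s.tolerable_hours) * s.secondary_loss_per_hour
    return primary + secondary


def vulnerability(s: OutageScenario, hours: float) -> float:
    """vulnerability = (impact probability) x (potential loss)"""
    return s.impact_probability * potential_loss(s, hours)


def exposure(s: OutageScenario, hours: float) -> float:
    """exposure (risk) = (vulnerability) x (threat likelihood) x (outage likelihood)"""
    return vulnerability(s, hours) * s.threat_likelihood * s.outage_likelihood


def with_backup_power(s: OutageScenario, residual_impact_probability: float) -> OutageScenario:
    """Backup power lowers the chance that a grid outage reaches operations;
    threat and outage likelihoods are properties of the world and stay put."""
    return replace(s, name=f"{s.name} + backup power",
                   impact_probability=residual_impact_probability)


def mitigation_is_worthwhile(before: OutageScenario, after: OutageScenario,
                             hours: float, annual_mitigation_cost: float) -> bool:
    """Step 4: accept the mitigation when its cost is less than the exposure it removes."""
    return annual_mitigation_cost < exposure(before, hours) - exposure(after, hours)


# Constructed figures for the illustration (not measured data).
GRID_STORM = OutageScenario(
    name="storm-induced grid outage",
    impact_probability=0.9, threat_likelihood=0.2, outage_likelihood=0.5,
    primary_loss_per_hour=5_000.0, secondary_loss_per_hour=20_000.0, tolerable_hours=4.0,
)
GRID_STORM_WITH_GENERATOR = with_backup_power(GRID_STORM, residual_impact_probability=0.1)
GENERATOR_ANNUAL_COST = 30_000.0  # constructed: lease, fuel, and load testing per year

if __name__ == "__main__":
    for hours in (2, 8, 24):
        print(f"{hours:>3}h  exposure before {exposure(GRID_STORM, hours):>10,.0f}"
              f"  with generator {exposure(GRID_STORM_WITH_GENERATOR, hours):>10,.0f}")
    print("generator worthwhile for a 24h outage:",
          mitigation_is_worthwhile(GRID_STORM, GRID_STORM_WITH_GENERATOR, 24, GENERATOR_ANNUAL_COST))
```

The duration argument matters: for a two-hour outage the exposure is small and the generator does not pay for itself, while for a day-long outage the secondary losses dominate and it does. The assessment therefore has to state which outage duration it is planning for, which is the point of the “potential loss will vary by the duration” sentence above.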
https://leocontent.umgc.edu/content/scor/uncurated/cmp/2218-cmp630/learning-topic-list/assessment-of-exposure-to-outages.html?ou=632511