Memo to CIO: Threat, Risk & Impact Analysis
Like Shawn Barnes

Memo to CIO: Threat, Risk & Impact Analysis

Memo to CIO: Threat, Risk & Impact Analysis


Published: January 7, 2017 0 0 666
By: Shawn Barnes, Cal State San Marcos
Category: Management
Hashtags: #Analysis #Communications #Excel #Management #Research #StrategicThinking #Word

Weekly Security Prompt (September 14, 2015)

You are the recently hired (first!) ISO of Acme Rocket Company (ARC). One of your first moves was to review the patch status of the company desktops, laptops, and servers. You were alarmed to discover that not all systems had current security patches, and when you tried to make that a priority people gave you a bunch of reasons why it was an impact to their productivity.

ARC has never had any kind of user awareness training, and you suspect you’d get more cooperation if they had more info about the risk and impacts. You decide to start making them more aware of the threats to ARC’s computers. So far you’ve discovered that
• everyone uses Internet Explorer – it is the default browser
• the IT group along with people from Finance use RDP (Remote Desktop) to access hosts
• everyone uses Microsoft Office
• Engineering and Accounting use SMB to access their department shares on the fileserver
• everyone uses applications that rely on XML
• only Marketing is allowed to use memory sticks or other USB devices
• ARC does not use SCOM (System Center Operations Manager)
• The IT department uses UDDI and command line scripts
• No one uses WebDAV or Microsoft Edge, but Accounting uses some .net applications

Visit, and pull up the Microsoft Security Bulletin Summary for August 2015.

Create a spreadsheet (or table) summarizing the bulletins. For each, list the bulletin ID, the critical/important rating, the application or function affected, the vulnerability, exploit method, the type of mitigation and affected departments, active exploit. Example:

# Rating Function/App Vulnerability Method Mitigation Affected Dept(s) Active
MS15-079 Critical Internet Explorer Remote Code Execution User visit to bad website Limit user admin rights, user awareness training all Yes

Write a brief (no more than two page!) memo to Joe Smith, the ARC CIO with a summary of your findings and recommendations. Attach your spreadsheet or table.


2ndmemotoCIO313.pdf 358.8 KB