Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Which of the seven domains of a typical IT infrastructure is primarily impacted

ID: 3532029 • Letter: W

Question

Which of the seven domains of a typical IT infrastructure is primarily impacted by the risk, threat, or vulnerability?

Unauthorized access from public Internet

Users destroys data in application and deletes all files

Hacker penetrates your It infrastructure and gains access to your internal network

Intra-office wmployee romance gone bad

Fire destroys primary data center

communication circuit outages

Workstation OS has a known software vulnerability

Unauthorized access to organization owned Workstations

Loss of production data

Denial of service attack on organzation e-mail server


Explanation / Answer

DESCRIPTION

A. Threat Assessment

The first step in a risk management program is a threat assessment. A threat assessment considers the full spectrum of threats (i.e., natural, criminal, terrorist, accidental, etc.) for a given facility/location. The assessment should examine supporting information to evaluate the likelihood of occurrence for each threat. For natural threats, historical data concerning frequency of occurrence for given natural disasters such as tornadoes, hurricanes, floods, fire, or earthquakes can be used to determine the credibility of the given threat. For criminal threats, the crime rates in the surrounding area provide a good indicator of the type of criminal activity that may threaten the facility. In addition, the type of assets and/or activity located in the facility may also increase the target attractiveness in the eyes of the aggressor. The type of assets and/or activity located in the facility will also relate directly to the likelihood of various types of accidents. For example, a facility that utilizes heavy industrial machinery will be at higher risk for serious or life-threatening job related accidents than a typical office building.



Fig. 1. The tornado damaged Cash America Building - Fort Worth, TX

For terrorist threats, the attractiveness of the facility as a target is a primary consideration. In addition, the type of terrorist act may vary based on the potential adversary and the method of attack most likely to be successful for a given scenario. For example, a terrorist wishing to strike against the federal government may be more likely to attack a large federal building than to attack a multi-tenant office building containing a large number of commercial tenants and a few government tenants. However, if security at the large federal building makes mounting a successful attack too difficult, the terrorist may be diverted to a nearby facility that may not be as attractive from an occupancy perspective, but has a higher probability of success due to the absence of adequate security. In general, the likelihood of terrorist attacks cannot be quantified statistically since terrorism is, by its very nature, random. Hence, when considering terrorist threats, the concept of developing credible threat packages is important.


B. Vulnerability Assessment

Once the credible threats are identified, a vulnerability assessment must be performed. The vulnerability assessment considers the potential impact of loss from a successful attack as well as the vulnerability of the facility/location to an attack. Impact of loss is the degree to which the mission of the agency is impaired by a successful attack from the given threat. A key component of the vulnerability assessment is properly defining the ratings for impact of loss and vulnerability. These definitions may vary greatly from facility to facility. For example, the amount of time that mission capability is impaired is an important part of impact of loss. If the facility being assessed is an Air Route Traffic Control Tower, a downtime of a few minutes may be a serious impact of loss, while for a Social Security office a downtime of a few minutes would be minor. A sample set of definitions for impact of loss is provided below. These definitions are for an organization that generates revenue by serving the public.


Devastating: The facility is damaged/contaminated beyond habitable use. Most items/assets are lost, destroyed, or damaged beyond repair/restoration. The number of visitors to other facilities in the organization may be reduced by up to 75% for a limited period of time.

Severe: The facility is partially damaged/contaminated. Examples include partial structure breach resulting in weather/water, smoke, impact, or fire damage to some areas. Some items/assets in the facility are damaged beyond repair, but the facility remains mostly intact. The entire facility may be closed for a period of up to two weeks and a portion of the facility may be closed for an extended period of time (more than one month). Some assets may need to be moved to remote locations to protect them from environmental damage. The number of visitors to the facility and others in the organization may be reduced by up to 50% for a limited period of time.

Noticeable: The facility is temporarily closed or unable to operate, but can continue without an interruption of more than one day. A limited number of assets may be damaged, but the majority of the facility is not affected. The number of visitors to the facility and others in the organization may be reduced by up to 25% for a limited period of time.

Minor: The facility experiences no significant impact on operations (downtime is less than four hours) and there is no loss of major assets.

Vulnerability is defined to be a combination of the attractiveness of a facility as a target and the level of deterrence and/or defense provided by the existing countermeasures. Target attractiveness is a measure of the asset or facility in the eyes of an aggressor and is influenced by the function and/or symbolic importance of the facility. Sample definitions for vulnerability ratings are as follows:


Very High: This is a high profile facility that provides a very attractive target for potential adversaries, and the level of deterrence and/or defense provided by the existing countermeasures is inadequate.

High: This is a high profile regional facility or a moderate profile national facility that provides an attractive target and/or the level of deterrence and/or defense provided by the existing countermeasures is inadequate.

Moderate: This is a moderate profile facility (not well known outside the local area or region) that provides a potential target and/or the level of deterrence and/or defense provided by the existing countermeasures is marginally adequate.

Low: This is not a high profile facility and provides a possible target and/or the level of deterrence and/or defense provided by the existing countermeasures is adequate.

The vulnerability assessment may also include detailed analysis of the potential impact of loss from an explosive, chemical, or biological attack. Professionals with specific training and experience in these areas are required to perform these detailed analyses. A sample of the type of output that can be generated by a detailed explosive analysis is shown in Figure 2. This graphic representation of the potential damage to a facility from an explosive attack allows a building owner to quickly interpret the results of the analysis, although a more fully detailed and quantitative engineering response would be required to design a retrofit upgrade. In addition, similar representations can be used to depict the response of an upgraded facility to the same explosive threat. This allows a building owner to interpret the potential benefit that can be achieved by implementing various structural upgrades to the building frame, wall, roof, and/or windows.



Fig. 2. Sample output from detailed explosive analysis: glazing hazard in existing facility (left) and glazing hazard in upgraded facility (right)

C. Risk Analysis

A combination of the impact of loss rating and the vulnerability rating can be used to evaluate the potential risk to the facility from a given threat. A sample risk matrix is depicted in Table 1. High risks are designated by the red cells, moderate risks by the yellow cells, and low risks by the green cells.


Table 1. Matrix identifying levels of risk


Vulnerability to Threat

Impact of Loss Very High High Moderate Low

Devastating

Severe

Noticeable

Minor

The ratings in the matrix can be interpreted using the explanation shown in Table 2.


Table 2. Interpretation of the risk ratings


These risks are high. Countermeasures recommended to mitigate these risks should be implemented as soon as possible.

These risks are moderate. Countermeasure implementation should be planned in the near future.

These risks are low. Countermeasure implementation will enhance security, but is of less urgency than the above risks.

D. Upgrade Recommendations

Based on the findings from the risk analysis, the next step in the process is to identify countermeasure upgrades that will lower the various levels of risk. If minimum standard countermeasures for a given facility level are not currently present, these countermeasures should automatically be included in the upgrade recommendations. Additional countermeasure upgrades above the minimum standards should be recommended as necessary to address the specific threats identified for the facility. The estimated capital cost of implementing the recommended countermeasures is usually provided in the threat/vulnerability assessment report. The estimated installation and operating costs for the recommended countermeasures are also usually provided in the threat/vulnerability assessment report. All operating costs are customarily estimated on a per year basis.


E. Re-Evaluation of Risks

The implementation of the recommended security and/or structural upgrades should have a positive effect on the impact of loss and/or the vulnerability ratings for each threat. The final step in the process is to re-evaluate these two ratings for each threat in light of the recommended upgrades. Using an exterior explosive threat as an example, the installation of window retrofits (i.e., security window film, laminated glass, etc.) will not prevent the explosive attack from occurring, but it should reduce the impact of loss/injury caused by hazardous flying glass. Therefore, the impact of loss rating for an explosive threat would improve, but the vulnerability rating would stay the same.

Related Questions

Which of the folowing kindsCengage Online teaci x bsorption and Variable Costing
Question #2555128
Which of the folowing statement negarding the early events of DNA replication s
Question #211082
Which of the formations has the most prominent topographic expression as indicat
Question #295174
Which of the four basic tissue types is/are excitable? (Check all that apply.) _
Question #3474285
Which of the four classes of ATP-powered pumps share overall similarity: several
Question #162611
Which of the four generic (Porter) strategies does the Coca-Cola Company follow,
Question #460076
Which of the four reaction steps involve an oxidation-reduction reaction (in whi
Question #852645
Which of the four structures to the right is an example of a fat? Which of the f
Question #932238
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Which of the sedimentary structures below is most useful in telling earth\'s lif
Next
Which of the solutions shown here will have the lowest vapor pressure? White cir

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.