Reference no: EM133697027
Assignment:
The Acme Corporation
The following vulnerabilities were identified during a recent internal PCI DSS audit conducted by the Acme Corporation. As the risk assessor, you are expected to assess the vulnerabilities by focusing on the root causes.
Critical vulnerabilities exist on servers due to a lack of patch management procedures.
Employees routinely store critical information in cleartext on their local workstations. There is no system where employees can store critical information securely, nor has management budgeted for any such system to be created.
Acme has an information security policy document that contains the following password policy:
2.2 Password Policy
2.2.1 All employees shall have a password for the information services and computers they use.
2.2.2 Employees shall not share their passwords with other employees.
2.2.3 Employees shall not write their passwords on paper.
2.2.4 Employees shall not use their personal passwords on Acme computers and services.
A production server has been discovered to contain a test account created when the server was in a staging environment. The same server contains user accounts that have been inactive for more than 90 days. The most important discovery was that the IT department has not assigned an individual or team to manage the administration of user accounts.
Acme has not been regularly monitoring and testing its IT infrastructure.
Given the scenario provided above, identify the level of the risk assessment you will perform.
Your risk assessment may cover multiple tiers. NIST SP 800-30 uses a three-tier risk management hierarchy: nontechnical, organizational, and strategic risks are Tier 1 (organization); the mission and business processes that connect the two are Tier 2; and technical and tactical risks at the information-system level are Tier 3.
For example, does the scenario involve all three tiers (Tiers 1, 2 and 3), two of them, or only one?