Cybersecurity Vulnerability Assessment

According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations.” This exercise will take the student through performing a risk assessment on IT assets using a Vulnerability Oriented Analysis Approach based on https://doi.org/10.6028/NIST.SP.800-30r1.

he IT Director requested a cybersecurity vulnerability assessment on some of the older IT assets still in use today. The results of the vulnerability scans identified that each of the assets has a known vulnerability that is listed in the National Vulnerability Database (NVD).Links to an external site. NVD – Vulnerabilities (nist.gov)
You will use this excel workbook, asset-list week4rev2 Download asset-list week4rev2for this assignment, it has 4 tabs:
Risk Assessment (complete the assessment using this tab): The IT assets are listed, along with the associated known CVE SCORE Reference and CVSS SCORE Reference vulnerability that was identified as part of the vulnerability scanning process.
Other relevant information that you will need to conduct your assessment:
Reference Information: Confidentiality, Integrity and Availability Criteria are listed, along with the Score. A Threat Matrix is provided that identifies the Agent and the Action that Agent has the ability to take. You can supplement this with Threat Actor information found in SP800-30.
Asset List Audit Results: The audit results provides you with a results score for each of the security controls that have been implemented for each of the IT assets.
Protection Controls: The security control families are listed with the score value for the condition of that control.
NSTRUCTIONS FOR CONDUCTING RISK ASSESSMENT AND ANALYSIS
You will use the 4 step Risk Assessment Process shown here to conduct your assessment.

1) Open the RISK ASSESSMENT TAB worksheet of the excel file
2) Review the example provided – Pulse Secure VPN Server 8.2R1.0 gateways Appliance. See column descriptions comments for helpful hints.
3) You are to assess the identified vulnerability using the provided NIST National Vulnerability Database and the Common Vulnerability Exploit web site links. Information on CVSS 3.1, a scoring rubric, and a glossary is available at Common Vulnerability Scoring System version 3.1: User GuideLinks to an external site. CVSS v4.0 User Guide (first.org)
4) Using the information from the CVE, CVSS scores, and referencing the appropriate NIST SP 800-30 Appendices and Tables complete the columns for each asset.

• Assess the inherent risk given the existing set of controls.
• Make a recommendation on how to manage the risk and stipulate whether you expect management to accept or reject this recommendation.
• Assess the residual risk of each asset (add an addition column for this)