Port of Seattle IT Security Risk Assessment
Joseph Sanchez
Central Washington University
December 4, 2018
,Table of Contents
Executie Summary.....................................................................................................................................4
Oieriiew of Assessment..........................................................................................................................4
Identied Risks and Common Risk hndemes..............................................................................................4
Summary of Proposed Mitiaton Actiites.............................................................................................4
Risk Assessment Report...............................................................................................................................4
Oieriiew of Risk Assessment..................................................................................................................5
Risk Measurement Criteria......................................................................................................................5
Scope of Assessment...............................................................................................................................6
Security Controls Assessed......................................................................................................................6
Areas of Concern (or Risks)......................................................................................................................8
Disiruntled employee may access and release employee’s account informaton..............................8
Hacker iain access to employee’s account informaton.....................................................................9
An intruder could iain access to an access panel at tde kiosk macdine..............................................9
An intruder interceptni tde Wi-Fi siinal to obtain informaton.......................................................10
A tdief iainini access to tde locked container...................................................................................12
Risk Heat Map....................................................................................................................................13
Risk Mitiaton.......................................................................................................................................14
Risks to Accept...................................................................................................................................14
Risks to Defer.....................................................................................................................................14
Risks to hnransfer................................................................................................................................14
Risks to Mitiate................................................................................................................................14
Reference List............................................................................................................................................18
Octaie Alleiro Worksdeets.......................................................................................................................19
Worksdeet 1..............................................................................................................................................19
Worksdeet 2..............................................................................................................................................20
Worksdeet 3..............................................................................................................................................21
Worksdeet 4..............................................................................................................................................22
Worksdeet 5..............................................................................................................................................23
Worksdeet 6..............................................................................................................................................24
Worksdeet 7..............................................................................................................................................25
Worksdeet 8..............................................................................................................................................26
,Worksdeet 9a............................................................................................................................................28
Worksdeet 9b............................................................................................................................................30
Worksdeet 9c.............................................................................................................................................32
Worksdeet 10............................................................................................................................................34
Worksdeet 10............................................................................................................................................36
Worksdeet 10............................................................................................................................................38
Worksdeet 10............................................................................................................................................40
Worksdeet 10............................................................................................................................................43
Octaie Alleiro Questonnaires..................................................................................................................46
, Executive Summary
Overview of Assessment
When the assessment took place, I interviewed Oscar Segura who works for Port of Seattle.
During our interview, the information asset we assessed was employee account information. The
assessment took place on November 7, 2018. The purpose of assessing employees’ account
information was to see what are the chances that the employee’s account information would be
compromised.
Identified Risks and Common Risk Themes
There were some area of concerns that I have discovered while the assessment was in-progress.
One of those concerns was a disgruntled employee may release an employee’s account
information. Other areas that were also a concern was a hacker may gain access to employee’s
account information in the following ways. An intruder could gain access to the access panel on
the parking garage fare kiosk and plug a hacking device such as a keyboard or a flash drive. The
Wi-Fi connection from the internal network to the parking garage fare kiosk machine could be
intercepted by an unauthorized individual. Finally, an unauthorized individual could access the
room where the locked containers are stored.
These are the different risk areas that I found within my assessment at the Port of Seattle.
Summary of Proposed Mitigation Activities
The common thing to do when you are mitigating risks is to first start with the basic assessment.
A basic assessment can be something like evaluating the systems settings that has been set by
default; such as a type of encryption, is the computer’s hard drive encryption enabled or
disabled, internet security settings configured or not, etc. these are the general things that would
need to be examined before deciding which security controls to implement to the computer
system.
The proposed mitigation methods are dependent on the area of concerns and findings that were
found during the assessment. For example, an intruder using Wi-Fi to try to obtain information
from the kiosk machine is an area of concern. So, this is the area that will be assessed and
findings that were found would be the evidence to determine which security control would be
appropriate to implement that will resolve this area of concern. Generally, you would first figure
out what basic security controls are in place and possible vulnerabilities that may occur when
evaluating computer system and its infrastructure.
Risk Assessment Report
Joseph Sanchez
Central Washington University
December 4, 2018
,Table of Contents
Executie Summary.....................................................................................................................................4
Oieriiew of Assessment..........................................................................................................................4
Identied Risks and Common Risk hndemes..............................................................................................4
Summary of Proposed Mitiaton Actiites.............................................................................................4
Risk Assessment Report...............................................................................................................................4
Oieriiew of Risk Assessment..................................................................................................................5
Risk Measurement Criteria......................................................................................................................5
Scope of Assessment...............................................................................................................................6
Security Controls Assessed......................................................................................................................6
Areas of Concern (or Risks)......................................................................................................................8
Disiruntled employee may access and release employee’s account informaton..............................8
Hacker iain access to employee’s account informaton.....................................................................9
An intruder could iain access to an access panel at tde kiosk macdine..............................................9
An intruder interceptni tde Wi-Fi siinal to obtain informaton.......................................................10
A tdief iainini access to tde locked container...................................................................................12
Risk Heat Map....................................................................................................................................13
Risk Mitiaton.......................................................................................................................................14
Risks to Accept...................................................................................................................................14
Risks to Defer.....................................................................................................................................14
Risks to hnransfer................................................................................................................................14
Risks to Mitiate................................................................................................................................14
Reference List............................................................................................................................................18
Octaie Alleiro Worksdeets.......................................................................................................................19
Worksdeet 1..............................................................................................................................................19
Worksdeet 2..............................................................................................................................................20
Worksdeet 3..............................................................................................................................................21
Worksdeet 4..............................................................................................................................................22
Worksdeet 5..............................................................................................................................................23
Worksdeet 6..............................................................................................................................................24
Worksdeet 7..............................................................................................................................................25
Worksdeet 8..............................................................................................................................................26
,Worksdeet 9a............................................................................................................................................28
Worksdeet 9b............................................................................................................................................30
Worksdeet 9c.............................................................................................................................................32
Worksdeet 10............................................................................................................................................34
Worksdeet 10............................................................................................................................................36
Worksdeet 10............................................................................................................................................38
Worksdeet 10............................................................................................................................................40
Worksdeet 10............................................................................................................................................43
Octaie Alleiro Questonnaires..................................................................................................................46
, Executive Summary
Overview of Assessment
When the assessment took place, I interviewed Oscar Segura who works for Port of Seattle.
During our interview, the information asset we assessed was employee account information. The
assessment took place on November 7, 2018. The purpose of assessing employees’ account
information was to see what are the chances that the employee’s account information would be
compromised.
Identified Risks and Common Risk Themes
There were some area of concerns that I have discovered while the assessment was in-progress.
One of those concerns was a disgruntled employee may release an employee’s account
information. Other areas that were also a concern was a hacker may gain access to employee’s
account information in the following ways. An intruder could gain access to the access panel on
the parking garage fare kiosk and plug a hacking device such as a keyboard or a flash drive. The
Wi-Fi connection from the internal network to the parking garage fare kiosk machine could be
intercepted by an unauthorized individual. Finally, an unauthorized individual could access the
room where the locked containers are stored.
These are the different risk areas that I found within my assessment at the Port of Seattle.
Summary of Proposed Mitigation Activities
The common thing to do when you are mitigating risks is to first start with the basic assessment.
A basic assessment can be something like evaluating the systems settings that has been set by
default; such as a type of encryption, is the computer’s hard drive encryption enabled or
disabled, internet security settings configured or not, etc. these are the general things that would
need to be examined before deciding which security controls to implement to the computer
system.
The proposed mitigation methods are dependent on the area of concerns and findings that were
found during the assessment. For example, an intruder using Wi-Fi to try to obtain information
from the kiosk machine is an area of concern. So, this is the area that will be assessed and
findings that were found would be the evidence to determine which security control would be
appropriate to implement that will resolve this area of concern. Generally, you would first figure
out what basic security controls are in place and possible vulnerabilities that may occur when
evaluating computer system and its infrastructure.
Risk Assessment Report
