Risk Presented by the Scenario

¶ … risk presented by the scenario described depends on the degree of ease with which the access controls are "bypassable," but any potential exposing of PII to unauthorized internal users or external attackers would be a high risk that warrants (if not demands) immediate attention (Stoneburner 2002). The impact of the vulnerability could be quite high if a breach were to occur, affecting not only extrinsic functions of the company but also the level of safety and security felt by its customers and employees.

Non-exploitable vulnerabilities are not true vulnerabilities as they cannot lead to purposeful damage to or unauthorized access of an information security system or database -- such vulnerabilities are really just software bugs (Foster 2005). Examples of this would be a glitch that disallows access for an authorized user with the proper means of achieving access or those that simply result in program errors when access is attempted -- in and of themselves, such bugs cannot be exploited and are thus not true vulnerabilities, or at most nonexploitable vulnerabilities (Foster 2005). Other vulnerabilities, such as those that make gaining unauthorized access possible or easier and those that purposefully corrupt information, are exploitable and thus the true vulnerabilities of the system (Foster Year).

3)

The closeout meeting for the IA-CMM in any organization should include an assessment of each of the nine processes identified and scrutinized by the IA-CMM and an explanation of the rank (from 0-5) given for each process assessed. Comparable products or systems and their rankings in these areas should also be identified and discussed during these closeout meetings, to determine the degree of congruence a specific IA-CMM assessment has with expected norms and standards. Methods for addressing any low rankings and improving scores n areas assessed as poor would also be useful components of discussion.

4)