OPM System Probable Dangers and Vulnerabilities

Risk Evaluation Report


The purpose of performing this risk assessment was to identify potential hazards and vulnerabilities related to OPM System. The risk assessment will be used to recognize possible risk mitigation plans related to Organization. The network was identified to have a potential high-risk during security diagnosis. Therefore, risk assessment is required to be conducted to gauge the impact of any breach that can derive from the vulnerabilities uncovered.


The company's system includes several infrastructural components. The exterior interface is a series interactive web page which allows users to source data and receive the required information from the application. The system is made using Internet Information Server that uses Active Server Web pages. The network infrastructure assists with the management of information exchange in the whole system. The web application, database and operating systems that support these components are included in the scope. Ensuring the machines require several firewalls that are create in virtually all the network interconnection restrictions.


Cybercrime have been a major source of leak of personal, organization and governmental leak. The OPM works with out a proper risk governance composition. The OPM does not have a structured and standardized monitoring system for security settings. The OPM failed to maintain appropriate IT inventory that undermines all efforts at securing their information systems.

Insider threats to information systems may be the largest risks that any group might face. The reason why they are reported to be the biggest is the fact it becomes very hard to determine who would betray your organization among the trusted employees. It will always be super easy to ignore the menace within on the assumption that there is always that loyalty within and then realize that the primary cause of the risks is from within. The common insider dangers are:

Theft of unsecured personal device is a very big menace as the mobile devices use in organizations are uncontrollable. These devices can be used to access vital information about the organization not limited by Intellectual Property and Protection plan robbery.

External threats

Some of the types of external security risks to the info system of the organization are:

Phishing attacks is an external attack in which a hacker uses the con to trick an employee into providing them with their login details. They send e-mails that are embedded with a link that captures the details when got into by the worker.

Denial of Service harm where in fact the attacker gains usage of the network of the business and keeps users from having access to certain services. The hackers achieve this by disrupting the way the sponsor system functions. If the attacker floods all the computer ports instead of only certain interface is called Direct denial of service episode.

Spoofing occurs when an attacker masquerades as a legit sponsor and steals the IP address, spoofs a site or hijacks a network system and by which means inject malicious rules that are developed to build damage to the system functions. They include Trojan horses, infections, key-loggers, spyware and many others. Once they are planted in the system, they interrupt the operation of the system by disabling the firewalls and presenting access to the hackers (Catteddu & Hogben, 2013).


Very Low




Very High


Very Likely

Known Unpatched Exploit

Digital Ransom

Hackers / DDoS/ Malicious Codes

Somewhat Likely

Insiders / Phishing Attacks

Partners / Competition /Terrorists / Spoofing


Theft from it equipment

Man in the middle

Not Likely

Above is the chance matrix of risks which exist in many organizations. This includes their likeliness of event and their level of impact of the assault.


The OPM allows information systems to use indefinitely without been put through a tight security controls assessment. The FISMA requirements, OMB regulations and suitable NIST guidelines have not been used through appropriately such as dated system inventory which include the organization and contractor-operated systems.

The Risk Assessment Matrix below shows the risk source, threat action probability of event and the impact of the vulnerabilities involved.


Threat Source

Threat action

Likelihood of occurrence


OPM applications do not require PIV authentication

Unauthorized users and terminated employees

Dialing into the company's databases and access of critical information.

Very high

Loss of essential data, loss of profits through litigation expenses in case these details is misused.

Unsupported software

Terminated employees, Hackers and computer criminals

Getting into the system using the unsupported software or any other software

Very high

This can lead to loss of hypersensitive files from the system of the company.

Lack of gross annual assessment of its systems

Unauthorized users, hackers and computer criminals

Accessing the databases of the business through hacking or any other way such as used to the pattern

Very high

Remote access of the info which may lead to the gain access to of the data.

Impact assessments for exploitation of security weaknesses

The weakness of security makes the OPM exposed to data reduction. The evaluation implies that OPM doesn't have a process to track record or observe security status making the process susceptible. This also exhibited the necessity for OCIO to centrally keep track of the current position of security weakness.


On performance specifications, systems owners needed to be modified to fit the FISMA conformity systems. They were few remediation forwarded among others. OIG suggests that the OCIO develop and maintain a comprehensive inventory of all servers, directories, and network devices that are living on the OPM network. All productive systems in OPM's inventory must have a whole and current Authorization. OPM must be sure that an gross annual test of security settings has been completed for all systems.

Use of Access control is very important in making sure that usage of information in the system is controlled. The use of passwords and usernames help the business protect private data from landing the hands of official personnel. This system is important in security against dangers like spoofing, packet hijacking, harmful codes and many others. RDBMS assist in making the transactions within the systems quite successful and effective because they provide the ACID lab tests offering security to the transactions. The usage of transfer logs also helps in monitoring the changes that are made to the data source. Firewall log data files help in protecting the transfer within the system secure from problems.

Cryptography also applies sophisticated mathematics and reasoning to create high-end encryption methods which allows system administrators to keep confidence of the customers in the organization's procedures. People are promised that their data is kept private using cryptography and very important to make sure that the database ventures are stored secured and lock out the attackers (Filipek & Hudec, 2015).

Cost/benefit analyses of remediation

The OPM is attempting to improve their comprehensive security control system that will, later on, need periodic system authorization. Even though it may cost the business high to get this work, it'll be a win because of the security dangers and vulnerabilities they face. Proper governance is required to proactively put into action cost-effective controls to protect critical information systems that support the quest and changing the risk management.

High-level plan of action with interim milestones (POAM)

The action was done through auditing criteria accepted by the federal government. The standards necessity includes the systems which allows efficient auditing to be able to draw out sufficient information's and summary on any activities in the network. Considering OPM, inside controls were evaluated for various systems which had varying examples of computer produced data.


This is a report on OPM Authorization program have concluded that OPM hasn't substantially defined the roles and responsibilities of most positions of the IT management structure. With all the existent hazards and vulnerabilities, there have been significant advancements to the monitoring program.


Catteddu, D. , & Hogben, G. (2013). Cloud computing risk assessment: benefits, risks and tips for information security, ENISA record.

Filipek, J. , & Hudec, L. (2015, June). Distributed firewall and cryptography using PKI in mobile RANDOM sites. In Proceedings of the 16th International Convention on PERSONAL COMPUTERS and Technologies (pp. 292-298). ACM.

Also We Can Offer!

Other services that we offer

If you don’t see the necessary subject, paper type, or topic in our list of available services and examples, don’t worry! We have a number of other academic disciplines to suit the needs of anyone who visits this website looking for help.

How to ...

We made your life easier with putting together a big number of articles and guidelines on how to plan and write different types of assignments (Essay, Research Paper, Dissertation etc)