Executive Summary
During the period June 1, 2004 to June 16, 2004 a detailed information security risk assessment was performed on the Department of Motor Vehicle’s Motor
Vehicle Registration Online System (“MVROS”).
The MVROS provides the ability for State vehicle owners to renew motor vehicle registrations, pay renewal fees, and enter change of address information.
The assessment identified several medium risk items that should be addressed by management.
This is sample data for demonstration and discussion purposes only
Page 2
DETAILED ASSESSMENT
1. Introduction
1.1 Purpose
The purpose of the risk assessment was to identify threats and vulnerabilities related to the Department of Motor Vehicles – Motor Vehicle Registration Online
System (“MVROS”). The risk assessment will be utilized to identify risk mitigation plans related to MVROS. The MVROS was identified as a potential high-risk system in the Department’s annual enterprise risk assessment.
1.2. Scope of this risk assessment
The MVROS system comprises several components. The external (customer) interface is a series of web pages that allow the user to input data and receive information from the application. The online application is a web-based application developed and maintained by the DMV. The application is built using
Microsoft’s Internet Information Server and uses Active Server Pages. The application has an interface with the motor vehicle registration database and with
Paylink – an e-commerce payment engine provided by a third party vendor. DMV
IT department hosts the application. The application components are physically housed in the DMV’s data center in Anytown.
The scope of this assessment includes all the components described above except for Paylink. The Paylink interface – the component managed by DMV IT – is in scope. Also in scope are the supporting systems, which include: DMZ network segment and DMZ firewalls. The