PM Plan
| # | Weakness (violates a policy or procedure) | Threat (what is the danger that exploits the weakness) | Risk (what asset could be lost, qualitative/quantitative) | Countermeasure (how can it be safeguarded) | Risk Factor & Reason ("1" Critical: impacts company viability; "2" Major: impacts asset or IT infrastructure; "3" Minor: impacts productivity/availability) | Group Member Name |
|---|---|---|---|---|---|---|
| Ex1 | Client records left out in the office after hours | Janitors or others with access to the building after hours can get into the files in the cabinets | a. Client sensitive information, including Social Security numbers, can be stolen and used to open new accounts. b. Client financial account numbers can be obtained and funds stolen. c. Negative publicity can damage the company's reputation. | 1. Enforce the policy requiring client records to be stored securely. 2. Discipline employees who leave records out. | "1" (company may have to pay penalties for each incident; negative publicity could destroy the company's reputation); "3" (stolen files must be replaced) | |
| Ex2 | Office areas left unlocked after everyone has left for the day | Visitors and others can enter office areas without being seen | a. Company assets can be stolen or vandalized. b. IT infrastructure can be destroyed. c. File cabinets can be broken into and client files stolen or destroyed. d. Negative publicity can damage the company's reputation. | 1. Enforce the policy requiring offices to be secured. 2. Discipline employees who leave offices unlocked. 3. Post contact information at office entryways so janitors or others can call to report an unsecured office. | "1" (company may have to pay penalties for each incident; negative publicity could destroy the company's reputation); "2" (stolen company assets and destroyed IT infrastructure must be replaced); "3" (stolen files must be replaced) | |
| 1 | Employee taped password to screen | a. Anyone who can see the screen (visitors, cleaning staff, other employees) can read the password and log in as that employee. b. The stolen credential can then be used to attack the organization from the inside. | a. Loss of access control. b. The organization's valuable information could fall into an attacker's hands. c. Data on the system, for example PHI, SSNs and clinical data, could be compromised. | a. Use one-time password tokens (multi-factor authentication) so that a written-down password alone is not enough to log in. b. Remove the note and enforce the policy against writing passwords down. | | Prathik Nayak |
| 2 | LAN/WAN UPS not operational | | | | | |
| 3 | Regular firewall maintenance not conducted | a. Cyber-attacks and unauthorized access to the network. b. Outages of business applications. c. Security patches being missed. d. Rules left in place that permit risky inbound and outbound communications. | a. Routers, VPNs, load balancers and other network infrastructure are at risk. b. Beyond the core network, the organization's servers, software and application endpoints are at risk. c. The organization's reputation is at risk. | a. Schedule regular firewall maintenance: apply vendor patches and review the rule set, removing unused rules and risky permitted services. b. As defense in depth, close unneeded ports on individual machines (host firewall) so that a missed firewall update or a breached perimeter does not expose every host. c. Run antivirus protection on the hosts. | | Prathik Nayak |
| 4 | SysAdmin has little-to-no security awareness training | a. Without proper training the SysAdmin will not implement security procedures correctly; for instance, a SysAdmin who does not understand antivirus software will leave the company's computers poorly protected. | a. The company's confidential information can be stolen by attackers. b. Competitors can obtain the stolen customer information. | a. Provide the SysAdmin with proper security awareness training. b. Conduct seminars and workshops for security awareness training. | | Kalyan Muppala |
| 5 | Servers do not have the latest patches | a. Without the latest patches the server software is not secure. b. Newly discovered vulnerabilities (and new malware, if antivirus signatures are also stale) will be exploited. | a. Server compromise and loss of service availability. b. Unexpected failures when a large backlog of patches is finally applied at once. | a. Apply operating-system and application patches on a regular schedule and keep antivirus signatures current. b. Use a patch-management tool that can deploy updates automatically. | | Naga Sampath Reddy Mittala |
| 6 | Databases/systems not backed up | a. Loss of financial information and important documentation if systems and databases are not backed up. | a. The company can suffer a loss of financial assets. | a. Back up systems and databases regularly, and assign personnel responsible for performing and testing the backups. | | Kalyan Muppala |
| 7 | Computer always left logged in | a. Lack of accountability: actions cannot be tied to the person who performed them. | a. Other employees can impersonate the logged-in user and perform undesirable tasks. b. The machine is never rebooted, so updates are not applied on time. | a. Position the screen so that a casual passerby cannot read it. b. Enforce an inactivity timeout so that the screen locks after a short period without activity. c. Require users to lock the workstation whenever they step away. | | Prathik Nayak |
| 8 | Computer login shared by everyone | | | | | |
| 9 | Employee uses a very simple password | a. Employees from other departments can guess the password and access information easily. b. If the laptop is stolen, its contents are easy to access. | a. The user's access controls are defeated. b. Privileged accounts are also at risk. c. Members' PHI is at risk. d. The organization's financial documents are at risk. e. The organization's reputation is at risk. | a. Require strong passwords, with length and complexity enforced by policy. b. Do not write passwords down; use a password manager to store them. c. If a written copy is unavoidable (for example a break-glass administrator password), keep it in a locked cabinet or office safe, never at the desk. | | Prathik Nayak |
| 10 | InfoSec audits not conducted | | | | | |
| 11 | Employees using personal laptops to do corporate business | a. Data theft and loss of data integrity; if a personal laptop is stolen, the thief acquires all of the organization's information stored on it. | a. Data compromise; the company's information is stolen. | a. Personal laptops used for business must have full-disk encryption and a strong login password. b. Connect to company resources only through the company VPN. | | Kalyan Muppala |
| 12 | Client files left out on the desk overnight | a. Anyone in the office can read the client files. b. The files can be copied easily. | a. Unauthorized access to client information. | a. Lock files in the desk or cabinet before leaving. b. Prefer access-controlled soft copies over hard copies of the data. | | Naga Sampath Reddy Mittala |
| 13 | Client personal data shared with everyone via email | | | | | |
| 14 | Password hasn't been changed in over a year | a. A password that is never changed gives anyone who has learned it (a former colleague, a leaked credential) indefinite access. b. Over time more and more employees come to know it. | a. Personal and office data can be accessed by whoever knows the password. | a. Change the password on a regular schedule, and immediately if it may have been exposed. b. Use one-time passwords for login. | | Naga Sampath Reddy Mittala |
| 15 | Office left unlocked during lunch/breaks and overnight | | | | | |
| 16 | Retired employee able to log in | a. If he can still log in he can obtain the details of every project. b. He can pass the data to outsiders. | a. He can copy the details and leak them to anyone. b. He can corrupt sensitive files. | a. Disable or delete the accounts of retired employees as part of the off-boarding process. b. If a retired employee needs access, create temporary credentials with an expiry date. | | Naga Sampath Reddy Mittala |
| 17 | Inventory control and access control policies not followed | | | | | |
| 18 | Record cabinets cannot be locked or are left unlocked | | | | | |
| 19 | Computers do not have the latest software patches | a. A vendor or employee who handles critical business data and accesses the network with an outdated browser can inadvertently expose that data. b. Malware exploiting an unpatched hole can steal data saved on the device or let the attacker take control of the computer and encrypt its files. | a. The security of the corporate network is weakened and attackers can gain access to critical data. b. Attackers write exploit code that targets the known vulnerability. | a. Apply software updates and patches promptly; they repair the security holes that have been discovered and fix or remove bugs. b. Enable automatic updates where possible so that machines are not left on outdated versions. | | Manoj Kumar Pabbathi |
| 20 | Unauthorized software discovered on corporate computers | | | | | |
| 21 | Default password still being used | a. Default passwords are published in vendor documentation and are easily guessed. b. Anyone who knows the default can log in and change the data. | a. Attackers obtain the data. b. Anyone can misuse other users' data. | a. Change the default password as soon as the system or device is installed. b. If a default account must remain in use, protect it with one-time passwords. | | Naga Sampath Reddy Mittala |
| 22 | Laptops with sensitive data not encrypted | a. An employee working from home over the home network, or losing the laptop, can give an attacker easy access to sensitive information. | a. PHI lost to an attacker. | a. Encrypt the data at rest (full-disk encryption). b. Use protocols such as SSL/TLS for data in transit over the network. c. Follow industry-standard encryption techniques. d. Once encryption is in place, manage the keys properly. | | Prathik Nayak |
| 23 | Master login created by IT and used by offices | | | | | |
| 24 | Users can download data to USB drives | a. Employees can steal data using USB drives. b. USB drives are used for many purposes and this can also cost productivity. | a. If a USB drive carries malicious programs, they can be passed unknowingly to the computer/laptop. b. They can spread to other systems and the organization's network can be seized. | a. Scan USB drives for malware before they are used. b. Set controls and limits on the file types that can be used on office systems. c. Have the organization block direct USB plug-ins and provide other methods for transferring files. | | Prathik Nayak |
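The account and password weaknesses in rows 9, 14, 16 and 21 (username-derived password, password older than a year, retired employee still enabled, default password still in use) all reduce to checks that can be automated against a user export. The script below is an added example, not part of the PM Plan above or of any group member's work. The record layout, the unsalted SHA-256 password column, the weak-password list, the audit date and the sample accounts are all assumptions made so that it runs offline.

```python
"""Account-hygiene audit: added example, not part of the PM Plan above.

Checks a user export for the weaknesses in rows 9, 14, 16 and 21:
  - row 9:  password derived from the username (a "very simple" password)
  - row 14: password not changed within the policy period
  - row 16: retired/terminated employee whose account is still enabled
  - row 21: vendor default or commonly used password still in use
Assumptions: the export carries an unsalted SHA-256 of each password
(real directories use salted, slow hashes, which turns this lookup into a
per-hash cracking job); the weak-password list, the audit date and the
sample accounts are constructed for this example.
"""
import hashlib
from datetime import date

MAX_PASSWORD_AGE_DAYS = 365      # row 14: "not changed in over a year"
AS_OF = date(2024, 6, 1)         # assumed audit date, fixed so results repeat

# Constructed list of vendor defaults and trivially guessable passwords.
KNOWN_WEAK_PASSWORDS = ["admin", "password", "Password1", "123456",
                        "changeme", "welcome", "letmein"]


def sha256_hex(text):
    """Hex SHA-256 of a string (the hash scheme assumed for the export)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Hash -> plaintext, so a match can be reported by name.
WEAK_HASHES = {sha256_hex(p): p for p in KNOWN_WEAK_PASSWORDS}


def username_candidates(user):
    """Passwords people commonly derive from their own username (row 9)."""
    base = user.lower()
    return {base, base + "1", base + "123", base.capitalize() + "1",
            base + "2024", base[::-1]}


def audit_accounts(accounts, today=AS_OF):
    """Return a list of (username, finding) tuples for a list of account dicts.

    Each account dict has: user, enabled (bool), employment
    ("active" | "retired" | "terminated" | "service"), password_last_set
    (date) and password_sha256 (hex string).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        pw_hash = acct["password_sha256"]

        # Row 16: off-boarded person who can still log in.
        if acct["enabled"] and acct["employment"] in ("retired", "terminated"):
            findings.append((user, "separated-employee-enabled"))

        # Row 14: password age beyond policy.
        if (today - acct["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "password-older-than-policy"))

        # Row 21: default / commonly used password, matched by hash.
        if pw_hash in WEAK_HASHES:
            findings.append((user, "default-or-weak-password"))

        # Row 9: password built from the username, matched by hash.
        if pw_hash in {sha256_hex(c) for c in username_candidates(user)}:
            findings.append((user, "username-derived-password"))
    return findings


# Constructed sample export; plaintexts appear only to build the hashes.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "employment": "active",
     "password_last_set": date(2023, 11, 2),
     "password_sha256": sha256_hex("Correct-Horse-Battery-9")},
    {"user": "svc_fw", "enabled": True, "employment": "service",
     "password_last_set": date(2021, 5, 1),
     "password_sha256": sha256_hex("admin")},
    {"user": "rsmith", "enabled": True, "employment": "retired",
     "password_last_set": date(2024, 1, 15),
     "password_sha256": sha256_hex("Summer-Lake-Trail-44")},
    {"user": "tnguyen", "enabled": True, "employment": "active",
     "password_last_set": date(2024, 3, 1),
     "password_sha256": sha256_hex("tnguyen123")},
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Run as a script it lists four findings: the service account uses the vendor default "admin" and has not changed its password in over a year, the retired user is still enabled, and tnguyen's password is the username plus "123"; jdoe passes. In practice the rows would come from the directory export and the weak-password list from the documentation of the devices actually deployed; physical findings such as row 1 (password taped to the screen) or row 7 (workstation left logged in) are outside what such a check can see.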
Student Name: ISOL 533