Risk Assessment Plan

profileNIK-raj
informationsectask1.docx

HEALTH NETWORK

EXECUTIVE SUMMARY

Health network is a heath service organization headquartered in Minnesota. The organization has over 600 employees currently and it has an estimate revenue turnout of $500 million. In addition, the company has two other operational locations in Portland, Oregon and Arlington, Virginia which support mix of organization operations. Each facility is located near a co-location data center, where product system is located and managed by third party data center hosting vendors.

The company deals with 3 products: HNetExchange, HNetpay, and HNetconnect.

1. HNetExchange is the primary source of revenue for the company. The server handles secure electronic medical messages that originate from customers i.e. from large hospitals, which are then relayed to the smaller hospital and clinics for reference when needed.

2. HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the management of secure payments and billing. The HNetPay Web portal hosted at Health Network production websites, accepts various forms of payments and interacts with credit-card processing organizations much like a Web commerce shopping cart.

3. HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses, medical certifications and types of services that the doctors and clinics offer. Doctors are given credentials and are able to update the information in their profile. Health Network customers, which are the hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments and update their profiles using Internet-accessible HTTPS Web sites.

Introduction

Mission: The Mission of the information security is to protect the three HNetExchange, HNetpay and HNetconnect applications from potential risks.

Goal: The goal of the risk management process is to protect the three key products or applications to ensure fulfilling the organization’s mission.

Objective: The objective of the risk management is to tackle its impending threats before they occur. It provides a better chance for proactive approach to handling problems than the reactive methods where problems solutions are created or thought of when it has already occurred. In Health Network, the risk management will help protect the organization information from major attacks thus ensuring it smooth operation. As this plan will create an inventory that helps when a data breach occurs, the plan can be referenced for insight and solutions.

SCOPE OF THE PROBLEM

For the sound existence and operation of the health network organization, data security is at the Centre of its sole operation. The organisation holds key data from customers ranging from its customer sickness which is private and also customer debit and credits cards which are also private. These dat are vital and hence attract cyber security attacks in an aim to get this data either to embarrasse or use it as black mail to get money from subscribers of the system.

The organization faces two risk of data breach other external or internal which may affect the company more severely. The are 3 elements which make up risks for the smooth operations of the Health Network.These include threats, valnurability and impact.

ELEMENTS OF RISK

Threats: Health network organization has a number of threats in its day-to-day operations, whose occurance may render the company to its standstill. These threats range from loss of company data due to hardware being removed from the system this can occur intentionally or un-intentionally. The risk can also be from loss of organizations’ data through loss of computers or phones where data is stored. The theft can be caused by misplacement of assets so that someone can gain access to company data in the name of theft. The data loss can also occur due to natural disasters such as storms, which occur in the area. The data can also be lost due to change in management of local host who may at times hold onto data for their own personal gain, or due to unstable software or computer malwares or software updates where virus finds ways to retrieve the secured data. (Acharyya, 2019)

These data can be lost due to insider activities to which may help attackers to gain access to the secured customers data. Data can also be lost because the company facilities are always accessed online hence attackers can use virus, DOS attack picketing to gain access to the secured data in an aim to use it for their selfish gain. These data can also be lost due to change in regulatory landscape that the stored data operate this is majorly due to change in government policy, which may change the data stored privacy acts which may make it more easly for attackers to gain access to customer data.

Vulnerabilities: The health network organisation servers have a weak link. the company main servers are easily accessible by unauthorized personnel who may plant attacks, which may bring activities to a standstill.

Impacts: HNetPay disruption might cause issue in delay in payments or mismanaging finances if messages are not transferred well using HNetExchange. If the information of the patients is revealed through HNetConnect, it might cause serious reputation damage to the organization. The threats the company face is major and can be encountered on any day, which make it a major concern as if one of this vital information is leaked or deleted it may cause inefficient access and transfer if information hence tinting the company image hence consequently reducing the total revenue turnouts. The decrease in revenue may leads to cut of major operation cost which may leads to retrenchment of workers which may affect their lifestyles. If deletions occur the company will be forced to start from start hence more finances involved in rebulding.it may also results in lack of information transfer hence making it difficult for smaller clinics to access patient’s information thus leading to misdiagnosis. Loss of customers debit card may also result into customers’ accounts funds being stolen or frozen.

Management of risk:

Risk management plan plays a vital role in the protection of an organization data. Hence the implementation of a powerful is a key factor to a successful security system. This can be achieved by having robust recovery system to ensure that data stored in servers can easily be retrieved in case of natural disasters in minutes to ensure smooth operations can be attained with minimum time. Back up of data on cloud storage will ensure this functionality is resumed but the cloud storage does not take responsibility of data stored. Hence company would be tasked with frequent deletion of old data to keep hard copies of data and encrypt data for security purposes.

Control Activities:

Policies and procedures must be setup for migrating from on-premises to cloud for the three products or applications to ensure safe migration without loosing any functionality or disruption.

The organisation has to adopt a rigorous plan to ensure data stored on hard drives is fully backed up as it is often under impending attack ranging from power loss, insufficient memory, accidental deletes, malwares, viruses or even natural disasters. This back up should be on a specific time which is part of day to day or weekly schedule and should be followed without fail this will reduce risk of data loss.

Resources Identification:

As the information that is transferred through products is highly confidential, the cloud application or active directory credentials must not be shared with unauthorized personnel. Periodically the credentials must be changed and shared with only corresponding personnel.

Control Review:

As the core products are accessed directly by limited users, a subject matter expert must ensure access control of the products in cloud. Also audit team must be setup with high integrity for the security of the data and applications by ensuring periodic audit access. Awareness about the importance of confidentiality, potential contingency plan and incident response must be generated through trainings for staff and stakeholders.

RISK ASSESMENT

A proactive and periodic internal audit must be conducted on the three products and corresponding stakeholders to ensure security of the product. Assessment report must consist of security threats and vulnerabilities that are associated with three products. If any serious concern arises or identified newly, it must be fixed with stringent change management rules.

An external audit also helps in identifying threats and vulnerabilities for the products and data without any bias. Health Network has 3 Major products whose data breach will cause reputation damage to the company. The HNetExchange is the major company revenue source and it hosts sensitive data of patients’ health and finances. Most people who walk around have sickness they have kept secrete and would not wish it to get known to other third parties. A small data breach from this channel may result to both effects both from compliance and strategic aspect where the company will be fined for not protecting the customer data in accordance to the standings laws and its sole purpose in data protection. This will also publicize the company negatively hence loosing clients to other competitor, this would in turn lower revenue thus its day-to-day operations. Ensuring a robust firewall for data can mitigate this effect and vetting of authorised personnel to ensure no internal breach occurs.

An attack on the HNetpay may results in loss of customers’ financial data. This may plunge the company into endless lawsuits and fines from government and affected individuals. This will drain company resources as well as destroy its amicable reputation.

Risk Management Program:

Risk management program must be implemented in sequence and multiple iterations.

1. Policies, procedures and guidelines must be setup for migration of applications from on-premises to cloud. After first iteration, management with help of documents from internal must review and update the policies, procedures and guidelines periodically. If any changes are needed, they must be implemented in proper ay and tested and deployed to the application in cloud without making. Also, the organization must ensure the security of the application after deployment of the new changes by doing Security Review (Newsome , 2014) Testing.

2. New documentation must be release and shared with stakeholders by risk management committee, which must include management, audit team and SMEs. Users must be trained on the new changes when necessary with a strong emphasis on security and integrity of the applications.

3. As time changes, the application needs some changes as per the demands. So, the application must have a dedicated development and support team to ensure periodic update to handle threats and vulnerabilities of the constantly changing world. A product review process and continuous monitoring and measuring security issues and performance of the system must be in place.

4. As the scope of the business increases, the products must support new business needs by expanding direct ties between products and corresponding data sources.

Risk mitigation.

Not all foreseen risks can be 100% corrected hence a mitigation plan is considered a plan to reduce the likelihood of occurance of risks either externally or internally thus curbing its fatal ramifications on organization operations. The best mitigation practise against external attack is through continuous training of the employees of the possible impending loopholes that attackers use to gain access to the system. This methods include access attacks password cracking hence develop and instill the need for stronger password.train them on how to detect virus that are attached to emails or which occur in apps updates hence need to develop system that seek admin permission to carry out any software install or update.(Andersen , 2012) The data loss can also be saved by robust hard copy for sensitive data or save copies of harddrives in a secure location .Also the implementation of cloud data storage with strong recovery and protection method will ensure continued operation even in times of storms on hardwares.

The internal licks can be mitigated by continuously vetting new members while monitoring traffics of already members this will give vital information of possible moles in the company hence preventing such data loss.Also strong rooms should be accessed by authorised personnel through double verifications of finger prints and card for access which will also keep track of the log activities of all users.this approach is expensive but necessary but is also subjected to loopholes where authorized personnel. It will give their credential’s to attackers.

REFERENCES

1. Acharyya, M., & Brady, C. (2014). Designing an Enterprise Risk Management Curriculum for Business Studies: Insights from a Pilot Program. Risk Management and Insurance Review,17(1), 113-136. doi:10.1111/rmir.12019

2. Approach for selecting risk analysis methods. (2015). Risk Analysis,178-183. doi: 10.1002/9781119057819.app3

3. Andersen, T., Bollerslev, T., Christoffersen, P., & Diebold, F. (2012). Financial Risk Measurement for Financial Risk Management. doi:10.3386/w18084

4. Quail, R. (2011). How to Plan and Run a Risk Management Workshop. Enterprise Risk Management,155-170. doi:10.1002/9781118267080.ch10

5. Newsome, B. (2014). A practical introduction to security and risk management. Los Angeles: SAGE.