Need a 5 pager paper
Info Security & Risk Mgmt. (ISOL-533-M20)
ISOL 533 Project Part 1
Introduction
In this project part 1, the task is to conduct a risk assessment based on the information given in the project briefing. The Risk assessment is a part of Risk Management in this given scenario the Health Network Inc is the organization it is having its headquarters in Minneapolis Minnesota. There are two other branches located in Portland Oregon and Arlington Virginia.
The total number of employees in the organization are over 600. And this company generates and annual revenue of $500 million USD.
The core function of this organization is delivering IT services in the Healthcare sector. It delivers three products HTNetExchange , HNETPay and HNet Connect .
The HTNet Exchange is applied to handle secure electronic medical messages in the areas such as larger customers Hospitals and Small customers clients.
HNetPay is a product is applied in Web Portal to provide secure payment services and it also accepts different forms of payment methods
The third product HTNetConnect is used as a tool by the customers to find the suitable Doctor for their needs and it maintains user profiles of Doctors, clinics and patients
The Health Network Inc has data centers near the its branches, these data centers are managed by a third-party vendor. In total there are 3 data centers. The total breakdown for IoT devices owned by the company are 1000 data servers ,650 corporate laptops and other mobile devices.
According to briefing the current Risk management plan Health Network Inc is out of date. As a result of that the company has requested the project manager to develop a new risk assessment plan,
Known Threats
The known threats according to project briefing, the loss of company data due to hardware removal from production systems. Second area detected is loss of company data due to lost or stolen company owned IoT assets. The other major area is loss of customers due to events like natural disasters poor quality of the software and change management. Some of the other areas identified are cyber-attacks and internet threats due to company internet products configured with poor access controls. And also, insiders’ threats intentionally or un intentionally done by the insiders are identified. Finally, the threats related to impact of changes made due to regulations and their impact in daily operations are identified.
Scope of Risk Assessment
The scope of the risk assessment is to identify different areas and domains related to the Health Network Inc. From the known threats it is evident that the company’s confidentiality, Integrity and accessibility are at a risk. The scope includes collecting information regarding threat landscape, vulnerabilities that are present in the software, systems and applications. And the scope takes the assets into considerations assets such as IoT devices company owned Servers, User workstations, tablets, cellular phones, desk phones, laptops etc.
Risk= Threat x Vulnerability x Asset
‘
Identify Assets and detect Vulnerability
According to briefing. In total there are 3 data centers. The total breakdown for IoT devices owned by the company are 1000 data servers ,650 corporate laptops and other mobile devices.
The assessment must confirm weather these 3 data centers are meeting SLA (service Level Agreements). And are these data centers following standardized procedures to maintain the integrity of the data.
The assessment must conduct on 1000 servers. The plan should ensure weather the servers are properly configured to handle cyber attacks all the TCP ports are scanned and appropriate patches and fixed are done must be recorded. The server web applications must be tested using penetration testing methods and the vulnerabilities identified must be recorded. All the known vulnerabilities related to servers in terms of configuration, web application and accessibility must be recorded.
The 640 corporate laptops must be tracked and an assessment must be conducted in gathering information regarding how many laptops are lost or stolen, and how many users are working remotely using these devices must be recorded.
How many BYOD and mobile devices are active and what is the status of the security for these devices must be recorded
Based on the above asset evaluation the monetary value of the asset must be set and based on that the mission critical asset must be classified, is it a major or minor must be defined.
Conduct Assessment on Controls
The assessment on controls must be conducted to identify weather the IT infrastructure is configured to prevent or minimize the impact of potential threat agent exploiting the infrastructure using existing vulnerabilities.
Determine the Likelihood and Impact of the Incident
The potential targets and access point threat agents take advantage of are API’s with compiling issues and the servers with improper configuration and poor user access rights settings can take as an advantage, they also take advantage of HTTP user interface applications, in some cases Unpatched application along with the OS updates will be targeted. A newly installed hardware without proper security or quality certificate can also be a means to deliver a successful attack. Apart from that outdated drivers used for systems hardware.
A threat can come in many forms, it can be a potential hacker with individual motifs or a group of criminal induvial collectively working to break into the database, they can use various tools such as a planted worm or malicious program into the computer, or they can use various attack techniques to get the desired outcome.
In order to develop a threat model, one must identify the capacity, set of skills and recourses that a threat agent possess, one must also identify the patterns that threat agent is following to deliver a successful attack. They must identify the category is it a SQL injection attack or a DDOS attack, or whether they are using social engineering or phishing techniques. In some cases, the attacks are done my combination of these patterns.
By collecting this vital information and further developing a threat mitigation database to classify these threat variants origins and types it can used as benchmark reference for developing threat mitigation strategies. Upon identifying the intensity of the threat, a risk rating must be given to these threats and further prioritize based the intensity.
Risk Rating= Credible Attack Vector * Impact
Based on the classifications and data collected predict the likelihood of a potential incident risk can be rated as high medium or low
Impacts in different areas:
· The Stolen IoT asset can compromise SOX compliance and GBLA compliance
· Companies poorly configured servers and web applications can also compromise SOX compliance and GBLA compliance.
· Insider threat can cause major finical loss, it can compromise CIA, this could lead to financial loss.
· Poorly handled Change management can give un required access to the users for the confidential zones.
Tools Used to Conduct the Risk Assessment
Implement Risk Level Matrix
Developing a risk level matrix template can give a clear picture on the likelihood of the threat to occur and their impact on business operations in terms of cost ,downtime of systems and what is necessary solution or security control that has been used previously to address such risks .All this information can be stored in the risk level matrix ,and upon the occurrence of threat, this matrix can be used as a quick chart to address the issues
Business Impact Analysis
Business impact on product level
HTNet exchange the attack on HTNet exchange can compromise the secure communication messages between the hospitals and clients, it can reveal information such as User names and content in the message. This can impact the GLBA compliance. The impact on business and the risk level is high.
HNetPay is a product is applied in Web Portal to provide secure payment services and it also accepts different forms of payment methods. If this portal is under cyber-attack then there can be a financial loss and reputation loss. It can compromise the user accounts financial information. The risk level is high.
The HTNet Connect is used by clients to find the doctors. If this product is under cyber attack it can compromise user names, social security numbers, Date of births of the users. This can compromise the GBLA and HIPPA compliance the risk level is high
REFERENCES
Ilia Sotnikov January 16th , 2018 How to Perform IT Risk Assessment
ISACA Jan 2010, Journal Performing a Security Risk Assessment