Running Head: DATA SECURITY AND RISK ASSESSMENT
Project Part 1 Data security and risk assessment
University of The Cumberlands
09/20/2020
Risk assessment is a broad term for the methods and processes used to identify hazards, to evaluate and analyze the associated risk, and to control it. By identifying a hazard, an organization can pinpoint the risks that may harm it (Adler, 2004). The organization then evaluates and analyzes the risk associated with each identified hazard. Finally, it puts in place measures to eliminate the hazard; where a threat cannot be entirely eliminated, control measures are implemented to reduce its impact on the organization.
The risk assessment for Health Network Inc needs to identify and control the perils that may compromise the organization's technological infrastructure, processes, people, and assets. Because technology has advanced and the current risk assessment is outdated, it no longer addresses the hazards the company faces, and I have been asked to produce a risk assessment that addresses the organization's current problems. Since Health Network Inc is a health-oriented company, the data it holds about hospitals, patients, and healthcare personnel is critical and requires protection.
Many risk assessment tools are used in various organizations, particularly in healthcare settings. Standard tools include the Bow-tie model, the Swiss cheese model, Root Cause Analysis (RCA), and Healthcare Failure Mode and Effect Analysis (HFMEA). For Health Network Inc, I have chosen the Bow-tie analysis model because of its wide application to risk assessment in healthcare organizations and in manufacturing. The Bow-tie model was first applied to high-risk organizations in Australia and Europe.
The model has been applied in many healthcare organizations to conduct risk assessments and prevent hazards, and has proven effective compared with other risk assessment tools (Elamir, 2019). A Bow-tie diagram visualizes a hazard with its causes on one side and its consequences on the other, and the controls that sit between them. In the healthcare sector, the Bow-tie model helps identify, and find solutions to, hazards that can compromise patient care.
Health Network Inc offers three main products: HNetConnect, HNetPay, and HNetExchange. HNetExchange is the primary source of income for Health Network Inc. It is a service that securely receives information from various hospitals and routes it to clinics for analysis of patients' health. Many large hospital organizations are regular customers of Health Network. Besides patients' critical data, HNetExchange also conveys crucial information about hospitals and healthcare personnel.
HNetPay is an Internet web portal, supported by HNetExchange, that facilitates the management of secure billing and payments. Many healthcare organizations use the HNetPay web portal to make payments because it accepts various means of payment; for instance, HNetPay processes credit cards much like a web shopping cart in e-commerce. HNetPay lets an organization transfer payments electronically to the concerned stakeholders more easily.
HNetConnect is an online directory that lists healthcare providers' names and qualifications and other crucial healthcare information. It gives Health Network Inc's clients accurate information on how to reach the right doctor at the right healthcare facility when a client is seeking care. HNetConnect also lets clients see exactly which services clinics and doctors offer. Healthcare providers are given credentials to update their own profiles in HNetConnect. Health Network's clients, the hospitals and clinics, connect to all three products over HTTPS, and healthcare providers and potential patients update their profiles and make payments through Internet-accessible HTTPS websites.
The first step was to review Health Network Inc's information technology infrastructure, since the organization is purely a technological enterprise. The company's data center manages more than a thousand production servers, and the company also manages mobile devices for its employees and six hundred and fifty corporate laptops. Applying the Bow-tie model, I found a variety of risks associated with the IT infrastructure. Critical company information had been lost through hardware stolen from the company's production systems, at a cost of one million dollars.
The Bow-tie model also revealed problems with employees' mobile devices. Crucial information had been lost through stolen company-owned mobile devices and laptops, which cost the company $200,000. The Bow-tie tool further revealed a loss of customers resulting from unstable software applications and from change management that does not address critical details of the company's information technology. There were also Internet threats arising from unauthorized people reaching the company over the Internet. Finally, the Bow-tie model identified insider threats, and a shift in the regulatory landscape that may negatively affect daily company operations and has cost the company $700,000.
The company should ensure that the one million dollars lost through removal of hardware from the production system is recovered. First, the company's insurer should be called in to investigate the loss, and the culprits, whether employees or senior management, should be charged. The company should also back up its data so that, even if devices containing critical data are stolen, the information can still be retrieved. Transfer and downloading of data from the organization's database should be restricted to authorized people only.
In addition, data transfer should be protected by a firm password policy so that unauthorized users cannot access the organization's information over the Internet. Data access rights should be defined so that employees and customers cannot reach critical information they are not authorized to see. Lastly, the organization should install a firewall in front of the information systems that hold essential information.
If the company implements these suggestions, the loss will be reduced to $10,000, and implementing the strategies will cost $1,200. The benefit in the Cost-Benefit Analysis (CBA) is the difference between the loss before and the loss after the control: $1,000,000 minus $10,000 gives the company a benefit of $990,000. After deducting the $1,200 implementation cost, the control value is $988,800.
Loss of company data through theft of company assets such as laptops and mobile devices can be prevented by storing information in the cloud, so that authorized users can still retrieve the data from other devices. A firm password policy should be implemented so that, even if a device is stolen, its information cannot be accessed; note that a password alone does not protect data on a stolen device unless the device's storage is also encrypted. The company should also set up a control room and employ a professional to monitor physical access, so that nobody without the organization's authority can remove a device without being caught.
The organization should also install a firewall so that hackers are denied access to the company's information system. Implementing these controls will cost the company $240, and the loss will drop from $200,000 to $2,000. The CBA benefit is therefore $198,000, obtained by subtracting $2,000 from $200,000, and the control value is $198,000 less the $240 implementation cost, or $197,760.
For Health Network Inc to avoid losing clients because of the regulatory landscape, the company should ensure regular backups of information and offsite data storage (Farahmand, Navathe, Sharp & Enslow, 2005). The company should also convert its records into digital form suitable for long-term storage.
The company should also adhere to standards that require strict use of two-factor authentication. This will reduce the cost of losing clients from $700,000 to $7,000, a CBA benefit of $693,000, at a control cost of $700. Subtracting the implementation cost from the benefit gives a control value of $692,300. The company should also ensure that no cost is incurred through insider threats; it should therefore install intrusion detection systems that let the organization monitor employees' access and activity.
In conclusion, many organizations' managements believe that losses in an enterprise are caused by negligence in the human resources department. As this paper shows, many organizational failures are caused by insufficient management controls. An organization's aggressiveness in implementing risk assessment recommendations can prevent losses.
References
Adler, M. D. (2004). Fear assessment: Cost-benefit analysis and the pricing of fear and anxiety. Chicago-Kent Law Review, 79, 977.
Elamir, H. (2019). Enterprise risk management and bow ties: Going beyond patient safety. Business Process Management Journal.
Farahmand, F., Navathe, S. B., Sharp, G. P., & Enslow, P. H. (2005). A management perspective on the risk of security threats to information systems. Information Technology and Management, 6(2-3), 203-225.