Risk Management Project Part 5
Project Part 2: Risk Management Plan
Yogesh Jagarlamudi
Executive MSIT
University of the Cumberlands
Summer 2021 - Info Security & Risk Mgmt (ISOL-533-A03)
Date: 05/19/2021
Risk Assessment report
Introduction
This report takes an internal look at the Health Network Inc. hospital infrastructure through a Risk Assessment (RA). It informs management of the threats the network is likely to face if suitable actions are not taken. A system description is included to give an understanding of Health Network Inc.'s information systems in their entirety (Hordyk & Carruthers, 2018). The output of this procedure will aid in selecting appropriate controls for eliminating or reducing risk during risk mitigation. As the person responsible for this project, I will use the qualitative risk assessment technique for the current case. With this method, my team and I will be able to establish the significance of each identified hazard and guide the risk response measures. The report will measure vulnerabilities using a risk scale matrix: every vulnerability will be rated on a scale from low risk to high risk.
Purpose
This RAR intends to inform Health Network's top executives of the security evaluation that will be carried out on the firm's network. The network will be examined using the Nmap security scanner. The weaknesses uncovered by these tools would leave our information network infrastructure open to many kinds of intrusion if not corrected.
Importance
This risk management strategy is crucial because it will establish awareness of the risks and hazards present, define control programs for the different threats, determine whether the present control measures are satisfactory or more is needed, and highlight threats and control activities. It will also identify the systems and networks that may be in jeopardy.
Scope
The scope of this risk assessment is to evaluate the internal and external vulnerabilities in the Health Network company products (HNetExchange, HNetPay, and HNetConnect). The RAR will also evaluate the control measures for eliminating internal and external vulnerabilities that could lead to unauthorized disclosure of data, considerable financial losses, website defacement, and denial of service.
Data-center assessment
Production systems of Health Network Inc. are located and run at three co-location data centers near each of its corporate facilities. The assets and activities to be assessed in these data centers include the main power feed, engine generators and their functioning, batteries and UPS, and the critical power supply, which is an essential prerequisite (Hordyk & Carruthers, 2018). Cooling controls for the entire data center will also be evaluated, since adequate measures must be in place to manage cooling as servers heat up under considerable load. Emergency and disaster mitigation activities, maintenance, and operations will also be evaluated. Furthermore, the physical security of the data centers, both internal and external, will be evaluated.
Threats and vulnerabilities
Threats to healthcare information security have recently increased considerably. In the current case, Health Network Inc.'s information systems are threatened by both intentional and unintentional activities which could seriously harm the reliability of our health information systems (Ayatollahi & Shagerdi, 2017). They include:
Hardware and software faults or failures: includes hardware maintenance faults, inadequate storage space, and removal of hardware from production routines. Software maintenance errors and software application breakdowns are also possible threats.
Industrial espionage. Threat acts include information theft, network penetration, social engineering, invasion of individuals' privacy, and unlawful network entry.
Internet threats such as malware attacks, DDoS attacks, packet sniffing, and spoofing. Threat acts include social engineering, hacking, system intrusion, break-ins, and illegal system access.
According to Ayatollahi and Shagerdi (2017), insider threats, including discontented workers, fraudulent or dismissed personnel, and malicious negligence, can result in threat actions such as browsing of proprietary information, fraud, theft, interception, malicious code such as viruses, sale of private data, system intrusion and sabotage, data corruption, and input of tainted or fabricated information.
Power loss/failure and natural disasters, such as air-conditioning stoppage, servers down because of power loss, and disruption by service providers such as internet and electricity providers; earthquakes, lightning strikes, and fire or water damage to hardware.
Management and regulatory changes: changes in the terms and conditions of use of the hospital products, and changes in federal policies and rules.
Some of the vulnerabilities include failure to remove dismissed workers' network identifiers from the system, the organization's firewall permitting incoming telnet, and known flaws in the system's security design. Finally, since the data centers use water sprinklers to put out fires, covers are not in place to protect the servers from water damage.
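The first two vulnerabilities above (inbound telnet allowed through the firewall, and dismissed workers' identifiers left in the system) are the kind an assessor can confirm with a simple audit rather than by inspection alone. The following is an added example, not part of the report or of Health Network Inc.'s own tooling: it evaluates a constructed firewall rule set with assumed first-match semantics and compares a constructed account directory against an HR termination list. The field names and data are assumptions made for the example.

```python
# Added example (not from the report): audit checks for two of the listed
# vulnerabilities, run over constructed sample data.
from datetime import date

# Constructed firewall rule set; the field names are an assumed shape,
# not any vendor's format. Rule 2 allows inbound telnet ahead of the deny.
FIREWALL_RULES = [
    {"id": 1, "direction": "inbound",  "action": "allow", "proto": "tcp", "port": 443},
    {"id": 2, "direction": "inbound",  "action": "allow", "proto": "tcp", "port": 23},
    {"id": 3, "direction": "inbound",  "action": "deny",  "proto": "tcp", "port": 23},
    {"id": 4, "direction": "outbound", "action": "allow", "proto": "tcp", "port": 23},
]

# Constructed account directory and HR termination dates.
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True},
    {"user": "asmith", "enabled": True},
    {"user": "bwong",  "enabled": False},
]
TERMINATED = {"asmith": date(2021, 4, 30), "bwong": date(2021, 3, 15)}
AS_OF = date(2021, 5, 19)  # assessment date used for the check


def effective_inbound_action(rules, proto, port):
    """First-match evaluation (assumed semantics): the first inbound rule whose
    protocol and port match decides; no matching rule means the default deny."""
    for rule in rules:
        if (rule["direction"] == "inbound"
                and rule["proto"] == proto and rule["port"] == port):
            return rule["action"]
    return "deny"


def telnet_exposed(rules):
    """True when the rule set lets inbound telnet (tcp/23) through."""
    return effective_inbound_action(rules, "tcp", 23) == "allow"


def stale_accounts(accounts, terminated, as_of):
    """Accounts still enabled for users whose termination date has passed."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"]
                  and a["user"] in terminated
                  and terminated[a["user"]] <= as_of)


def audit(rules, accounts, terminated, as_of):
    """Collect findings from both checks as plain strings for the report."""
    findings = []
    if telnet_exposed(rules):
        findings.append("firewall permits inbound telnet (tcp/23)")
    for user in stale_accounts(accounts, terminated, as_of):
        findings.append(f"account {user} still enabled after termination on {terminated[user]}")
    return findings


if __name__ == "__main__":
    for line in audit(FIREWALL_RULES, ACCOUNTS, TERMINATED, AS_OF):
        print("FINDING:", line)
```

Rule order matters for the first check: with rule 3 placed before rule 2, the same rule set would be evaluated as closed, which is why the check walks the rules in order instead of looking for any deny.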
Risk determination
This step evaluates the risk levels of the IT networks. The risk for a particular threat/vulnerability pair can be expressed as a function of the likelihood that a given threat source will attempt to exploit a given vulnerability, the magnitude of the impact should the threat source successfully exploit it, and the adequacy of the current or planned security measures for reducing or eliminating the risk. The likelihood value assigned to each threat level is 1 for high, 0.5 for intermediate, and 0.1 for low (Ayatollahi & Shagerdi, 2017). The values for each impact level are 100 for high, 50 for intermediate, and 10 for low. The table below indicates the risk levels and the required measures.
| Risk level | Description and needed measures |
| --- | --- |
| High | When a finding is analyzed as a high risk, there is a clear requirement for counteractive actions. |
| Intermediate | When regarded as medium risk, counteractive measures are essential and a strategy must be established to integrate these measures within a reasonable time. |
| Low | When a finding is assessed as low risk, the network's DAA should decide whether counteractive measures are needed or choose to accept the risk. |
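The scoring described above multiplies the likelihood value (1, 0.5, 0.1) by the impact value (100, 50, 10) and maps the product to one of the three levels in the table. The following is an added example, not from the report: it builds the full nine-cell matrix from the report's values and rates a few constructed findings. The report names the levels but does not state the numeric cut-offs, so the thresholds (above 50 is High, above 10 is Intermediate, otherwise Low) and the likelihood/impact ratings given to each finding are assumptions made for the example.

```python
# Added example (not from the report): likelihood x impact risk scoring
# with the values given in the Risk determination section.
LIKELIHOOD = {"high": 1.0, "intermediate": 0.5, "low": 0.1}  # from the report
IMPACT = {"high": 100, "intermediate": 50, "low": 10}          # from the report


def risk_score(likelihood, impact):
    """Risk = likelihood value * impact value, rounded to avoid float noise."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score):
    """Assumed thresholds (the report names the levels but not the cut-offs):
    above 50 is High, above 10 is Intermediate, otherwise Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Intermediate"
    return "Low"


def risk_matrix():
    """All nine likelihood/impact combinations with their score and level."""
    return {(l, i): (risk_score(l, i), risk_level(risk_score(l, i)))
            for l in LIKELIHOOD for i in IMPACT}


# Constructed findings drawn from the vulnerabilities listed earlier; the
# likelihood/impact ratings are illustrative assumptions, not the report's.
FINDINGS = [
    ("Firewall permits inbound telnet", "high", "high"),
    ("Dismissed workers' identifiers not removed", "intermediate", "high"),
    ("No covers to protect servers from sprinkler water", "low", "high"),
    ("Known flaws in the security design", "intermediate", "intermediate"),
]


def rate_findings(findings):
    """Return (name, score, level) tuples sorted from highest to lowest score."""
    rated = [(name, risk_score(l, i), risk_level(risk_score(l, i)))
             for name, l, i in findings]
    return sorted(rated, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for (l, i), (score, level) in risk_matrix().items():
        print(f"likelihood={l:<12} impact={i:<12} score={score:>6} -> {level}")
    print()
    for name, score, level in rate_findings(FINDINGS):
        print(f"{level:<12} {score:>6}  {name}")
```

Note that a high-likelihood, intermediate-impact pair and an intermediate-likelihood, high-impact pair both score 50 and land in the same band, while a low-likelihood, high-impact pair scores 10 and falls to Low; the matrix therefore does not by itself prioritise rare but catastrophic events, which is something the assessor has to weigh when assigning ratings.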
Relevant controls for assessment
Controls capable of eliminating or mitigating the identified vulnerabilities and threats, as appropriate to Health Network Inc.'s operations, are specified. The objective of the proposed controls is to reduce the risk levels of the IT system and its data to acceptable levels. Relevant controls to be assessed include legislation and by-laws governing company systems and networks, administrative policies, operational effects such as the impact on network functionality, reliability and safety, and network compatibility (Hordyk & Carruthers, 2018). It should be acknowledged that not all proposed control actions can be applied to reduce loss. To establish the essential and appropriate controls for a healthcare facility, a cost-benefit evaluation should be performed to confirm that the cost of applying a control is justified by the reduction in risk level. Moreover, feasibility, including user acceptance and technical requirements, should also be assessed for each control measure.
Key roles
Top management will be crucial in ensuring that the requisite resources are applied effectively to advance the ability to carry out the project. The Chief Information Officer (CIO) will be accountable for IT planning, budgeting, and operations, including IT's data security components (Rothrock, Kaplan & Van Der Oord, 2018). The ISSO will be accountable for the organization's security programs, including risk management, and will be essential in presenting a suitably structured approach to identifying, evaluating, and minimizing risks to the IT systems. The network manager will be accountable for business functions and IT procurement procedures. Database and security administrators and custodians will also play a key role in the completion of this project.
Proposed project schedule
References
Ayatollahi, H., & Shagerdi, G. (2017). Information security risk assessment in hospitals. The Open Medical Informatics Journal, 11, 37.
Hordyk, A. R., & Carruthers, T. R. (2018). A quantitative evaluation of a qualitative risk assessment framework: Examining the assumptions and predictions of the Productivity Susceptibility Analysis (PSA). PLoS ONE, 13(6), e0198298.
Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board's role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12-15.