1 / 18100%
There are a lot of potential threats that can cause harm to a business or organization
but what in the medical field the threat is mainly about stealing information from
patients such as financial information, name, address, etc. those demographics can
allow a person to steal your identity. So if this is the case you must wonder if they
have some sort of system or process to prevent this from happening. Which is when
it becomes important to have a planned security method in place to protect patients.
The doctors office or hospital will take certain measures to ensure such safety when
it comes to their patients information such as purchasing security software to protect
their devices from cyber attacks and viruses. Which is very helpful because it
prevents hackers from being able to access the patient information that is located in
their electronic health record (EHR). It is also good to hire someone to monitor the
activity of the patient information as well so that they can detect an attack that the
system doesn’t and stop it. Risk Management at a financial institution such as
USAA is very critical. USAA is a federal bank and has access to plenty of people’s
personal and financial information. Because of their access to such personal
information there are several risks and vulnerabilities that clients and people have to
be prepared for and protected from. Some of the risks are cross site scripting,
remote code execution, and more. The best way to go about protecting users from
cross-site scripting is likely to involve a combination of filtering input on arrival,
encoding data on output, and using appropriate response headers.. To do this you
would filter as soon as the user input is received and filter as strictly as possible
depending on what is expected or valid input. To prevent users from remote code
execution timely installation of software update is ranked as the top cybersecurity
measure in preventing remote code execution attacks. If your organization is using
computers or servers that are using software that’s vulnerable to remote code
execution, the last vendor patch to diminish this particular cyberattack should be
timely applied. Risk management for Virginia Medicaid is extremely important. The
assets that they have to look at is Account information as in social security numbers
and account numbers for banks. The best way to ensure that the risk factors go
down is to make sure that employees do the clean desk policy which removes all
important documents at the end of the day or when they are away from their desk.
Also they have a risk with employees taking home laptops someone might connect
to a non secure network and a hacker can gain information that way. Also make
sure that people have the correct ID badges and that non employees who no longer
is employed cannot enter the building as well. They need to have a higher security
with what people do on work computers such as online shopping and more. After
reviewing System76, I can say that the over all risk assessment is relatively low,
and the best I can tell their risk control is pretty good. I do not know that I could
advise the company on an contingency plan. Their biggest risk is possible theft of
customers payment methods, however, for what I can tell they already use a third
party company for transactions, so that transfers their risk and liability. Risk control
is mitigated by having hosted site, once again transferring the responsibility to a
third party. If they were to change things up, in the future, having employees access
sensitive information, via VPN. Having a strong, and closely monitored firewall
protecting customer sensitive information, also employing remote encrypted storage,
backing up order history and also unfulfilled orders. The firewall and the remote
encrypted storage, along with the VPN access should cover all three topics we
needed to discuss. Risk Management can play a very important role when it comes
to working with any computer company. It will give the individual different steps
that they have to go by which would be the process of rsk management. The Basics
of Risk Management stays the same. We know that we must take a risk assessment
and follow all guidelines. We could identify potential risks and try to figure out
whats wrong or how we can support it. There are several steps involved in the
security planning process including contingency planning, risk assessment and risk
control. Contingency planning is about creating a response plan if an adverse event
should threaten our normal operations. An important part of Contingency planning is
incident detection and this involves identifying the different types of events that
could cause harm to our business. This type of event is called an adverse event.
When an adverse event happens it’s important to roll out our incident response plan
which is going to detail how our business is going to respond to the adverse event
to continue operations.
Another step in security planning is risk management. Risk
management is about identifying the risk to our business and how we can actively
protect ourselves from that risk being able to damage our operations. This is
important because it helps us reinforce our risk weaknesses.
vv v vv vv vv In our current business we face a number of risks and we have some
vulnerabilities that need to address. But first we have to start by identifying our
assets that need to be protected. The first asset we should evaluate is our servers.
Currently our server room is unsecured. We do not control the physical access of
people into our server room which can be a serious problem. It would be very
similar to disabling our network firewall. We also should identify other risk or
adverse events that could impact our server room. After we have done this we
should start a contingency plan to establish what actions should be taken in the
event of an adverse event. Additionally what steps can we take now to mitigate the
risk of such adverse event. I originally choose Apple to write about and the risk
level versus the value of data they hold that threat are after to exploit. Apple has
systems in place to assess risk levels daily if not using advance systems to assess
risk level and the assets they want to protect and the treat to those assets. Apples
risk assessments in place continuously looks for threats they face and the projected
damage done if a threat is successful that then goes into contingency planning based
off the risk appetite. Contingency planning is always planning for the likely and
most likely outcome for incident recovery. Some incidents are so disastrous that the
primary site isn’t immediately recoverable, and Apple would have to use on of their
offsite or alternate location while the primary site and servers are recovered. I think
Apple has advance systems in place that are continually evolving to assess risk
assessments and develop risk controls that eliminate or minimize the threats to assets
that are worth defending as a big Apple product and account user it’s comforting
that they value my information as a asset worth defending from threats. The surge
in remote working has made managing data on employee devices increasingly
important and I wanted to see if anyone in the class is using or have used mobile
devices to conduct work for your organization. American eagle would need to assess
their risks first. I believe they have a lot of information to protect. They store many
customers personal information, including emails, birthdays, home addresses, etc.
With that their website/app stores credit card information for ease of ordering for
their customers. Once we have identified the assets to protect, we would place value
upon them. Next, we would need to assess the threats they are facing. I would
imagine with any corporation they likely face a lot. Hackers, knowing they store
pertinent information on their servers would make anyone a target. Risk management
is extremely important so everyone can be aware of what is at stake if there was an
adverse event. Knowing the amount of loss is also important if a breach was
successful. Having a recovery plan in place would be helpful. Having a planned
response ready if an incident occurs will reduce the losses we may face. Aside from
American Eagle’s online database they need to protect, they also need to be able to
run point of sale registers around the world. When we had an issue before and
could not ring people up they either had to come back (and they likely wouldn’t so
we lost sales) or we would have to handwrite receipts and imprint credit cards
which a lot of people are not comfortable with these days. The steps involved in
security planning for Verizon would start with doing a risk assessment. First, we
would need to understand what we want to protect, and then understand the threats
that face the things we want to protect, or assets. We would create a TVA (Threats,
Vulnerabilities, and Assets) worksheet, by listing the assets by order of importance
down the first column and the threats by order of danger across the top row. Where
each of these intersect, we would list the weaknesses found. Once the TVA
worksheet is complete the risk appetite will be determined, or whether we are able
to live with a current risk. The risk control options include accepting the risk;
transferring the risk to another organization or company; mitigating the risk;
terminating the program, software, etc., that creates the risk; or defending the risk.
Basically, we will decide for each intersection if we can address it in-house or if we
need help from a specialized company. Risk management is very important if an
organization wants to have a working security planning process. If something is
missed while doing a risk assessment it will likely cause the company losses in
revenue, data, time, and even reputation. The key steps that are involved in security
planning for an organization include identifying the vulnerabilities and weaknesses in
the system, risk management including prioritizing them and deploying stringent
control measures. Furthermore, it is very important to create a robust security culture
so that both employer and employ can contribute towards the security aspect. The
thorough and timely review of IT policies and protocols are very important as they
provide direction to the personnel to minimize risks that could arise and compromise
the security .The employees must be given training so that they can play a proactive
role to strengthen the effectiveness of the security plan. Risk management is very
important in the security planning process as it helps to identify the threats that
could arise and compromise the security (Renfroe & Smith, 2010). Thus it influences
the security plan so that the identified risks can be reduced or eliminated. The
existing threats and vulnerabilities impact the importance of risk management. Since
the risk management process is in place to deal with these elements, it acts as a
barrier that safeguards the business organization and improves its security. Thus risk
management is a cardinal component of a security plan that helps to strengthen the
security posture of the organization. One example of contingency planning that we
have here at Kaiser Permanente is when we have "down Time". Down time is when
our systems are down, we have no internet connection, our computer systems stop
communicating to each other and we have to process prescriptions manually. Filling
a prescription during down time can be very dangerous, and very overwhelming. We
have to manually type every bit of information thats on the prescription, from patient
information, doctors information, the instructions, description of the medication, and
manufacture. Normally our computer system does all that for us, our system also
automatically lets us know of any drug interactions with other medications the
patient is on, now times that by how ever many prescriptions we have to process
during down time. Thats only getting the prescription ready, now we have to sell it,
we have to verify everything manually, verify the patient, medication, directions, how
many medications the patient is picking up. We have to fill out a manual receipt
and have the patient print and sign. When the system is back online we later have
to get all the manual receipts and process them in our system so its saved into each
of the patient profile and sell them again in the register. This is a big security and
safety issue, this increases our chances of selling the wrong medication, giving
protected health information to the wrong patient, processing the wrong prescriptions
into the wrong patients profile. The main issue during down time is not being able
to close the pharmacy, patients are coming down from the ER needing their
medication, and wanting to go home. We need to be there for the patients, and our
members at Kaiser, so we have a system to process prescriptions during these tough
times. Apple always has Contingency Planning going on due to a lot of users calling
in about their accounts with issues. When a customer calls in you always have to
verify who you are speaking with and make sure the case customer match's the
name given. Then you are able to proceed to help the User if not then you are
unable to help them unless customer has a case profile. Apple always keeps the
correct policy's up to date so that whatever risks there are we know how to see a
threat coming. Its very important to make sure your talking to the correct person
attached to the case so that your not giving out wrong information. Before being
able to give specifications to a apple product you have to get the serial or IMEI
number first. Making sure you have the correct device and giving out the correct
information. Threats are a big impact because a lot of people use apple products and
their services backing up to icloud their information also so they wont lose it if
their device stops working. The user can always download their information off the
cloud on their new device. Adversary's always want to get users information by
pretending to be a apple representative. Currently companies are falling victim to
ransomware attacks every 14 seconds. “These sophisticated attacks start by infecting
secure database systems, encrypting data, and threatening deletion or corruption of
files unless a hefty ransom is paid.”. To evade these types of threats, CACI would
need to focus on keeping data backup stored off the network and maybe store that
data on a cloud service of your choice. Performing actions like this as a part of a
ransomware recovery strategy will help to mitigate any loss of data, business
interruption, and added losses associated with having to pay a ransom for your data.
Another attack that CACI may encounter and is considered to be a very big threat
on the internet today is botnets. Botnet uses a group of computers in a ‘zombie
state’ to carry out Distributed Denial of Service (DDoS) attacks which overwhelm a
company’s information system until the attackers get what they want from the
company. This could be a ransom or a competitor that wants to crash your network
while competing for the same government contract to provide a new military
technology. Your network security plan should guide CACI employees in the use of
email, electronic devices, Internet usage, and other guidelines in respect to your
company’s network. You have to ensure that this security plan is easy to follow and
seamless to implement. In order to accomplish this, you have to ensure that the plan
is manageable, understandable, and enforceable. Risk management is a key part of
the process as well because you have to consider the risk or events before they
happen which can save money and protect the future of CACI. If something were to
go wrong, you already have a plan of action to eliminate or significantly reduce that
event or threat. Existing vulnerabilities and threats impact the importance of risk
management because not only do you have to evaluate all possible risks but it is a
fluent process because threats are always evolving. You will have to continue to
monitor the existing and new threats to make sure that your risk management is
fluently current with future threats just as much as current threats. The organization
I chosen is the U.S. Department of Health & Human Services. The contingency
planning purpose is to lessen the damage of the risk when it occurs. Without the
plan in place, the full impact of the risk could greatly affect the project. The
contingency plan is the last line of defense against the risk. Risk assessment overall
process or method where; Identify hazards and risk factors that have the potential to
cause harm hazard identification. Analyze and evaluate the risk associated with that
hazard risk analysis, and risk evaluation. The steps involved in security planning for
my organization are to assets are items that have a value to the entity, including
resources and property that are relied on to sustain operations and capabilities. These
are in addition to people and information (including ICT) identified as critical to
ongoing operations. Critical assets and components of an asset are essential to the
ongoing operation of the entity. Asset attractiveness is how a threat source may view
the asset in relation to the activity it seeks to undertake. Asset attributes are the
qualities that determine the nature and extent of impact on the entity operations
following an event or incident. For my chosen organization, google faces many
security issues and well in general. Firstly is accommodating to scaling availability
causes increased traffic this can cause downtime and maintenance which can cause
need for patches allowing exploits and zero days. Another issue which can cause the
same results is they rely on service providers, using third party providers can cause
breaches in data. Ways to process these threats to specifically data is that google
already consists of cloud based storage this reduces the chances of breaches and is a
data loss preventive measure. According to googles security policies they monitor
suspicious activities on their networks, reviews security with services, and periodic
security assessments. Risk management is extremely critical for google as it is such
a widely used domain used worldwide. Any vulnerabilities or downtime would
exponentially affect the world falling under the cyber domain category. Confidential
data and data loss would be catastrophic as it's number of users is worldwide and is
the most used database. Existing threats and vulnerabilities are how risk management
is constantly updated and changing, because of it we have policies and prevention
measures to keep things secure. Anytime you deal with larger corporations or
companies their are a ton of vulnerabilities that could exist. In my case using
Microsoft I would say that security for individual users and their information stored
is a big vulnerability that has been exploited in the past. Although this breach
might’ve been small compared to other companies it has happened and can happen
again. Most companies or corporations learn from the mistakes or ‘kinks’ in their
armor to say and implement a stronger response with more security options.
Contingency planning, risk assessment, and finally risk control are very important to
any company when it comes to maintaining a degree of security and reliability in
that company. Considering how Microsoft is such a dominant technologies company
it stands to reason that they must defend themselves from any of the possible risks
or issues involved with cyber security and other cyber issues that may arise. I
always ask myself what would happen if Microsoft was unable to provide services
for a single day or even a single hour. These are things companies and corporations
prepare for in risk assessment and risk control. The organization that I chose in
week one is my current employer, Bureau of Automotive Repair. There are
vulnerabilities in every organization, which is why risk management is such an
important factor in the security planning process. Vulnerabilities can come in any
shape or form whether its a physical or cyber risk. Every year, employees in my
organization are trained on what to do if a natural disaster occurred during working
hours to avoid injury. We're also trained on what to do if we received a bomb
threat from a package or through the phone whether it's just a prank. We have a
team responsible for training every new employee and we are even given the
opportunity in taking classes to be first aid certified. The cyber risks that occur with
the organization that I work for consist of employees clicking on phishy emails and
links. This can cause a breach in our database and personal information from our
consumers can be obtained. To avoid this from happening, every employee who
notices a suspicious email is required to report it to our security team. The system
is also overlooked at the end of the day with a time duration of how long
maintenance will be until we can access our database again.
In my personal and professional opinion, all organizations and companies have
vulnerabilities. They are not always the same, but the risk will always be there.
These risks can be physical or online, as well as internal or external. These risks are
never a good thing for a company. They ultimately can cause anything from minor
financial damage to the whole business shutting down because of severe destruction.
No one wants to have to deal with these threats, but they are unavoidable. All you
can do is have a plan in place to help you through it when the time comes. I am
continuing to run my research on the Sherwin-Williams Company, and this company
faces physical and cyber risks all over the world. Some types of physical damage
that can occur could be natural disasters as well as robberies. Depending on what
physical disaster occurs, the company could lose different assets. The cyber risks are
also a big deal in this company. Hackers can sometimes gain traction on an internal
server and start to download personal information. This information could be
financial information, product information, or employee’s personal information. No
one wants to have to deal with a data breach. Therefore, company’s need to be
prepared with a plan to avoid these threats, as well as deal with them. The three
important steps go as follows:
Step one: Perform Regulatory Review and Landscape. The company should first
perform regulatory review. This is where all the business requirements and industry
standards are assessed. This normal is looked at from outside the company.
Step two: Specify Governance, Oversight, and Responsibility. This is where the
company should create a computer information response team (CIRT) or computer
information security response team (CISRT). This team will be responsible of
informing the company and employees of the information security plan and making
sure everyone follows it.
Step three: Take Inventory of Assets. This is the final step where you create an
inventory of both hardware and software. You can also keep track of existing
safeguards and controls currently in place. The level of security wont be assessed
until this step is competed.
I think risk management is important part of the security planning process. This
allows the company to know itself and to know and plan for any risks that may
happen and to assess how much damage it can do to the organization. Also, this
allows the organization to reduce the level of risk to an acceptable level. I think the
reading this week in chapter 5 explains it perfectly. “The defenders attempt to
prevent, protect, detect, and recover from a seemingly endless series of attacks.
Moreover, those defenders are legally prohibited from deploying offensive tactics, so
the attackers have no need to expend resources on defense. While the defenders need
to win every battle, the attackers only need to win once. To be victorious, defenders
must know themselves and their enemy.” The risks will always be there but with
risk assessment and management the overall fallout from the threat can be much less
damaging to the company and its customers. https://www.wbdg.org has a pretty good
example. Using an exterior explosive threat as an example, the installation of
window retrofits (i.e., security window film, laminated glass, etc.) will not prevent
the explosive attack from occurring, but it should reduce the impact of loss/injury
caused by hazardous flying glass. Therefore, the impact of loss rating for an
explosive threat would improve, but the vulnerability rating would stay the same.
Vulnerabilities can come at anytime time from a organization standpoint. Security is
a process that requires management and support for key areas of the organization.
The challenge is never-ending, and security teams have to cover different fronts
through which malicious code can infiltrate a network. A vulnerability that I believe
would be a potential threat are internal attacks. Internal attacks are one of the
biggest threats facing your data and systems, especially members with knowledge of
and access to networks, data centers and admin accounts, can cause serious damage.
Careless and uninformed workers can be a risk due to employees who are not
trained in security best practices and have weak passwords, visit unauthorized
websites and/or click on links in suspicious emails or open email attachments pose
an enormous security threat.
Security management deals with how system integrity is maintained amid man-made
threats and risks, intentional or unintentional. Some Risk Management steps to put in
place for the organization would be:
Step1: Reevaluate IT assets and risks
Security management is a discipline that never rests. Major changes that would
require a reassessment of the security management practice include:
Security violations are rampant.
Organizational structure or composition changes.
Business environment changes.
Step2: Analyze risk
Every effective security management system reflects a careful evaluation of how
much security is needed. Too little security means the system can easily be
compromised intentionally or unintentionally. Too much security can make the system
hard to use or degrade its performance unacceptably. Security is inversely
proportional.
Step3: Implement security practices
Implement the security measures defined in the preceding step. You can do this in
stages to make it easier for everybody to adapt to the new working environment.
Expect many problems at the start, especially with respect to user resistance to their
security tasks, such as using passwords.
Vulnerabilities can be found in all organizations all around the world. Because of
this organizations and businesses should be managing risk responsibly and
considering all possible threats and maintain a mentality that it’s not if something
happens it when something goes wrong. There should be different plans of action
and preparation covering all the potential threats and hazards such as physical, social
and cyber. The department I work in mainly puts a large focus on privacy and
avoiding data breaches, so I’m not deeply versed in the procedures regarding
physical threats. But I understand the importance of risk management in all of its
forms and have a basic understanding of planning for a disaster. You will start by
staying up to code so to speak, making sure that you are meeting industry standard
and meeting all the requirements of your organization and its governing bodies
including SLA's. They would do this by setting up the proper policies and
procedures. Your next move is assigning responsibility and leadership roles. Your
response teams should help with making sure the policies put into place are being
followed. You’d do this in the form of response teams like a CIRST and a CIRT.
Your final step is keeping proper documentation on your inventory and assets,
whether that be hardware or software. And having strong backups in place in case
there is a loss of information due to disaster. When it comes to vulnerabilities all
organizations have them in one form or another regardless the type of organization.
Risks come in different forms whether it is physical or cyber, either one can cause
severe damage to an organization costing them severally financially. The company I
decided to research run the risk of physical and cyber risks to all 3 locations they
currently have. When it comes to physically threats, the offices are at risk of natural
disaster and man-made attacks such as flooding, wildfires, earthquakes, and possible
car collision to the building. If any physical disaster were to occur it would cause
equipment and data loss such as the desktops used by employees and the servers
where all the information is stored. Along with physical risks, cyber risks are can be
a financial burden; some cyber risks would include hackers, trojan attack, or a server
going down due to internal failure. Risk management is an important part of security
planning for an organization, the steps go as follow;
Step one: perform regulatory review and landscape the firm must perform a
regulatory review; all businesses have requirements from oversight bodies along with
self-imposed industry standards and expectations coming from external stake holders.
Step two: specify governance, oversight, and responsibility Create a Computer
Information Response Team (CIRT) or Computer Information Security Response
Team (CISRT). The team will be responsible to ensure the firm follows policy and
procedures from the information security plan.
Step three: take inventory of assets create an inventory of both hardware, and
software as well as identify existing safeguards and controls currently in place. The
firm’s level of risk can not be assessed properly without this step.
Information security risk management, or ISRM, is the process of managing risks
associated with the use of information technology. It involves identifying, assessing,
and treating risks to the confidentiality, integrity, and availability of an organization's
assets. An information security plan is documentation of a firm's plan and systems
put in place to protect personal information and sensitive company data. This plan
can mitigate threats against your organization, as well as help your firm protect the
integrity, confidentiality, and availability of your data.
Following are some of the steps to create an Information Security Plan:
Step 1: Perform a Regulatory Review and Landscape
Your firm must first perform a regulatory review, as all businesses have requirement
coming from oversight bodies. There are also self-imposed industry standards and
expectations that come from external stakeholders.
Step 2: Specify Governance, Oversight & Responsibility
Create a CIRT (Computer Information Response Team). This group will be
responsible for ensuring the firm follows the policy and procedures around the
information security plan.
Step 3: Take Inventory of Assets
Know what you have means create an inventory of both hardware and software and
identify existing safeguards and controls you have in place. This step is crucial, as
you can't properly assess your firm's level of risk or adequately protect data and
information unless you understand what systems you have and what data they hold.
All facilities face a certain level of risk associated with various threats. These threats
may be the result of natural events, accidents, or intentional acts to cause harm.
Regardless of the nature of the threat, facility owners have a responsibility to limit
or manage risks from these threats to the extent possible.
When it comes to risk management, there are a lot of different risks that could
potentially cause harm. When assessing the risks for the organization there is a lot
that goes into the risk analysis. We consider not only virtual harm but physical harm
as well. I am not sure the exact details on what types of prcautions are taken on
the cyber side of things. I do however know that the branch that I work at is a hot
site backup for the branch down in Louisiana. The place that I work is where we
ship oil for the company. If the site in Louisiana is hit by a natural disaster such as
a hurricane, they would send all of there orders and processing needs to us. This
happened a few years ago when I was first starting there and we had to cover their
needs until they made the necessary repairs to the facility and they could get back
up and running. There are all kinds of security threats to deal with on the cyber
side. Since the organization is a quite large one the risks are always surrounding it.
One risk management strategy that they have implemented is setting up 2 offsite
backups that are always running and always ready to take over when a disaster hits.
We have the main headquarters in the UK which is the primary. This is where
everything is run from normally. They have a main office that is in NJ and then
another in Toronto. If the main facility in the UK goes down or is hit with a
disaster, the office in NJ can take over the operations as if nothing had ever
happened. The same goes with the office in Toronto since they are all the main
offices for the 3 different countries.
Students also viewed