Cyber

Using the scenario presented in the previous week and the templates provided in the resources below,  complete the following:

· 1- to 2-page Risk Registry accurately documenting the risk elements from the scenarios that can be used to track issues throughout the project

· 1- to 2-page Security Assessment Plan Worksheet

· 1-page PHI/EPHI Policy ( Note: In Week Five, you will practice writing policies again.)

 

 

Resources

· Ch. 2, “IT Risk Assessment,” of  CRISC Certified in Risk and Information Systems Control All-in-One Exam Guide.

· Wk 3 Assignment Template

· Wk 3 Assignment Template Plan

· Wk 3 Assignment Template Risk

Assignment Scenario

Your company is a security service contractor that consults with businesses that are considered “covered entities” under HIPAA in the U.S. who require assistance in compliance with HIPAA. You advertise a proven track record in providing information program security management, information security governance programs, risk management programs, and regulatory and compliance recommendations. You identify vulnerabilities, threats, and risks for clients with the end goal of securing and protecting applications and systems within their organization.

Your client is Health Coverage Associates, a health insurance exchange in California and a covered entity. Because of the Patient Protection and Affordable Care Act (ACA), the exchange enables individuals and small businesses to purchase health insurance at federally subsidized rates. In the past 6 months, they have experienced:

· Vulnerability #1: A malware attack (i.e., SQL Injection) on a critical software application that processed and stored client Protected Health Information (PHI) allowing access to PHI stored within the database

· Vulnerability #2: An internal mistake by an employee that allowed PHI to be emailed to the wrong recipient who was not authorized access to the PHI

· Vulnerability #3: An unauthorized access to client accounts through the company’s login website via the cracking of weak passwords

The selection of security controls will go into the Security Assessment Plan (SAP) covered in Week Three. The SAP will address the required safeguards to protect the confidentiality, integrity, and availability of sensitive data from the attacks listed above and protect their assets from the vulnerabilities that allowed the attacks to occur.

The NIST HIPAA Security Toolkit Application, developed by the National Institute of Standards and Technology (NIST), is intended to help organizations better understand the requirements of the HIPAA Security Rule (HSR), implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services.

This scenario will be used in subsequent weeks of the course.

 

Wk 3 – Assignment Template

PHI/EPHI Policy Template

Version:

<Indicate the version of the policy, its revision date, and the approver.>

Purpose:

This policy prohibits the use, storage, and discloser of Personal Health Information (PHI) and Electronic Personal Heal information (EPHI), except as specifically permitted or required by HIPAA regulation.

Scope:

<Describe who this applies to in the organization.>

Policy:

1. <Provide accurate definitions used in the policy, like PHI.>

2. <State how data must be stored (e.g., encrypted).>

3. <Indicate covered entities.>

4. <Indicate the consequences for a confidentiality breach.>

5. <Indicate what standards the policy follows (e.g., NIST SP800-53).>

Wk 3 – Assignment Template

Security Assessment Plan Worksheet

Using the Assignment Scenario, complete the following worksheet.

Description of Vulnerability	Security Control Number and Name	Security Control Type	System Categorization for Risk Level Impact	Last Assessment Information	Asset	Assessment Method	Policy Alignment
<Describe the vulnerability>	<List the Security Control name and number>	<Common, System-Specific, Hybrid>	<High, moderate, or low>	<Identify any security assessments from the past>	<Describe the asset that will be tested>	<Identify at least one way you can test this asset>	<Indicate what security policy aligns with the asset>

Wk 3 – Assignment Template

Risk Registry

Create a Risk Registry using the template below to accurately documenting the risk elements form the scenarios that can be used to track issues throughout the project.

Risk Description for Risk Registry	Likelihood	Impact	Risk Owner	Resources Required	Estimated Completion Date
<Briefly describe the risk>	<Low, Medium, or High>	<Low, Medium, or High>	<List department or role>	<List hardware, software, personnel, and/or policy needed>	<Provide a date based on the risk complexity and today’s date>