
Posted: April 26th, 2019

Essay project|IT Security Risk Assessment

You are employed with Government Security Consultants, a subsidiary of Largo Corporation. As a member of IT security consultant team, one of your responsibilities is to ensure the security of assets as well as provide a secure environment for customers, partners and employees. You and the team play a key role in defining, implementing and maintaining the IT security strategy in organizations.

A government agency called the Bureau of Research and Intelligence (BRI) is tasked with gathering and analyzing information to support U.S. diplomats.

In a series of New York Times articles, BRI was exposed as being the victim of several security breaches. As a follow up, the United States Government Accountability Office (GAO) conducted a comprehensive review of the agency’s information security controls and identified numerous issues.

The head of the agency has contracted your company to conduct an IT security risk assessment on its operations. This risk assessment was determined to be necessary to address security gaps in the agency’s critical operational areas and to determine actions to close those gaps. It is also meant to ensure that the agency invests time and money in the right areas and does not waste resources. After conducting the assessment, you are to develop a final report that summarizes the findings and provides a set of recommendations. You are to convince the agency to implement your recommendations.

This learning activity focuses on IT security, an overarching concern that involves practically all facets of an organization’s activities. You will learn about the key steps of preparing for and conducting a security risk assessment, and how to present the findings to leaders and convince them to take appropriate action.

Understanding security capabilities is basic to the core knowledge, skills, and abilities that IT personnel are expected to possess. Information security is a significant concern for every organization and may spell success or failure of its mission. Effective IT professionals are expected to be up-to-date on trends in IT security, current threats and vulnerabilities, state-of-the-art security safeguards, and security policies and procedures. IT professionals must be able to communicate effectively (orally and in writing) with executive-level management in a non-jargon, executive-level manner that convincingly justifies the need to invest in IT security improvements. This learning demonstration is designed to strengthen these essential knowledge, skills, and abilities needed by IT professionals.

3. Steps to Completion

Your instructor will form the teams. Each member is expected to contribute to the team agreement which documents the members’ contact information and sets goals and expectations for the team.

1) Review the Setting and Situation

The primary mission of the Bureau of Research and Intelligence (BRI) is to provide multiple-source intelligence to American diplomats. It must ensure that intelligence activities are consistent with U.S. foreign policy and kept totally confidential. BRI has intelligence analysts who understand U.S. foreign policy concerns as well as the type of information needed by diplomats.

The agency is in a dynamic environment in which events affecting foreign policy occur every day. Also, technology is rapidly changing and therefore new types of security opportunities and threats are emerging which may impact the agency.

Due to Congressional budget restrictions, BRI is forced to be selective in the type of security measures that it will implement. Prioritization of proposed security programs and controls based on a sound risk assessment procedure is necessary for this environment.

The following incidents involving BRI’s systems occurred and were reported in the New York Times and other media outlets:

BRI’s network had been compromised by nation-state-sponsored attackers, and the attacks are still continuing. It is believed that the attackers accessed the intelligence data used to support U.S. diplomats.

The chief of the bureau used his personal e-mail system for both official business purposes and for his own individual use.

A software defect in BRI’s human resource system – a web application – improperly allowed users to view the personal information of all BRI employees including social security numbers, birthdates, addresses, and bank account numbers (for direct deposit of their paychecks). After the breach, evidence was accidentally destroyed, so there was no determination of the cause of the incident or of its attackers.

A teleworker brought home a laptop containing classified intelligence information. It was stolen during a burglary and never recovered.

A disgruntled employee of a contractor for BRI disclosed classified documents through the media. He provided the media with, among other things, confidential correspondence between U.S. diplomats and the President that were very revealing.

Malware had infected all of the computers in several foreign embassies causing public embarrassment, security risks for personnel and financial losses to individuals, businesses and government agencies including foreign entities.

These reports prompted the U.S. Government Accountability Office to conduct a comprehensive review of BRI’s information security posture. Using standards and guidance provided by the National Institute of Standards and Technology and other parties, they had the following findings:

Identification and Authentication Controls

Controls over the length of passwords for certain network infrastructure devices were set to less than eight characters.

User account passwords had no expiration dates.

Passwords are the sole means for authentication.

Authorization Controls

BRI allowed users to have excessive privileges to the intelligence databases. Specifically, BRI did not appropriately limit the ability of users to enter commands using the user interface. As a result, users could access or change the intelligence data.

BRI did not appropriately configure Oracle databases running on a server that supported multiple applications. The agency configured multiple databases operating on a server to run under one account. As a result, any administrator with access to the account would have access to all of these databases, potentially exceeding his/her job duties.

At least twenty user accounts were active on an application’s database, although they had been requested for removal in BRI’s access request and approval system.

Data Security

BRI does not use any type of data encryption for data-at-rest but protects data-in-transit using VPN.

A division data manager can independently control all key aspects of the processing of confidential data collected through intelligence activities.

One employee was able to derive classified information by “aggregating” unclassified databases.

System Security

Wireless systems use the Wired Equivalent Privacy (WEP) standard for ensuring secure transmission of data.

The agency permitted the “Bring Your Own Device” (BYOD) concept and therefore users can utilize their personal mobile devices to connect to the agency network freely.

In the event of a network failure due to hacking, the data center manager has his recovery plan but has not shared it with anyone in or out of the center. He was not aware of any requirement to report incidents outside of the agency.

There has never been any testing of the security controls in the agency.

Processes for the servers have not been documented; they exist only in the minds of the system managers.

Patching of key databases and system components has not been a priority. Patching of systems has either been late or not performed at all. Managers explained that it takes time and effort to test patches on its applications.

Scanning of devices connected to the network for possible security vulnerabilities is done only when the devices are returned to inventory for future use.

System developers involved with financial systems are allowed to develop code and access production code.

Physical Security

An unauthorized person was observed “tailgating,” or closely following an official employee, while entering a secure data center.

The monthly review process at a data center failed to identify a BRI employee who had separated from BRI and did not result in the removal of her access privileges. She was still able to access restricted areas for at least three months after her separation.

End User Security

Users, even in restricted areas, are allowed to use social media such as Facebook. The argument used is that it is part of the public outreach efforts of the agency.

Users receive a 5-minute briefing on security as part of their orientation session that occurs typically on their first day of work. There is no other mention of security during the course of employment.

Users are allowed to use public clouds such as Dropbox, Box, and Google Drive to store their data.

BRI has not performed continual background investigations on employees who operate its intelligence applications (one investigation is conducted upon initial employment).

There is no policy regarding the handling of classified information.

An internal audit report indicated that the organization needed several security programs, including a security awareness and training program, a privacy protection program and a business continuity/disaster recovery program. These programs will need special attention.
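Two of the findings above (the twenty accounts still active on a database after their removal was requested, and the separated employee whose badge still opened restricted areas for three months) are the kind of gap a periodic reconciliation catches. The script below is an added example, not part of the assignment or of any BRI system: it compares a constructed export from an access request and approval system against the accounts actually enabled on a database, and an HR roster against the badge system, and reports what should have been removed. All records, field names and dates are constructed for illustration.

```python
"""
Reconciling access records against an authoritative source.

Added example, not part of the assignment text. Two of the GAO findings are
detectable with a plain comparison between systems: accounts still enabled on a
database after their removal was approved, and a separated employee whose badge
still opens restricted areas. Every record below is constructed for
illustration, and the field names are assumptions, not any real product's schema.
"""
from datetime import date

# Review date for the examples (constructed; matches the posting date of the case).
AS_OF = date(2019, 4, 26)

# Constructed export from the access request and approval system.
ACCESS_REQUESTS = [
    {"account": "jdoe",   "system": "intel-db", "action": "remove",
     "status": "approved", "approved_on": date(2019, 1, 15)},
    {"account": "asmith", "system": "intel-db", "action": "remove",
     "status": "approved", "approved_on": date(2019, 2, 3)},
    {"account": "bwong",  "system": "intel-db", "action": "add",
     "status": "approved", "approved_on": date(2019, 2, 20)},
    {"account": "clee",   "system": "intel-db", "action": "remove",
     "status": "pending",  "approved_on": None},
]

# Constructed list of accounts actually enabled on each database.
ACTIVE_DB_ACCOUNTS = {"intel-db": {"jdoe", "bwong", "clee", "mroy"}}

# Constructed HR roster (separation date, if any) and badge-system export.
EMPLOYEES = [
    {"badge": "B1001", "name": "R. Patel",  "separated_on": date(2019, 1, 10)},
    {"badge": "B1002", "name": "T. Nguyen", "separated_on": None},
    {"badge": "B1003", "name": "L. Garcia", "separated_on": date(2019, 4, 1)},
]
ACTIVE_BADGES = {"B1001", "B1002", "B1003"}


def stale_accounts(requests, active, as_of):
    """Accounts still enabled although their removal was approved.
    Returns {(system, account): days since the removal was approved}."""
    stale = {}
    for r in requests:
        if r["action"] == "remove" and r["status"] == "approved":
            if r["account"] in active.get(r["system"], set()):
                stale[(r["system"], r["account"])] = (as_of - r["approved_on"]).days
    return stale


def unrequested_accounts(requests, active):
    """Enabled accounts with no record at all in the approval system."""
    known = {(r["system"], r["account"]) for r in requests}
    return {(system, account) for system, accounts in active.items()
            for account in accounts if (system, account) not in known}


def separated_with_access(employees, active_badges, as_of):
    """Separated employees whose badge is still active.
    Returns {badge: days since separation}."""
    return {e["badge"]: (as_of - e["separated_on"]).days
            for e in employees
            if e["separated_on"] is not None and e["badge"] in active_badges}


def overdue(report, max_days=30):
    """Entries that have outlived one review cycle (monthly by default)."""
    return {k: days for k, days in report.items() if days > max_days}


if __name__ == "__main__":
    print("Stale DB accounts:", stale_accounts(ACCESS_REQUESTS, ACTIVE_DB_ACCOUNTS, AS_OF))
    print("Unrequested accounts:", unrequested_accounts(ACCESS_REQUESTS, ACTIVE_DB_ACCOUNTS))
    badges = separated_with_access(EMPLOYEES, ACTIVE_BADGES, AS_OF)
    print("Separated but active:", badges, "overdue:", overdue(badges))
```

The point of the `overdue` threshold is that a monthly review should never leave an entry older than one cycle; anything beyond that, like the three-month case in the findings, indicates the review itself failed rather than a single late ticket. The `unrequested_accounts` check catches the complementary problem of accounts the approval system never knew about.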

2) Examine Background Resources

This learning demonstration focuses on the National Institute of Standards and Technology’s (NIST) “Guide for Conducting Risk Assessments”

(http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf). See Pg. 23 to view the description of the risk management process.

Throughout this learning activity, feel free to use other references such as:

Other NIST publications (http://csrc.nist.gov/publications/PubsSPs.html),

SANS Reading Room (https://monkessays.com/write-my-essay/sans.org/reading-room/),

US-CERT (https://www.us-cert.gov/security-publications),

CSO Magazine (https://monkessays.com/write-my-essay/csoonline.com/),

Information Security Magazine (https://monkessays.com/write-my-essay/infosecurity-magazine.com/white-papers/),

Homeland Security News Wire (https://monkessays.com/write-my-essay/homelandsecuritynewswire.com/topics/cybersecurity)

Other useful references on security risk management include:

https://books.google.com/books?id=cW1ytnWjObYC&printsec=frontcover&dq=security+risk+management&hl=en&sa=X&ei=_1JFVdGIJsKkgwSG4IGgCA&ved=0CDEQ6AEwAA#v=onepage&q=security%20risk%20management&f=false

https://books.google.com/books?id=FJFCrP8vVZcC&printsec=frontcover&dq=security+risk+management&hl=en&sa=X&ei=_1JFVdGIJsKkgwSG4IGgCA&ved=0CD4Q6AEwAg#v=onepage&q=security%20risk%20management&f=false

3) Prepare the Risk Assessment Plan

Using the NIST report as your guide, address the following items:

Purpose of the assessment,

Scope of the assessment,

Assumptions and constraints, and

Selected risk model and analytical approach to be used.

Document your above analysis in the “Interim Risk Assessment Planning Report.” (An interim report will be consolidated to a final deliverable in a later step.)

All interim reports should be at least 500 words long and include at least five references for each report. These reports will eventually be presented to management for their review.

4) Conduct the Assessment

Again, use the NIST report to address the following:

1) Identify threat sources and events
2) Identify vulnerabilities and predisposing conditions
3) Determine likelihood of occurrence
4) Determine magnitude of impact
5) Determine risk

You are free to make assumptions but be sure to state them in your findings.

In determining risk, include assessment tables that reflect BRI’s risk levels. Refer to Appendix I on risk determination in Special Publication 800-30.

Document your analysis from this step in the “Interim Risk Assessment Findings Report.” Be sure to include the final risk evaluations in this report.
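As an added example of steps 1 through 5 carried through on the case (not part of the assignment text or of NIST’s own material), the script below encodes a qualitative risk lookup in the style of SP 800-30 Rev. 1 Appendix I and applies it to a handful of findings taken from the BRI case. The lookup table is reproduced from memory and is an assumption to be checked against Table I-2 in the published appendix; the likelihood and impact ratings assigned to each finding are likewise assumed for illustration, which is exactly the kind of assumption the step asks you to state in your findings.

```python
"""
Qualitative risk determination in the style of NIST SP 800-30 Rev. 1, Appendix I.

Added example, not part of the assignment text. RISK_TABLE is an assumption:
it reproduces from memory Table I-2 (level of risk as a combination of
likelihood and impact), so verify it against the published appendix. The
findings are constructed from the GAO observations in the case study, and
their likelihood and impact ratings are assumed for illustration.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: overall likelihood. Columns: level of impact, in LEVELS order.
RISK_TABLE = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood, impact):
    """Combine an overall likelihood and an impact level into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class Finding:
    threat_event: str        # step 1: threat source / event
    vulnerability: str       # step 2: vulnerability or predisposing condition
    likelihood: str          # step 3: overall likelihood (assumed rating)
    impact: str              # step 4: magnitude of impact (assumed rating)

    @property
    def risk(self):          # step 5: determine risk
        return risk_level(self.likelihood, self.impact)


# Constructed findings; ratings are assumptions for illustration only.
FINDINGS = [
    Finding("Nation-state intrusion reads intelligence data",
            "No encryption at rest; excessive database privileges", "High", "Very High"),
    Finding("Eavesdropping on the wireless network",
            "WEP still in use", "High", "High"),
    Finding("Theft of a teleworker laptop",
            "Classified data stored unencrypted on portable devices", "Moderate", "Very High"),
    Finding("Password guessing against network devices",
            "Passwords under 8 characters, never expire, sole factor", "Moderate", "Moderate"),
    Finding("Tailgating into the data center",
            "No enforced badge-per-person entry", "Low", "Moderate"),
]


def risk_register(findings):
    """Rows of (vulnerability, likelihood, impact, risk), highest risk first.
    sorted() is stable, so findings with equal risk keep their listed order."""
    ordered = sorted(findings, key=lambda f: LEVELS.index(f.risk), reverse=True)
    return [(f.vulnerability, f.likelihood, f.impact, f.risk) for f in ordered]


if __name__ == "__main__":
    for vuln, lik, imp, risk in risk_register(FINDINGS):
        print(f"{risk:9} | L={lik:9} I={imp:9} | {vuln}")
```

The register this produces is the table the step asks for: each row ties a threat event to the vulnerability it exploits and to the two ratings that justify the risk level, so a reader of the report can challenge a rating without re-deriving the whole assessment. Replace the constructed ratings with the ones you argue for in your findings.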

5) Identify Needed Controls and Programs

Research and specify security controls needed to close the security gaps in BRI.

Also, be sure to include a description of the following programs for securing BRI:

Security Awareness and Training Program (i.e., communications to employees regarding security)

Privacy Protection Program

Business Continuity/Disaster Recovery Program

You should justify the need for the agency to invest in your recommendations.

Document your findings and recommendations from this step in the “Interim Security Recommendations Report.”

6) Communicate the Overall Findings and Recommendations

Integrate your earlier interim reports into a final management report. Be sure to address:

Summary of the Current Security Situation at BRI (from Step 1)

Risk Assessment Methodology (from Step 2)

Risk Assessment Plan (from Step 3)

Risk Assessment Findings (from Step 4)

Security Recommendations Report (from Step 5)

Conclusions

Also provide a presentation to management. The presentation should consist of 15-20 slides. It should include audio narration (directions are found at: https://support.office.com/en-au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The narration should also be captured in the slide notes.

As an alternate method of delivery, you can create a video using YouTube Capture (https://www.youtube.com/capture) or a similar tool.

Prepare a peer evaluation report.

4. Deliverables

Interim Risk Assessment Planning Report

Interim Risk Assessment Findings Report

Interim Security Recommendations Report

Final presentation

Create a folder to hold all of your deliverables.

Title your files using this protocol: GroupNumber_G-2_AssignmentName_Date.

Please zip (compress) the folder containing all of the files and the team leader is to submit the zipped file in the Assignments area.

In lieu of submitting the presentation, the team leader may provide a link to the presentation file.

NOTE: At the end of the project, each member of the team should email a completed Peer Evaluation form to your instructor.

5. Rubrics

Criteria (weight out of 100; score to be entered by the instructor):

Identify threats and vulnerabilities associated with information systems and assess their risks (30)

Formulate the appropriate security controls to address the identified threats and vulnerabilities (30)

Communicate to employees an awareness of security issues related to IT systems (10)

Evaluate organizational information systems to ensure they protect the privacy of users and of customers (10)

Determine requirements for business continuity/disaster recovery plans and backup procedures (10)

Exhibit communication skills (10)

Total (100)

References

Ross, R. (2014). Security and privacy controls for federal information systems and organizations. NIST Special Publication 800-53. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-53r4

Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J. & Thomas, R. (2002). Contingency planning guide for information technology systems. NIST Special Publication 800-34. Retrieved from http://ithandbook.ffiec.gov/media/22151/ex_nist_sp_800_34.pdf

Wilson, M. & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Group Project G-3

1. Title

Health Information Technology Architecture

2. Introduction

Largo Corporation has recently acquired Suburban Independent Clinic, Inc. (SIC) which serves the general outpatient medical needs of a suburb just outside of Washington, D.C. It competes directly with CVS Minute Clinic and Urgent Care Center. The corporation appointed you as the chief information officer (CIO) of the clinic in charge of managing clinical and administrative information, technologies and systems.

The clinic is feeling the pressure in many respects – cost, quality of care, access, and efficiency. Disease and personal injuries are on the rise, requirements for efficient and effective care delivery are increasing, and healthcare costs have climbed over time.

Legislation such as the Affordable Care Act has called for the greater adoption of health information technology to improve access, delivery, efficiency and quality of health care services and treatments while reducing costs and the occurrence of medical errors. This project explores the development and use of information technology (IT), since it has emerged as a powerful enabler in helping to achieve multiple goals and objectives across the entire U.S. healthcare system.

As the CIO you realize the value and importance of applying IT and have been asked to analyze the issues faced by the clinic and develop a new IT architecture for the facility.

You will benefit from this project in that it will develop your knowledge of information technology in the context of the health care field. So welcome to the world of health information technology and let’s begin this journey step-by-step.

3. Steps to Completion

Your instructor will form the teams. Each member is expected to contribute to the team agreement which documents the members’ contact information and sets goals and expectations for the team.

1) Understand the Setting

The mission statement of Suburban Independent Clinic is as follows:

1. Provide high quality medical care to the patient regardless of race, ethnicity, and gender.

2. Optimize visit experience, communication standards and patient understanding.

3. Treat patients with respect.

4. Maintain patient confidentiality and security.

5. Provide a pleasing working environment for employees.

6. Follow established policies and procedures for clinics such as HIPAA.

Besides yourself, employees include:

Clinic Director

Attending physicians (general practitioners)

Nurses

Office manager [designated as the Health Information Management (HIM) Manager]

Receptionist/Interpreter

A survey was conducted involving the patients and specific employees of SIC. Here is a representative sample of their feedback:

Patient

I can only make appointments by phone. SIC, you need to move to the 21st century!

The only way I can view my medical record is by being physically in the office.

Boy, it takes a really long time for the office people to find my medical records. I notice that they keep them in paper files. Once they gave the doctor the wrong record for me because I had the same name as another patient.

I once saw an employee leave my medical records out in the open where anyone can view it!

I have to complete all forms by hand. What a pain!

Drug costs are skyrocketing. We need to look if pharmaceutical companies are ripping us off!

My pharmacist once told me that the prescription from the doctor was difficult to read. She had to call the doctor’s office to find out what medication was being prescribed.

I often forget what the doctor told me after my examination especially when he gives a lot of instructions.

I had a drug-drug interaction that could have been prevented. I am suing SIC!

I have a difficult time getting to the office. No one will take me and the cost of a taxi is expensive.

I like the fact that the receptionist is bilingual but sometimes she is too busy and cannot interpret for me.

Physician

I cannot read the handwritten charts from Dr. Smith because of his lousy penmanship. Some comments he includes are scribbled in the margins.

I like to identify trends and patterns among my patients (is there an epidemic of a particular virus?) but it is too much of a manual process to compile and compare all of the records. I also like to explore trends among all clinics in the region and in the country.

It takes a long time to get patient records from the filing cabinet. It is sometimes misfiled or even missing!

I wish I could better communicate with my patients beyond an office conversation.

I want to start a wellness program but printing and mailing costs makes it prohibitive.

I wish I could see the patient’s medical history from birth to the present particularly when the patient has changed doctors.

I have a difficult time managing my certifications. They are all lying in my office drawer or hanging in frames.

I like spending time with patients and teaching but I hate the paperwork and administration issues I face every day!

Nurse

Often medical supplies were low and had to be ordered by phone at the last minute.

Sometimes there is an inadequate staffing of nurses and I have to work a double shift. It’s just not fair!

Occasionally we have to repeat tests because we cannot find the patient’s data.

I don’t have the time to take training sessions I need during regular office hours.

It takes a while to contact immunization registries by phone.

I spend less and less time on patient care and more time with bookkeeping.

Office Manager / HIM Manager

The facility is running out of space due to the frequent addition of file cabinets to hold the growing patient data. It is expensive to buy these cabinets and we are losing space that we normally use for patient care.

Documentation is inadequate when corporate auditors want to examine records for cost and compliance reviews.

Once we lose medical records, they are gone forever.

Health insurance claims are handled manually and are subject to errors. And when there are changes in the rules, we learn about it much too late and some employees are not informed of the change.

We have frequent cash flow problems because we tend to send bills late. We should ask for payments on the spot!

Please, I don’t want to use computer technology since it will increase costs tremendously. I don’t believe those computer systems vendors – they are just out to make a buck.

I am overworked and underpaid! I would like to start a union of clinic office managers!

Archived medical records are stored in a warehouse. If they need to be retrieved, they need to be faxed, scanned or mailed, which is a time-consuming process when it could be a life or death situation.

2) Analyze the Issues

Your work begins now. As a first step you are to organize these issues into logical categories and prioritize them.

In analyzing each issue, think about these questions:

Do I understand the meaning and nature of the issue?

Should we care about this issue?

What does literature say about this issue?

Who is affected by the issue? How so?

Which issues are most important? Least important?

How does this issue relate to corporate strategy and goals?

Do not jump the gun and start identifying solutions now. That step comes later.

Deliverable: Prepare a narrative and a summary table that would capture the results of your issue analysis in this step. The table should prioritize the issues in the context of SIC and Largo Corporation. Minimum length = 600 words. Be sure to state your assumptions.

3) Research Technologies and Technology Trends

Investigate and evaluate the current and emerging technologies that have the potential of addressing the identified issues. Review your textbook, library resources and other peer-reviewed references.

Evaluate the relevance of the following technology trends and approaches:

Electronic health records (EHR)

Computerized provider order entry (CPOE)

Bar code medication administration (BCMA)

Medication management system

Robotics/Workstations on wheels (WOW)

Mobile technologies and apps

Internet-based applications

Enterprise Resource Planning

Cloud computing

Big Data technologies

Collaborative technologies

Decision support systems

You are not limited to the above list in your analysis.

Review and evaluate the relevancy of IT trends and approaches to the current situation. Review your textbook, library resources and other peer-reviewed references.

Deliverable: Provide a technical briefing that examines different technologies and technology trends relevant to SIC’s issues and includes a short description of each. Also, explain why these technologies are applicable to SIC’s challenges. Minimum length = 1,000 words.

4) Prepare a migration strategy

Moving from the “as-is” to the “to-be” state can be very challenging. Review techniques for migrating an organization to a new set of technologies and processes. Keep in mind change management strategies.

Deliverable: Outline a plan that addresses how the organization will move to its new architecture.

5) Communicate the Overall Findings and Recommendations

Provide a presentation that addresses a set of recommendations on the technologies and trends needed to address the current situation. A suggested agenda is as follows:

Purpose of the Briefing

Description of the Overall Environment

Analysis of the Issues

Relevant Technologies that Address the Issues including Rationale

Overall Recommendations

Proposed Migration Strategy

Conclusions

The audience consists of the CEO and executives representing Largo Corporation and SIC.

The presentation should consist of 15-20 slides. It should include audio narration (directions are found at: https://support.office.com/en-au/article/Add-narration-to-a-presentation-0b9502c6-5f6c-40ae-b1e7-e47d8741161c). The narration should also be captured in the slide notes.

As an alternate method of delivery, you can create a video using YouTube Capture (https://www.youtube.com/capture) or a similar tool.

Prepare a peer evaluation report.

4. Deliverables

Issue analysis table (from Step 2)

Technology briefing (from Step 3)

Migration plan (from Step 4)

Final presentation (from Step 5)

Create a folder to hold all of your deliverables.

Title your files using this protocol: GroupNumber_G-3_AssignmentName_Date.

Please zip (compress) the folder containing all of the files and the team leader is to submit the zipped file in the Assignments area.

In lieu of submitting the presentation, the team leader may provide a link to the presentation file.

NOTE: At the end of the project, each member of the team should email a completed Peer Evaluation form to your instructor.

5. Rubrics

Criteria (weight out of 100; score to be entered by the instructor):

Analyze technical issues that are evident in a clinical environment (20)

Identify the appropriate technology solutions to address identified issues (40)

Describe a viable migration plan (20)

Exhibit communication skills (20)

Total (100)
