ISOL 533 -Information Security and Risk Management
University of the Cumberlands
RISK MANAGEMENT PLAN
EXECUTIVE SUMMARY
This risk management plan is for Health Network, Inc., a fictitious health services organization
headquartered in Minneapolis, Minnesota. Health Network has more than 600 employees throughout
the organization and generates $500 million USD in annual revenue. The company has two additional
locations in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each
corporate office is located near a co-location data center, where production systems are located and
managed by third-party data center hosting vendors.
Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the company. The service handles secure
electronic medical messages that originate from its customers, such as large hospitals, which are then
routed to receiving customers, such as clinics.
HNetPay is a Web portal used by many of the HNetExchange customers to support the management of
secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites,
accepts various forms of payment and interacts with credit-card processing organizations much like a
Web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow
Health Network customers to find the right type of care at the right locations. It contains doctors'
personal information, workplaces, medical certifications, and the types of services that the doctors and
facilities offer. Doctors are given credentials and are able to update the information in their profile.
Health Network customers, which are the hospitals and clinics, connect to all three of the company's
products using HTTPS connections. Doctors and potential patients are able to make payments and
update their profiles using Internet-accessible HTTPS Web go
RISKS - THREATS – WEAKNESSES WITHIN EACH DOMAIN
Payment risk is the risk of loss due to a default on an agreement or, more generally, the risk of loss
due to some "payment event". Organizations that handle a high volume of online payments face this
risk, since blocked payments and the expected source of payments can bounce back on the
organization. Many organizations have been forced to bring new focus and drive to their payment risk
management strategies in an attempt to avoid incurring losses while at the same time trying to avoid
causing any undue consequences in responding to these challenges.
In truth, every payment method involves risk. If you run an online business and process payments on
your website, you need to understand that it comes with a variety of risks. The main risks are fraud and
operational risk, where the financial loss is a direct result of human or technical mistakes.
It is essential for companies and organizations to know the best ways to manage payment risk in an
effort to avoid bankruptcy and fraud. As noted above, you need to understand payment risk, and that
is what risk management is about. It can help you make better decisions, because there is no room for
mistakes. If you make a wrong decision, it could be costly. You need to anticipate the probability of
the risk.
Consider the following:
- What are the potential risks?
- How likely is each one to occur?
- How quickly could it be detected?
- How much could it cost you?
Knowing the risk, with its estimated costs, helps you reduce the likelihood of the risk occurring.
Understanding payment risk will enable you to manage your business better. Keep in mind that when
you sell something online, fraudsters can make several transactions using fake identities or stolen
credit-card numbers. In the Internet age, fraudulent activity is generally hard to stop.
When you choose the best payment gateway, you do not have to manage all the risk yourself.
Gateways have experience and fraud-prevention tools, so the best payment gateways know how to keep
fraud and operational risk at low levels. Banks, as well as fintech companies, are constantly looking for
technology that will help them with risk management. Online payment providers with a high security
level monitor payments for compliance with risk-management standards. They need to face the risk,
regardless of whether it is related to emerging payment systems or more established ones.
Online payments are now much less demanding and more affordable than they used to be. However,
the success of e-payments, and of all innovative payment methods, depends on their ability to control
risk.
User Domain: raise user awareness and implement acceptable use policies (AUPs) to ensure users
understand what they should and shouldn't do. Use login banners to remind users of the AUPs. Send
periodic emails with security tidbits to keep security in their minds, and use posters in employee areas.
WORKSTATION DOMAIN: Install antivirus software and update it regularly; keep operating systems up
to date; evaluate and deploy security patches as they become available.
LAN DOMAIN: Routers have ACLs (access control lists) that control what traffic is allowed through
them. Switches can be programmed for specific functionality. They are commonly located in a wiring
closet or server room, which provides physical security; modify ACLs as needed. Practice port
security as an added control. This ensures that only specific computers are able to attach to the network
device, which means that if an attacker brings his own computer, he won't be able to connect it to the
network.
WAN-TO-LAN DOMAIN: firewalls that discriminate and allow only certain types of traffic
through. Train domain administrators to understand the importance of limiting the number of firewall rules.
WAN Domain: use a demilitarized zone (DMZ) built with two firewalls. One firewall faces the
Internet and the other faces the internal network. When patches are available, test them to ensure they
don't have any negative impact and then deploy them to the servers.
Remote Access Domain: several different controls can be used to protect servers. Automatic callback is
one used with dial-in remote access servers: after the user is prompted to log on and does so, the server
hangs up and calls the user's home number back. This is used with people who work from home. Another
control is remote access policies. They are used to specify that only Layer 2 Tunneling Protocol (L2TP)
connections are allowed. Additionally, Internet Protocol Security (IPSec) could be required to ensure the
connection is encrypted.
System/Application Domain: ensure administrators have adequate training and knowledge.
Configuration and change management practices are helpful: configuration management ensures the
systems are configured using sound security practices, and change management ensures that the
configuration is not modified without adequate review. Administrators of these systems need to test the
patches they get from the vendors, make sure there are no negative effects, and then roll them out.
COMPLIANCE LAWS AND REGULATIONS
Envision the compliance and risk program strategy, organization and program design.
Create effective enterprise-wide efforts to embed compliance culture needs into the fabric of the
organization.
Outline compliance organization improvement and change practices.
Create an integrated risk strategy and frameworks across the compliance, regulatory, financial, and
technology risk landscape. Build a system for complying with constantly growing state, federal, and
global transparency requirements.
Use analytics and technology solutions to set up or upgrade compliance monitoring and risk
assessment practices. Create and strengthen the functions of global third-party risk and compliance
management.
Table 1
Risk – Threat – Weakness, with the domain impacted

1. Risk: Loss or destruction of organization information.
   Weakness: Firewalls and intrusion control systems not active or updated to prevent unauthorized
   access to systems.
   Domain Impacted: Remote Access Domain

2. Risk: Loss of company confidential information.
   Threat: Insider threats.
   Weakness: Former employees, contractors or other insiders having access to company information;
   current employees are not managed properly and are given access to unauthorized information.
   Domain Impacted: User Domain

3. Risk: Loss of customers, clients or revenue.
   Threat: Changes in the regulatory landscape that may impact operations.
   Weakness: Change control processes and methods inadequate to handle changes in regulations.
   Domain Impacted: System/Application Domain

4. Risk: Loss of company data.
   Threat: Hardware being removed from production and deployed systems.
   Weakness: Access control procedures do not track the location of equipment as it is moved.
   Hardware may not be protected from hacking if used outside the data center or in public.
   Domain Impacted: System/Application Domain

5. Risk: Loss of company information.
   Threat: Loss of company information on lost or stolen company-owned assets, such as mobile
   devices and laptops.
   Weakness: Software not loaded on mobile devices and laptops to lock the system when notified of
   loss.
   Domain Impacted: Workstation Domain

6. Threat: Internet threats due to organization products being accessible on the Internet.
   Domain Impacted: LAN-to-WAN Domain

7. Risk: Loss of customers.
   Threat: Production outages caused by various events, such as natural disasters, unstable and buggy
   software, and others.
   Weakness: UPS and electronic systems not active to protect systems from outages.
   Domain Impacted: System/Application Domain
Figure 1
RISK ASSESSMENT PLAN
EXECUTIVE SUMMARY
This policy establishes information security requirements to ensure that production services follow
the company objectives and that company information (referred to as an asset) and technologies meet
the standard.
The Information Security Policy ensures that:
• Only authorized people can access the information
• The availability, integrity, and confidentiality of information are well protected
• All employees are well trained in information security, and compliance is mandatory
• All suspected weaknesses and breaches of information security are recorded and investigated
The Risk Management Plan takes care of the weaknesses, threats and risks of Health Network, Inc.
RISKS – THREATS – WEAKNESSES
1) Critical - Those that affect compliance and increase the organization's liability.
2) Major - Those that affect the IT infrastructure and the C-I-A of a company's intellectual property assets.
3) Minor - Those that can impact the availability of the IT infrastructure or employee and user
productivity.
COMPLIANCE IN LAWS
• Employees should be trained on major corporate laws and motivated to comply with them.
• For the company to meet its requirements it must have good risk management, governance and
compliance.
• Some laws are straightforward and easy to understand.
• Every stakeholder should know their part in the corporate governance program.
• Every stakeholder should have knowledge of laws and regulations such as PCI-DSS, FISMA, HIPAA, etc.
• In information security, PCI-DSS covers customer payment card information and consists of a set of
twelve requirements designed to reduce fraud.
• Documentation of every act happening inside the company will help any person not to breach
compliance law.
• Access should be limited on the basis of the employee's position in order to avoid any regulation and
compliance breach.
• Limiting Internet access prevents risk to the organization's data.
R-T-W, with the domain impacted and the risk impact/factor

1. Risk: User deletes all files and destroys data in the application. User inserts USBs and CDs with
   personal videos and music on the organization's computers.
   Threat: Employee downloads an unknown e-mail attachment.
   Weakness: User has a weak domain password and does not shut down his computer.
   Domain Impacted: User Domain
   Risk Impact / Factor: Minor

2. Risk: Desk computer; this can affect other devices on the network.
   Threat: Company assets, for example laptops and mobile devices, are stolen or lost.
   Weakness: Equipment is unsecured; equipment is not set up properly; GPS tracking software not
   enabled.
   Domain Impacted: Workstation Domain
   Risk Impact / Factor: Critical

3. Risk: Company will lose customers.
   Threat: Outage in production due to different events, for example software, change management,
   natural disasters and so on.
   Weakness: Devices installed at egress/ingress points in the network are of little help in stopping the
   spread of outbreaks through the internal network; also, high volumes of alerts are generated as
   attackers probe the perimeter looking for vulnerable systems.
   Domain Impacted: LAN Domain
   Risk Impact / Factor: Major

4. Risk: Network, firewall and IP appliance configuration file weaknesses or errors.
   Threat: DDoS attacks, communication outages, viruses, hackers.
   Weakness: Procedures not followed; backup data centers not available.
   Domain Impacted: WAN-to-LAN Domain
   Risk Impact / Factor: Major

5. Risk: Company will lose customers.
   Threat: Production outages due to different reasons, for example unstable software, changes in
   management, natural disasters, and so on.
   Weakness: Backup data centers are unavailable; procedures not adhered to.
   Domain Impacted: WAN Domain
   Risk Impact / Factor: Major

6. Risk: Unauthorized entry through the public Internet.
   Threat: Threats inside the company.
   Weakness: Networks not monitored; controls not in place.
   Domain Impacted: Remote Access Domain
   Risk Impact / Factor: Major
Figure 1
RISK MITIGATION PLAN
Project Part 1 - Task 3 - Risk Mitigation plan
Executive Summary
Risk mitigation plans play a major role in assuring the security of both organizational assets and
data. The risk mitigation plan for Health Network Inc. will thus play a major role in securing both
important organizational assets and data. Health Network, Inc., headquartered in Minneapolis,
Minnesota, has over 600 employees and generates approximately $500 million annually. The
organization has additional locations in Portland, Oregon and Arlington, Virginia. These locations act
as data centers and production systems for the organization.
Health Network mainly deals in three product lines: HNetExchange, HNetPay and HNetConnect. The
entire product line plays a significant role in generating revenue for the organization. HNetExchange is
the main source of revenue for the company. This product handles the secure electronic transmission of
private data between the patients and the organization. HNetPay is a web portal that helps in securing
payments and billing for both the company and its clients. HNetConnect is an online directory that
lists doctors and medical facilities. This platform thus makes it easier for clients to find the right type of
care closer to them.
Critical “1” risks and short-term remediation
The risk/threats identified are:
I. Loss of customers due to production outages caused by various events, such as natural
disasters, change management, unstable software, and others
a. Remediation: Having insurance plans that will cover the customers against losses caused by
natural disasters, change management, unstable software and other complications.
b. CBA: Estimated cost of loss = $14,000
Cost of risk prevention = Outsourcing insurance services = $12,000
II. Loss or destruction of company information due to insider threats
a. Remediation: Conducting a proper employee audit during and after employee recruitment.
b. CBA: Estimated cost of loss = $4,000
Cost of risk prevention = $3,000
MAJOR “2” / MINOR “3” LONG-TERM REMEDIATION
I. Loss of company data due to hardware being removed from production systems. Hardware may be
removed from the production system for a variety of reasons. For example, faulty systems may spoil
some parts of the production system, resulting in hardware failure that may result in data loss.
a. Remediation: Servicing the company's hardware on a regular basis.
b. CBA: Estimated cost of loss = $20,000
Estimated cost of risk prevention = $12,000
II. Loss of company information on lost or stolen company-owned assets, such as mobile devices and
laptops. Mobile devices and laptops act as the primary storage units for important company
information. For example, some mobile devices store important company login details.
a. Remediation: Establishing policies that make each employee responsible for the safety of the
devices assigned to them.
b. CBA: Estimated cost of loss = $20,000
Estimated cost of risk prevention = $400
III. Theft of company confidential information due to insider threats. Malicious employees may
collaborate with external entities to steal important organizational information. For example, an
employee with a high access level may use his or her authority to access information that is important
to the organization.
a. Remediation: Conducting a thorough employee background check before and after employment.
b. CBA: Estimated cost of risk = $23,000
Estimated cost of risk prevention = $9,000
IV. Loss of customers or revenue due to changes in the regulatory landscape that may impact
operations. The company may fail to keep up with changing government regulation policies.
a. Remediation: Outsourcing services from personnel and companies that specialize in regulation.
b. CBA: Estimated cost of risk = $12,000
Estimated cost of risk prevention = $2,000
Implementation plan
R-T-W, with the domain impacted and the risk impact/factor

1. Threat: Hardware being removed from production systems.
   Risk: Loss of company data.
   Weakness: Access control procedures do not track the location of equipment as it is moved.
   Hardware may not be protected from hacking if used outside the data center.
   Domain Impacted: System/Application Domain
   Risk Impact / Factor: "2" Major

2. Threat: Loss of company information on lost or stolen company-owned assets, such as mobile
   devices and laptops.
   Risk: Loss of company information.
   Weakness: Software not loaded on mobile devices to lock the system when notified of loss.
   Domain Impacted: Workstation Domain
   Risk Impact / Factor: "2" Major

3. Threat: Production outages caused by various events, such as natural disasters, change management,
   unstable software, and others.
   Risk: Loss of customers.
   Weakness: UPS systems not active to protect systems from outages.
   Domain Impacted: System/Application Domain
   Risk Impact / Factor: "1" Critical

4. Threat: Internet threats due to company products being accessible on the Internet.
   Domain Impacted: LAN-to-WAN Domain
   Risk Impact / Factor: "1" Critical

5. Risk: Loss or destruction of company information.
   Weakness: Firewalls and intrusion control systems not active or updated to protect systems from
   unauthorized access.
   Domain Impacted: Remote Access Domain

6. Threat: Insider threats.
   Risk: Loss of company confidential information.
   Weakness: Former employees, contractors or other insiders having access to company information;
   current employees are not managed properly and are given access to unauthorized information.
   Domain Impacted: User Domain
   Risk Impact / Factor: "3" Minor

7. Threat: Changes in the regulatory landscape that may impact operations.
   Risk: Loss of customers or revenue.
   Weakness: Change control processes inadequate to handle changes in regulations.
   Domain Impacted: System/Application Domain
   Risk Impact / Factor: "3" Minor

Table 1 from Risk Assessment Plan
Running Head: ISOL 533- Information security and Risk management
Information security and Risk Management
Business Impact Analysis table (columns: Business Role/Process; IT Systems and Apps; Domain;
Business Effect Factor; Retrieval Time Objective). The cells survive only in reading order, so they are
grouped by column:

Business Role/Process:
- Real-time communication with the patients, through calls
- Email communication both inside and outside the organization
- Domain Name Server (DNS) for interior and exterior Internet Protocol (IP)
- Website where patients can access their data and personal info
- Finance operation support for accounts received and paid out
- Technical support and network management
- Internet and extranet
- Patient services through the company website, emails and telephone, with real-time services and
  communication that requires Customer Relationship Management (CRM)
- Communication through voice and email to other branches

IT Systems and Apps, with domain:
- Voice IP Servers (System Application Domain)
- DNS Server (LAN-to-WAN Network)
- Main (System Application Domain)
- VoIP Call Servers WAN (LAN-to-WAN Network)
- LAN Accounting Networks
- LAN-to-WAN
- Remote Access control

Business Effect Factor: Critical (6 entries), Major (2 entries)
Retrieval Time Objective: 4 hours (4 entries), 11 hours (1 entry), 12 hours (1 entry), 24 hours (3 entries)
Information Security and Management Risk
Health Network Exchange is the main source of income for the business. It handles services
including medical data and secures them well. These services include payment of bills and other
services. This information always comes from the customers in large hospitals (Hopkin & Management,
2012, p. 46).
Health Network Pay is a website portal used by the company's Health Network Exchange customers to
support the running of protected disbursements of bills. The Health Network Pay website gateway at
Health Network production sites receives and processes several payments and merges them with
credit-card information from the handling organizations, much like shopping carts or web commerce.
Health Network Connect is an online portal that contains information such as the list of doctors and
the various clinics available. This information will enable every individual looking for medical
facilities to get the right type of medication they require and also to get the precise location and
procedure for getting assistance. The doctors' information in the system will enable a patient to get in
touch with the doctor who gave out the medication. This website also helps the patient to know the
services the healthcare clinics and hospitals are providing (Vacca, 2012, p. 38). The portal enables the
doctors to update their information whenever the need arises, and also patients to make payments for
their bills and other services through the HTTPS websites.
Health Network runs its operations in three production data centers and provides the required
services across the network. This network contains many services and websites inside it.
Mission for Health Network
  Telephone Services: MTD less than 48 hours; RTO less than 24 hours; RPO less than 4 hours
  Customer Email Services: MTD less than 48 hours; RTO less than 24 hours; RPO less than 4 hours
Mission for Health Network
  Internet and Extranet: MTD less than 48 hours; RTO less than 24 hours; RPO less than 4 hours
  Communication through messaging and email: MTD less than 48 hours; RTO less than 24 hours;
  RPO less than 3 hours
Mission for Health Network Pay
  Financing services: MTD less than 48 hours; RTO less than 24 hours; RPO less than 4 hours
  Website portal: MTD less than 48 hours; RTO less than 24 hours; RPO less than 4 hours
Task 3: Disaster Recovery Plan
SUMMARY
PRODUCTION SERVER: Portland
IT SET-UP: Health Network database for payment
BACKUP STRATEGY FOR SYSTEM ONE (Daily / Monthly / Yearly / Quarterly): Daily.
DISASTER RETRIEVAL PROCESS:
Risk #1: Loss of company data due to removal of production systems. This will cause a major problem
in the payment for services by customers, who will not be able to make payments. This will impact all
services, since without payment no services go on. To cope with this impact, there should be another
mode of payment available on a different server platform.
Risk #2: Loss of clients due to production shortages. This will lead to a major impact in terms of
revenue and other services. To avoid this impact, a payment plan should be introduced, especially in
affected areas and remote areas. Also, a Data Recovery Plan should be introduced.
Disaster Recovery Plan for Health Network Connect
SUMMARY
PRODUCTION SERVER: Arlington, Portland.
IT STRUCTURE: Health Network database and directory connection.
BACKUP PLAN FOR SYSTEM ONE (Daily): Daily.
DISASTER RETRIEVAL PROCESS:
Risk #1: Loss of company data due to removal of production systems. It will be difficult to find care
using online services. Patients will not be able to view the various doctors and clinics available on the
website. As a result, customers will not be able to find the right care or the clinic providing the best
services.
Risk #2: Loss of clients due to production shortages. In case of the primary failure, patients will not be
able to find the right care.
Disaster Recovery Plan for Health Network Exchange
OVERVIEW
PRODUCTION SERVER: Portland, Arlington and Minneapolis.
IT STRUCTURE: Health Network Exchange Server
BACKUP PLAN FOR SYSTEM ONE (Daily / Monthly / Quarterly): Daily.
DISASTER RETRIEVAL PROCESS:
Risk #1: Loss of company data due to removal of Health Network from the production systems.
Communication between the company and the patients or customers will be affected, so no services
take place, which will affect the revenue collected by the company. To eliminate the problem, the
company should introduce proper backups and access control techniques for the system in place.
Risk #2: Loss of customers due to production outages. Customers and patients will not get the services
they require, resulting in poor care; there should therefore be a proper disaster recovery plan and
different servers working on different platforms.
Task 4: Computer Incident Response
Identify the nature of the incident
The major business impact will be in Health Network Pay, Health Network Exchange and Health
Network Connect.
The threat to the company is the loss of sensitive data and major information belonging to the
company and its customers.
The risk impact within the company will be severely critical:
MTD - more than 24 hours
RTO - more than 4 hours
RPO - more than 2 hours.
What needs to be done to limit the scope of the incident?
The company needs to disable all incoming exchange of information and communication from the
laptop and other users (Stamp, 2011, p. 67).
What needs to be done to mitigate the risk of the incident?
To curb the risk of the incident, the company needs to limit access to production data so that only
authorized users have it, and to restrict external access to the data.
What needs to be done to recover the IT systems?
The lost data should be recovered from the backups made earlier.
The BCP should be executed in response to the incident.
The BIA, BCP and DR plans should be updated with new procedures to help contain the incident.
References
Hopkin, P., & Management, I. O. (2012). Fundamentals of Risk Management: Understanding,
Evaluating and Implementing Effective Risk Management. London, England: Kogan Page Publishers.
Stamp, M. (2011). Information Security: Principles and Practice. Hoboken, NJ: John Wiley & Sons.
Vacca, J. R. (2012). Computer and Information Security Handbook. London, England: Newnes.