Question

The purpose of this assignment is to develop an information security risk assessment report for an organization.

Using Kaiser Permanente as an example, develop a risk assessment report with the following.

1) Executive Summary of the risk assessment report

2) Methodology

  1. Organizational Assessment
  2. System Specific Assessment

3) Results

  1. Organizational Risk Analysis, including review of emerging threats and trends, third-party assessments, and security metrics.
  2. System Specific Analysis, including system characterization, threat identification, vulnerability identification, impact analysis, control analysis, likelihood determination, risk determination, control recommendations, and results documentation.

4) Risk Register

5) Conclusion

Homework Answers

Answer #1

Executive Summary

Kaiser Permanente uses HP Fortify static scanning and WebInspect dynamic scanning to help find security issues in the application code and application URLs. This software is on-demand, runs whenever required, and tests application security faster, correctly, affordably and in an easy-to-manage way. The Fortify tool is used for scanning the application code and the WebInspect tool for scanning the application websites, and they report any possible security issues from the code as well as from website access. HP Fortify is market-leading software for both static code analysis and dynamic application URL testing, and it provides a summary report and a detailed report about security issues, including High, Medium and Low ratings and the corresponding remediation processes for the issues.

Risk Process Methodology

Organizational Assessment

Organizational assessment is a more unstructured risk analysis and it highly depends on various sources of information and their past trends, including security threats and trends, audit findings, security incidents, security exceptions, and security metrics. Kaiser Permanente must conduct a review to determine a pharmacy / Medicaid managed care plan's compliance with standards established by the state relating to enrollee rights and protections, access to services, structure and operations, measurement and improvement, and industry standards. The third-party company DHCS conducts review activity through an extensive monitoring process that assesses the KP plan's compliance with state and federal requirements at initial contracting and through subsequent and ongoing activities.

System Specific Assessment

System specific risk assessment is more structured than organizational assessment and is focused on interpreting the data gathered in order to derive findings and conclusions for the in-scope systems; this is very critical for translating the collected data and analyzing the various values and scores. System specific review shows the following structured elements: threats, vulnerabilities, likelihood, impacts and controls. During this system assessment, a risk score is calculated using these elements, mainly threat and vulnerability pairs, and the risk score is used as the primary data analysis in the system specific assessment. Different observations and findings will be derived using different views of the risk scores.

The system specific assessment table at Kaiser Permanente has the following information for each specific healthcare application: threat with agent and action, vulnerability, risk score and risk classification with moderate, high and low values. As part of the system specific assessment, after categorization of risk, the team will determine all high risk items and derive a table which contains threat agent, threat action, vulnerability and affected system. System specific risks will include disclosure of transmitted sensitive data, with controls like email encryption, secure FTP infrastructure, and security awareness. Data alteration is another example, with controls like logging and monitoring; system intrusion is another, with controls like password complexity enforcement and security awareness.

Risk Assessment Results

Organizational Risk Results

| Risk | Observation | Threat Initiation |
|---|---|---|
| Mobile Attacks: Mobile device usage has increased for business activities and allows more exposure to the outside world, and there is a high chance of attacks on these devices. | Based on the Kaiser Permanente risk analysis using the framework, KP appears to have potential exposures to mobile attack threat vectors, due to an increase in staff, mainly physicians, using mobile devices to access patient data and clinical information. Trending security reviews from researchers say mobile security risks are at a high rate. Factors involved in the increase in attacks are malware and also the natural predisposition of mobile devices, and sometimes physicians are allowed to use their personal devices to access the data, which is a risk for the organization. | Effective mobile device management, security awareness, data loss prevention and technology implementation required. |
| Third-party security gaps: There are potential issues in Kaiser Permanente systems and networks. | Fortify scanning metrics show that there are a high number of unmatched vulnerabilities within KP systems. Additional research shows that these appear to be the same unpatched systems associated with the vendor managed systems documented within filed security exceptions. | Third-party system security requirements, third-party system network isolation. |
| Phishing and social engineering: Susceptibility of the organization's users to phishing causes unauthorized access to the hospital network systems. | A careful review of security incidents over the period shows that a large portion of incidents are related to phishing and/or social engineering attacks, and these attacks happened due to user credentials being leaked or users clicking on a malicious link or email attachment. This behavior could potentially lead to unauthorized access to hospital systems. | Security awareness, malware protection controls and data loss protection technology. |
| Data Loss: Lack of a technology initiative to increase the accidental or intentional loss of ePHI data. | There are several incidents of data loss, and these incidents are accidental or malicious. | Data loss prevention technology, security awareness, encryption. |
| Malware: Spam links or malware attacks on the organization. | Unauthorized access to HIS or disruption of services. Gaps in the current enterprise anti-virus and malware solution. | Malware protection controls. |

System Specific Risk Results

System characterization is the first step of the system specific review; as part of this step, asset scoping, profile surveys and interviews were conducted, and there are five systems in scope for this information security risk assessment: the health information system, pharmacy system, accounting, HR payroll, email and imaging. Threat identification is another step, in which the Kaiser third party conducted research on common information security threats for the organization, determined threat agents and threat actions, and prepared a threat catalog. Vulnerability identification is another step, where current and future potential vulnerabilities are identified through third-party assessments. Impact analysis, likelihood and control analysis are follow-up steps to determine risks and recommendations, and as part of that the confidentiality, integrity and availability of the Kaiser Permanente systems.

Risk Register

The risk register identifies the risks and provides analysis based on organizational and system specific factors, and also provides current and ongoing remediation activities. The following risks were identified for Kaiser Permanente.

| Risk ID | Risk Name | Risk Scope | Description | Impact | Rationale | Treatment |
|---|---|---|---|---|---|---|
| R01 | Mobile attacks | Organizational | Kaiser Permanente is facing mobile attacks to some extent due to the extended use of apps by both external and internal providers | Exposure of sensitive information, unauthorized access to KP HIS | Increase in usage of mobiles by providers and mobile attacks from hackers | Proposals are: having strong mobile device management, data loss treatment and security awareness |
| R02 | Security gaps | Organizational | Compromises in health information systems due to vulnerabilities in vendor managed systems | Loss of members' or providers' information or a security breach in health information systems could lead to significant penalties. | Multiple security exceptions from the third-party managed system | Third-party security requirements, network isolation |
| R03 | Phishing through social networks | Organizational | Exposure of company users' social network information and from there gaining access to hospital websites | Unauthorized use of hospital resources | Compromise of hospital user accounts through social network phishing | Security awareness, malware protection and data loss protection |
| R04 | Data loss | Organizational | Possible loss of regulated data through emails and loss of ePHI data | Loss of members or patients could lead to reputation issues for Kaiser | Security incidents of data loss via email transmission or portable removable devices | Security awareness and data loss protection technology |
| R05 | Malware | Organizational | Potential malware attacks | Due to malware attacks, possible impact on hospital systems and degradation | High priority security issues due to malware attacks | Effective malware protection |
| R06 | Sensitive data | Email system | Possible risk of ePHI data transmission via email due to lack of encryption | Possible loss of members' data | Email systems like Outlook or Lotus Notes do not support strong encryption | Email encryption |
| R07 | Unverified data | Health Information System | Data alteration due to lack of logging and monitoring | Inaccurate data and unverified data alterations cause data integrity issues | The healthcare information system does not have a logging and monitoring system | Logging and monitoring control system |

Conclusion

The Kaiser Permanente third-party company conducted a risk analysis for the organization and a specific systems review, and identified five organizational and three system-specific information security risks. The KP company risks were found using a risk determination process based on a high level KP organizational risk review. The SSR risks were determined using the NIST framework, quantifying each risk based on impact, likelihood and the controls that are in place, by threat and vulnerability from ISO. During the risk assessment process, all identified risks were communicated to Kaiser Permanente's Chief Information Officer (CIO) and information security officer. Risks identified in the process were given priority for mitigation activities to address the risks, mainly the high risks.
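The answer describes scoring each register entry from likelihood, impact and controls in place and then prioritizing the high risks. The following is an added illustration, not part of the answer above: it applies the NIST SP 800-30 qualitative scales (likelihood weights 1.0/0.5/0.1, impact magnitudes 100/50/10, levels High above 50, Moderate above 10, Low otherwise) to the seven register entries. The likelihood and impact ratings and the control-effectiveness factors are constructed sample values, and treating controls as reducing likelihood only is an assumption.

```python
from dataclasses import dataclass

# NIST SP 800-30 qualitative scales: likelihood weight times impact
# magnitude gives a 1-100 risk score that maps to Low / Moderate / High.
LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Moderate": 50, "Low": 10}


@dataclass
class Risk:
    risk_id: str
    name: str
    scope: str                          # "Organizational" or the in-scope system
    likelihood: str                     # rating for the threat/vulnerability pair
    impact: str                         # rating for the CIA impact
    control_effectiveness: float = 0.0  # constructed 0..1 share of likelihood removed

    def inherent_score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> float:
        # Assumption: controls already in place lower likelihood, not impact.
        reduced = LIKELIHOOD[self.likelihood] * (1.0 - self.control_effectiveness)
        return round(reduced * IMPACT[self.impact], 2)


def classify(score: float) -> str:
    """Map a 1-100 score to the risk level used in the register."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


# The seven register entries; ratings and control factors are constructed samples.
REGISTER = [
    Risk("R01", "Mobile attacks", "Organizational", "High", "High", 0.2),
    Risk("R02", "Security gaps", "Organizational", "High", "High", 0.0),
    Risk("R03", "Phishing through social networks", "Organizational", "High", "Moderate", 0.3),
    Risk("R04", "Data loss", "Organizational", "Moderate", "High", 0.4),
    Risk("R05", "Malware", "Organizational", "Moderate", "Moderate", 0.5),
    Risk("R06", "Sensitive data", "Email system", "High", "High", 0.3),
    Risk("R07", "Unverified data", "Health Information System", "Moderate", "Moderate", 0.1),
]


def prioritized(register: list[Risk]) -> list[tuple[str, float, str]]:
    """(risk_id, residual score, level) rows, highest residual risk first."""
    rows = [(r.risk_id, r.residual_score(), classify(r.residual_score())) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def high_risks(register: list[Risk]) -> list[str]:
    """IDs that get first priority for mitigation, as the conclusion describes."""
    return [rid for rid, _, level in prioritized(register) if level == "High"]


if __name__ == "__main__":
    for rid, score, level in prioritized(REGISTER):
        print(f"{rid}: residual {score:>5} -> {level}")
```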
