IT-Web Essay Paper on Managing Risk in Information Systems

Managing Risk in Information Systems

Overview

The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure serving patients in life-threatening situations. For each item in the list, select which of the seven domains of a typical IT infrastructure is primarily impacted by the risk, threat, or vulnerability.

User destroys data in application and deletes all files: User

Hacker penetrates your IT infrastructure and gains access to your internal network: System Application

Intra-office employee romance gone bad: User

Fire destroys primary data center: LAN

Communication circuit outages: WAN

Workstation OS has a known software vulnerability: LAN WAN

Unauthorized access to organization owned workstations: User

Loss of production data: System Database

Denial of service attack on organization e-mail server: LAN WAN

Remote communications from home office: Remote Access

LAN server OS has a known software vulnerability: LAN

User downloads an unknown e-mail attachment: User

Workstation browser has software vulnerability: Workstation

Service provider has a major network outage: WAN

Weak ingress/egress traffic filtering degrades performance: LAN-WAN

User inserts CDs and USB hard drives with personal photos, music, and videos on organization owned computers: User

VPN tunneling between remote computer and ingress/egress router: Remote Access

WLAN access points are needed for LAN connectivity within a warehouse: LAN-WAN

Need to prevent rogue users from unauthorized WLAN: WAN

Lab Assessment Questions

Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions from a risk management perspective:

1. Healthcare organizations are under strict compliance with HIPAA privacy requirements, which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPAA privacy requirements? List one and justify your answer in one or two sentences.

Having the information system infrastructure hacked into is one of the risks that can violate HIPAA privacy requirements. The hacker would gain access to private client information that should be protected. A healthcare organization's information is sensitive and should be protected to maintain the confidentiality of the patients it serves.

2. How many threats and vulnerabilities did you find that impacted risk within each of the seven domains of a typical IT infrastructure?

User Domain: 2

Workstation Domain: 5

LAN Domain: 7

LAN-to-WAN Domain: 2

WAN Domain: 2

Remote Access Domain: 2

Systems/Application Domain: 1

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?

LAN Domain

4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and HIPAA compliance scenario?

All types of risk factors would be considered. Those assigned to the LAN-to-WAN Domain would receive a minor rating unless they interfered with HIPAA compliance.

5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?

Loss of production data.

6. Which domain represents the greatest risk and uncertainty to an organization?

The User Domain.

7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?

The Remote Access Domain: rigorous controls for remote access to the LAN should be administered.

8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?

User Domain.

9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?

LAN Domain

10. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and can be monitored and controlled by web content filters?

WAN

11. In which domain do you implement web content filters?

LAN-to-WAN

12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation Domain, which domain does the WLAN fall within?

User Domain

13. A bank under the Gramm-Leach-Bliley Act (GLBA) for protecting customer privacy has just implemented its online banking solution, allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?

Private corporation responsibility for ensuring HIPAA private information compliance (Dillon, 2007).

14. Customers that conduct online banking using their laptop or personal computer must use HTTPS, the secure and encrypted version of HTTP browser communications. HTTPS encrypts webpage data inputs and data through the public Internet and decrypts that webpage and data once displayed on your browser. True or False.

True

15. Explain how a layered security strategy throughout the seven domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application Domain.

A layered security strategy ensures that vulnerability is considerably reduced, and that control and remedial measures are in place if security breaches occur. These measures are in line with HIPAA guidelines (Kim & Solomon, 2010).

References

Dillon, G. (2007). Principles of Information Security: Text & Cases. Massachusetts: John Wiley & Sons.

Kim, D., & Solomon, M. (2010). Fundamentals of Information Security. Massachusetts: Jones & Bartlett.