Managing Risk in Information Systems
The following risks, threats, and vulnerabilities were found in a healthcare IT infrastructure servicing patients with life-threatening situations. Given the list, select which of the seven domains of a typical IT infrastructure is primarily impacted by the risk, threat, or vulnerability.
| Risk, threat, or vulnerability | Primary domain impacted |
| --- | --- |
| User destroys data in application and deletes all files | User |
| Hacker penetrates your IT infrastructure and gains access to your internal network | Systems/Application |
| Intra-office employee romance gone bad | User |
| Fire destroys primary data center | LAN |
| Communication circuit outages | WAN |
| Workstation OS has a known software vulnerability | LAN-to-WAN |
| Unauthorized access to organization-owned | User |
| Loss of production data | System Database |
| Denial of service attack on organization e-mail server | LAN-to-WAN |
| Remote communications from home office | Remote Access |
| LAN server OS has a known software vulnerability | LAN |
| User downloads an unknown e-mail attachment | User |
| Workstation browser has software vulnerability | Workstation |
| Service provider has a major network outage | WAN |
| Weak ingress/egress traffic filtering degrades performance | LAN-to-WAN |
| User inserts CDs and USB hard drives with personal photos, music, and videos on organization-owned computers | User |
| VPN tunneling between remote computer and ingress/egress router | Remote Access |
| WLAN access points are needed for LAN connectivity within a warehouse | LAN-to-WAN |
| Need to prevent rogue users from unauthorized WLAN | WAN |
Lab Assessment Questions
Given the scenario of a healthcare organization, answer the following Lab #1 assessment questions from a risk management perspective:
1. Healthcare organizations are under strict compliance to HIPAA privacy requirements, which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPAA privacy requirements? List one and justify your answer in one or two sentences.
Having the information system infrastructure hacked into is one of the risks that can violate HIPAA privacy requirements. The hacker would gain access to private client information that should be protected. A healthcare organization's information is sensitive and should be protected to maintain the confidentiality of the patients it serves.
2. How many threats and vulnerabilities did you find that impacted risk within each of the seven domains of a typical IT infrastructure?
User Domain: 2
Workstation Domain: 5
LAN Domain: 7
LAN-to-WAN Domain: 2
WAN Domain: 2
Remote Access Domain: 2
Systems/Application Domain: 1
3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and HIPAA compliance scenario?
All types of risk factors would be considered. Those assigned to the LAN-to-WAN Domain would get minor consideration unless they interfered with HIPAA compliance.
5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?
Loss of production data.
6. Which domain represents the greatest risk and uncertainty to an organization?
The User Domain.
7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?
The Remote Access Domain; rigorous controls for accessing the LAN remotely should be administered there.
8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?
9. Which domains need software vulnerability assessments to mitigate risk from software
10. Which domain requires AUPs to minimize unnecessary user-initiated Internet traffic and can be monitored and controlled by web content filters?
11. In which domain do you implement web content filters?
LAN-to-WAN
12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation Domain, which domain does the WLAN fall within?
13. A bank under the Gramm-Leach-Bliley Act (GLBA) for protecting customer privacy has just implemented its online banking solution, allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?
Private corporation responsibility of ensuring HIPAA private information compliance (Dillon, 2007).
14. Customers that conduct online banking using their laptop or personal computer must use HTTPS, the secure and encrypted version of HTTP browser communications. HTTPS encrypts webpage data inputs and data through the public Internet and decrypts that webpage and data once displayed on your browser. True or False.
15. Explain how a layered security strategy throughout the 7-domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application Domain.
A layered security strategy ensures that vulnerability is considerably reduced, and that control and remedial measures are in place if security breaches occur. These measures are in line with HIPAA guidelines (Kim & Solomon, 2010).
References
Dillon, G. (2007). Principles of Information Security: Text & Cases. Massachusetts: John &
Kim, D., & Solomon, M. (2010). Fundamentals of Information Security. Massachusetts: Jones &