Attachment # 00009708 - Part_2_Question_6_Cyber_Security_Action_Plan_Spreadsheet.xlsx
Part_2_Question_6_Cyber_Security_Action_Plan_Spreadsheet.xlsx (19.74 KB)
Raw Preview of Attachment:
(refer to the detailed question and attachment below)
* Conduct appropriate background checks for personnel handling information classified as "sensitive" or "to be protected."QUESTIONS: See "[Workforce] Administrative," above for process for obtaining privileged access/accounts. Is privileged access and activity logged? Are logs reviewed periodically? Are they reviewed in response to potential security events? Do individuals have unique access credentials for privileged access?Reference to help with responsesProtect resources in the event of emergencies. Identity and Access ManagementQUESTIONS: Is there a session timeout for the application, including for administrators? Are users encouraged to implement screensaver locks at the desktop? Are desktops configured to automatically lock or go to screensaver after a period of inactivity?Questions to ConsiderMaintain incident response and notification processes.Monitor for attempted/actual unauthorized access through review of access and audit logs.Ensure that contracts with external entities include data security language.QUESTIONS: Describe encryption methods or mitigating controls: Are passwords or other authentication tokens encrypted in transit and in storage? Is restricted data encrypted during transmission, including printing? Is stored restricted data encrypted? How about database tables or columns with restricted data elements? Is restricted data on backups, portable devices and media encrypted or otherwise protected? Are encryption keys secure? Are encryption keys managed to ensure availability of essential data? Special Categories of DataQUESTIONS: Describe the patching process, including frequency, whether it is a manual or automatic process, and verification. Is there a testing or backout procedure? What is the process for severe or critical updates? Security ControlsQUESTIONS: Are portable devices and media used? If so, are procedures in place to ensure their physical security? Are laptop computers locked down? Is restricted data on portable devices and media encrypted? Is there a practice of reviewing and deleting data from portable devices when no longer needed?Security Program ProcessesControl risk of unauthorized access to "sensitive"/"restricted" data by use of encryption. Payment Card Industry Data Security Standard (PCI DSS)Action Plan* Control physical security of portable media. - [Portable & Media Devices (III.C.3.e)]Applications Systems ManagementDefine/update the "security objectives" for confidentiality, integrity, and availability of information resources, describing the potential harm/security impact that failure to achieve security objectives would have on the operations, function, image/reputation, or ability to protect personal information. * Take appropriate personnel/disciplinary action(s) for violations of policy/procedures.Education & Security Awareness Training Risk Assessment, Asset Inventory & Classification* Backup systems supporting essential activities; encrypt data where required to secure backup data. * Control systems-level access through review of personnel assignments for appropriate classification, security responsibilities, and separation of duties.* Control production application software modification through change management procedures for major systems.[Workforce] Administrative Risk Mitigation MeasuresThird Party Agreements * Control passwords through password management conventions and vulnerability assessment procedures. - [Passwords and other authentication credentials]EncryptionHIPAA Security Rule /Practices for HIPAA Security Rule ComplianceSystems and Application Security * Control access to working sessions through session timeout mechanisms. -[Session protection] Control access to facilities by appropriate measures - [Physical Access Controls] Track movement of devices - [Tracking Reassignment or Movement of Devices & Stock Inventories] Remove data before equipment is re-deployed, recycled, or disposed. - [Disposition of Equipment]QUESTIONS: Describe your recommendations to provide security information to your client's workforce, including the proper handling of information and how information about relevant policies and laws is distributed. Is training required for access to this system or service? If so, does it include security information, either general or specific to the systems/service (e.g. restricted data reminders)? Do you include security information in response to security-related events? More generally, how are people made aware of the reources described above? Inventory computing devices (servers, desktop computers, laptops, mobile devices, storage devices, etc.) and the characteristics of the information/data stored on or transmitted from/to those computing devices. Inventory applications and the characteristics of the data stored by or transmitted from/to those applications. Classify each computing device and application based on the characteristics of the associated stored data or data transmitted from/to the computing device or application.QUESTIONS: Is there a formal authorization process for obtaining access to systems or data? Who is responsible for granting authorization? Please describe the authorization process. How about for obtaining privileged/admin access at any level, e.g. root access, superuser access, privileged application or database access, etc.? Does the Support Center have a role in account management for your system or service? Are procedures in place to ensure prompt modification or termination of access or authorization levels in response to user separation or change in role? Including for people with privileged access? Are privileged accounts and individuals with access to these accounts reviewed periodically for appropriateness? Describe the review process, including frequency.* Control how employees and other affiliates are granted access privileges to computing and information resources and how those privileges for individuals are altered or revoked. Review privileged account access.* Maintain currency of operating systems and application systems software. - [Patch Management]Conduct appropriate security awareness training for employees.QUESTIONS: Is additional language, e.g. for HIPAA or PCI, required? Assuming a third party managing a web site for you that collects sensitive data, such as SSN, credit card info, or other PII or restricted data, how will compliance aspects be handled? QUESTIONS: How will the password policy be monitored and enforced by your system or service? Describe any limitations that prevent this and additional mitigations to compensate. How will passwords be tested for strength? Are there any expiration or password aging policies? Will individuals have unique access credentials? How about vendors/contractors? QUESTIONS: How will system backups containing restricted data be secured? How will data integrity/user functionality be ensured/verified upon recovery or restore? Is a retention and disposition schedule in place for backups? Physical/Environmental Controls * Protect networked devices against malicious software. - [Malicious Software Protection Question: How will the system protect against malware and other types of malicioius software?* Protect passwords or other authentication tokens while in transit?* Control potential security loopholes for operating system, application software, and firmware code on all devices connected to the network. How will the system control potential security loopholes for operating system, application software, and firmware code on all devices connected to the network?* Control access to networked devices* Control the use of networked devices for intended purposes by eliminating unnecessary services from devices.* Control network communications to/from networked devices through host-based firewall software, as available.QUESTIONS: Does organization run any network proxy servers? Is access controlled through authentication?* Control access to network proxy servers through authentication * Prevent networked devices from becoming unauthorized email relays. QUESTIONS: How will the system secure devices from becoming unauthorized email relays? How will they be configured?* Control application systems development/maintenance through conformance with specifications in local standards, procedures, guidelines, and conventions; conduct application vulnerability assessments as appropriate. QUESTIONS: Describe the process used to develop/deploy new application(s) from inception (requirements, function, funding), to development (coding standards, application security, authentication/authorization), and deployment (workflow, management approval, alpha/beta testing and pilot, release). How will application development take into account business decisions about how restricted or confidential information should be collected, stored, shared, and managed? How are application vulnerability assessments performed? Is appropriate separation of duties in place? Is data in test, training and development systems protected according to its classification, including storage, transmission, bug reports, and bug reporting systems?BACKGROUND: The system or service is in the Data Center, this information is provided by the Core Tech Operations group. Access to the Data Center is regulated by the Data Center Access Policy as well as physical security controls (i.e. locks). Movement of equipment is tracked; rack inventory is updated as needed, reviewed quarterly. Devices are stored securely pending secure destruction. QUESTIONS: Where will this system or service be housed, including backups? * Describe the physical security controls protecting access to the facility, systems and data, including backups and portable devices. * Are facility access policies in place, including procedures to verify the identity of individuals and tracking of entry and exit, including for visitors and guests? * Are all critical and restricted systems locked down? * Is there a unit inventory of all computers and storage devices with restricted or critical data, including portable devices (data sticks, CDs, PDAs, etc.) and media? Is there frequent movement of equipment? Is there a check-out/in or tracking system in place? * Are procedures in place to ensure secure removal or destruction of data before equipment or electronic media is re-deployed, recycled or disposed?How will the system protect passwords or authentication tokens in transit?QUESTIONS: How will the system control the use of networked devices for intended purposes by eliminating unnecessary services from devicesQUESTIONS: How and where will host-based firewalls be used? What about network firewalls and Intrusion Detection System/Intrusion Prevention System?How will credit card information be stored, processed or transmitted so as to ensure compliance with PCI? (e.g. ensure that credit card environment is PCI compliant) QUESTIONS: How will the system protect against computer viruses and spyware? How is this verified? What about for systems not in the Data Center?* Protect computing and information resources from malicious software (e.g., viruses, worms, Trojans, spyware, etc.)- Audit Logs QUESTIONS: Where will audit logs be enabled? What types of activiteis will be captured in the logs? What procedures are in place to proactively review logs or is review event-driven, such as in the case of problems or potential security incidents?Your Name: Since ePHI is present, how will organizational resources be ensured to comply with HIPAA and SOX Security Requirements? How will the compliance practices be monitored? How will the system control access to networked devices?* Control accurate identification of authorized parties and that provides authenticated access to and use of network-based services. * Control access by authentication and authorization mechanisms to insure that only identifiable individuals with appropriate authorization gain access to specified computing and information resources. QUESTIONS: How Is authentication used for access to these systems or services? Does this system or service utilize the name as part of authentication? Is the authentication system local or is it integrated with something central, e.g. kerberos or Active Directory? What is the mechanism for handling authorization, e.g., is it technically enforced within the application?Security Plan RequirementsQUESTIONS: What are your gaps in required security controls (based on your assessment)? Identify if the risk is low, medium or high. Determine cost-effective actions, and document an action plan to address areas of high risk.Incident Response Planning & Notification Procedures Describe your recommendations and projected improvements CYBER SECURITY ASSESSMENT Biefly describe your cyber security plan recommendations for ABC include objectives and any action/security plans resulting from your security review.Understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of information resources. Ÿ Identify the level of security necessary for the protection of information resources.BACKGROUND: Centralized systems and applications are supported by ABC employees with IT-related classifications. QUESTIONS: Do job descriptions for individuals who provide application and system support accurately reflect their duties and access to restricted data or systems? Are individuals who provide IT-related services trained and knowledgeable in these areas of responsibility? Do defined procedures exist for reviewing personnel assignments for appropriate classification, security responsibilities, and separation of duties?BACKGROUND: ABC has adopted divisional change management process for outage communications and maintenance window guidelines. QUESTIONS: Explain procedures used to manage and document changes. Include any method in place to provide history of changes. Are change management procedures in place where restricted data is involved and for essential systems? Are changes tested and backout plans developed? Is documentation updated based on changes?BACKGROUND: The system or service is in the IT Data Center, this information is provided by the ABC Core Tech Operations group. The Data Center has regular data backups and mitigations for infrastructure failures, including power, fire, flooding. QUESTIONS: Where is this system or service housed, including backups? If not in the IT Data Center, or for any portions not in the Data Center, describe what is in place for the prevention, detection, early warning of, and recovery from emergency conditions. For example, are there locks, is there UPS or generator back-up power, is there fire suppression? Are procedures in place to protect restricted data during emergencies when focus may be elsewhere? Are there regular backups of critical/essential data and are they securely stored in an off-site location?BACKGROUND: Organizational procedures for reporting violations of law or security policies/procedures. QUESTION: Is management aware of procedures for reporting violations of law or policy/procedures? Are individuals? Does the department have any local procedures in addition to campus procedures? Are violations and responses reported and documented?* Control privileged account access through defined procedures for providing privileged accounts and reviewing activity under privileged account. - [Privileged access]BACKGROUND: ABC HR procedures exist for identifying positions requiring background checks. ABC requires all staff to have background checks as standard part of recruitment process. QUESTIONS: Are required background checks for employees in your organization implemented promptly upon hire or reclassification? Do you know whether other departments do the same for people who have access to your system? Vulnerability Assessment Are you taking into account all the places where your data may be stored, including desktops, reports portable devices, etc. Additionally, is education in place instructing people to minimize storage and transmission of restricted data, such as by deleting, redacting or de-identifying restricted data whenever possible, including from storage devices? Are people aware of electronic discovery and data retention requirements (when it’s OK to delete something and when it’s not? where authoritative copies live?) BACKGROUND: Does the organization have an implementation plan for protection of electronic restricted data and data security incidents are to be reported? QUESTIONS: How will employees become aware of procedures for reporting and responding to potential security incidents? Do additional departmental procedures exist, and if so, are people aware of them?ABC Cyber Security PlanINSTRUCTIONS: When addressing this question #6: 1) you only need to refer back to the final exam case study description; 2) address the points presented in the 1st two columns (i.e. 'ABC Cyber Security Plan' and 'Questions to Consider') by filling in the Action Plan colum (yelllow cells); 3) you can add additional space if needed; and 4) bullet point entries are acceptable.
Help for Assignment

Help for Assignment

Question # 00347191 Posted By: Bunny Updated on: 07/27/2016 12:53 PM Due on: 08/03/2016
Subject Computer Science Topic Algorithms Tutorials:
Question
Dot Image

100 points

This examination is worth 20 percent of your total grade. There are five semi open ended questions(worth 70 points) along with an accompanying cyber security action plan template (worth 30 points). You are to answer each of the five questions and to complete the Cyber Security Action Plan template based on best practices and your understanding of the case.

Please refer to the FAQ concerning the maximum length answer for each question. You are to use references where appropriate but are not required to use APA formatting. For the open ended questions you are to provide your answers immediately follow the question as follows:

1. Describe…

Response

2. Discuss…

Response

And so forth…

ABC HEALTHCARE CASE BACKGROUND

Healthcare companies, like ABC Healthcare, that operate as for-profit entities, are facing a multitude of challenges. The regulatory environment is becoming more restrictive, viruses and worms are growing more pervasive and damaging, and ABC Healthcare’s stakeholders are demanding more flexible access to their systems.

The healthcare industry is experiencing significant regulatory pressures that mandate prudent information security and systems management practices.

Furthermore, the continued pressure to reduce cost requires that management focus on streamlining operations, reducing management overhead and minimizing human intervention. The regulatory focus at ABC Healthcare is on the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). Both pieces of legislation highlight the need for good systems administration and controls, but focus on different aspects of the business. The main focus of HIPAA is to protect personally identifiable health information while SOX is concerned with data that impacts financial reporting. Violations may be met with both civil and criminal penalties. Therefore, the company must be ever watchful of new threats to their systems, data, and business operations.

The most prevalent security related threat to on-going business operations is the continued development and propagation of viruses and worms. Virus and worm prevention or containment is a vital component to the overall risk mitigation strategy. Virus and worm outbreaks have multiple cost aspects for the company including lost patient charges due to system unavailability, lost productivity because of recovery efforts due to infection, and potential regulatory impacts depending on the virus or worm payload. However, the company must balance risk with opportunities in order to serve the stakeholders and grow the business.

ABC Healthcare’s stakeholders include multiple groups that depend on or need access to clinical and/or financial systems in order to help support and grow the company. The access requirements and associated risk model varies by user group. The main access groups are internal only users (i.e. nurses, hourly employee, etc.), internal/remote users (i.e. salaried employees, doctors, etc.), and business partners (i.e. collection agencies, banks, etc.). Risk mitigation solutions must be developed for each user group to help ensure that the company recognizes the benefit that each group brings and to minimize the risk to business operations.

The high-level management goals of the network design implementation are as follows:

· Support the business and balance security requirements without introducing significant overhead and complexity;

· Maintain and enhance security without significantly increasing management overhead or complexity;

· Implement systems that are industry supported (standards where appropriate), scalable, and fault-tolerant;

· Ensure that the design is implemented to help ensure compliance with any and all applicable regulations;

· Proper management of access control for legitimate users and malicious users is of the utmost importance for the security of the ABC Healthcare management system. The threat is not limited to outside malicious users but also legitimate users engaged in illegitimate activity.

Based on the above description you are to provide a recommendation of how you would address each of the following ABC Healthcare’s computer network security requirements. Note, whereas cost is typically an important factor, this is not a consideration for this case analysis. Therefore, you do not need to include cost estimates. Your solution should have the “right feel”, despite the lack of depth or details necessary to be accepted by upper management. Be specific in your answers. Write them as if you were writing a proposal to your boss. Since you are developing a solution to a specific circumstance, material that is copied from an outside source will not likely fit so everything should be in your own words.

  1. Describe your technical recommendation for addressing the security requirements in the overall technical design of the ABC Healthcare network. This should include both internal and external (untrusted and trusted) aspects. Untrusted would include user connectivity to the Internet. The “trusted” network has the main purpose of supporting the business functions of known entities (i.e. partners, suppliers, etc.) which have a business relationship with the company. Note that you are to concentrate on the physical and logical level, including the type of hardware and software, however you are not expected to provide specific low level details in terms of equipment suppliers or model numbers, etc. for your recommended design. (30 points)

  1. Discuss the way you will address requirements for system monitoring, logging, auditing, including complying with any legal regulations. (10 points)

  1. Describe how the system will identify and authenticate all the users who attempt to access ABC Healthcare information resources. (10 points)

  1. Discuss how the system shall recover from attacks, failures, and accidents. (10 points)

  1. Discuss how the system will address User Account Management and related security improvements. (10 points)

  1. Complete the Cyber Security Action Plan (see attached spreadsheet) (30 points)
Dot Image
Attachments
Part_2_Question_6_Cyber_Security_Action_Plan_Spreadsheet.xlsx (19.74 KB)
Frequent_Questions_and_Answers.docx (14.29 KB)
Tutorials for this Question
  1. neil2103
    Tutorial # 00342863 Posted By: neil2103 Posted on: 07/27/2016 01:08 PM
    Puchased By: 3
    Tutorial Preview
    The solution of Help for Assignment...
      Get the Solution
    Attachments
    Solution-00342863.zip (79 KB)
  2. neil2103
    Tutorial # 00342870 Posted By: neil2103 Posted on: 07/27/2016 02:00 PM
    Puchased By: 3
    Tutorial Preview
    The solution of Help for Assignment...
      Get the Solution
    Attachments
    csec_630_final_exam_instructions.docx (27.67 KB)
    csec_630_final_exam_question_6_cyber_security_template.xls (67 KB)
Whatsapp Lisa