You are a recently hired cybersecurity risk manager for a fictitious health services organization, Health Infrastructure Services, Inc. (HISI), headquartered outside of Richmond, Virginia. The CISO has determined that the existing risk management plan is out of date and a new risk management plan must be developed. Senior leadership is committed to and supportive of the project to develop a new plan.
Scenario
You are a recently hired cybersecurity risk manager for a fictitious health services organization, Health Infrastructure Services, Inc. (HISI), headquartered outside of Richmond, Virginia. The CISO has determined that the existing risk management plan is out of date and a new risk management plan must be developed. Senior leadership is committed to and supportive of the project to develop a new plan.
Your first task is to develop this new umbrella plan and supporting plans/artifacts.
Though a young firm (3 yrs.), HISI has just over 250 employees and annual revenue of $100 million.
The company has one additional location near San Diego, California, which supports a mix of company operations.
The company utilizes a managed services infrastructure relying on a mix of major cloud infrastructure and services provider for its corporate IT infrastructure (aside from the company laptops and smartphones provided to all staff and executives). This includes IT production and development environments, databases, and online presence, as well as, typical telecom and corporate desktop services (e-mail, document processing, reports management, etc.).
HISI Services
HISI offers three core services: SecureConnect, SecureExchange, and SecurePay.
SecureConnect is an online directory that lists doctors, clinics, and other medical facilities to allow customers to find the right type of healthcare near them. It contains doctors’ specialties, practice locations, medical qualifications, and specific types of services that the doctors’ practices and clinics offer. Practice and clinic managers are given credentials and are able to update the information in their profiles. HISI customers, primarily hospitals and clinics, connect to all three of the company’s products using HTTPS connections. Patients are also able to make payments using Internet-accessible HTTPS websites.
SecureExchange is a secure medical messaging service, the primary revenue source for the company. It handles messages that originate from its customers, such as large clinics, and routes them securely to receiving customers such as hospitals or other clinics.
SecurePay is an online portal used by many of the firm’s customers to support the management of secure billing and payments. The portal, hosted in the cloud, accepts various forms of payments and interacts with credit card processing organizations.
Threats Identified
Upon review of the current risk management plan, the following threats were identified:
Loss of company data due to cloud services and infrastructure
Loss of company information on lost or stolen company-owned assets, such as mobile phones and laptops
Loss of customers due to production outages caused by various events, such as natural disasters, change management, unstable software, and so on
Remote access threats
Insider threats
Changes in regulatory landscape that may impact operations
Risk Management Plan (Stages 1, 2, 3, and 4)
The final submission for the complete Risk Management Plan should be a cohesive report. Sections 1, 2, 3, and 4 should be updated to reflect feedback received throughout the course. The formatting should be consistent throughout the project and the writing should flow well from beginning to end. The final submission should be one cohesive body of work.
Overall, the entire plan should be 18 to 20 pages (total length), which includes the following:
Cover page
Table of contents
Overall risk management program concept
Risk assessment process
Risk mitigation approach
Business continuity and disaster recovery plans
POAM template
Supporting references
Appendix
This assignment corresponds to or addresses the following Cybersecurity Program outcomes for the bachelor of science degree:
Students assess and apply cybersecurity principles, tools, and methods to defend information systems against cyber threats. [BSCS 1]
Students protect an organization’s critical information infrastructure by applying cybersecurity design best practices and technologies to prevent and mitigate cyber attacks and vulnerabilities. [BSCS 2]
Students analyze and navigate policy, legal, ethical, and compliance aspects of cybersecurity. [BSCS 7]
Your work on this assignment should reflect your ability to:
[Stage 1: Outline and POAM Template]
Describe how the fundamental concepts of cyber defense can be used to provide system security. (Concepts of cyber defense)
Describe cyber defense tools, methods, and components. (Cyber defense tools, methods, and components)
List the applicable laws and policies related to cyber defense and satisfactorily describe the major components of each pertaining to the storage and transmission of data. (Laws and policies)
Describe responsibilities related to the handling of information about vulnerabilities. (Responsibilities)
[Stage 2: Risk Assessment Approach and Process]
Describe why each principle of security is important and how it enables the development of security mechanisms that can implement desired security policies. (Development of security mechanisms)
Analyze common security failures and identify specific design principles that have been violated. (Common security failures)
Examine the architecture of a particular system and identify significant vulnerabilities, risks, and points at which specific security technologies/methods should be employed. (System architecture)
Describe responsibilities related to the handling of information about vulnerabilities. (Responsibilities)
[Stage 3: Risk Mitigation Plan]
Describe potential system attacks and the actors that might perform them. (Potential system attacks)
Identify the bad actors in cyberspace and capably compare and contrast their resources, capabilities/techniques, motivations, and aversion to risk. (Identification of bad actors)
Describe different types of attacks and their characteristics. (Types of attacks)
Apply cyber defense methods to prepare a system to repel attacks. (Cyber defense methods)
Given a specific scenario, identify the needed design principle. (Needed design principle)
Examine the architecture of a particular system and identify significant vulnerabilities, risks, and points at which specific security technologies/methods should be employed. (System architecture)
[Stage 4: Disaster Recovery and Business Continuity]
Describe appropriate measures to be taken should a system compromise occur. (System compromise)
Examine the interaction between security and system usability and discuss the importance of minimizing the effects of security mechanisms. (Interaction between security and system usability)
List the applicable laws and policies related to cyber defense and satisfactorily describe the major components of each pertaining to the storage and transmission of data. (Laws and policies)
Satisfactorily describe responsibilities related to the handling of information about vulnerabilities. (Responsibilities)
Click here for further assistance on this assignment
