Nilamber Pitamber University Executive Practical Connection Assignment:
Provide a reflection of at least 500 words (or 2 pages double spaced) of how the knowledge, skills, or theories of this course have been applied, or could be applied, in a practical manner to your current work environment. If you are not currently working, share times when you have or could observe how these theories and knowledge could be applied to an employment opportunity in your field of study.
Requirements:
Provide a 500 word (or 2 pages double spaced) minimum reflection.
Use of proper APA formatting and citations. If supporting evidence from outside resources is used those must be properly cited.
Share a personal connection that identifies specific knowledge and theories from this course.
Demonstrate a connection to your current work environment. If you are not employed, demonstrate a connection to your desired work environment.
You should NOT, provide an overview of the assignments assigned in the course. The assignment asks that you reflect how the knowledge and skills obtained through meeting course objectives were applied or could be applied in the workplace.
BASED ON THE ATTACHED DOCUMENTS EXECUTIVE SUMMARY
Information private security is essential in a company that can help reduce and prevent
risks associated with a breach of data. The Health Network, Inc has been facing several
challenges about information security policy. They include the following:
Loss of organization information due to the removal of hardware from the
production system.
Loss of organization information due to stolen or lost mobile and laptops devices.
Changes in the laws and regulatory landscape affecting operations.
Inside threats
Accessibility of the internet, causing internet threats.
Loss of clients due to production outages.
This policy establishes information security needs to ensure that the organization’s
information regarded as property and computer systems do not get jeopardized and that
production services get guarded in regards to organization goals.
The goals of the Information Security Policy are:
To ensure the information is easily accessible only to the authorized personnel
with the borders of the health center.
To ensure the availability, integrity, confidentiality of data is secure from external
forces.
To ensure that all workers involved with the IT department are thoroughly trained
information security and should be mandatory to comply with the policy.
To ensure all suspected weaknesses and breach of data security should be reported
quickly and investigated the source.
Therefore, this paper covers the threats, risks, and weaknesses of the Health Network,
Inc. (Health Network).
RISKS THREATS WEAKNESSES WITHIN EACH DOMAIN
The following risks, threats, and weaknesses are critical to the organization considering they
violate or put the company at a substantial risk of breaking the HIPAA regulation: accessing the
workstation without authorization, loss of data for both customers and personnel, access to LAN
without permission, the LAN-to-WAN access without approval, loss of confidential information,
and destroying the entire server. It is essential that the company works at minimizing these
potential risks through the implementation of an appropriate IT security system through which to
avoid the possible legal consequences of a data breach and violation of the HIPAA. Other
significant risks to account for considering their potential impact on the company’s integrity are
the damage to the user domain, a slow network connection, and the damage to the physical
infrastructure of the company as the wiring closets and computer rooms.
COMPLIANCE LAWS AND REGULATIONS
Every organization, regardless of its operations, is obliged to comply with the laws and
regulations of information system security. As an organization, to avoid regulatory action from
the Information Security Law and stay secure, the company requires to identify with the rules
and regulations that apply to network systems protection against known or unknown threats. The
Act of HIPAA is a law passed by the United States Congress to provide information privacy and
security for protecting health information. Consequently, through the emergence of EMR’s
advanced, the rules and regulations encompassing privacy and confidentially of medical
information continued to adjust (Jacques, 2010). The HIPAA initiated in the year 1996 in
acknowledgment to the growing problems facing healthcare security, privacy, and coverage in
the U.S. The healthcare institutions began to shift to electronic method of storing information as
the HIPAA act began to take effect (Taitsman et al., 2016).
Every clinical manager has to ensure and enhance in-depth ethical implications concerning
the use of data and technology in all aspect of management, from client care to operations
management. However, the violation of HIPAA by medical practitioners continues to increase
every day (Choi et al., 2006). There are several cases of HIPAA violations that are identified
through analysis by the U.S DHHS, OCR. Every medical practitioner is required to protect and
preserve private any patient/client medical information under the HIPAA Privacy Rule (Mercuri,
2004). The medical providers have a set of rules that direct their ethical conduct regarding the
confidentiality of a patient’s medical data (Taitsman et al., 2016). The achievement of healthcare
organizations is due to their privacy rule system.
R-T-W
Domain Impacted
Risk: User Domain damage
Threat: Can cause damage to the server
Weakness: Lack of awareness and insertion of CD and
External Drives
Risk: Accessing the workstation without authorization
Threat: Cybersecurity
Weakness: Poor firewall security system
Risk: Use of invalid USB and CD drives with music,
videos, and photos
Threat: Viruses
Weakness: No proper management of the systems
Risk: Loss of data for both customers and personnel
Threat: Loss of clients
Weakness: No strict and high-security codes
Risk: Access to LAN without authorization
Threat: Cause damage
Weakness: Lack of proper wiring of the data centers
Risk: The LAN-to-WAN access without permission
Threat: Loss of information
Weakness: Lack of strict security monitoring controls
User Domain
2
Workstation Domain
1
User Domain
3
Workstation Domain
1
LAN Domain
1
LAN-to-WAN
1
Risk: Slow network connection
Threat: Access to WAN-to-LAN without permission
Weakness: Firewall, Ip Router, & network appliance
WAN-to-LAN
Risk: Interference with internet traffic
Threat: Use of the internet for private
communications
Weakness: Lack of secure encryption
Risk: Loss of confidential information
Threat: Attack on the user domain
Weakness: Use of multiple logins
WAN Domain
3
Remote Access
1
Risk: Damage in the wiring closets and computer
rooms
Threat: Accessing systems without application
Weakness: No strict rules and policies
Risk: Destroy the entire serve
Threat: Accessing private information
Weakness: Low level of authentication procedures
System/Application
Table 1
Risk Impact /
Factor
Domain
2
Domain
Domain
2
Domain
System/Application
Domain
1
Figure 1
References
Choi, Y. B., Capitan, K. E., Krause, J. S., & Streeper, M. M. (2006). Challenges associated with
privacy in the health care industry: implementation of HIPAA and the security rules.
Journal of Medical Systems, 30(1), 57-64.
Jacques, L. B. (2010). Electronic health records and respect for patient privacy: a prescription for
compatibility. Vand. J. Ent. & Tech. L., 13, 441.
Mercuri, R. T. (2004). The HIPAA-potamus in health care data security. Communications of the
ACM, 47(7), 25-28.
Taitsman, J. K., Grimm, C. M., & Agrawal, S. (2013). Protecting patient privacy and data
security. New England Journal of Medicine, 368(11), 977-979.
PROJECT SCENARIO
Executive Summary
Information private security is essential in a company that can help reduce and prevent
risks associated with a breach of data. The Health Network, Inc has been facing several
challenges in relation to information security policy. They include the following:
Loss of organization information due to the removal of hardware from the
production system.
Loss of organization information due to stolen or lost mobile and laptops devices.
Changes in the laws and regulatory landscape affecting operations.
Inside threats
Accessibility of the internet, causing internet threats.
Loss of clients due to production outages.
This policy establishes information security needs in order to ensure that the
organization’s information regarded as property and computer systems are not jeopardized and
that production services are guarded in regards to organization goals.
The goals of the Information Security Policy are:
To ensure the information is easily accessible only to the authorized personnel
with the borders of the health center.
To ensure the availability, integrity, confidentiality of data is secure from external
forces.
To ensure that all workers involved with the IT department are thoroughly trained
information security and should be mandatory to comply with the policy.
To ensure all suspected weaknesses and breach of data security should be reported
quickly and investigated the source.
Therefore, this paper covers the threats, risks, and weaknesses of the Health Network,
Inc. (Health Network).
Risks-Threats-Weakness within Each Domain
Risk Threat – Weakness
Domain Impacted
Risk: User Domain damage
Threat: Can cause damage to the server
Weakness: Lack of awareness and insertion of CD and External
Drives
Risk: Accessing the workstation without authorization
Threat: Cybersecurity
Weakness: Poor firewall security system
Risk: Use of invalid USB and CDs drives with music, videos, and
photos
Threat: Viruses
Weakness: No proper management of the systems
Risk: Loss of data for both customers and personnel
Threat: loss of clients
Weakness: No strict and high-security codes
Risk: Access to LAN without authorization
Threat: cause damage
Weakness: Lack of proper wiring of the data centers
Risk: The LAN-to-WAN access without authorization
Threat: Loss of information
Weakness: Lack of strict security monitoring controls
Risk: Slow network connection
Threat: Access to WAN-to-LAN without authorization
Weakness: Firewall, Ip Router, & network appliance
Risk: Interference with internet traffic
Threat: Use of the internet for private communications
Weakness: Lack of secure encryption
Risk: Loss of confidential information
Threat: attack on the user domain
Weakness: Use of multiple logins
Risk: Damage in the wiring closets and computer rooms
Threat: Accessing systems without application
Weakness: No strict rules and policies
User Domain
Workstation Domain
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN-to-LAN Domain
WAN Domain
Remote Access Domain
System/Application
Domain
Risk: Destroy the entire serve
Threat: Accessing private information
Weakness: Low level of authentication procedures
System/Application
Domain
Compliance Laws and Regulations
Every organization, regardless of its operations, is obliged to comply with the laws and
regulations of information system security. As an organization, to avoid regulatory action from
the Information Security Law and stay secure, the company requires to identify with the rules
and regulations that apply to network systems protection against known or unknown threats. The
Act of HIPAA is a law passed by the United States Congress for the purpose of providing
information privacy and security for protecting health information. Consequently, through the
emergence of EMR’s advanced, the rules and regulations encompassing privacy and
confidentially of medical information continued to adjust (Jacques, 2010). The HIPAA was
initiated in the year 1996 in acknowledgment to the growing problems facing healthcare security,
privacy, and coverage in the U.S. The healthcare institutions began to shift to electronic method
of storing information as the HIPAA act began to take effect (Taitsman et al., 2016).
Every clinical manager has to ensure and enhance in-depth ethical implications
concerning the use of data and technology in all aspect of management, from client care to
operations management. However, the violation of HIPAA by medical practitioners continues to
increase every day (Choi et al., 2006). There are several cases of HIPAA violations that are
identified through analysis by the U.S DHHS, OCR. Every medical practitioner is required to
protect and preserve private any patient/client medical information under the HIPAA Privacy
Rule (Mercuri, 2004). The medical providers have a set of rules that direct their ethical conduct
regarding the confidentiality of a patient’s medical data (Taitsman et al., 2016). The achievement
of healthcare organizations is due to their privacy rule system.
References
Choi, Y. B., Capitan, K. E., Krause, J. S., & Streeper, M. M. (2006). Challenges associated with
privacy in the health care industry: implementation of HIPAA and the security rules.
Journal of Medical Systems, 30(1), 57-64.
Jacques, L. B., (2010). Electronic health records and respect for patient privacy: a prescription
for compatibility. Vand. J. Ent. & Tech. L., 13, 441.
Mercuri, R. T., (2004). The HIPAA-potamus in health care data security. Communications of the
ACM, 47(7), 25-28.
Taitsman, J. K., Grimm, C. M., & Agrawal, S. (2013). Protecting patient privacy and data
security. New England Journal of Medicine, 368(11), 977-979.
RISK MITIGATION PLAN
1
Risk Mitigation Plan
Name:
RISK MITIGATION PLAN
2
RISK MITIGATION PLAN
EXECUTIVE SUMMARY
This Risk Mitigation Plan is for Health Network, Inc. (Health Network), a fictitious health
services organization headquartered in Minneapolis, Minnesota. Health Network has over 600
employees throughout the organization and generates USD 500 million in annual revenue. The
company has two additional locations in Portland, Oregon, and Arlington, Virginia, which
support a mix of corporate operations. Each corporate facility is located near a co-location data
center, where production systems are located and managed by third-party data center hosting
vendors.
Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the company. The service handles secure
electronic medical messages that originate from its customers, such as large hospitals, which are
then routed to receiving customers such as clinics.
HNetPay is a Web portal used by many of the companys HNetExchange customers to
support the management of secure payments and billing. The HNetPay Web portal, hosted at
Health Network production sites, accepts various forms of payments and interacts with creditcard processing organizations much like a Web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to
allow Health Network customers to find the right type of care at the right locations. It contains
doctors personal information, work addresses, medical certifications, and types of services that
the doctors and clinics offer. Doctors are given credentials and are able to update the information
in their profile. Health Network customers, which are the hospitals and clinics, connect to all
RISK MITIGATION PLAN
3
three of the company’s products using HTTPS connections. Doctors and potential patients can
make payments and update their profiles using Internet-accessible HTTPS Web sites.
CRITICAL 1 RISKS AND SHORT-TERM REMEDIATION
The risk/threats identified are:
I.
Loss of customers due to production outages caused by various events, such as natural
disasters, change management, unstable software, and others
a. Remediation:
II.
In order to provide a remedy for the loss of customers as a result of the mentioned
challenges, the firm will need to create a reliable backup system. A backup system will
ensure that the firm continues its day to day operations regardless of the occurrence of the
mentioned incidents. In this case, the backup mechanism will provide a measure of not
only guaranteeing that the corporate data remains intact but also ensuring that the
business operations are not interrupted due to the occurrence of natural disasters among
other challenges (Christiansen, D’angona & Bell, 2014).
a. CBA:
When such incidents occur, they may result in massive loss which may not necessarily equate to
monetary value. However, the value that the mentioned outages may bring may be a loss of
consumer`s trust due to inconsistencies in the operations carried o0ut and the services provided.
The cost of treating the risk is approximately $5000, which involves the implementation of
power, data, and workforce backup.
III.
Loss or destruction of company information due to insider threats
a. Remediation:
RISK MITIGATION PLAN
4
To mitigate insider threat involves the firm installing access control mechanisms such as access
cards.
b. CBA:
Insider threat may lead to loss of valuable information which may cost the firm reputation and
legal actions. The cost of treating risk identified involves the redesign of the access mechanisms
used by the employees. The benefits of the potentially expensive mitigation strategy are that it
helps to reduce the chances of loss or compromise of vital company data in the future.
MAJOR 2 / MINOR 3 LONG-TERM REMEDIATION
I.
Loss of company data due to the hardware being removed from production systems
a. Remediation:
To control the removal of computer hardware from the production lines, the firm will
need to set up policies meant to control the access of such areas to the authorized
personnel only.
b. CBA:
Installing access control and authentication and authorization systems may cost the
company about $3000 since it involves the purchase of the relevant equipment. The
costs associated with the risk include loss of vital company`s data and reduced
production, thus resulting in poor performance. The benefit of the implementation of
the mitigation is that it helps to reduce the chances of similar occurrences in the
future.
RISK MITIGATION PLAN
II.
5
Loss of company information on lost or stolen company-owned assets, such as mobile
devices and laptops
a. Remediation:
To mitigate this loss, the firm will need to install surveillance cameras to control the
loss of laptops, among other assets. Also, the firm will need to implement encryption
measures to reduce the chances of data loss to the wrong parties.
b. CBA:
The cost of installing these technologies may amount to approximately $3000
catering for the purchase and installations. The benefits associated with the
technologies include the reduction of risks which may involve loss of valuable data
and assets.
III.
Theft of company confidential information due to insider threats.
a. Remediation
Insider threat to the confidential information of the firm can be mitigated through
the application of access control systems. With access control systems, the
business will monitor the employees who try to access or manipulate the critical
corporate data (Gritzalis, Stavrou, Kandias & Stergiopoulos, 2014).
b. CBA:
The costs of controlling this risk include the implementation of technologies such
as access cards, surveillance cameras, logging software, and encryption measures.
The benefits of this mitigation are that it will reduce the possibilities of the
occurrence of similar incidents in the future.
RISK MITIGATION PLAN
IV.
6
Loss of customers or revenue due to changes in the regulatory landscape that may
impact operations.
a. Remediation
To mitigate this threat, the business must implement a dedicated legal and regulatory
department.
b. CBA: The costs of mitigating this threat include employing new workers to act as
legal, regulatory, and compliance experts for the business. The business may incur
additional costs to cater for the remuneration of these employees. However, the
business may benefit from reduced risks of regulatory implications and compliance
challenges which may arise in the future.
IMPLEMENTATION PLAN
R-T-W
Domain
Risk Impact
Impacted
/ Factor
System /
2 Major
Threat: Hardware being removed from production systems
Risk: Loss of company data.
Application
Domain
RISK MITIGATION PLAN
7
Weakness: Access Control procedures do not track the
location of equipment as it is moved. Hardware may not be
protected from hacking if used outside the data center.
Threat: Loss of company information on lost or stolen
2 Major
company-owned assets, such as mobile devices and laptops
Workstation
Risk: Loss of company information
Domain
Weakness: Software not loaded on mobile devices to lock
system when notified of the loss.
Threat: Production outages caused by various events, such as
1 Critical
natural disasters, change management, …
Purchase answer to see full
attachment
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.