Running Head: EXECUTIVE SUMMARY
Executive Summary
Student’s Name:
Professor’s Name:
Date:
Executive Summary
The Health Network Hospital is headquartered in Minneapolis, Minnesota, has 600 employees, and generates an average of $500 million annually. It also has branches in Portland, Oregon, and Arlington, Virginia, which support combinations of collective operations, with each running production systems managed by its respective third-party data center hosting buyers in strategic locations near a co-location data center.
The company offers three major products. HNetExchange securely handles electronic media messages from large hospital customers and routes them to receiving customers such as clinics. HNetPay is a web portal that manages secure payments and billing. HNetConnect is an online directory listing medical staff and facilities, enabling customers to choose the service they want; doctors' credentials are updated frequently in their respective profiles.
The institution operates 3 production data centers that provide high availability across its products and host an average of 1,000 production servers, with 650 laptops as well as mobile devices issued to employees.
Information Technology at Health Network Inc. provides information security with the following objectives:
i) Information is made accessible only to authorized users, whether external or internal.
ii) Protection of the information, as a way of maintaining credibility and integrity for Health Network users.
iii) Ensuring training of personnel pertaining to information security.
iv) Ensuring that breaches of information and any suspected weaknesses are reported on time.
Risks - Threats – Weaknesses within each domain
Project Part
Deliverable
Project Part 1
Task 1: Risk Management Plan
Task 2: Risk Assessment Plan
Task 3: Risk Mitigation Plan
Project Part 2
Task 1: Business Impact Analysis (BIA) Plan
Task 2: Business Continuity Plan (BCP)
Task 3: Disaster Recovery Plan (DRP)
Task 4: Computer Incident Response Team (CIRT) Plan
Project Part 3
Task 1: Data Loss
Task 2: Information Loss
Task 3: Customer Loss
Task 4: Internet Threat
Task 5: Internal Threats
Task 6: Regulatory Changes
R-T-W, Domain Impacted, and Risk Impact / Factor

Risk: A user destroying data and deleting files in an organization
Threat: A user downloading an unknown attachment from email
Weakness: A user failing to lock the company's computer with a weak password
Domain Impacted: User Domain
Risk Impact / Factor: Minor

Risk: A user computer or devices which provide access to computer resources
Threat: Stealing of assets owned by the company, like laptops and mobile devices
Weakness: Insufficient security on the company's equipment
Domain Impacted: Workstation Domain
Risk Impact / Factor: Critical

Risk: Loss of customers
Threat: Production outages due to unforeseen circumstances like natural calamities
Weakness: Possible weakness involves generation of alerts
Domain Impacted: LAN Domain
Risk Impact / Factor: Major

Risk: Configuration errors of routers and firewall
Threat: Viruses and communication outages as well as DDoS attacks
Weakness: Lack of backup data due to a failure to follow procedures
Domain Impacted: WAN-to-LAN Domain
Risk Impact / Factor: Major

Risk: Loss of customers
Threat: Production outages due to unforeseen circumstances like natural calamities
Weakness: Lack of backup data due to a failure to follow procedures
Domain Impacted: WAN Domain
Risk Impact / Factor: Major

Risk: Unpermitted access to the company's information on the public Internet
Threat: Internal threats
Weakness: Lack of proper controls being put in place and failure to monitor networks
Domain Impacted: Remote Access Domain
Risk Impact / Factor: Major

Risk: Destruction of primary data center by fire
Threat: Changes in regulatory landscape that may impact operations
Weakness: Insufficient processes to content changes made on regulations
Domain Impacted: System/Application Domain
Risk Impact / Factor: Major
Compliance Laws and Regulations
Health Network Inc. laws and regulations include:
i) Offering quality standards to their patients
ii) Offering Internet-related products and services through IT-enabled systems,
Risk Assessment Checklist
Columns: Category, Risk, Impact, Likelihood, Difficulty of Detection

Organizational
Project lacks Executive-level Sponsor: 1, 1
Budget reduces team’s capacity: 3, 3
Management insist on decisions that lengthen schedule: 5, 5
Inefficient team structure reduces productivity: 7, 7
Review/decision cycle slower than expected: 9, 9
Vendor tasks take longer than expected: 1, 1

Staff
Hiring resources takes longer than expected: 3, 1
Work from a prior project not be completed on time: 5, 3
Low motivation reduces productivity: 7, 4
Lack of skills increases defects: 9, 6
Personnel with critical skills unavailable: 1, 3
Personnel need extra time to learn unfamiliar tools: 3, 3
Contractors leave before the project completion: 5, 6
Conflicts between team result in errors and extra rework: 7, 6

Development Environment
Facilities not be available on time: 9, 9
Facilities inadequate: 1, 1
Development tools may not be in place by the desired time: 3, 1
Development tools may not work as expected: 5, 1
Learning curve for new tools longer than expected: 7, 1

User
User requirements are unstable: 9, 1
User review/decision cycles slower than expected: 1, 9
Users may not participate in review cycles: 3, 3
Users may not accept the end product: 5, 5
Users may have expectations that cannot be met: 7, 7

Contractor
Contractor may not deliver work when promised: 9, 9
Contractor may deliver low quality products: 1, 1
Contractor may have other high-priority work: 3, 3

External
Product depends on government regulations: 5, 5
Product depends on draft technical standards: 7, 7
Specifications poorly defined: 9, 9
Additional requirements added: 1, 1
Error-prone modules may require more testing: 3, 3
Components may not be easily integrated: 5, 5

Schedule
Schedule, resources, and product definition unclear: 7, 7
Schedule is over-optimistic: 9, 9
Schedule omits necessary tasks: 1, 1
Excessive schedule pressure may reduce productivity: 3, 3
Schedule includes several tasks that have multiple predecessors: 5, 5
Schedule includes milestones that have not been clearly defined: 7, 7
ISOL 533 - Information Security and Risk Management
Risk Assessment Plan
University of the Cumberlands
Executive Summary
<Copy your Executive Summary from your ‘Part-I Task-1’ Risk Management Plan.>
Risks – threats – weaknesses within each domain
<Using the table from your ‘Part-I Task-1’ Risk Management Plan, complete the table on Page #2 of this template (review your Lab #4 solution). For the Risk Factor/Impact column use the following:
“1” is Critical: an R-T-W that impacts compliance and places the organization in a position of increased liability.
“2” is Major: an R-T-W that impacts the C-I-A of an organization’s intellectual property assets and IT infrastructure.
“3” is Minor: an R-T-W that can impact user or employee productivity or availability of the IT infrastructure.
Copy the R-T-W from your ‘Part-I Task-1’ Risk Management Plan and update it to address the Risk Impact/Factors from the table>
Compliance Laws and Regulations
<Copy your Compliance Laws and Regulations from your ‘Part-I Task-1’ Risk Management Plan>
risk management plan. The project activities described in this
document allow you to fulfill the role of an employee
participating in the risk management process in a specific
business situation.
The project is structured as follows:
Project Part Deliverable
Project Part 1 Task 1: Risk Management Plan
Task 2: Risk Assessment Plan
Task 3: Risk Mitigation Plan
Project Part 2 Task 1: Business Impact Analysis (BIA) Plan
Task 2: Business Continuity Plan (BCP)
Task 3: Disaster Recovery Plan (DRP)
Task 4: Computer Incident Response Team (CIRT) Plan
Submission Requirements
All project submissions should follow this format:
-point, double-space
Scenario
HNetPay is a Web portal used by many of the company’s
HNetExchange customers to support the management of
secure payments and billing. The HNetPay Web portal, hosted
at Health Network production sites, accepts various forms
of payments and interacts with credit-card processing
organizations much like a Web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics,
and other medical facilities to allow Health Network
customers to find the right type of care at the right locations. It
contains doctors’ personal information, work addresses,
medical certifications, and types of services that the doctors and
clinics offer. Doctors are given credentials and are able
to update the information in their profile. Health Network
customers, which are the hospitals and clinics, connect to all
three of the company’s products using HTTPS connections.
Doctors and potential patients are able to make payments
and update their profiles using Internet-accessible HTTPS Web
sites.
Information Technology Infrastructure Overview
Health Network operates in three production data centers that
provide high availability across the company’s products.
The data centers host about 1,000 production servers, and
Health Network maintains 650 corporate laptops and
company-issued mobile devices for its employees.
Threats Identified
Upon review of the current risk management plan, the following
threats were identified:
production systems
any-
owned assets, such as mobile devices and laptops
various events, such as natural disasters, change
management, unstable software, and so on
ccessible on
the Internet
Management Request
Senior management at Health Network has determined that the
existing risk management plan for the organization is out
of date and a new risk management plan must be developed.
Because of the importance of risk management to the
organization, senior management is committed to and supportive
management plan in the outline?
dent demonstrate good research, reasoning, and
decision-making skills in identifying key components
and compliance laws and regulations?
-developed draft
with proper grammar, spelling, and punctuation?
Project Part 1 Task 2: Risk Assessment Plan
After creating an initial draft of the risk management plan, the
second part of the assigned project requires you to create a
draft of the risk assessment (RA) plan. To do so, use the
template provided in class:
Evaluation Criteria and Rubrics
competencies covered in the course relating to risk
assessments?
plan in the outline?
dent demonstrate good research, reasoning, and
decision-making skills in identifying key components
and methodologies?
parts of the project to build out a risk mitigation plan?
-developed draft
with proper grammar, spelling, and punctuation?
Project Part 2 Task 1: Business Impact Analysis (BIA) Plan
This part of the project is a continuation of Project Part 1 in
which you prepared an RA plan and a risk mitigation plan for
Health Network. Senior management at the company has
decided to allocate funds for a business impact analysis (BIA).
Because of the importance of risk management to the
organization, senior management is committed to and supportive
of
performing a BIA. You have been assigned to develop the BIA
plan.
Evaluation Criteria and Rubrics
instructor regarding feedback on submitted work?
identify critical business functions, identify critical
resources, identify MAO and impact, and identify recovery
objectives?
the primary location for business units, such as Finance, Legal,
and Customer Support. Some of the corporate systems,
such as the payroll and accounting applications, are located
only in the corporate offices. Each corporate location is able
to access the other two, and remote virtual private networks
(VPNs) exist between each production data center and the
corporate locations.
The corporate systems are not currently being backed up and
should be addressed in the new plan. The BCP should also
include some details regarding how the BCP will be tested.
You may refer to the following additional resources to help you
and your team develop a BCP, and you may use a BCP
template if found during your research.
References:
Questions (Protiviti, 2013),
http://www.protiviti.com/en-US/Documents/Resource-
Guides/Guide-to-BCM-Third-Edition-Protiviti.pdf
http://www.ready.gov/business/implementation/continuity
Network. They now want you to develop a DRP in order to
overcome any mishaps that might occur in the future. You may
research and use National Institute of Standards and Technology
(NIST) templates to develop a DRP plan for the
company.
Evaluation Criteria and Rubrics
operations while efforts are ongoing to restart
previous operations?
research?
presented in class?
rofessional, well-developed report
with proper grammar, spelling, and punctuation?
Project Part 2 Task 4: Computer Incident Response Team
(CIRT) Plan
By now you should have developed an RA, a risk mitigation
plan, and a BIA, BCP, and DRP.
In this part of the project, you will create a CIRT plan for
Health Network. The company headquarters (HQ) handles all
incidents because the information security organization is
located in Minneapolis, so the plan will have its roots at HQ.
Make sure to incorporate your instructor’s feedback on earlier
submissions if applicable to the CIRT plan.
Evaluation Criteria and Rubrics
submissions?
Did the student create a professional, well-developed report
with proper grammar, spelling, and punctuation?