I already finished Task 1. With the help of Task 1 you should complete Task 2. I think it is going to be very easy to complete Task 2. I am posting the Task 1 documents below; check them once. You should do Final Project Part 1 Task 2: project assessment plan template(1) and Risk assessment checklist.xlsx
20180121012940final_project_part_i_task_1__project_management_plan.docx
20180124163012risk_register_.xlsx
final_project_part_i_task_2__project_assessment_plan_template_1___2_.docx
risk_assessment_checklist.xlsx
project_risk_management_plan__1_.pdf
ISOL 533 – Information Security and Risk Management
University of the Cumberlands
RISK MANAGEMENT PLAN
EXECUTIVE SUMMARY
This Risk Management Plan applies to Health Network, Inc. (Health Network), a fictitious health services organization headquartered in Minneapolis, Minnesota. Health Network has about 600 employees in the organization as a whole and generates approximately $500 million in annual revenue. The company has two additional locations, in Portland, Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a co-location data center, where the production systems are located and operated by third-party data center hosting vendors.
Health Network has three core products: HNetPay, HNetExchange and HNetConnect.
HNetExchange is the primary revenue source for the corporation. The service handles secure electronic medical messages that originate from customers such as large hospitals and are then routed to receiving customers such as clinics and health centers.
HNetPay is a Web portal used by most of the firm's HNetExchange customers to support the management of secure billing and payments. The HNetPay Web portal is hosted at the Health Network production sites, accepts different methods of payment, and integrates with credit-card processing companies much like an e-commerce shopping cart.
Lastly, HNetConnect is an online directory that lists health facilities, doctors and other medical service providers, allowing Health Network customers to search for the right type of healthcare at the appropriate locations. It also holds doctors' data, medical certifications, work addresses and the services that health facilities and doctors offer. Doctors are provided with credentials and are thereafter able to update the data in their profiles. Correspondingly, Health Network customers, which are hospitals and health centers, connect to all three of the company's products through HTTPS connections. Doctors and patients can make payments and update their profiles through Internet-accessible HTTPS Web sites.
The Risk Management Plan covers the Risks, Threats and Weaknesses of Health Network, Inc. (Health Network).
RISKS – THREATS – WEAKNESSES WITHIN EACH DOMAIN
The risks/threats identified are:
I. Loss of clients due to an outage in production caused by different events, such as natural catastrophes, unstable software, change management, and many more.
a. Remediation:
1. Backup strategies should be employed.
2. All losses should be examined.
3. Proxy servers should be replicated.
4. Temperature gauge alarms, smoke detectors and manual triggers should be installed or replaced.
5. Fire safety awareness should be introduced.
6. Carbon dioxide fire extinguishers, fireproof materials and water sprinklers should be installed as fire suppression systems.
II. Destruction and loss of company data due to insider threats
a. Remediation:
1. Restrict access to the application systems and data that are required to perform user activities, and restrict delete and write authorizations to the authorized data users only.
2. Monitor and track anomalous employee behaviour, such as inconsistent job performance and use of IT systems outside normal office hours, which can indicate sabotage of the organization.
USER DOMAIN:
Threat: Insider coercion and threats.
Risk: Loss of the company's private information.
Weakness: Former contractors, employees and other insiders still have remote access to company information, while current employees are not managed appropriately and are given access to information they are not authorized for.
WORKSTATION DOMAIN:
Threat: Loss of organization information through lost or stolen company assets such as mobile devices and computers.
Risk: Loss of company data.
Weakness: No software is loaded onto the mobile devices to lock the device when it receives a loss notification.
LAN DOMAIN:
Threat: Internet threats due to company products being accessible on the Internet.
Risk: Loss or destruction of company information.
Weakness: Intrusion control systems and firewalls that are inactive or not updated to protect the systems from unsanctioned access.
WAN-TO-LAN DOMAIN:
Threat: Internet threats due to company products being accessible on the Internet.
Risk: Loss or destruction of company information.
Weakness: Intrusion control systems and firewalls that are inactive or not updated to protect the systems from unsanctioned access.
WAN DOMAIN:
Threat: Hardware being removed from the production systems.
Risk: Loss of company data.
Weakness: Access control measures that do not systematically track the location of equipment as it is moved. Also, hardware may not be safe from hacking if used outside the data center.
REMOTE ACCESS DOMAIN:
Threat: Changes in the regulatory landscape that may affect operations.
Risk: Loss of customers and revenue.
Weakness: Change control procedures are insufficient to handle variations in regulations.
SYSTEM/APPLICATION DOMAIN:
Threat: Outages in production caused by different events, such as change management, natural disasters, unstable software, and many more.
Risk: Loss of customers.
Weakness: Inactive UPS systems that should protect the systems from any outage.
COMPLIANCE LAWS AND REGULATIONS
A List of Laws and Regulations That Affect the Information Security Industry
• E-commerce policy requirements: companies must provide services that are easy to use yet entirely secure, since they store private information such as home addresses, credit card numbers and other personal data.
• Information security attack policies: software developers and vendors place a low priority on security, which leaves the companies that purchase their products exposed to security issues.
• Immature information security market.
• Information security staff shortage.
• Government legislation and industry regulations: the government imposes tight policies on the technology ecosystem by subjecting consumer privacy to specific regulations.
• Wireless computing and mobile workforce policies: these arise from the increased cases of unethical hacking.
Risk Register
Field definitions (from the register template):
#: Risk Identifier, a descriptive name or number; use this for tracking across project documents.
Risk: Identify the risk and the relevant triggers that may cause the risk to be realized.
Impact on Project: Discuss the potential impact this risk may have on costs and/or schedule.
Cost $: Identify the cost associated with this risk.
Likelihood: A measure of the probability of the event occurring: Very Unlikely, Unlikely, Moderately Likely, Likely, Very Likely.
Impact: Measures the effect on scope, cost, and/or schedule: Negligible, Marginal, Significant, Critical, or Crisis.
Risk Level: The resultant of Likelihood and Impact: Low, Moderate, or High.
Mitigating Actions: Specify planned mitigation strategies: Preventative (implement immediately) or Contingency (implement if/when risk occurs).
Risk Owner: Identify who is responsible for undertaking each mitigation action.
Deadline: MM/DD/YY.
Status: Identify the status of the risk: Open, Closed, New, etc.
Register entries (reconstructed from the flattened spreadsheet; the Cost $ and Deadline fields are not filled in, and no Risk Level or Status values appear in the source):
Risk 101
Risk: Loss of company data.
Impact on Project: Former contractors, employees and other insiders have remote access to company information, while current employees are not managed appropriately and may be given access to private information.
Likelihood: Very Unlikely
Impact: Negligible
Preventative action: Enabling an intrusion detection system and an intrusion prevention system that monitor sensitive employee positions as well as access.
Contingency: Content filtering with antivirus scanning of every email attachment should be enabled.
Risk Owner: Risk Manager/Coordinator
Risk 102
Risk: Loss of revenue due to changes in the regulatory landscape.
Impact on Project: These regulatory changes may affect the company's operations.
Likelihood: Unlikely
Impact: Marginal
Preventative action: Daily data backups and offsite data storage for monthly data archiving are being implemented.
Contingency: Convert all data into digital form for long-term storage.
Risk Owner: Risk Manager/Coordinator
Risk 103
Risk: Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops.
Impact on Project: Company electronic assets may be stolen, leading to the loss of important data stored on the stolen machines; replacement may be costly if the assets are not insured.
Likelihood: Moderately Likely
Impact: Significant
Preventative action: Intrusion detection systems are being added to the company security systems.
Contingency: A redundant array of independent disks (RAID) should be used for critical data on disks; failover clusters should also be used.
Risk Owner: Electronic Architecture Lead
Risk 104
Risk: Loss of customers.
Impact on Project: The risk could cause low revenue due to lower product or service sales and therefore higher product costs. This can result from production outages caused by various events, such as natural disasters, change management and unstable software.
Likelihood: Likely
Impact: Critical
Preventative action: Daily data backups with extended data storage and archiving are being implemented.
Contingency: Assign strict intermittent task or production completion dates.
Risk Owner: Business Lead
Risk 105
Risk: Internet threats because the company products are accessible on the Internet.
Impact on Project: Data accessibility is undefined, which can lead to a breakdown of company systems through hacker and other malicious intrusion.
Likelihood: Very Likely
Impact: Crisis
Preventative action: Security on the firewalls is being increased, and intrusion detection systems are in progress.
Contingency: The workstation operating system vulnerability window should be defined; workstation antivirus and malicious code policies can also be put into effect.
Risk Owner: Electronic Architecture Lead
Risk 106
Risk: Loss of company data due to hardware being removed from production systems.
Impact on Project: Hardware removed from production systems can cause a large loss during repair if not insured.
Likelihood: Very Unlikely
Impact: Negligible
Preventative action: Threats are being identified and system breakdowns are being monitored.
Contingency: Manually check the internal CD drives and USB ports and update the systems where possible.
Risk Owner: Electronic Architecture Lead
Risk 107
Risk: Innovative new products on the market.
Impact on Project: Innovative new products may hit the market while the project is still in progress, which poses a greater risk to acceptability.
Likelihood: Unlikely
Impact: Marginal
Preventative action: A constant review of possible product improvements is being made to match the current standards in the projected market.
Contingency: Repurpose the work into a greater and more innovative project to stay on top of the game.
Risk Owner: Business Lead
Risk 108
Risk: One of the project lead team falling sick for some time.
Impact on Project: An employee assigned to a project activity on the project's critical path may fall sick, which may bring the entire project to a halt.
Likelihood: Moderately Likely
Impact: Significant
Preventative action: Continuous evaluation of employees' health and constant updating of their health information records.
Contingency: Set up a backup team so the project can progress normally even with the anomaly.
Risk Owner: Project Manager
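As an added example (not part of the student's plan or the course template), a small Python model of the register that validates Likelihood and Impact against the scales defined above and derives the Risk Level. The 5x5 matrix it uses is an assumption, since the template only says the level is the resultant of the two values, and the sample ratings are constructed.

```python
from dataclasses import dataclass

# Scales exactly as the register template defines them.
LIKELIHOOD = ["Very Unlikely", "Unlikely", "Moderately Likely", "Likely", "Very Likely"]
IMPACT = ["Negligible", "Marginal", "Significant", "Critical", "Crisis"]

# ASSUMED matrix (the template gives none): rows follow LIKELIHOOD order,
# columns follow IMPACT order; L = Low, M = Moderate, H = High.
MATRIX = [
    "LLLMM",  # Very Unlikely
    "LLMMH",  # Unlikely
    "LMMHH",  # Moderately Likely
    "MMHHH",  # Likely
    "MHHHH",  # Very Likely
]
LEVEL = {"L": "Low", "M": "Moderate", "H": "High"}


@dataclass
class RiskEntry:
    risk_id: int
    risk: str
    likelihood: str
    impact: str
    owner: str
    status: str = "Open"  # Open, Closed or New, per the template


def risk_level(likelihood: str, impact: str) -> str:
    """Derive Low/Moderate/High; reject values that are not on the template's scales."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact {impact!r}")
    return LEVEL[MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]]


def prioritize(entries):
    """(id, level) for every entry that is not Closed, highest level first, ties by id."""
    order = {"High": 0, "Moderate": 1, "Low": 2}
    scored = [(e.risk_id, risk_level(e.likelihood, e.impact)) for e in entries if e.status != "Closed"]
    return sorted(scored, key=lambda t: (order[t[1]], t[0]))


# Constructed sample using the register's risk names; the ratings are illustrative only.
SAMPLE = [
    RiskEntry(101, "Loss of company data (insider threat)", "Likely", "Critical", "Risk Manager/Coordinator"),
    RiskEntry(102, "Loss of revenue due to regulatory changes", "Unlikely", "Significant", "Risk Manager/Coordinator"),
    RiskEntry(103, "Loss of information on lost or stolen assets", "Moderately Likely", "Marginal", "Electronic Architecture Lead"),
    RiskEntry(104, "Loss of customers due to production outages", "Unlikely", "Crisis", "Business Lead"),
    RiskEntry(108, "Project lead falling sick", "Very Unlikely", "Negligible", "Project Manager", status="Closed"),
]

if __name__ == "__main__":
    for rid, level in prioritize(SAMPLE):
        print(rid, level)
```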
ISOL 533 – Information Security and Risk Management
University of the Cumberlands
RISK ASSESSMENT PLAN
EXECUTIVE SUMMARY
RISKS – THREATS – WEAKNESSES WITHIN EACH DOMAIN
COMPLIANCE LAWS AND REGULATIONS
< Copy your Compliance Laws and Regulations from your ‘Part-I Task-1’ Risk Management Plan >
R-T-W
Risk:
Threat:
Weakness:
(The Risk / Threat / Weakness block above is repeated sixteen times in the template; all entries are blank.)
Table 1
Domain Impacted
Risk Impact / Factor
Figure 1
Risk Assessment Checklist
Columns: Category, Risk, Impact, Likelihood, Difficulty of Detection (scores on a 1, 3, 5, 7, 9 scale). The Impact column is filled for every row. The Likelihood and Difficulty of Detection columns are only partly filled in the source and cannot be matched to rows; the values as extracted are Likelihood 1, 3, 5, 7, 9, 1, 1, 3, 4, 6, 3, 3, 6, 6, 9, 1, 1, 1 and Difficulty of Detection 1, 1, 9, 3, 5, 7, 9, 1, 3, 5, 7, 9, 1, 3, 5, 7, 9, 1, 3, 5, 7.
The categories in the source are Organizational, Staff, Development Environment, User, Contractor, External and Schedule; the category boundaries below are inferred from the row order.
Organizational
Project lacks executive-level sponsor (Impact 1)
Budget reduces team's capacity (Impact 3)
Management insists on decisions that lengthen schedule (Impact 5)
Inefficient team structure reduces productivity (Impact 7)
Review/decision cycle slower than expected (Impact 9)
Vendor tasks take longer than expected (Impact 1)
Hiring resources takes longer than expected (Impact 3)
Work from a prior project not completed on time (Impact 5)
Staff
Low motivation reduces productivity (Impact 7)
Lack of skills increases defects (Impact 9)
Personnel with critical skills unavailable (Impact 1)
Personnel need extra time to learn unfamiliar tools (Impact 3)
Contractors leave before project completion (Impact 5)
Conflicts within the team result in errors and extra rework (Impact 7)
Development Environment
Facilities not available on time (Impact 9)
Facilities inadequate (Impact 1)
Development tools may not be in place by the desired time (Impact 3)
Development tools may not work as expected (Impact 5)
Learning curve for new tools longer than expected (Impact 7)
User
User requirements are unstable (Impact 9)
User review/decision cycles slower than expected (Impact 1)
Users may not participate in review cycles (Impact 3)
Users may not accept the end product (Impact 5)
Users may have expectations that cannot be met (Impact 7)
Contractor
Contractor may not deliver work when promised (Impact 9)
Contractor may deliver low-quality products (Impact 1)
Contractor may have other high-priority work (Impact 3)
External
Product depends on government regulations (Impact 5)
Product depends on draft technical standards (Impact 7)
Specifications poorly defined (Impact 9)
Additional requirements added (Impact 1)
Error-prone modules may require more testing (Impact 3)
Components may not be easily integrated (Impact 5)
Schedule
Schedule, resources, and product definition unclear (Impact 7)
Schedule is over-optimistic (Impact 9)
Schedule omits necessary tasks (Impact 1)
Excessive schedule pressure may reduce productivity (Impact 3)
Schedule includes several tasks that have multiple predecessors (Impact 5)
Schedule includes milestones that have not been clearly defined (Impact 7)
Project: Risk Management Plan
Deliverables
As discussed in this course, risk management is an important process for all organizations. This is particularly true for information systems, which provide critical support for organizational missions. The heart of risk management is a formal risk management plan. The project activities described in this document allow you to fulfill the role of an employee participating in the risk management process in a specific business situation.
The project is structured as follows:
Project Part
Deliverable
Project Part 1
Task 1: Risk Management Plan
Task 2: Risk Assessment Plan
Task 3: Risk Mitigation Plan
Project Part 2
Task 1: Business Impact Analysis (BIA) Plan
Task 2: Business Continuity Plan (BCP)
Task 3: Disaster Recovery Plan (DRP)
Task 4: Computer Incident Response Team (CIRT) Plan
Submission Requirements
All project submissions should follow this format:
Format: Microsoft Word or compatible
Font: Arial, 10-point, double-space
APA Citation Style
Scenario
You are an information technology (IT) intern working for Health Network, Inc. (Health Network), a fictitious health
services organization headquartered in Minneapolis, Minnesota. Health Network has over 600 employees throughout the
organization and generates $500 million USD in annual revenue. The company has two additional locations in Portland,
Oregon and Arlington, Virginia, which support a mix of corporate operations. Each corporate facility is located near a co-location data center, where production systems are located and managed by third-party data center hosting vendors.
Company Products
Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
HNetExchange is the primary source of revenue for the company. The service handles secure electronic medical
messages that originate from its customers, such as large hospitals, which are then routed to receiving customers such as
clinics.
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Page 1
HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the management of
secure payments and billing. The HNetPay Web portal, hosted at Health Network production sites, accepts various forms
of payments and interacts with credit-card processing organizations much like a Web commerce shopping cart.
HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow Health Network
customers to find the right type of care at the right locations. It contains doctors’ personal information, work addresses,
medical certifications, and types of services that the doctors and clinics offer. Doctors are given credentials and are able
to update the information in their profile. Health Network customers, which are the hospitals and clinics, connect to all
three of the company’s products using HTTPS connections. Doctors and potential patients are able to make payments
and update their profiles using Internet-accessible HTTPS Web sites.
Information Technology Infrastructure Overview
Health Network operates in three production data centers that provide high availability across the company’s products.
The data centers host about 1,000 production servers, and Health Network maintains 650 corporate laptops and
company-issued mobile devices for its employees.
Threats Identified
Upon review of the current risk management plan, the following threats were identified:
Loss of company data due to hardware being removed from production systems
Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
Loss of customers due to production outages caused by various events, such as natural disasters, change
management, unstable software, and so on
Internet threats due to company products being accessible on the Internet
Insider threats
Changes in regulatory landscape that may impact operations
Management Request
Senior management at Health Network has determined that the existing risk management plan for the organization is out
of date and a new risk management plan must be developed. Because of the importance of risk management to the
organization, senior management is committed to and supportive of the project to develop a new plan. You have been
assign …