Phase 3 of Final Project: Write a two- to four-page paper that addresses and reflects upon the following: Describe the
- Phase 3 of Final Project: Write a two- to four-page paper that addresses and reflects upon the following:
- Describe the concepts and practices of designing and implementing business continuity and disaster recovery plan.
- How might you test a disaster recovery plan?
- What should a risk management plan include?
- How does a change management plan impact the overall risk strategy?
- What are the important concepts that should be included in a security plan for developing secure software?
- Support your writing with at least two outside sources. The paper should be in APA format.
- This is the 3rd part to be submitted; please look at the previous 2 parts.
2
THREAT ANALYSIS OF HEALING TOUCH HOSPITAL 2
2.4 Assignment: Threat Analysis
Threat Analysis of Healing Touch Hospital
Mandar Sathe
Indiana Wesleyan University
03/20/2022
Threat Analysis of Healing Touch Hospital
Healing Touch hospital is a beacon for healthcare for many individuals around the district. Being the biggest hospital in the region, many individuals depend on it for various services, including special surgeries, emergency care, dialysis, and hospice care. The hospital is also nationally recognized for its services, and it is known for having some of the best and most well-trained nurses in the country.
However, the hospital has encountered serious challenges regarding computing security. The hospital has been victim to several instances of theft, where important computing supplies have gone missing or been stolen by known assailants. Though in many cases, those who are guilty are seen and arrested, there is a lot of time and resources spent in this pursuit, which costs the hospital more funds and decreases the quality because nurses and doctors are at times forced to rely on manual means such as recording data on their notebooks instead of inserting them into the system directly.
The organization has also been the victim of three separate denial-of-service attacks. The company has managed to keep the attacks out of the media by silently paying the attackers, but their impacts have been felt. In one instance, the attack was about three hours, forcing patients in the intensive care unit (ICU) to be transferred to different rooms because the attackers had interfered with the pronation beds in the hospital. The fact that this has happened three times has made the institution worry. This is made worse because the institution has been quick to pay the attackers, creating the insinuation that they are an easy target who pay quickly and easily.
Considering these factors, the organization has tasked my team to perform a threat analysis to determine where the institution is most vulnerable and implement strategies that will best protect the institution. The organization is determined to tighten the security in the hospital and is willing to do whatever it takes to ensure that theft and denial of service attacks come to an end.
Threat Analysis Steps
Identifying Threats
In computing security, a threat is a potential vulnerability that can harm the system (McCabe, 2007). Human actions or natural disasters can cause threats. In the organization's case, the threats are mainly human. Threats can affect the hardware, software, services, and data. To determine the hospital's threats, the team looked at the hospital's history of data security and previous attackers' methods to attack the institution.
The first threat that the team determined was that the hospital did not protect its hardware properly (Pfleeger & Pfleeger, 2012). The hospital's security guards were old and not physically fit, making it easy for a thief to grab and dash. The guards could not run fast enough to catch the thieves. Though the hospital had security cameras, they were a proactive measure because they did little to stop attackers from stealing equipment from the hospital. The team also interviewed the security guards, who said they were understaffed and were mostly involved in incidents of unruly patients when the theft took place. An example was when a mentally ill patient was in the emergency department being treated for a cut, when he began acting unruly, forcing security guards and doctors to restrain him. When the fracas was over, the hospital realized two computer monitors were missing. There is also a risk that when the patients are acting disorderly, they can damage the hardware in the hospital.
The second threat is the reoccurring denial-of-service attacks. On investigation, we realized that the source of three attacks came from within the hospital. The first attack came when a nurse used the hospital's computer to access unsecured websites. The hacker downloaded malicious software onto his computer when accessing these websites, which acted as the doorway to the hospital's system. This reveals two elements to this: the human element, where the employee opened the door for the hacker to download the malicious software, and the system’s failure to detect the intrusion and the download of the malicious software.
The other two attacks were hardware-based. In one of the attacks, the attacker gained access to the server room, which was locked using a normal padlock. The attacker gently cracked the door open and accessed the server room, where he planted malicious software onto the server directly. After ensuring that the software was in place, he left the hospital and began the attack remotely. The other attack happened when the attacker inserted a USB drive that contained malicious software onto a nurses’ workstation computer. Again, in both of these instances, there are issues of human negligence.
Addressing the Threats
After identifying the threats, the conclusion is that addressing the issues in computer security requires a double-pronged approach. The fix needs to address the human element and the computing element. The human element deals with the humans that work with the security system. This includes the guards, nurses, doctors, and other personnel who interact directly with the system. Understanding the effect of the human element on the system is very important because it may help prevent future attacks and helps to mitigate the risks caused by threats.
The first step is to deal with the security guards. The recommendation to the hospital is that they should invest in more security guards. Outsourcing the job to an external entity is a viable solution, where they contract a company to provide security to the hospital. The hospital can also choose to hire directly, although they are unlikely to find good candidates due to the job's stature. The best option for the hospital is to partner with a security company and increase the manpower in the hospital. The security personnel should be trained to be proactive, meaning that they have to detect danger before it happens. A plan needs to be set in motion to ensure that if someone snatches a piece of hardware, they are locked down and are not allowed to leave. The security personnel need to be trained on the basics of computing security to ensure that they can detect the dangers associated with computing security.
The next step is to train the faculty (nurses, doctors, and other personnel) on digital security. It may be that the individual who tried to access the harmful sites had no knowledge that they existed. This education is also to protect the system from harm caused from inside the system. The hospital can also place policies that advocate against using office equipment for personal use. The existence of consequences for such offenses in the policies will help improve the system's security from internal issues.
The computing element is also an important aspect to analyze and inspect. The recommendation is that the hospital invests in an in-house IT team responsible for updating and revamping the current system. Their first task will be installing appropriate intrusion detection systems to prevent external parties from accessing the system illegally. The team will also be responsible for ensuring the safety of the servers and other hardware in the hospital by implementing better security systems such as password-controlled locks on the doors of the server rooms. This will help prevent the servers from physical intrusion. The IT team will also be responsible for ensuring a balance between confidentiality, integrity, and availability that suits the hospital. They will also help the hospital stop an intrusion after they are successful, preventing the organization
's harm or loss of data.
Implementing better security features will take time and require all parties involved to be committed and patient as the results are being achieved. The support of upper management in providing finances and implementing policies will be crucial to ensure the success of the new changes.
Conclusion
Computing security is a serious issue for many organizations after experiencing the effects of not addressing computing security. Healing Touch hospital has made it its mission to upgrade its system and policies to ensure that they protect the hospital and its needs. Though the journey is a marathon, not a sprint, in the long-term, the decision to uphold computing security will prove to be very helpful for the organization.
References
McCabe, J. D. (2007). Security and Privacy Architecture. Network Analysis, Architecture, and Design, 359–383. https://doi.org/10.1016/b978-012370480-1/50010-4
Pfleeger, S. L., & Pfleeger, S. L. (2012). Analyzing Computer Security. Prentice-Hall.
,
6
Mitigation Strategy
Mandar Sathe
Indiana Wesleyan University
03/03/2022
Executive Summary
The objectives of the risk mitigation plan are to provide a series of strategies that an organization can follow to respond to the risks that keep arising in its business environment. These techniques play an integral role in guiding the management's decision-making process by providing reliable steps that they can take to manage, evaluate, and mitigate any form of potential risks that might be facing the organization. The goal of XM Retail is to remain in operation for as longest time possible by obtaining reliable strategies that will guide the company’s investment and decision making processes to ensure that the possible risk that can occur will be limited as much as possible. Therefore, paper aims at presenting the strategies that the company will follow to ensure that any form of risk will be encountered promptly. If it occurs, the company will be able to get back on its feet and pursue further goals that will enable them to become sustainable.
Avoidance
When the company is avoiding a particular risk, they are refusing to accept it. Therefore, the exposure of the risk in the organization is not allowed to come into existence. The organization will avoid engaging in activities that will give rise to risk. Again, the actions of the organization will be predicted by the alternatives the company establishes during decision making to ensure that they can have a wide variety of room to explore the less risky activities that they can engage in. for instance, if the organization desires to avoid the risks that are associated with property ownership, then they will tend to refrain from purchasing buildings for the office floors but will instead go for renting or leasing options (Rafi-Ul-Shan et al., 2018). By successfully stepping away from the activities that will attract the risk, the organization will be able to avoid encountering unanticipated activities. Risk avoidance, in this case, will apply to our organization because it is a retail outlet exposed to serious issues such as the theft of products. Suppose the organization intended to invest in a new area but realized various risk concerns relating to theft and burglary cases. In that case, the management will withhold the decision to make the investment and cancel the projects. Although this might limit the ability of the organization to expand its boundaries, it will be worth pursuing rather than pushing ahead with the investment only to suffer the consequences. Alternatively, the company can anticipate that the employees might find strategies to steal the company merchandise, which will cost the organization a lot. Therefore, to avoid experiencing this risk, they will implement policies and procedures involving employees checking out when they are leaving to ensure that they are not leaving with the company merchandise.
Consequently, there might be a possibility that some of the products that the suppliers supplied could be defective, and this could pose some serious health risks for the consumer if they consume them. Therefore, to avoid this risk, the company will conduct thorough screening on the quality of the products by close checking with the existing health standards to eliminate defective products from harming the company employees. However, although some risks are unavoidable, having a clear risk avoidance will be important.
Risk spreading
This involves preparing measures that will enable the organization to avoid putting all eggs in one basket and focus on distributing the risk to various areas. The best scenario for this is when recently, the company was involved in distributing the company assets in terms of geographical location. The company realized that they maintain an inventory of high-value merchandise stored in the same warehouse as what the organization uses to store the rest of the retail products. The underlying risk, in this case, is that the company could end up losing all of its merchandise in case thieves were able to gain access to it. Therefore, to remediate this risk, the company plans to open up three other warehouses in different geographical regions (Naidoo and Gasparatos 2018). If the thieves can compromise one warehouse, the organization will still have other warehouses to supply the required merchandise, thus not running out of business. Another example of risk spreading that the company is pursuing is ensuring that they regularly back up the company data on an external drive. Retaining a copy of the organization's inventory in an external drive will prevent the organization from losing all of its company data due to malware intrusion or computer breakdown. From this perspective, although risk spreading will cost the organization some funds, it will be worth pursuing because it decreases the rate of risk exposure to the organization's critical assets.
Risk reduction
This strategy involves any particular security measures or pursuing activities that will play an integral role in reducing the exposure of company assets to risks. This will involve the usage of hazard analysis techniques. These FMEA or FTA practices will prioritize the risks that an organization will experience and reduce the severity of the consequences resulting from the unwanted risk. In situations where it will be impossible to minimize the severity, the organization can turn to implement restrictive controls that will detect the unwanted events before delivering their consequences to the organization by identifying the root causes that will trigger failure. Also, the company can ensure that its controls focus on the decisions that the management intends to pursue and ensure that the process will be improved by increasing the ability of the organization to identify an alternative decision-making design to improve accuracy and avoid blackspots (Tarei et al., 2020). Apart from this, the company can focus on diversifying the security risk at hand by thinking of a wide variety of product mixes, technologies, operations, markets, and supply chains that will provide the organization with the highest possible opportunity to limit high-risk exposure by availing opportunities that are more manageable and acceptable. Lastly, a risk reduction strategy will help our organization by ensuring that when the risk goes against all odds and occurs, the company will rely on the superior decision-making system to guide how the company will get back to its feet and reduce the rate of exposure to more failures.
References
Naidoo, M., & Gasparatos, A. (2018). Corporate environmental sustainability in the retail sector: Drivers, strategies and performance measurement. Journal of Cleaner Production, 203, 125-142.
Rafi-Ul-Shan, P. M., Grant, D. B., Perry, P., & Ahmed, S. (2018). Relationship between sustainability and risk management in fashion supply chains: A systematic literature review. International Journal of Retail & Distribution Management.
Tarei, P. K., Thakkar, J. J., & Nag, B. (2020). Benchmarking the relationship between supply chain risk mitigation strategies and practices: an integrated approach. Benchmarking: An International Journal.
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.