INTRODUCTION
Throughout your career in cybersecurity management, you will be asked to develop and improve an IT department to support a company’s strategic goals and mission. Assessments of the organization’s cybersecurity posture will need to be conducted to secure the company’s information and systems. The organization’s leadership may decide to hire external consultants to do this assessment. The consultants will review the security policies, standards, procedures, and guidelines that are used to secure the company’s assets. Additionally, they will look at compliance issues, personnel roles and assignments, continuity plans, and overall risk management.
In this task, you will serve as a chief information security officer (CISO) to review a security assessment report provided by an external consulting firm (see the attached “Security Assessment Report for Fielder Medical Center”). You will confirm or reject the findings by evaluating the focus points of the security assessment report and will develop a remediation plan for compliance based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5 and your company’s business needs.
SCENARIO
Fielder Medical Center (FMC) is a federally funded healthcare facility that seeks to expand its business into the local sale of medical equipment. As FMC sought to improve its data management in alignment with digitization goals, it implemented a system to manage the licensing, certificates, and relevant professional documents for the doctors working at FMC. Doctors are required to log in and upload sensitive artifacts that prove they are current in their licensing to practice. These artifacts may contain personally identifiable information about the doctor, including real name, home address, social security number, and other sensitive data.
Aside from the digitization of data for convenient management within FMC, the main purpose of this system is to allow access by the government for the purpose of validating information and securing federal funds on a recurring annual basis.
Concerns about security were discussed at a recent board meeting, and an external security consulting firm was hired to conduct a security assessment of FMC’s systems. This report identifies several potential compliance issues that would require the system security plan (SSP) to be updated, including security controls that are in place or planned for meeting system requirements.
As FMC’s CISO, you are responsible for identifying and developing a cyber strategy to address the risks identified in the attached “Security Assessment Report for Fielder Medical Center” to ensure that FMC’s security posture is brought into alignment with the Federal Information Security Management Act (FISMA) requirements. As the new FMC system includes only doctor information and does not include patient information, compliance focuses on FISMA requirements instead of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements.
REQUIREMENTS
Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
Tasks may not be submitted as cloud links, such as links to Google Docs, Google Slides, OneDrive, etc., unless specified in the task requirements. All submissions must be file types that are uploaded and submitted as single attachments (e.g., .doc., .docx, .pdf).
A. Summarize the gaps that currently exist in the company’s security framework as described in the attached “Security Assessment Report for Fielder Medical Center” (SAR).
B. For each of the five identified controls within the SAR, do the following:
1. Identify the associated risk rating as low, moderate, or high and explain the risk.
2. Justify FMC’s decision to remediate the risk associated with the identified control instead of accepting the risk based on compliance and industry guidelines and support the justification with industry-respected sources.
C. Discuss how FMC should remediate the risks with each of the five controls identified in Section 3.3 of the SAR. For each risk, include any assets, actions, or changes that will be needed for remediation.
D. Develop a PCI DSS–compliant policy to address the three concerns identified in Section 3.2 of the SAR, including the roles and responsibilities associated for each requirement identified within the SAR to meet PCI DSS compliance.
E. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
F. Demonstrate professional communication in the content and presentation of your submission.
File Restrictions
File name may contain only letters, numbers, spaces, and these symbols: ! – _ . * ‘ ( )
File size limit: 200 MB
File types allowed: doc, docx, rtf, xls, xlsx, ppt, pptx, odt, pdf, txt, qt, mov, mpg, avi, mp3, wav, mp4, wma, flv, asf, mpeg, wmv, m4v, svg, tif, tiff, jpeg, jpg, gif, png, zip, rar, tar, 7z
RUBRIC
A:RISK ANALYSIS
NOT EVIDENT
The submission does not summarize the gaps that currently exist in the company’s security framework.
APPROACHING COMPETENCE
The submission summarizes the gaps that currently exist in the company’s security framework but is not based on the provided SAR.
COMPETENT
The submission summarizes the gaps that currently exist in the company’s security framework based on the provided SAR.
B1:CONTROL RISKS
NOT EVIDENT
The submission does not identify the risk rating or explain the risk for any of the 5 controls provided in the SAR.
APPROACHING COMPETENCE
The submission identifies the risk rating for each of the 5 controls provided in the SAR but does not explain the risks. Or the submission explains the risk for each of the 5 controls provided in the SAR but does not identify the risk ratings. Or the submission identifies the risk rating and explains the risk for 1–4 of the controls provided in the SAR.
COMPETENT
The submission identifies the risk rating and explains the risk for each of the 5 controls provided in the SAR.
B2:RESPONSE JUSTIFICATION
NOT EVIDENT
The submission does not justify why FMC will choose to remediate the risk associated with any of the 5 controls provided in the SAR.
APPROACHING COMPETENCE
The submission justifies why FMC will choose to remediate the risk associated with each of the 5 controls provided in the SAR but does not base the justifications on compliance and industry guidelines or provide support from industry-respected sources. Or the submission provides justifications for only 1–4 of the 5 controls provided in the SAR.
COMPETENT
The submission plausibly justifies why FMC will choose to remediate the risk associated with each of the 5 controls provided in the SAR. The justification is based on compliance and industry guidelines and supports each justification with industry-respected sources.
C:RISK REMEDIATION
NOT EVIDENT
The submission does not discuss how FMC should remediate any of the risks associated with the identified controls.
APPROACHING COMPETENCE
The submission addresses 1–2 of the given points in a discussion of how FMC should remediate each of the risks associated with the 5 identified controls. Or the submission addresses each of the given points in a discussion of how FMC should remediate 1–4 of the risks identified in part B2 as needing remediation.
COMPETENT
The submission addresses each of the given points in a discussion of how FMC should remediate each of the risks associated with the 5 identified controls.
D:PCI DSS POLICY
NOT EVIDENT
The submission does not provide a policy.
APPROACHING COMPETENCE
The submission develops a policy, but it is not PCI DSS compliant. Or fewer than 3 of the concerns in Section 3.2.4 of the SAR are addressed. Or the roles and responsibilities are not included for each component of the adapted PCI DSS policy. Or the information provided contains errors.
COMPETENT
The submission develops a PCI DSS–compliant policy that addresses each of the 3 concerns identified in Section 3.2.4 of the SAR. The roles and responsibilities are included for each component of the adapted PCI DSS policy, and all of the information is correct.
E:SOURCES
NOT EVIDENT
The submission does not include both in-text citations and a reference list for sources that are quoted, paraphrased, or summarized.
APPROACHING COMPETENCE
The submission includes in-text citations for sources that are quoted, paraphrased, or summarized and a reference list; however, the citations or reference list is incomplete or inaccurate.
COMPETENT
The submission includes in-text citations for sources that are properly quoted, paraphrased, or summarized and a reference list that accurately identifies the author, date, title, and source location as available.
F:PROFESSIONAL COMMUNICATION
NOT EVIDENT
Content is unstructured, is disjointed, or contains pervasive errors in mechanics, usage, or grammar. Vocabulary or tone is unprofessional or distracts from the topic.
APPROACHING COMPETENCE
Content is poorly organized, is difficult to follow, or contains errors in mechanics, usage, or grammar that cause confusion. Terminology is misused or ineffective.
COMPETENT
Content reflects attention to detail, is organized, and focuses on the main ideas as prescribed in the task or chosen by the candidate. Terminology is pertinent, is used correctly, and effectively conveys the intended meaning. Mechanics, usage, and grammar promote accurate interpretation and understanding.
Security Assessment Report
for
Fielder Medical Center (FMC)
Version 1.0
Prepared by
Pruhart Security Consulting
FOR OFFICIAL USE ONLY
Document Revision History
The security assessment report (SAR) is a living document that is changed as required to reflect system, operational, or organizational changes. Modifications made to this document are recorded in the version history matrix below.
At a minimum, this document will be reviewed and assessed annually. Reviews made as part of the assessment process shall also be recorded below.
This document history shall be maintained throughout the life of the document and the associated system.
From: Sophia Martin, Head Consultant, Pruhart Security Consulting
To: Board of Directors, Fielder Medical Center (FMC)
On behalf of Pruhart Security Consulting, I would like to thank you for the opportunity to provide a security audit and assessment for FMC. We have finalized our preliminary reporting and are disseminating our findings below for your review.
Our key findings indicate FMC needs specialized support in updating and modernizing its network and internal controls to address the changing landscape of laws, regulations, and standards that apply to federal government compliance. Specifically, FMC needs to address the following:
There is a lack of security controls and policies, including access control policies and procedures, account management, least privilege, and security attributes.
The systems design is outdated, requiring immediate attention to remediate gaps between the previous and outdated systems security plan (SSP) and compliance requirements.
Security and privacy plans need to be updated to reflect the organizational needs and requirements. This includes:
an information security program plan based on compliance and the organization’s needs
an updated system inventory/asset list based on the organization’s systems
a risk assessment completed after updating the current SSP to reflect the new controls within the network and information systems
There is a lack of multifactor authentication (MFA) and a need to identify and authenticate organizational users requiring access to the network and information systems.
We appreciate the time FMC employees spent with us to help us compile this report. If you have any questions, please feel free to consult Pruhart Security Consulting at any time.
Regards,
Sophia Martin, Head Consultant, Pruhart Security Consulting
Table of Contents
1 Overview
1.1 Applicable Standards and Guidance
1.2 Purpose
2 System Overview
2.1 System Name
3 Assessment Methodology
3.1 Overall Security Findings
3.2 Overall Findings Across All Connected Systems
3.3 Security and Privacy Control Families/Control Enhancements
1 Overview
This document represents the security assessment report (SAR) for FMC as requested as part of the security assessment and posture for FMC and related entities. This SAR contains the summary results of the comprehensive security test and evaluation of FMC. This assessment report, and the results documented herein, supports program goals, efforts, and activities necessary to achieve compliance with organizational security requirements.
Title III, Section 3544, of the E-Government Act of 2002, dated December 17, 2002, requires agencies to conduct periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. Appendix III of Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, requires federal agencies to do the following:
Review the security controls in each system when significant modifications are made to the system, but at least every three years. §3(a)(3)
Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information. §8(a)(1)(g); §8(a)(9)(a)
Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time. §8(b)(3)(b)(iv)
Ensure that a management official authorizes in writing the use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and reauthorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application. §(3)(b)(4)
1.1 Applicable Standards and Guidance
The following standards and guidance are applicable to FMC:
Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 800-53, Revision 5]
Risk Management Guide for Information Technology Systems [NIST SP 800-30]
Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199]
1.2 Purpose
The purpose of the SAR is to provide the system owner(s), CISO, and security authorization officials with a summary of the security assessment during the security review for FMC. A security assessment has been performed on FMC to evaluate the system’s implementation of and compliance with the organization’s baseline security controls. As a federally funded healthcare facility, FMC must ensure it meets all Federal Information Security Management Act (FISMA) compliance mandates.
The organization requires information systems to use internal and third-party assessment organizations to perform independent security assessment testing and documentation of the SAR. Security testing for FMC was performed by the head consultant of Pruhart Security Consulting, Dr. Sophia Martin.
2 System Overview
2.1 System Name
3 Assessment Methodology
The security assessment uses a logical and prescriptive process for determining risk exposure for the purpose of facilitating decisions, as is aligned with the risk management framework (RMF) described in NIST 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. The RMF describes six steps that apply to the system development life cycle. Assessing security controls constitutes Step 4, as illustrated in the figure below:
Figure 3.0.1: Risk Management Framework
This methodology, used to conduct the security assessment for FMC’s systems, is summarized in the following steps:
Perform tests from the systems security plan (SSP) and record the results.
Identify vulnerabilities on the platform.
Identify threats and determine which threats are associated with the cited vulnerabilities.
Analyze risks based on vulnerabilities and associated threats.
Recommend corrective actions.
Document the results.
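The risk-analysis step above (step 4) combines the two standards cited in Section 1.1: FIPS 199 sets the impact level as the high-water mark of confidentiality, integrity and availability, and NIST SP 800-30 Rev. 1 (Table I-2) turns a likelihood/impact pair into a risk level. The following is an added worked example of that calculation, not code from Pruhart Security Consulting or the SAR; the sample findings and their likelihood and impact values are constructed placeholders, not FMC's actual ratings.

```python
from dataclasses import dataclass

# Five-level qualitative scale used by NIST SP 800-30 Rev. 1 (Appendix I).
LEVELS = ("very low", "low", "moderate", "high", "very high")

# NIST SP 800-30 Rev. 1, Table I-2: level of risk for a given likelihood that a
# threat event occurs and causes adverse impact (rows) and level of impact
# (columns, in LEVELS order).
RISK_MATRIX = {
    "very high": ("very low", "low", "moderate", "high", "very high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "very low":  ("very low", "very low", "very low", "low", "low"),
}

def _check(level: str) -> str:
    if level not in LEVELS:
        raise ValueError(f"unknown qualitative level: {level!r}")
    return level

def fips199_impact(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 high-water mark: overall impact is the highest rating given to
    any of the three security objectives (each low, moderate or high)."""
    return max((_check(r) for r in (confidentiality, integrity, availability)),
               key=LEVELS.index)

def risk_level(likelihood: str, impact: str) -> str:
    """Look up the SP 800-30 Table I-2 cell for a likelihood/impact pair."""
    return RISK_MATRIX[_check(likelihood)][LEVELS.index(_check(impact))]

def to_three_levels(level: str) -> str:
    """Collapse the five-level scale onto the low/moderate/high scale the task
    asks for: 'very low' reports as low and 'very high' as high."""
    return {"very low": "low", "very high": "high"}.get(_check(level), level)

@dataclass(frozen=True)
class Finding:
    control: str          # gap / control enhancement named in the SAR
    likelihood: str       # SP 800-30 likelihood of occurrence and impact
    confidentiality: str  # FIPS 199 impact per security objective
    integrity: str
    availability: str

def rate_findings(findings: list[Finding]) -> dict[str, str]:
    """Return {control: low|moderate|high} for each finding (step 4 of the SAR
    methodology: analyze risks from vulnerabilities and associated threats)."""
    return {f.control: to_three_levels(risk_level(
        f.likelihood, fips199_impact(f.confidentiality, f.integrity, f.availability)))
        for f in findings}

# Constructed sample input echoing the kinds of gaps listed in the SAR; the
# likelihood and impact values are illustrative placeholders, not FMC's ratings.
SAMPLE_FINDINGS = [
    Finding("no multifactor authentication", "high", "high", "moderate", "low"),
    Finding("unlicensed or inactive antivirus", "moderate", "moderate", "moderate", "moderate"),
    Finding("POS vendor-supplied default passwords", "low", "high", "moderate", "low"),
]
```

Note that a high-impact gap still rates only low in Table I-2 when its likelihood is low, which is why the task asks for the likelihood reasoning to be written out next to each rating.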
3.1 Overall Security Findings
The following findings are based on a risk analysis and gap analysis between the current systems within FMC and the requirements they must meet to comply with the control families within NIST SP 800-53r5 and the high-level requirements of PCI DSS.
The current system does not provide adequate protection as outlined within the Privacy Act. Information stored on FMC systems contains personally identifiable information (PII), including but not limited to name, address, social security number (SSN), and other private information. This information must remain accessible to authorized government agencies so that they can use it and the associated artifacts to verify doctor qualifications.
3.2 Overall Findings Across All Connected Systems
All connected systems at FMC are aging and in need of review, prioritization, compliance, upgrade, and the development of a maintenance plan. The following control families and/or control enhancements need to be addressed to ensure FMC’s governance and compliance:
During the audit process, we determined that the workstations connected to both switches do not have proper antivirus (AV) protection; specifically, some workstations have unlicensed AV solutions, and others do not have an active AV solution.
End-point protection is currently inadequate to protect the network and systems.
Multifactor authentication (MFA) is not present on the network.
FMC has stated its intent to meet PCI DSS compliance. FMC plans to eventually deploy a point-of-sale (POS) system at its physical location for customers to purchase equipment. This POS requires a secure and maintained network, specifically a firewall and the removal of vendor-supplied defaults for passwords and other security parameters. In addition, this system is missing an AV solution.
Authorized government agencies require secure access to an FMC web portal to review documents and other artifacts to help in the verification process for certified doctors.
Doctors use FMC’s services to upload their PII and other artifacts. During our assessment, we determined there currently is no secure process to authenticate doctors on FMC’s network or to protect the PII from unauthorized access.
3.3 Security and Privacy Control Families/Control Enhancements
Pruhart Security Consulting was contracted by FMC to identify the security posture of its current system(s), conduct a risk analysis, and disseminate Pruhart Security Consulting's findings to FMC stakeholders. A brief gap analysis is provided below based on our findings and recommendations for the new system.
Figure 3.3.1: Network Topology Based on Findings