IAS 5320 Capella University
Risk Assessment Plan and Analysis Capstone

Overview
The Unit 9 assignment leads to additional background information concerning the anatomy of an attack. You will develop a document that describes the management and life cycle of risk planning. The resulting Risk Assessment Plan adds to the risk approach already developed for your course project.

Instructions
Create a Risk Assessment Plan for your course project that should include the following:
1. Description of risk management and life cycle, including risk mitigation and risk ratings.
2. Risk Registry Template (Microsoft Excel table or other document type).
3. Process for performing a vulnerability and pen-testing assessment (use the IAS5320 Policy Template for your process).

IAS5320 Plan
Driscoll Children’s Hospital
Healthcare Security and Privacy Plan
Driscoll Children’s Hospital
Confidential Information
DRAFT
Risk Management Plan
[RMP1]
01/29/2020
Version 01
Prepared By:
Lisa Austin
Page 1 of 10
01/17/2020
Healthcare Security and Privacy Plan is confidential and proprietary.
HSPP1
Disclaimer
© 2020 Driscoll Children’s Hospital
Restricted Rights
The information contained in this document is proprietary and confidential to Driscoll Children’s Hospital.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying and recording, for any purpose without the express written permission of
Driscoll Children’s Hospital.
This document is subject to change without notice, and Driscoll Children’s Hospital does not warrant that the
material contained in this document is free of errors. If you find any problems with this document, please report
them to Driscoll Children’s Hospital in writing.
The recipient is responsible for the safekeeping of this document and must not disclose its contents to
unauthorized persons.
Revision
Rev.   Date         Author   Type    Description
1.0    29/01/2020            Major   Started development of document.
Approval
Table of Contents
Disclaimer ……………………………………………………………………………………………….. 2
Revision ………………………………………………………………………………………………….. 2
Authorization ………………………………………………………………………………………………….. 4
Purpose …………………………………………………………………………………………………………. 4
Scope ……………………………………………………………………………………………………………. 4
Section 1 Executive Summary …………………………………………………………………….. 5
Section 2 Introduction ………………………………………………………………………………. 5
Section 3 Risk Management Plan Steps/Strategy ……………………………………………. 5
Subsection 3.1 Classification of Information Systems ………………………………………………… 6
Subsection 3.2 Selection of Security Controls ………………………………………………………….. 6
Subsection 3.3 Implementation of Security Controls …………………………………………………. 6
Subsection 3.4 Assessment of Security Controls ………………………………………………………. 6
Subsection 3.5 Authorization of Information System …………………………………………………. 7
Subsection 3.6 Monitoring of Security Controls ……………………………………………………….. 7
Conclusion ……………………………………………………………………………………………… 8
References …………………………………………………………………………………………….. 10
Initiation Date: 1/29/2020
Effective Date: 1/29/2021
Policy Number: RMP1
Policy Department: IT
Authorization
The authorizing executive, or accrediting authority, is a top management executive who is
responsible for approving the risk management plan, authorizing risk assessment operations on
networks and ISs, and granting authorization to mitigate risks associated with networks and ISs
or denying authorization to monitor the security of networks and ISs.
Purpose
The risk management plan records the processes, tools and techniques that will be used to
manage and control security incidents that could have a negative effect on the organization.
The RMP controls and manages the organization's IT risks. The plan addresses risk
identification, assessment, mitigation and contingency planning, including risk tracking and
reporting.
Scope
The RMP is used by the CISO to design, develop, implement, operate, maintain and dispose of the
security of the organization's ISs. It covers the RMP roles and responsibilities, the risks
associated with IS development and integration, and IS security management and oversight.
Section 1 Executive Summary
Risk management is a continuous process that involves risk management planning, risk
identification and risk analysis, including risk monitoring and control. The processes are
updated throughout the risk management life cycle as new risks emerge and are identified. The
objective of risk management is to minimize the likelihood and impact of security incidents on
the organization. The risk management process begins with identifying and documenting security
events that pose a risk to the organization. Once identified, it is equally crucial that all
identified risks are monitored regularly and reported on in the security status report.
Section 2 Introduction
The RMP describes the basic strategies for handling information system-related security risks,
which may include applying the Risk Management Framework and an IT view of risk management.
The RMP incorporates information security requirements into the IS development life cycle and
establishes information system boundaries. It also entails assigning security controls to the
organization's ISs, which can be common security controls or system-specific controls. The RMP
maintains awareness of the state of IS security through improved monitoring processes and
provides crucial information to top management regarding the acceptance of IT risks to the
organization's operations and IT resources (Jordao & Sousa, 2010).
Section 3 Risk Management Plan Steps/Strategy
The RMP is a six-step process: classification of the organization's information and
information systems, selection of security controls, deployment of security controls,
evaluation of the effectiveness of security controls, authorization of the IS, and ongoing
monitoring of the security controls and of the security posture of the IS.
Subsection 3.1 Classification of Information Systems
This phase of risk management requires the system administrators to understand the
organization. Before information and ISs are classified, the system boundary is defined. All
information related to the system is then identified based on that boundary, including details
about the organization's IT systems, roles and duties, the system's operating environment and
intended use, and its communication with other systems.
Subsection 3.2 Selection of Security Controls
Security controls are the management, operational and technical protections or countermeasures
implemented in an organization's IS to safeguard the confidentiality, integrity and availability
of the IS and its associated information. Assurance evidence about the implemented controls
raises confidence that the security measures work as intended.
Subsection 3.3 Implementation of Security Controls
This part of the RMP requires the organization to deploy security controls (such as access
controls and data center controls) and to define how these security measures are deployed in
the IS and its associated environment. Security policies are tailored for all devices so that
they align with the security requirements.
Subsection 3.4 Assessment of Security Controls
Evaluating the security measures requires the organization to use proper assessment
procedures to determine the extent to which the security measures are deployed correctly,
operate as intended and produce the desired results with respect to meeting the IS security
requirements (Olson & Wu, 2015).
Subsection 3.5 Authorization of Information System
The determination of the risk to organizational IT activities, personnel and resources forms
the basis for the IS security operations that lead to the decision that the risk is acceptable.
Risk reporting is designed to work with the Plan of Action & Milestones (POA&M), which tracks
the status of security controls that have not been successfully implemented.
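The following Python script is an added illustration of the risk register and risk rating the assignment's Risk Registry Template requirement calls for, together with the POA&M status tracking described in this subsection. It is not part of the Driscoll plan or the IAS5320 template: the 1-5 likelihood and impact scales, the rating thresholds, the column names, the owners and the sample entries are all constructed assumptions that an organization would tailor to its own environment.

```python
"""Risk register with likelihood x impact ratings and POA&M status tracking.

Added illustration (not part of the Driscoll plan or the IAS5320 template).
The 1-5 scales, rating thresholds, column names and sample entries are all
constructed assumptions; an organization would tailor them.
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Assumed ordinal scales (constructed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric score = likelihood x impact on the assumed 1-5 scales (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(likelihood: str, impact: str) -> str:
    """Map the score to a qualitative rating; thresholds are assumed, not from the plan."""
    score = risk_score(likelihood, impact)
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the risk register (columns are an assumed template)."""
    risk_id: str
    asset: str
    threat: str
    weakness: str
    likelihood: str
    impact: str
    control: str                 # planned or implemented mitigation
    owner: str
    poam_status: str = "open"    # open | in progress | closed | accepted

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.likelihood, self.impact)


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Unresolved POA&M items first, highest score first: the order in which to work them."""
    unresolved = [r for r in register if r.poam_status not in ("closed", "accepted")]
    return sorted(unresolved, key=lambda r: r.score, reverse=True)


def register_as_csv(register: List[RiskEntry]) -> str:
    """Render the register as CSV, which Excel opens as the Risk Registry Template table."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["risk_id", "asset", "threat", "weakness", "likelihood", "impact",
                     "score", "rating", "control", "owner", "poam_status"])
    for r in register:
        writer.writerow([r.risk_id, r.asset, r.threat, r.weakness, r.likelihood, r.impact,
                         r.score, r.rating, r.control, r.owner, r.poam_status])
    return buf.getvalue()


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample entries for a hospital environment (hypothetical)."""
    return [
        RiskEntry("R-001", "EHR database server", "ransomware", "unpatched OS",
                  "likely", "severe", "patch management and offline backups", "CISO"),
        RiskEntry("R-002", "nursing workstations", "credential theft", "shared logins",
                  "possible", "major", "unique accounts with MFA", "IT Operations"),
        RiskEntry("R-003", "guest Wi-Fi", "eavesdropping", "open network",
                  "possible", "minor", "segmentation from clinical VLANs", "Network", "closed"),
        RiskEntry("R-004", "network printers", "firmware tampering", "default admin password",
                  "unlikely", "moderate", "credential rotation", "IT Operations", "in progress"),
    ]


if __name__ == "__main__":
    for entry in prioritize(build_sample_register()):
        print(f"{entry.risk_id} {entry.rating:8} score={entry.score:2} {entry.asset} [{entry.poam_status}]")
    print(register_as_csv(build_sample_register()))
```

The closed and accepted entries stay in the register (the history is part of the record) but drop out of the prioritized POA&M list; changing a row's likelihood or impact after a control is implemented re-rates it automatically, which is how residual risk can be shown on the same sheet.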
Subsection 3.6 Monitoring of Security Controls
Continuous risk monitoring enables an organization to maintain IS security. ISs must adapt to
evolving threats, weaknesses, technologies and business procedures. Risk management should be
performed in near real time through the use of automated tools. Ongoing monitoring helps detect
configuration drift and other possible security events that arise from changes to security
configurations.
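As an added example of the configuration-drift detection this subsection refers to (not code from the Driscoll plan), the Python script below records a canonical SHA-256 fingerprint of each system's authorized configuration and compares later observations against it, reporting drifted, missing and unauthorized systems. The host names, setting names and values are constructed in memory so the script runs offline; in practice the observed state would be collected from the managed systems by a configuration or compliance scanner.

```python
"""Configuration drift detection against an authorized baseline.

Added example for the continuous-monitoring step; it is not part of the Driscoll
plan. The host names, settings and values are constructed in memory so the
script runs offline; in practice the current state would be collected from the
managed systems by a configuration or compliance scanner.
"""
import hashlib
import json
from typing import Dict, List

Config = Dict[str, str]


def fingerprint(config: Config) -> str:
    """SHA-256 over a canonical (sorted-key, compact JSON) form, so key order never reads as drift."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_baseline(systems: Dict[str, Config]) -> Dict[str, str]:
    """Record the authorized fingerprint of each system when the IS is authorized."""
    return {name: fingerprint(cfg) for name, cfg in systems.items()}


def changed_keys(authorized: Config, current: Config) -> List[str]:
    """Settings whose value differs between the authorized copy and the observed state."""
    return sorted(k for k in set(authorized) | set(current) if authorized.get(k) != current.get(k))


def detect_drift(authorized: Dict[str, Config], current: Dict[str, Config]) -> List[dict]:
    """Compare observed configurations with the authorized copies.

    Returns one finding per system that drifted, disappeared, or appeared without
    authorization; systems whose fingerprint still matches produce no finding.
    """
    baseline = build_baseline(authorized)
    findings = []
    for name, expected in baseline.items():
        observed = current.get(name)
        if observed is None:
            findings.append({"system": name, "status": "missing", "changed": []})
        elif fingerprint(observed) != expected:
            findings.append({"system": name, "status": "drifted",
                             "changed": changed_keys(authorized[name], observed)})
    for name in sorted(current.keys() - baseline.keys()):
        findings.append({"system": name, "status": "unauthorized", "changed": []})
    return findings


# Constructed sample: authorized (golden) configurations recorded at authorization time.
AUTHORIZED = {
    "ehr-db-01": {"ssh_root_login": "no", "tls_min_version": "1.2", "audit_logging": "enabled"},
    "ws-nurse-07": {"screen_lock_minutes": "5", "local_admin": "disabled", "av_realtime": "on"},
}

# Constructed sample: what a later monitoring run observed.
OBSERVED = {
    "ehr-db-01": {"ssh_root_login": "yes", "tls_min_version": "1.2", "audit_logging": "enabled"},
    "ws-nurse-07": {"av_realtime": "on", "local_admin": "disabled", "screen_lock_minutes": "5"},
    "ws-temp-99": {"screen_lock_minutes": "0", "local_admin": "enabled"},
}


if __name__ == "__main__":
    for finding in detect_drift(AUTHORIZED, OBSERVED):
        print(f"{finding['system']}: {finding['status']} {finding['changed']}")
```

Each finding maps directly onto the plan's reporting: a drifted system becomes a POA&M item against the control that changed, a missing system is an asset-inventory discrepancy, and an unauthorized system is one that entered the boundary without going through the authorization step.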
Conclusion
The healthcare organization should not only perform risk assessments but also track and report
risks. Through the risk management process, the CISO must protect the organization's interests
from attackers who use cyberspace to their own benefit. In developing the organization's risk
plans, the identified threats, weaknesses and impacts should be reviewed to identify crucial
security trends and to decide where security controls must be applied to reduce or eliminate
threat capabilities. Security leaders at all levels are held accountable for ensuring security
in the organization.
Enforcement and or Non-Compliance of Policy
Failure to comply with the policy may result in the following:
1. Written warning in the staff member's human resources file.
2. Refresher training on the RMP and how it affects the staff member and their department.
3. Refresher training on the appropriate use of internal policies and RMP policies.
4. Suspension of staff.
Definitions
CISO - Chief Information Security Officer
IS - Information Systems
NIST - National Institute of Standards and Technology
RMP - Risk Management Plan
Approval Signatures
Name………………………. Title……………………………………….
Date…………………………Signature………………………………….
References
Jordao, B., & Sousa, E. (2010). Risk management. New York: Nova Science Publishers.
Lam, J. (2017). Enterprise risk management: From methods to applications. Somerset: John Wiley & Sons, Incorporated.
Olson, D. L., & Wu, D. D. (2015). Enterprise risk management. Berlin, Heidelberg: Springer.
Pompon, R. (2016). IT security risk control management: An audit preparation plan. Berkeley, CA: Apress.
Project Management Institute. (2019). The standard for risk management in portfolios, programs, and projects. Newtown Square, Pennsylvania: Project Management Institute.