This document discusses the identification and management of information assets in MyHealth Company. It explores the importance of information security governance and the use of ISO framework for securing assets. The document also covers vulnerability management and risk management strategies.
Running Head: Information Assets
Information Assets Report
Student name
Table of Contents
Task 1: Identify and Manage Asset
Task 2: Vulnerability management and risk management
References
Task 1: Identify and Manage Asset

Q. 1(a), Q.1 (b), Q.1 (c)

MyHealth Company is a healthcare sector company that provides different services and products to its patients, such as clinical services, healthcare products, and many others. It has a cancer-related research department for researching new developments in the field of oncology. It has many information assets to manage the different services and operations of the MyHealth Company, such as computer systems, servers, routers, switches, wireless access points, and many others. The MyHealth Company requires identification and management of its assets using different security policies, which are based on the Australian cyber security standards (ACSC, Australian Cyber Security Centre 2017). Many policies and mitigation strategies are used to mitigate the risks to organizations. MyHealth Company wants to know about its resources and secure them from different cyber-attacks. It requires security policies to mitigate risk to the organization. ACSC provides different mitigation strategies to mitigate risks (ACSC, Strategies to Mitigate Cyber Security Incidents 2019). Information systems require high security against cyber-attacks. In addition, information assets have a huge value. Therefore, strong security policies are highly required to make them secure (Andrijcic and Horowitz 2016).

Asset inventory (Number, Asset ID, Asset, Asset Location, Ownership, Asset Description):

1. S.01 - Database server
   Location: On Windows Server 2008 in the server room
   Ownership: Server administrator (IT staff)
   Description: A database server is a basic need of an organization to manage the large amount of data from the different operations in the organization. It manages all the data in a systematic way, which is used for decision-making in future. The database server is used to manage all the patients' data and information as well as the research data of MyHealth Company. Cyber security is required to secure data and information (Barkly 2018).

2. S.02 - Web application server
   Location: On Windows Server 2008 in the server room
   Ownership: Server administrator (IT staff)
   Description: The web server is used to manage all the requests of patients and customers, which come from their internal network. It is included in the MyHealth Company to manage the different applications of its business operations. In the present era, data breaches are increasing sharply. Therefore, the company should implement cyber security (Bradford 2018).

3. S.03 - Electronic mailing server
   Location: On Windows Server 2008 in the server room
   Ownership: Server administrator (IT staff)
   Description: MyHealth Company uses an email server for internal communication. It is helpful for internal non-verbal communication between different staff members.

4. NW.01 - Layer 2 switch
   Location: Server room
   Ownership: MyHealth Company
   Description: MyHealth Company has access layer switches to connect different computer systems with the server. They are included in the MyHealth Company to connect the server with the personal computer systems and the internet. The network should have security (Dutton 2017).

5. HW.01 - Personal computer systems
   Location: In different departments of MyHealth on the same floor, such as the research lab, payment section, reception, and many others
   Ownership: MyHealth Company
   Description: Computer systems are used to manage different data and information about the patients and the research data. They are included in the organization to save time in finding the information of patients. They are also used in payments and communication. They are included in the organization to complete all the work in less time (export.gov 2019).

6. SW.01 - Windows Firewalls
   Location: In the operating systems of the computer systems
   Ownership: MyHealth Company
   Description: Windows firewalls are used to secure the system from incoming packets from the network and other devices. They are included to provide security to the data of MyHealth Company and the patients' data.

7. NW.02 - ADSL router
   Location: Server room
   Ownership: MyHealth Company
   Description: The Asymmetric Digital Subscriber Line router is used to connect the internal network to the Internet for different purposes, such as payment and research. It is included in the system for routing of packets. It uses routing algorithms to send packets in a network (www.stanfieldit.com 2019).

8. NW.03 - Wireless access points
   Location: Reception area
   Ownership: MyHealth Company
   Description: A wireless network is required in the open areas. Therefore, wireless access points are used to share the network for different purposes on different devices (Fruhlinger 2018).

9. SM.01 - IT staff
   Location: Server room
   Ownership: MyHealth Company
   Description: IT staff members are responsible for managing all the systems in a proper way. If there is an issue in the systems, they will provide a proper solution to that issue. They are hired for the management of computer systems, the internal network, and server applications. They are included in the organization for managing the database, email and web servers as well as the different hardware of the systems.

10. CS.01 - Wireless security system
   Location: Setting in the wireless access point situated in the reception area
   Ownership: MyHealth Company
   Description: A wireless security system is used to avoid unnecessary changes in the data and network settings. Open access is harmful for the system, as it is accessible to the public. The wireless access point is accessed only by authorized persons.

11. S.03 - Dynamic Host Configuration Protocol and Domain Name System
   Location: On Windows Server 2008 in the server room
   Ownership: MyHealth Company
   Description: DHCP is used to provide IP addresses to different computer systems in a dynamic way. It provides different IP addresses as per the availability of addresses at that time. DNS is used for domain management in the organization.

12. SW.02 - Operating systems
   Location: In the personal computer systems
   Ownership: MyHealth Company
   Description: The Windows 7 operating system is used to manage the different work of all operations, such as sales, patients' records, payments, and many other tasks.
d.

Asset classification (Number, Asset, Class):
1. Database server - Restricted
2. Web application server - Restricted
3. Electronic mailing server - Restricted
4. Layer 2 switch - Internal
5. Personal computer systems - Internal
6. Windows Firewalls - Internal
7. ADSL router - Restricted
8. Wireless access points - Internal
9. IT staff - Public
10. Wireless security system - Internal
11. Dynamic Host Configuration Protocol and Domain Name System - Restricted
12. Operating systems - Internal

2- Information security governance can manage the different assets of MyHealth Company. It will provide many benefits to the company in securing its resources and in asset management. Information Security Governance (ISG) identifies the different critical risks of the MyHealth Company and ranks them based on their risk level (Von Solms and Van Niekerk 2013). It has a few objectives to secure the assets of the company, which are as follows:
1. Objectives are achieved
2. Risks are mitigated
3. MyHealth Company's resources are used responsibly, and
4. Monitor the security program of MyHealth Company
It will provide many benefits, such as strategic alignment, risk management, resource management, performance management, and value delivery. Information Security Governance (ISG) is the best way to manage all the resources and information assets of MyHealth Company. It will provide high security to all the assets of the company. It is a way to manage all the assets of the company, such as personal computer systems, servers, routers, switches, wireless access points, and many others (Gordon and Loeb 2006). ISG has some objectives, which are as follows:
1. Goals are achieved
2. All the risks are mitigated through controls
3. Tangible resources are used in a responsible way
4. Monitor all the activities of the MyHealth Company network
It will provide many benefits, such as value delivery, risk management, performance management, resource management, and strategic alignment.

3-
Acceptable Use Policy (AUP):
- Handling of usernames and passwords is the responsibility of the respective person, such as the network admin, IT staff and other staff, for their own credentials
- All staff members are responsible for the assets allocated to them by the company
Access Control Policy (ACP):
- Only authorized persons have entry to restricted areas, such as the server room
- Physical security is applied to all information assets
- Wireless devices should be under surveillance
Database security:
- The database server should have proper cyber security through firewalls
- The database server is accessed only by username and password
- Proper authentication is used for accessing the database server
Firewall configuration policy:
- Firewall configuration should be proper to protect the system from cyber-attacks
- All the risk controls are managed by the network administrator
- The firewall should have IDS and IPS systems for security
Antivirus update policy:
- Antivirus is always kept updated on all the working systems of the company
- The respective person is responsible for the update process
- The respective person should keep a record of the different changes in the systems, both hardware and software
- Antivirus should have a proper license
Information Security Policy (ISP):
- Credentials are the responsibility of the respective person
- Roles and responsibilities are distributed to all staff members by the IT staff members, as documents or by email, at the time of staff training.
- Data and information of patients and the company is an important asset. Therefore, everyone should be responsible for that data and should not share it with anyone (Arlitsch and Edelman 2014).
Incident Response Policy (IRP):
- All staff members should report any incident related to the computer systems, data, and information of the company.
- CISOs are responsible for taking a proper response based on the mitigation controls
Disaster Recovery Policy (DSP):
- A disaster recovery plan should be implemented for business continuity
- Activate the business continuity program after any disaster
Business Continuity Policy:
- The business continuity process starts after a disaster, once the disaster recovery plan is activated
- CISOs start security checks after a disaster
- All network connectivity should be checked by the respective person
Password Policy:
- Do not use personal information in passwords, such as date of birth, name, address, or anything else.
- Passwords should have at least eight characters
- Passwords should have a combination of different character types, such as uppercase, numbers, lowercase, and special characters (NCSC 2019).
- Every month the password should be changed by the respective person with the help of a password tool or software
- Passwords should have a meaning so they can be remembered.
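The password rules above, as an added Python example that is not part of the original report: a small checker that enforces the eight-character minimum and the character-mix rule, and rejects a password that contains pieces of the user's personal information (name, date of birth, address). The profile fields, the date formats that are searched for, and the sample profile and passwords are assumptions of this example; the monthly-rotation rule concerns the process rather than the password string and is not checked here.

```python
"""Password policy checker for the length, character-mix and personal-information rules."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Set

SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass
class UserProfile:
    """Personal information that must not appear in the user's password (assumed fields)."""
    first_name: str
    last_name: str
    date_of_birth: date
    address: str


def personal_tokens(profile: UserProfile) -> Set[str]:
    """Lower-cased fragments of personal information to search for inside a password.
    Which date formats and address fragments are checked is an assumption of this example."""
    dob = profile.date_of_birth
    tokens = {
        profile.first_name.lower(),
        profile.last_name.lower(),
        dob.strftime("%Y"),       # e.g. 1990
        dob.strftime("%d%m%Y"),   # e.g. 12041990
        dob.strftime("%d%m%y"),   # e.g. 120490
        dob.strftime("%Y%m%d"),   # e.g. 19900412
        dob.strftime("%d%m"),     # e.g. 1204
        dob.strftime("%m%d"),     # e.g. 0412
    }
    # Words and numbers of three or more characters taken from the address (e.g. "wattle", "street")
    tokens |= {w.lower() for w in re.findall(r"[A-Za-z0-9]{3,}", profile.address)}
    return tokens


def check_password(password: str, profile: UserProfile) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        violations.append("no special character")
    lowered = password.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            violations.append(f"contains personal information: {token!r}")
    return violations


# Constructed sample profile (not a real person).
SAMPLE_PROFILE = UserProfile("Alice", "Nguyen", date(1990, 4, 12), "42 Wattle Street")

if __name__ == "__main__":
    for candidate in ("alice1990!", "Short1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "OK")
```

The checker reports every violation rather than stopping at the first one, so a user (or a help-desk script) sees all the reasons a candidate password was refused in one pass.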
Task 2: Vulnerability management and risk management

1- An ISO framework is used to secure the different assets of an organization. In the case of MyHealth Company, they have many information assets (iso27001security.com 2019). Therefore, they should use a proper framework to secure them. Information assets require security from different cyber-attacks (Hayslip 2018). ISO 27001 is perfect for the MyHealth Company and is suitable to secure information assets from cyber-attacks (Kosutic 2016). These are the steps to secure the enterprise:
1. Identify the goals of your business
2. Obtain management support to secure assets
3. Define the scope of risk
4. Write a brief ISMS policy as a document
5. Define the risk assessment methodology and strategy
6. Create an inventory of information assets to protect them
7. Rank all the assets based on risk assessment
8. Create a risk treatment plan and manage those risks
9. Set up policies and procedures to control risks
10. Allocate required resources to all staff and provide training to secure resources
11. Prepare for an internal audit of the company's tangible and non-tangible resources
12. Periodic management review (Cobb 2010).
These steps are strictly followed by the company to secure its assets. ISO 27001 is a framework which provides full protection to information assets (Verma 2019). MyHealth Company requires a framework to protect its assets from cyber-attacks. Therefore, it should choose the ISO/IEC 27001 framework for enterprise risk management (Licato 2014).

2- Vulnerability analysis (Asset, Vulnerability, Threat, Analysis):

Database server
  Vulnerability: Lack of access control on the server
  Threat: Unauthorized access using network and physical access
  Analysis: Patients' and company information should be stored in a database server with proper security

Email server
  Vulnerability: Lack of access control on the server
  Threat: Physical access of all the staff members to the server room
  Analysis: SMTP and POP3 should be implemented in the server.

Web server
  Vulnerability: Lack of access control on the server
  Threat: Unauthorized access to the server
  Analysis: Data should be stored on a server and access controls should be applied. User permissions should be managed.

Firewalls
  Vulnerability: Lack of proper configuration
  Threat: Access to the firewall
  Analysis: The network administrator should configure the firewall at the network level and the system level

Layer 2 switches
  Vulnerability: Lack of proper configuration
  Threat: All staff members have access to the server room
  Analysis: The network admin should configure the access layer switches

Personal computer systems
  Vulnerability: All staff members have access to the systems
  Threat: No proper credential distribution with responsibility
  Analysis: All staff members should use server services to store data and take responsibility for the username and password of their system.

Wireless security
  Vulnerability: Lack of physical security
  Threat: Less security
  Analysis: The network administrator should use WEP2 for security

Routers
  Vulnerability: Lack of configuration
  Threat: No configuration
  Analysis: The network admin should configure the routers to protect the whole system from cyber-attacks

Wireless access points
  Vulnerability: Lack of physical access control
  Threat: Unauthorized access and physical access
  Analysis: The network admin should provide physical security to the wireless access points and implement a high-level access password

Operating system
  Vulnerability: Lack of credentials
  Threat: Unauthorized access to the PCs
  Analysis: IT staff should be responsible for the updates and configuration of the operating system and other applications

DHCP and DNS server
  Vulnerability: Lack of configuration
  Threat: Unauthorized access to the server room
  Analysis: The network administrator should configure the DHCP and DNS server.

3-
Asset: An information asset is a body of knowledge which has financial value for the company, state, and country.
Threat: A threat is anything which has the potential to damage the information assets of the company.
Vulnerability: A vulnerability is a loophole that can be useful for an attacker to access or damage the system.
Risk: Risk is a cause that has the potential to damage an information asset through a vulnerability.

4- The template is enclosed in a separate file.

5- Risk register (Threat, Vulnerability, Likelihood, Impact, Risk rating, Description):

Unauthorized access to the server room
  Vulnerability: The server room does not have any restriction
  Likelihood: 3
  Impact: Extreme
  Risk rating: High
  Description: Authorized persons can have entry to the server room, such as IT staff members

Disaster recovery plan
  Vulnerability: Data and information are required for different operations. MyHealth Company does not have proper security policies
  Likelihood: 3
  Impact: Low
  Risk rating: Medium
  Description: Data is stored in personal computer systems which do not have updated antivirus. Therefore, it is very risky for the company

Database storage
  Vulnerability: The database system does not have proper storage
  Likelihood: 4
  Impact: Extreme
  Risk rating: Medium
  Description: To secure the database, the company should implement a data centre for more security of patients' data and information as well as research data

Wireless security
  Vulnerability: Lack of access control on the wireless devices
  Likelihood: 3
  Impact: High
  Risk rating: Medium
  Description: A wireless network is a simple way for an attacker to enter the network

Configuration of routers and switches
  Vulnerability: Lack of configuration
  Likelihood: 4
  Impact: Medium
  Risk rating: High
  Description: Without configuration, routers and switches are not secure for data and information
Quantitative Risk Analysis Calculations

The key variables and equations used for conducting a quantitative risk analysis are shown below (Christoffersen 2011). An example calculation for unpublished research information is shown in each step.

Exposure Factor (EF) = percentage of asset loss caused by the identified threat; ranges from 0 to 100%.

Here is a method for estimating the exposure factor for use in conducting risk analysis (feel free to modify any of the numbers below to suit your own needs and preferences). Start with 100% for the starting exposure factor and answer each of the following questions.

Starting exposure factor: 100%

1. Does the system under attack have any redundancies/backups/copies? Subtract 30% if the answer is YES.
   → There is no backup, so no subtraction.
2. Is the system under attack behind a firewall? Subtract 10% if the answer is YES.
   → Yes: 100 - 10 = 90%
3. Is the attack from outside? Subtract 20% if the answer is YES.
   → Yes: 90 - 20 = 70%
4. What is the potential rate of attack? (10% damage/hour vs. 10% damage/min.) Subtract 20% if the answer is less than 20% damage/hr; subtract 40% if the answer is less than 2% damage/hr.
   → The rate is assumed to be 20%/hour → no subtraction
5. What is the likelihood that the attack will go undetected in time for a full recovery? Subtract 10% if the probability of being undetected is less than 20%; subtract 30% if the probability of being undetected is less than 10%.
   → Assumed to be 15% → 70 - 10 = 60%
6. How soon can a countermeasure be implemented in time, if at all? Subtract 30% if the countermeasure can be implemented within ½ hour; subtract 20% if it can be implemented within 1 hour; subtract 10% if it can be implemented within 2 hours.
   → Assumed to be within 2 hours → 60 - 10 = 50% → EF = 50%

Single Loss Expectancy (SLE) = Asset Value x Exposure Factor
SLE = 1,000,000 x 50% = $500,000

Annualized Rate of Occurrence (ARO) = the estimated frequency with which a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 10 times in a year has an ARO of 10.
The assumption is that the threat occurs once in two years → ARO is ½ = 0.5

Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence
ALE = SLE x ARO = 500,000 x 0.5 = $250,000
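The exposure-factor questionnaire and the SLE/ARO/ALE formulas above, as an added Python example that is not part of the original report: it encodes the six questions with the report's deduction thresholds, reproduces the worked numbers for the research-information asset, and can be reused for any other asset by changing the answers and the asset value. Clamping the exposure factor at 0% when the deductions exceed 100% is an assumption of this example; the report's method does not say what happens in that case.

```python
"""Quantitative risk analysis: exposure-factor questionnaire, SLE, ARO and ALE."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ExposureAnswers:
    """Answers to the six exposure-factor questions used in the report."""
    has_backups: bool                      # Q1: redundancies/backups/copies exist
    behind_firewall: bool                  # Q2: the system sits behind a firewall
    attack_from_outside: bool              # Q3: the attack originates outside the network
    damage_rate_pct_per_hour: float        # Q4: potential damage rate, in % of the asset per hour
    undetected_probability_pct: float      # Q5: probability (%) that the attack goes undetected
    countermeasure_hours: Optional[float]  # Q6: hours until a countermeasure is in place; None = never


def exposure_factor_steps(a: ExposureAnswers) -> List[Tuple[str, int]]:
    """Return (question, percentage deduction) pairs using the report's thresholds."""
    steps = [
        ("Q1 backups", 30 if a.has_backups else 0),
        ("Q2 firewall", 10 if a.behind_firewall else 0),
        ("Q3 attack from outside", 20 if a.attack_from_outside else 0),
        # Q4: a very slow attack gets the larger deduction (40% below 2%/hr, 20% below 20%/hr)
        ("Q4 rate of attack",
         40 if a.damage_rate_pct_per_hour < 2 else 20 if a.damage_rate_pct_per_hour < 20 else 0),
        # Q5: the less likely the attack is to stay undetected, the larger the deduction
        ("Q5 undetected probability",
         30 if a.undetected_probability_pct < 10 else 10 if a.undetected_probability_pct < 20 else 0),
    ]
    # Q6: faster countermeasure => larger deduction; None means no countermeasure at all
    hours = a.countermeasure_hours
    if hours is None or hours > 2:
        steps.append(("Q6 countermeasure", 0))
    elif hours <= 0.5:
        steps.append(("Q6 countermeasure", 30))
    elif hours <= 1:
        steps.append(("Q6 countermeasure", 20))
    else:
        steps.append(("Q6 countermeasure", 10))
    return steps


def exposure_factor_pct(a: ExposureAnswers) -> int:
    """Start at 100% and apply every deduction. Clamping at 0% is an assumption of this
    example; the report's method does not cover deductions exceeding 100%."""
    ef = 100 - sum(deduction for _, deduction in exposure_factor_steps(a))
    return max(ef, 0)


def single_loss_expectancy(asset_value: float, ef_pct: int) -> float:
    """SLE = Asset Value x Exposure Factor."""
    return asset_value * ef_pct / 100


def annualized_rate_of_occurrence(occurrences: float, years: float) -> float:
    """ARO = expected occurrences per year (once in 10 years -> 0.1, 10 times a year -> 10)."""
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


# The report's worked example for unpublished research information (values taken from the report).
RESEARCH_DATA_ANSWERS = ExposureAnswers(
    has_backups=False, behind_firewall=True, attack_from_outside=True,
    damage_rate_pct_per_hour=20, undetected_probability_pct=15, countermeasure_hours=2,
)
RESEARCH_DATA_VALUE = 1_000_000  # asset value in dollars, as used in the report


def research_data_example() -> dict:
    """Reproduce the report's figures: EF 50%, SLE $500,000, ARO 0.5, ALE $250,000."""
    ef = exposure_factor_pct(RESEARCH_DATA_ANSWERS)
    sle = single_loss_expectancy(RESEARCH_DATA_VALUE, ef)
    aro = annualized_rate_of_occurrence(occurrences=1, years=2)  # once in two years
    return {"ef_pct": ef, "sle": sle, "aro": aro, "ale": annualized_loss_expectancy(sle, aro)}


if __name__ == "__main__":
    for question, deduction in exposure_factor_steps(RESEARCH_DATA_ANSWERS):
        print(f"{question:28s} -{deduction}%")
    print(research_data_example())
```

Because the deductions are returned step by step, the same function doubles as the audit trail for a risk register entry: each deduction can be recorded next to the answer that caused it, which is what a reviewer will ask for when the ALE is used to justify spending on a control.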
References

ACSC. Australian Cyber Security Centre. 2017. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2017.pdf (accessed December 12, 2018).
ACSC. Strategies to Mitigate Cyber Security Incidents. 2019. https://acsc.gov.au/infosec/mitigationstrategies.htm.
Andrijcic, Eva, and Barry Horowitz. "A Macro-Economic Framework for Evaluation of Cyber Security Risks Related to Protection of Intellectual Property." Risk Analysis 26, no. 4 (2016): 907-923.
Arlitsch, Kenning, and Adam Edelman. "Staying safe: Cyber security for people and organizations." Journal of Library Administration 54, no. 1 (2014): 46-56.
Barkly. 5 Cybersecurity Statistics Every Small Business Should Know in 2018. May 6, 2018. https://blog.barkly.com/small-business-cybersecurity-statistics-2018.
Bradford, Laurence. What You Need To Know About Cybersecurity In 2018. 2018. https://www.forbes.com/sites/laurencebradford/2018/03/30/why-people-should-learn-about-cybersecurity-in-2018/#7c88f6fe5d00 (accessed December 11, 2018).
Christoffersen, Peter. Elements of Financial Risk Management. Academic Press, 2011.
Cobb, Michael. ISO 27001 SoA: Creating an information security policy document. 2010. https://www.computerweekly.com/tip/ISO-27001-SoA-Creating-an-information-security-policy-document (accessed March 12, 2019).
Dutton, Julia. three-pillars-of-cyber-security. September 26, 2017. https://www.itgovernance.co.uk/blog/three-pillars-of-cyber-security.
export.gov. United Kingdom - Cyber-Security. 2019. https://www.export.gov/article?id=United-Kingdom-Cyber-Security (accessed March 14, 2019).
Fruhlinger, Josh. Top cybersecurity facts, figures and statistics for 2018. 2018. https://www.csoonline.com/article/3153707/security/top-cybersecurity-facts-figures-and-statistics.html (accessed December 11, 2018).
Gordon, Lawrence A., and Martin P. Loeb. Managing Cybersecurity Resources: A Cost-Benefit Analysis (Vol. 1). New York: McGraw-Hill, 2006.
Hayslip, Gary. 9 policies and procedures you need to know about if you're starting a new security program. March 16, 2018. https://www.csoonline.com/article/3263738/9-policies-and-procedures-you-need-to-know-about-if-youre-starting-a-new-security-program.html (accessed April 8, 2019).
iso27001security.com. Information risk management. 2019. http://www.iso27001security.com/html/risk_mgmt.html (accessed March 9, 2019).
Kosutic, Dejan. What should you write in your Information Security Policy according to ISO 27001? 2016. https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/ (accessed March 12, 2019).
Licato, Rich. Six steps to build an effective enterprise risk management program. June 2014. https://searchcompliance.techtarget.com/tip/Six-steps-to-build-an-effective-enterprise-risk-management-program (accessed April 8, 2019).
NCSC. The National Cyber Security Centre. 2019. https://www.ncsc.gov.uk/ (accessed March 14, 2019).
Verma, Sunita. ISO 27001 Implementation - Step By Step Guide. January 26, 2019. https://www.sync-resource.com/blog/iso-27001-implementation-guide/ (accessed April 8, 2019).
Von Solms, Rossouw, and Johan Van Niekerk. "From information security to cyber security." Computers & Security 38 (2013): 97-102.