Running head: RISK ASSESSMENT FOR MYHEALTH

Risk Assessment for MyHealth

Name of the Student
Name of the University
Author Note
Summary

The objective of the report is to conduct a security risk assessment for the company MyHealth. The study discusses each of the assets, explaining their role in the network, and then lists them in a tabular format. Thereafter, Information Security Governance for the company is discussed, covering why and how it can be beneficial for MyHealth. Next, the cybersecurity policies are explained and suggestions are provided for MyHealth. The report then proceeds to Enterprise Risk Management and explains its steps, after which the vulnerability assessment table is given. After explaining assets, threats, vulnerabilities and risks, the risk assessment table is created. The report ends with concluding notes that provide observations from the assessment.
Table of Contents

Introduction
Discussion
    Task 1 Asset Identification
        The different information assets of MyHealth are:
        Information Security Governance and MyHealth
        Cybersecurity policies for MyHealth
    Task 2 Vulnerability Management and risk management
        Enterprise Risk Management
        Vulnerabilities in assets of MyHealth
        Asset
        Threat
        Vulnerability
        Risk
Conclusion
Bibliography
Introduction

The report concerns carrying out the security risk assessment for the company MyHealth, which is involved in clinical practice in the field of cancer-related research. It is clear that the company deals with sensitive data, and hence they are looking to secure their practices by carrying out a security risk assessment of their company. As part of the risk assessment, the report identifies and briefly describes the assets of the network and classifies them in a table (Kott and Arnold 2015). After that, the report discusses how and why information security governance can be beneficial for the company, following which cybersecurity policies are explained and suggestions are given for MyHealth. Then the report enters the vulnerability and risk management section by explaining enterprise risk management and its steps. Next, the vulnerabilities for each of the assets are identified and presented in the vulnerability assessment table, and thereafter assets, threats, vulnerabilities and risk are explained. After that, the risk assessment table is created and concluding notes are given.

Discussion

Task 1 Asset Identification

The different information assets of MyHealth are:

Email Server: Email servers, also called mail servers, are applications or computers placed in a network, the purpose of which is acting as virtual post offices. The servers store incoming mail, distribute it to the local users and are responsible for sending outgoing messages. They use client-server applications for sending and receiving messages via the Simple Mail Transfer Protocol (SMTP). Email servers can also be called mail and message transfer agents.

Web server: Web servers are programs that make use of the Hypertext Transfer Protocol (HTTP) so they can serve the files that form the web page, in response to user requests. These web pages get forwarded through the HTTP clients of the computers. Computers and applications dedicated to such tasks are also called web servers.

Database Server: Database server refers to hardware as well as software solutions used for running databases as per requirements. On the software side, database servers act as the back ends of databases following the client-server model. These back-end portions are at times called instances. Database servers can also be physical computers used for hosting databases. These are generally high-end computers that are dedicated to database purposes only.

DHCP and DNS server: Although both DNS and DHCP work using the client-server architecture, they are completely different. DNS is used for mapping domain names to IP addresses while the DHCP protocol assigns IPs to hosts present in the network through static or dynamic methods. DHCP is even used to configure hosts with the DNS server.

ADSL router: Configuring WiFi ADSL routers can be done in a matter of minutes so that the Internet connection can be shared. Sharing of hard drives, files and printers can be performed from any place within the WiFi range or through wired Ethernet connections via any of the Ethernet ports found at the back of WiFi ADSL routers. Because they have a built-in ADSL modem, the ADSL routers can plug directly into the telephone line through micro-filters.

Workstations: Workstations are computers dedicated to users or a user group of businesses for performing professional tasks. These systems include displays with high resolutions and much faster processors than regular personal computers (PCs). Workstations also have higher multitasking capabilities owing to the additional amount of random-access memory (RAM), hard drives and hard drive capacities. Workstations can also possess graphics adapters relatively faster than those of regular PCs and have more peripheral connections.
Operating system: Operating systems are among the most important components of computers. Almost all computers, including cellular telephones, need operating systems for operating as intended. Operating systems allow users to work with the computer without the need of understanding how computers work.

Firewall: Firewalls are security systems that use a predetermined set of rules for analysing and controlling traffic going in and out of the network. In other words, firewalls serve as gatekeepers which keep malicious programs and viruses away from the network to prevent breaches of data.

Telnet connection: The Telnet protocol is used for providing communication through the Internet or a LAN by using virtual terminal connections. It is installed by default on Linux and old Mac operating systems but has to be separately installed on Windows-based operating systems and macOS High Sierra 10.13 or later.

Wireless Access Points: In wireless local area networks (WLAN), every access point is a station that transmits and receives data (a transceiver). Wireless access points connect one user with another in the network, also serving as interconnects between the WLAN and the wired network. Wireless access points are used for serving multiple users in specified network areas. When people exit the range of an access point, they automatically get connected to the next. Small WLANs might require only a single wireless access point, but the number increases proportionally with the number of network users and the network size.

| Number | Asset ID | Asset | Asset Location | Ownership | Asset Description |
|---|---|---|---|---|---|
| 1 | R.01 | Email server | Servers installed in MyHealth | The company | Email servers, also called mail servers, are applications or computers placed in a network, the purpose of which is acting as virtual post offices. |
| 2 | R.02 | Web server | Servers installed in MyHealth | The company | Web servers are programs that use the HTTP protocol to serve the files forming the web page, in response to user requests. |
| 3 | R.03 | Database server | Servers installed in MyHealth | The company | Database server refers to hardware as well as software solutions used for running databases as per requirements. |
| 4 | R.04 | DHCP and DNS server | Servers installed in MyHealth | The company | DNS is used for mapping domain names to IP addresses while the DHCP protocol assigns IPs to hosts present in the network through static or dynamic methods. |
| 5 | R.05 | ADSL Router | Network components of MyHealth | The company | Having a built-in ADSL modem lets ADSL routers plug directly into the telephone line through micro-filters. |
| 6 | R.06 | Workstations | Workstations in MyHealth | The company | Workstations are computers dedicated to users or a user group of businesses for performing professional tasks. |
| 7 | R.07 | Operating system | Computers and workstations | The company | Operating systems allow users to work with the computer without the need of understanding how computers work. |
| 8 | R.08 | Firewalls | Servers and clients in MyHealth | The company | Firewalls are security systems that use a predetermined set of rules for analysing and controlling traffic going in and out of the network. |
| 9 | R.09 | Wireless Access point | Network components in MyHealth | The company | Access points connect users with other users in the network and can also serve as interconnects between the WLAN and the wired network. |
| 10 | R.10 | Telnet connection | Client computers | The company | The Telnet protocol is used for providing communication through the Internet or a LAN by using virtual terminal connections. |

Information Security Governance and MyHealth

A multitude of compliance and legislative requirements on IT security mandate oversight of how information security issues are addressed by institutions. They need to adhere to the governance framework to meet these regulations. Information Security Governance is concerned with identifying and ranking the risks that are most critical to the business and with providing means for monitoring information-related access controls and data integrity violations.
This formal approach makes Information Security Governance essential for MyHealth, where all the IT staff help manage information security in a generic way without defined roles. The above-mentioned approach alleviates this problem.

Cybersecurity policies for MyHealth

Cyber security policies outline the assets that need to be protected, the threats to these assets, and the controls and rules for protecting the members and the business. The policy must tell the users and employees of their respective responsibilities for protecting the technologies and information assets of the business. Among these issues are:
- Type of business information to be shared
- Agreed upon usage policy of materials and devices
- Handling and storing sensitive material

Policies to secure operations of MyHealth can be:

1. Authentication: Having segmented access levels for the different business processes of MyHealth, secured with passwords which should only be known to the domain personnel and the IT staff and should be updated periodically.
2. Emailing standards: These should include opening of email attachments from trusted businesses and contacts, blocking of spam and junk emails, and deleting suspicious mail.
3. Locking of computers: The users must not forget to shut down the computers and mobile devices after the day's work and to lock the computer screen when it is not being used.
Task 2 Vulnerability Management and risk management

Enterprise Risk Management

Enterprise risk management (ERM) refers to plan-based strategies which aim to identify, prepare for and assess the hazards, dangers or other potentials for disaster, both physical and figurative, that might interfere with organizational objectives and operations. This discipline not only calls on corporations to identify the risks they face and which to address readily, but also makes the action plan available to all the stakeholders.

Step 1 – Establish an Enterprise Risk Structure

Corporate risk registers should look different from the operational risk register, with greater focus on risks to reputation and business strategy, among others. This risk structure must match the organisation's structure, both vertical and horizontal.

Step 2 – Assign responsibility

Assigning ownership and responsibility has to be straightforward. The selected portions of the structure should have the concerned objectives worked out and be grouped with the associated managers (functional, business or executive) who should achieve the objectives and manage the associated risks.

Step 3 – Creating enterprise risk maps

An enterprise risk map can be created by:
- List of global categories for communicating information to the right places
- Setting relations between the risks (parent, sibling, child)
- Scoring mechanisms having common and consistent types of impact
Step 4 – Decision making and enterprise risk reporting

Among the critical aspects of managing risks is executing the necessary actions for managing them. Reporting across the enterprise allows senior managers to review risk exposures across the organisation. This can largely be achieved by metrics reports like risk histograms.

Step 5 – Moving from local to enterprise culture

Business and functional based risk management must be initiated by means of risk steering groups comprising managers and functional leads. The benefits lie in uniting to gain understanding of inter-discipline risks and in helping to eliminate stove-piping of processes. This may enable inter-discipline discussions focussing on how to align personal and business objectives, which generally leads towards dramatic progress on managing risks. Also, the senior management must be engaged in ensuring changes to the organisational culture.

Vulnerabilities in assets of MyHealth

| Asset (10 assets should be provided) | Vulnerability | Threat | Analysis |
|---|---|---|---|
| Email Server | SMTP Server Listening on Non-Default Port | Backdoor attack | Counts as a 'Medium' risk vulnerability and is often found in networks throughout the world. The issue was present for decades but was difficult to detect. |
| Web server | Cross-Site Scripting (XSS) | System infection from malicious codes | The web server vulnerability which allows hackers to inject client-side scripts into web pages. When normal users visit websites which display susceptible contents like dynamic web pages, attacks can also use harmful codes to infect the user. |
| Database Server | This vulnerability is present in the Java Virtual Machine (JVM) component in Oracle Database Servers. Versions affected by this vulnerability are 11.2.0.4, 12.1.0.2 and 12.2.0.1. | Hacking, JVM takeover | For successful attacks, human interactions people except the attacker protocols for compromising JVM. |
| DHCP and DNS server | PowerDNS Authoritative Server before both the 4.0.7 and 4.1.7 versions. | DoS attack | Vulnerability was modified since last analysis by the NVD. Awaiting reanalysis. |
| ADSL router | Telindus 1100 ADSL routers allow remote attackers to gain privileges to the device via a certain packet to UDP port 9833 | | Authentication is not required to exploit the vulnerability. |
| Workstations | Integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled. | Used to execute code on the host in conjunction with other issues. | Vulnerability valid when product versions older than VMware Fusion 8.5.1 are used with Apple Mac OS X. |
| Operating system | Windows Jet Database Engine improperly handl | Remote execution of malicious codes. | Affects a wide range of Windows OS. |
| Firewalls | Check Point Firewall-1 4.1 - NG AI R55 | Allow a remote attacker to steal sensitive information. | CWE id is not defined for this vulnerability. |
| Wireless Access point | IP Version 4 (IPv4) fragment reassembly function | DoS attack, constant reboots | The vulnerability results from corruption of an internal data structure and affects most wireless LAN controllers. |
| Telnet connection | slc_add_reply function | Buffer overflow | CWE id not yet defined for the vulnerability. |

Asset

When it comes to computer and network security, an asset is any device, application, data or other component which supports information-specific activities. These typically include hardware like servers and switches, software (be it mission critical applications or supporting systems) and confidential information. These assets need to be protected from misuse, illicit access, unauthorized disclosure, modification, deletion or even theft leading to loss for the organization.

Threat

In the world of computer security, threats are dangers that might exploit vulnerabilities to breach security, thus causing damage that is often irreparable. Threats can either be intentional, like hacking by individual crackers or criminal organizations, or accidental, like malfunctioning of computers.

Vulnerability

Vulnerabilities in computers are cybersecurity terms which refer to defects in any given system that can leave it open to attacks (Knowles et al. 2015). Network personnel and computer users must stay aware and informed of current vulnerabilities in every piece of software in use and explore ways to remain protected against them.

Risk

Risks in cybersecurity, as well as opportunities, are what devices, digital media and technologies bring forth. Cyber risks were never purely for IT teams only, despite them playing vital roles. The risk management functions of organizations require a thorough understanding of the rapidly evolving risks and must continue to explore tools and techniques for addressing them.

| Threat | Vulnerability | Likelihood | Impact | Risk rating | Description |
|---|---|---|---|---|---|
| DoS attack | PowerDNS Authoritative Server before both the 4.0.7 and 4.1.7 versions. | Likely | Major | 16 (Extreme) | Threat is likely to occur despite firewall and has major impact on systems |
| Remote execution of malicious codes. | Integer overflow vulnerability | Almost certain | Moderate | 15 (High) | Threat is definitely to occur but has moderate impact |
| Backdoor Attack | SMTP Server Listening on Non-Default Port | Possible | Major | 12 (High) | Threat might occur and has major impact |
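The version conditions in the vulnerability table and the likelihood/impact pairs in the risk assessment table can be applied to an asset inventory as shown here. This is an added example, not part of the original report: the host names and installed versions are constructed, the unused scale labels and the Medium/Low cut-offs are assumptions, and the PowerDNS branch handling is an assumed reading of "before both the 4.0.7 and 4.1.7 versions".

```python
# Added example: inventory rows are constructed; rules and ratings come from the report.

# 5x5 ordinal scales. The report uses only Possible/Likely/Almost certain and
# Moderate/Major; the remaining labels are assumed to complete the matrix.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


def parse(version):
    """'4.1.6' -> (4, 1, 6, 0): numeric, zero-padded, so '4.1' == '4.1.0'."""
    parts = [int(p) for p in version.split(".")]  # ValueError on '4.1.x'
    return tuple(parts + [0] * (4 - len(parts)))


def powerdns_affected(v):
    # Assumed reading of "before both the 4.0.7 and 4.1.7 versions":
    # anything below 4.0.7, plus the 4.1 branch below 4.1.7.
    return v < parse("4.0.7") or parse("4.1.0") <= v < parse("4.1.7")


ORACLE_AFFECTED = {parse("11.2.0.4"), parse("12.1.0.2"), parse("12.2.0.1")}

# product -> (affected?, threat, likelihood, impact); None = no risk-table row
RULES = {
    "PowerDNS Authoritative Server": (powerdns_affected, "DoS attack", "Likely", "Major"),
    "VMware Fusion": (lambda v: v < parse("8.5.1"),
                      "Remote execution of malicious codes", "Almost certain", "Moderate"),
    "Oracle Database Server": (lambda v: v in ORACLE_AFFECTED,
                               "Hacking, JVM takeover", None, None),
}


def rate(likelihood, impact):
    """Score = likelihood x impact. Extreme/High reproduce the report's rows."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 16:
        return score, "Extreme"
    if score >= 12:
        return score, "High"
    return score, "Medium" if score >= 5 else "Low"  # assumed lower bands


def triage(inventory):
    """Return findings for affected hosts, highest risk score first."""
    findings = []
    for host, product, version in inventory:
        if product not in RULES:
            continue
        affected, threat, likelihood, impact = RULES[product]
        try:
            hit = affected(parse(version))
        except ValueError:
            # Never treat an unreadable version as "not affected".
            findings.append((host, product, version, "unparsed version", None, "Review"))
            continue
        if hit:
            score, band = rate(likelihood, impact) if likelihood else (None, "Unrated")
            findings.append((host, product, version, threat, score, band))
    return sorted(findings, key=lambda f: -(f[4] or 0))  # stable; unscored last


INVENTORY = [  # constructed hosts and versions
    ("ns1", "PowerDNS Authoritative Server", "4.1.6"),
    ("ns2", "PowerDNS Authoritative Server", "4.1.7"),
    ("ns3", "PowerDNS Authoritative Server", "4.0.6"),
    ("mac-07", "VMware Fusion", "8.5.0"),
    ("db1", "Oracle Database Server", "12.1.0.2"),
    ("ns4", "PowerDNS Authoritative Server", "4.1.x-custom"),
]
```

Calling `triage(INVENTORY)` returns the affected hosts ordered by risk score, with the Oracle finding marked "Unrated" because the risk assessment table has no row for it.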
Conclusion

In conclusion, the report succeeds in conducting a risk assessment for MyHealth by identifying and providing briefs on the assets, following which they are classified in a tabular format where the report provides location and ownership specific details. After that, the report discusses how and why information security governance can be beneficial for MyHealth, following which cybersecurity policies are explained and suggestions are given for the company, where it is observed that the way MyHealth addresses security incidents needs a revamp. Next, the report proceeds to the vulnerability and risk management section, where the enterprise risk management strategy is explained and the five steps are given, after which the vulnerability assessment table is made, relating the assets with their vulnerabilities and the threats that might occur. Then, after explaining asset, threat, vulnerability and risks, the risk assessment table is created. It is observed that DoS attack, remote execution of malicious codes and backdoor attacks are the most critical threats to be faced by MyHealth.

Bibliography

Chen, M.H., Dong, M. and Liang, B., 2016, March. Joint offloading decision and resource allocation for mobile cloud with computing access point. In 2016 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) (pp. 3516-3520). IEEE.

Chiu, D., Weng, S.H. and Chiu, J., 2017. Backdoor use in targeted attacks. A Trend Micro Research Paper.
Dukhovni, V. and Hardaker, W., 2015. SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) (No. RFC 7672).

Ganin, A.A., Quach, P., Panwar, M., Collier, Z.A., Keisler, J.M., Marchese, D. and Linkov, I., 2017. Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis.

Gruss, D., Maurice, C. and Mangard, S., 2016, July. Rowhammer.js: A remote software-induced fault attack in JavaScript. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 300-321). Springer, Cham.

Heo, H. and Shin, S., 2018, May. Who is knocking on the Telnet Port: A Large-Scale Empirical Study of Network Scanning. In Proceedings of the 2018 on Asia Conference on Computer and Communications Security (pp. 625-636). ACM.

Hoyt, R.E. and Liebenberg, A.P., 2015. Evidence of the value of enterprise risk management. Journal of Applied Corporate Finance, 27(1), pp.41-47.

Hubbard, D.W. and Seiersen, R., 2016. How to measure anything in cybersecurity risk. John Wiley & Sons.

Hydara, I., Sultan, A.B.M., Zulzalil, H. and Admodisastro, N., 2015. Current state

Jones, B., Feamster, N., Paxson, V., Weaver, N. and Allman, M., 2016, March. Detecting DNS root manipulation. In International Conference on Passive and Active Network Measurement (pp. 276-288). Springer, Cham.

Knowles, W., Prince, D., Hutchison, D., Disso, J.F.P. and Jones, K., 2015. A survey of cyber security management in industrial control systems. International journal of critical infrastructure protection, 9, pp.52-80.
Kott, A. and Arnold, C., 2015. Towards Approaches to Continuous Assessment of Cyber Risk in Security of Computer Networks. arXiv preprint arXiv:1512.07937.

Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.

Szewczyk, P. and Macdonald, R., 2017. Broadband router security: History, challenges and future implications.

Younes, O.S., 2016. A Secure DHCP Protocol to Mitigate LAN Attacks. Journal of Computer and Communications, 4(01), p.39.

Zhang, H., Cheng, P., Shi, L. and Chen, J., 2016. Optimal DoS attack scheduling in wireless networked control system. IEEE Transactions on Control Systems Technology, 24(3), pp.843-852.