Cybersecurity Management: Risk Assessment for Advanced Medicos
VerifiedAdded on 2022/09/18
|13
|2349
|21
Report
AI Summary
This report provides a comprehensive cybersecurity risk assessment for Advanced Medicos Limited (AML), a healthcare product selling company aiming to expand its online presence. The report begins with an introduction and then classifies AML's assets into current, tangible, intangible, digital, and people assets. It emphasizes the importance of information governance in maintaining customer trust and outlines security policies for human resources, access control, operations, network communication, and vulnerability management. The report then details the risk management phases within the ISO framework, identifying vulnerabilities and threats such as database security issues, outdated antivirus software, lack of encryption, and inadequate access control. A risk register is presented, assessing the likelihood, impact, and mitigation strategies for each identified vulnerability. The overall goal is to provide AML with a clear understanding of its cybersecurity posture and actionable recommendations to enhance its security measures.
Running head: CYBER SECURITY
CYBER SECURITY
Name of the Student:
Name of the University:
Author note:
CYBER SECURITY
Name of the Student:
Name of the University:
Author note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Table of Contents
Task 1:.............................................................................................................................................3
Introduction:....................................................................................................................................3
Classification of the Assets:.............................................................................................................3
Identification of the Assets:.............................................................................................................4
Importance of Information Governance:.........................................................................................5
Security Policies for the information system:..................................................................................5
Task 2:.............................................................................................................................................8
Risk Management Phases in ISO framework:.................................................................................8
Identification of the vulnerabilities and threats:..............................................................................9
Risk Register for Risk Assessment and Management:..................................................................10
Task 1:.............................................................................................................................................3
Introduction:....................................................................................................................................3
Classification of the Assets:.............................................................................................................3
Identification of the Assets:.............................................................................................................4
Importance of Information Governance:.........................................................................................5
Security Policies for the information system:..................................................................................5
Task 2:.............................................................................................................................................8
Risk Management Phases in ISO framework:.................................................................................8
Identification of the vulnerabilities and threats:..............................................................................9
Risk Register for Risk Assessment and Management:..................................................................10
Task 1:
Introduction:
The Advanced Medicos Limited is a company involved in the selling of the health care
products. They are currently encountering certain issues in their cyber security for which they
have hired a cyber-security consultant to identify the threats and propose policy for the cyber
security issues after identifying the primary assets of the company and implementing the security
policies for the company.
Classification of the Assets:
Assets are the belongings of a company which is extremely valuable for the organization.
The company assets can be classified into a certain categories as well and they are discussed
briefly in this section.
Current Assets: The assets which were supposed to get converted to cash or financial
assets in the upcoming year.
Tangible assets:These are the assets that physically exists in the company. This include,
the buildings, cash, properties, equipment, stock, inventories and many other precious
consumption of the company (Parshakov and Zavertiaeva 2017).
Intangible assets: These are the assets which cannot be seen, like the reputation of the
company, copyrights, trademarks or goodwill (McCosh and Wayne 2018). The values of the
intangible assets are particularly difficult to determine (Lim, Macias and Moeller 2019).
Digital Assets: These are basically the assets that are stored in the system or the data
bases and is used for the purpose of the company. The information of the customers which are
Introduction:
The Advanced Medicos Limited is a company involved in the selling of the health care
products. They are currently encountering certain issues in their cyber security for which they
have hired a cyber-security consultant to identify the threats and propose policy for the cyber
security issues after identifying the primary assets of the company and implementing the security
policies for the company.
Classification of the Assets:
Assets are the belongings of a company which is extremely valuable for the organization.
The company assets can be classified into a certain categories as well and they are discussed
briefly in this section.
Current Assets: The assets which were supposed to get converted to cash or financial
assets in the upcoming year.
Tangible assets:These are the assets that physically exists in the company. This include,
the buildings, cash, properties, equipment, stock, inventories and many other precious
consumption of the company (Parshakov and Zavertiaeva 2017).
Intangible assets: These are the assets which cannot be seen, like the reputation of the
company, copyrights, trademarks or goodwill (McCosh and Wayne 2018). The values of the
intangible assets are particularly difficult to determine (Lim, Macias and Moeller 2019).
Digital Assets: These are basically the assets that are stored in the system or the data
bases and is used for the purpose of the company. The information of the customers which are
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
very important for the organization is a part of the digital asset of the organization. This is one of
the very important asset as it stores all sort of data in the organization, beginning from the
personal details, to the transaction details, VPNs, credit card details and many more crucial
information of the organization (Osinski et al. 2017).
People Assets: The last but not the least is the people asset. This is the asset which is
associated with the organization and they are employees and customers. These are the living
assets for the organization and without them the operations of the organization are impossible.
They help in improving the efficiency of the organization along with the quality of the services
and products, and hence can be considered to be one of the most important asset along with the
other mentioned assets.
Identification of the Assets:
As a medical product selling company, Advanced Medicos Limited has certain assets in its
possession. As it is trying to move the entire service to the online for the improvement and easy
availability of the customers, it has certain digital assets as well and they are listed in this
section:
The Digital Assets of the company are:
Database Server for storing the customer private data.
Web based servers for providing online services and payment-2
40 Personal Computers.
Operating System and Firewalls
Routers
10 IP phones
the very important asset as it stores all sort of data in the organization, beginning from the
personal details, to the transaction details, VPNs, credit card details and many more crucial
information of the organization (Osinski et al. 2017).
People Assets: The last but not the least is the people asset. This is the asset which is
associated with the organization and they are employees and customers. These are the living
assets for the organization and without them the operations of the organization are impossible.
They help in improving the efficiency of the organization along with the quality of the services
and products, and hence can be considered to be one of the most important asset along with the
other mentioned assets.
Identification of the Assets:
As a medical product selling company, Advanced Medicos Limited has certain assets in its
possession. As it is trying to move the entire service to the online for the improvement and easy
availability of the customers, it has certain digital assets as well and they are listed in this
section:
The Digital Assets of the company are:
Database Server for storing the customer private data.
Web based servers for providing online services and payment-2
40 Personal Computers.
Operating System and Firewalls
Routers
10 IP phones
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
The Tangible assets of the organization:
The Work space
Security
The People Asset of the Organization:
40 Staffs along with three Information Technology expert
Customers
Importance of Information Governance:
In any sector or organization, trust is one of the major aspect of the business. Gaining
trust of the organization is very important. It is trust which helps in maintaining good
relationship between the company and its customers. Likewise, health care sector also requires
accuracy so as to function properly and in an error free manner (Smallwood 2019). This is where
information governance can come into play. While increasing the security and protection of the
patients, it can help in improving customer relationships as well. Information governance reduces
the risks of a company and thus, the budget is under control. It also allows following of certain
governance principles so as to get maximum security, efficiency and good relationship between
customers and company sectors. These principles include principles of availability, retention,
disposition, accountability, compliance, protection, transparency and integrity (Smallwood2018).
Security Policies for the information system:
Once the assets of the company are identified, certain security principles are addressed
for the assets as well. Some of the Security Policies for the company are listed below:
Human Resources Security Policy:
The Work space
Security
The People Asset of the Organization:
40 Staffs along with three Information Technology expert
Customers
Importance of Information Governance:
In any sector or organization, trust is one of the major aspect of the business. Gaining
trust of the organization is very important. It is trust which helps in maintaining good
relationship between the company and its customers. Likewise, health care sector also requires
accuracy so as to function properly and in an error free manner (Smallwood 2019). This is where
information governance can come into play. While increasing the security and protection of the
patients, it can help in improving customer relationships as well. Information governance reduces
the risks of a company and thus, the budget is under control. It also allows following of certain
governance principles so as to get maximum security, efficiency and good relationship between
customers and company sectors. These principles include principles of availability, retention,
disposition, accountability, compliance, protection, transparency and integrity (Smallwood2018).
Security Policies for the information system:
Once the assets of the company are identified, certain security principles are addressed
for the assets as well. Some of the Security Policies for the company are listed below:
Human Resources Security Policy:
All the people involved in the organization must undergo the security procedures
during the tenure of working, before working and even after termination of their
role as an employee with respect to the guidance of the Company.
Employees should be provided with a training regarding the security awareness
while they are working for the company.
Access Control Policy:
The access to the information system of the company must be restricted to few
specific person or the person who are in charge of the system of information.
Security such as passwords must be used in order to address the information
assets of the company.
Operations Security:
The System Administrators are the ones responsible for documentation and
maintenance of the Standard Operating Procedures (SOP) for ICT resources and
information assets which are meant for them to manage.
Users who are involved in the process of the development, administration, ,
testing as well as allowance of the Company’s ICT resources should pursue
suitable change management processes.
System Administrators and System Owners are accountable for implementation,
prevention, detection and recovery of the data against any sort of malicious attack.
suitable user-awareness process for ICT resources must be implemented and
managed by them as well.
Back up must be created of each and every information asset such that any sort of
issues or attack in the system can be coped up with.
during the tenure of working, before working and even after termination of their
role as an employee with respect to the guidance of the Company.
Employees should be provided with a training regarding the security awareness
while they are working for the company.
Access Control Policy:
The access to the information system of the company must be restricted to few
specific person or the person who are in charge of the system of information.
Security such as passwords must be used in order to address the information
assets of the company.
Operations Security:
The System Administrators are the ones responsible for documentation and
maintenance of the Standard Operating Procedures (SOP) for ICT resources and
information assets which are meant for them to manage.
Users who are involved in the process of the development, administration, ,
testing as well as allowance of the Company’s ICT resources should pursue
suitable change management processes.
System Administrators and System Owners are accountable for implementation,
prevention, detection and recovery of the data against any sort of malicious attack.
suitable user-awareness process for ICT resources must be implemented and
managed by them as well.
Back up must be created of each and every information asset such that any sort of
issues or attack in the system can be coped up with.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
Network communication Security Policy:
“The System Administrators and System Owner must segregate, control and
manage those parts of the network for which they have responsibility to save
information in applications and systems in accordance with the Information
Security Network Security Manual.”(Mozhaev et al. 2017)
Vulnerability Management Policy:
The system administrator are the ones responsible for the purpose of the ensuring
the level of the security patch and management of the vulnerability. The job of the
vulnerability management being the identification, prioritization and
determination of the remedies for the vulnerabilities.
“The System Administrators and System Owner must segregate, control and
manage those parts of the network for which they have responsibility to save
information in applications and systems in accordance with the Information
Security Network Security Manual.”(Mozhaev et al. 2017)
Vulnerability Management Policy:
The system administrator are the ones responsible for the purpose of the ensuring
the level of the security patch and management of the vulnerability. The job of the
vulnerability management being the identification, prioritization and
determination of the remedies for the vulnerabilities.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Task 2:
Risk Management Phases in ISO framework:
The most significant elements of the framework are the Policy and governance, designing
of the program for the management of the overall risk in the organization, implementation of the
structure for the management of the risk, monitoring and reviewing the risks and the
vulnerabilities, and lastly the continuous upgrading in the company with the regular maintenance
of the systems and the process of the organization (Olechowski et al. 2016).
The various phases of the ISO Framework of the risk management includes the following
stages (Barafort,Mesquida and Mas 2017). Following this effectively and efficiently, one may
avoid the vulnerabilities and the threats occurring in the system.
The major steps are:
These stages has certain sub stages as well and they are:
Active communication:
Consultation with all the stakeholders about the strategy that will be considered while the
risk management is conducted.
Execution process:
Establishment of Context
Risk Management Phases in ISO framework:
The most significant elements of the framework are the Policy and governance, designing
of the program for the management of the overall risk in the organization, implementation of the
structure for the management of the risk, monitoring and reviewing the risks and the
vulnerabilities, and lastly the continuous upgrading in the company with the regular maintenance
of the systems and the process of the organization (Olechowski et al. 2016).
The various phases of the ISO Framework of the risk management includes the following
stages (Barafort,Mesquida and Mas 2017). Following this effectively and efficiently, one may
avoid the vulnerabilities and the threats occurring in the system.
The major steps are:
These stages has certain sub stages as well and they are:
Active communication:
Consultation with all the stakeholders about the strategy that will be considered while the
risk management is conducted.
Execution process:
Establishment of Context
Risk Identification
Risk analysis
Risk evaluation
Risk treatment
Risk Oversight:
Review and monitoring the Risk on a regular basis such that the issues can be avoided.
Identification of the vulnerabilities and threats:
The vulnerabilities that has been identified with the help of the risk assessment are listed below:
1. A database without security. One SQL injection being implemented by the hacker may
lead to the unavailability of the entire information. This can be hazardous for the
company.
2. The back-up file being stored in a single computer (Thiyab, Ali and Basil 2017).
3. Outdated Antiviruses.Several new viruses have been developed today which can adapt
themselves to the older technologies. Hence any outdated antivirus might not be able to
track or treat them at all making them useless.
4. No Encryption. If any attack is initiated by the hackers on the system information and the
data base of the company, they will be able to get all the necessary details regarding the
company’s activities or even the sensitive information such as the financial details and
the customer details (Vaishnavi and Thiyagarajan 2018).
5. No Access Control as there is one server room which is accessible by all the staffs and
members of the organization. Thus the information may be misused or the privacy and
the integrity of the data may be at stake.
Risk analysis
Risk evaluation
Risk treatment
Risk Oversight:
Review and monitoring the Risk on a regular basis such that the issues can be avoided.
Identification of the vulnerabilities and threats:
The vulnerabilities that has been identified with the help of the risk assessment are listed below:
1. A database without security. One SQL injection being implemented by the hacker may
lead to the unavailability of the entire information. This can be hazardous for the
company.
2. The back-up file being stored in a single computer (Thiyab, Ali and Basil 2017).
3. Outdated Antiviruses.Several new viruses have been developed today which can adapt
themselves to the older technologies. Hence any outdated antivirus might not be able to
track or treat them at all making them useless.
4. No Encryption. If any attack is initiated by the hackers on the system information and the
data base of the company, they will be able to get all the necessary details regarding the
company’s activities or even the sensitive information such as the financial details and
the customer details (Vaishnavi and Thiyagarajan 2018).
5. No Access Control as there is one server room which is accessible by all the staffs and
members of the organization. Thus the information may be misused or the privacy and
the integrity of the data may be at stake.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6. No virtual or cloud storage facility. The data if lost, or if the computer storing the backup
data is distorted, there is no way of retrieving the data back (Rittinghouse and Ransome
2016).
7. There is one single floor or space for undertaking the operations of the system, hence, if
fire or other technical hazards take place in the organization it will lead to
8. The roles and responsibilities of the employees not documented., thus allowing any
employee to access different data
Risk Register for Risk Assessment and Management:
Vulnerabilities Threats Likelihood Impact Mitigation
A database without
security.
SQL injection High High Proper security enhanced
with the help of the
passwords and the
encryption of the
databases.
The back-up file
being stored in a
single computer
Loss of data due
to attacks and
hacking
High High Creating cloud based
technology for the storage
of the information such
that they can accessed
when the data s lost.
Outdated
Antiviruses
Malware attack High High Updating the system and
the antiviruses to its latest
version.
No Encryption Malware attacks,
loss of data,
manipulation of
data
High High Providing passwords and
encryption to the system
No Access control Loss of privacy,
integrity and
availability of the
data
High High Implementation of the
access control technique
by applying credentials
for verifying the identity
of the person who is
accessing the data.
No virtual storage Permanent loss of
data
High High functioning of the Cloud
based infrastructure for
the storage of the data and
sensitive information such
that recovery of the data is
data is distorted, there is no way of retrieving the data back (Rittinghouse and Ransome
2016).
7. There is one single floor or space for undertaking the operations of the system, hence, if
fire or other technical hazards take place in the organization it will lead to
8. The roles and responsibilities of the employees not documented., thus allowing any
employee to access different data
Risk Register for Risk Assessment and Management:
Vulnerabilities Threats Likelihood Impact Mitigation
A database without
security.
SQL injection High High Proper security enhanced
with the help of the
passwords and the
encryption of the
databases.
The back-up file
being stored in a
single computer
Loss of data due
to attacks and
hacking
High High Creating cloud based
technology for the storage
of the information such
that they can accessed
when the data s lost.
Outdated
Antiviruses
Malware attack High High Updating the system and
the antiviruses to its latest
version.
No Encryption Malware attacks,
loss of data,
manipulation of
data
High High Providing passwords and
encryption to the system
No Access control Loss of privacy,
integrity and
availability of the
data
High High Implementation of the
access control technique
by applying credentials
for verifying the identity
of the person who is
accessing the data.
No virtual storage Permanent loss of
data
High High functioning of the Cloud
based infrastructure for
the storage of the data and
sensitive information such
that recovery of the data is
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
possible (Marinescu2017).
Roles and
responsibilities of
the employees not
defined
Invading the
privacy and
security of the
data
Moderate High Defining proper roles and
responsibility of the
company’s employee such
that they can operate
within the boundaries of
their roles and
responsibilities towards
the organization.
Roles and
responsibilities of
the employees not
defined
Invading the
privacy and
security of the
data
Moderate High Defining proper roles and
responsibility of the
company’s employee such
that they can operate
within the boundaries of
their roles and
responsibilities towards
the organization.
References:
Barafort, B., Mesquida, A.L. and Mas, A., 2017. Integrating risk management in IT settings from
ISO standards and management systems perspectives. Computer Standards & Interfaces, 54,
pp.176-185.
Lim, S.C., Macias, A.J. and Moeller, T., 2019. Intangible assets and capital structure. Available
at SSRN 2514551.
Marinescu, D.C., 2017. Cloud computing: theory and practice. Morgan Kaufmann.
McCosh, J.G. and Wayne, K.T., 2018. Valuing the Goodwill and Intangibility of Employee
Assets. Proceedings of the Northeast Business & Economics Association.
Mozhaev, O., Kuchuk, H., Kuchuk, N., Mozhaev, M. and Lohvynenko, M., 2017, July.
Multiservice network security metric. In 2017 2nd International Conference on Advanced
Information and Communication Technologies (AICT) (pp. 133-136). IEEE.
Olechowski, A., Oehmen, J., Seering, W. and Ben-Daya, M., 2016. The professionalization of
risk management: What role can the ISO 31000 risk management principles play?. International
Journal of Project Management, 34(8), pp.1568-1578.
Osinski, M., Selig, P.M., Matos, F. and Roman, D.J., 2017. Methods of evaluation of intangible
assets and intellectual capital. Journal of Intellectual Capital.
Parshakov, P. and Zavertiaeva, M., 2017. Companies intangibles: Unique versus
generic. International Review of Economics & Finance, 49, pp.266-275.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management,
and security. CRC press.
Barafort, B., Mesquida, A.L. and Mas, A., 2017. Integrating risk management in IT settings from
ISO standards and management systems perspectives. Computer Standards & Interfaces, 54,
pp.176-185.
Lim, S.C., Macias, A.J. and Moeller, T., 2019. Intangible assets and capital structure. Available
at SSRN 2514551.
Marinescu, D.C., 2017. Cloud computing: theory and practice. Morgan Kaufmann.
McCosh, J.G. and Wayne, K.T., 2018. Valuing the Goodwill and Intangibility of Employee
Assets. Proceedings of the Northeast Business & Economics Association.
Mozhaev, O., Kuchuk, H., Kuchuk, N., Mozhaev, M. and Lohvynenko, M., 2017, July.
Multiservice network security metric. In 2017 2nd International Conference on Advanced
Information and Communication Technologies (AICT) (pp. 133-136). IEEE.
Olechowski, A., Oehmen, J., Seering, W. and Ben-Daya, M., 2016. The professionalization of
risk management: What role can the ISO 31000 risk management principles play?. International
Journal of Project Management, 34(8), pp.1568-1578.
Osinski, M., Selig, P.M., Matos, F. and Roman, D.J., 2017. Methods of evaluation of intangible
assets and intellectual capital. Journal of Intellectual Capital.
Parshakov, P. and Zavertiaeva, M., 2017. Companies intangibles: Unique versus
generic. International Review of Economics & Finance, 49, pp.266-275.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management,
and security. CRC press.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 13
