Cybersecurity Risk Management Plan for MyHealth Company (CMP73001)

Added on  2023/01/17

AI Summary
This report presents a cybersecurity risk assessment for MyHealth Company, focusing on the potential threat of unauthorized database access. The assessment identifies the hazard, evaluates the risk based on consequence and likelihood, and proposes control measures. These measures include restricting staff entry, implementing strong passwords, updating antivirus software, installing a network firewall, and providing role-based access levels. The report outlines implementation steps, responsible parties, and review schedules. The assignment, completed by a student, addresses the company's need to protect patient data and payment information, aligning with the assignment brief's requirements for cybersecurity management and risk assessment within the context of the CMP73001 unit at the School of Business and Tourism.
Risk management plan – single risk
Company name: MyHealth
Completed by: Student name
Work area: Cybersecurity management
Date completed: date
Hazard identification
Hazard: Unauthorized access to the database server
Risk assessment
What harm could the hazard cause? The company could lose its reputation in the market, and patient treatment could be put at risk. The database also holds payment details.
What is the likelihood of this happening? Because all staff have open access to the server room, the server could be hacked. This increases the likelihood of the threat.
Existing control measures:
1. Restrict entry for all staff
2. IT staff can enter the room with permission
3. The server and other devices will be kept under physical security
Consequence: $500,000
Likelihood: 0.5
Outcome: Annualized Loss Expectancy (ALE) = 250,000
Control measures
Detective controls: Restrict entry of all staff
    Secure and strong passwords, created with the help of password creator tools
Corrective controls: Update the antivirus on all systems
Preventive: Install a network firewall to secure the network
Administrative: Provide different access levels to all staff members based on their requirements
Implementation
| Associated activities | Resources required | Person(s) responsible | Sign off and date |
| --- | --- | --- | --- |
| Installing a firewall | Firewall hardware | Chief information security officer (CISO)’s name | CISO signature and date |
| Updating antivirus | Antivirus definition | Allocated person | CISO signature and date |
| Update operating systems | Windows 10 | Chief information security officer (CISO)’s name | CISO signature and date |
REVIEW
Scheduled review date: / /
Are the control measures in place?
Yes/no based on the student's assumption
Are the controls eliminating/minimising the risk?
Yes/no based on the student's assumption
Are there any new problems with the risk?
Explain if the existing risk exceeds the acceptable level of risk in the company
Adapted from: Workplace Health and Safety Queensland – How to manage work health and safety risks code of practice. 2011