School: Colorado Technical University
Course: 651
Subject: Computer Science
Date: Feb 20, 2024
Pages: 30
Computer Systems Security Foundations: CS651
Security Management Document
Kristine Cameron
02 February 2024
Abstract
A case study shows that Jackson Purchase Medical Center is growing, and its security posture
needs to be updated based on this growth. Based on a recent initial public offering (IPO), the
healthcare facility has new regulatory requirements that it must meet. To meet these
requirements, a review of the current security must be conducted. This provides a chance to
review the current security mechanisms and analyze the threats that the company could face. In
addition, the company needs to expand its current network infrastructure to allow employees to
work more efficiently but in a secure environment. This paper will identify the major
applications and resources that are used by Jackson Purchase. Then, for each application, it will
review the security threats that the company now faces and could face after the expansion. This
paper will also describe two access control mechanisms and consider whether they can be used
within the organization. It will also go on to describe single sign-on (SSO) and virtual private
network (VPN) technology and whether they can be used within the company. Policies and
controls will be identified and determined as to whether or not they can meet the regulatory
requirements imposed by the recent initial public offering (IPO). Because the network of Jackson
Purchase has to be re-evaluated from the beginning, the company wants to ensure that the new
network has many reasonable security controls and mechanisms in place.
Table of Contents
Week 1: Introduction to Information Security
    Company Description
    Information Security Needs, Risks, and Benefits
    On-Site Consultant Challenges
    Company IPO Challenges
Week 2: Security Assessment
    Typical Assets
    Current Non-Network Segregation Risks
    Consultant Network Created Risks
    Risk Tests and Security Assessment
    Risk Mitigation
Week 3: Access Controls and Security Mechanisms
    Access Control Mechanisms
    Access Control Protection
    SSO and VPN Technology
Week 4: Security Policies, Procedures, and Regulatory Compliance
    Regulatory Requirements
    Company Policies
    Company Controls
    Data at Rest / Data in Motion
Week 5: Network Security
    Proposed Network Infrastructure
    Network Architecture Diagram
    Access Controls
    Intrusion Detection Systems (IDSs)
    Intrusion Prevention Systems (IPSs)
References
Week 1: Introduction to Information Security
Company Description
This Security Management Document will cover the information security needs, risks, and benefits for Jackson Purchase Medical Center, located in the heart of Mayfield, Kentucky. This facility opened its doors in 1993 and offers 107 private rooms for its patients. Jackson Purchase offers both emergent and elective inpatient and outpatient services. These include a New Beginnings Birthing Center, an Advance Healing Wound Care Center, and a state-of-the-art Chest Pain Center (Jackson Purchase Medical Center, n.d.). This medical center offers fourteen beds in its Emergency Department (ED), not including its triage room, and has set its goal at thirty minutes from the time the patient walks into the ED until they exit (Jackson Purchase Medical Center, n.d.). While every situation is different, this is the goal that is set for Jackson Purchase and the eight counties for which it provides quality care.
Information Security Needs, Risks, and Benefits
A case study has been initiated for this growing medical center, showing that the security posture of the company is in need of updating due to its rapid growth over the last few years. This growth has led to an initial public offering (IPO), which imposes new regulatory requirements that the company must meet. Thus, a review of the information security currently in place needs to be conducted in order to successfully expand the current infrastructure, enabling the company to operate more efficiently while still maintaining a secure environment.
An update of information security is greatly needed in the ED at Jackson Purchase Medical Center. Though the ED is set aside for emergency situations, this is no excuse for a violation of the Health Insurance Portability and Accountability Act (HIPAA), which protects patients' private health information. This act protects a patient's private information by restricting who can have access to the medical records. In addition to the doctors and nurses who are providing care for the patients, various registrars also have access to this information. Oftentimes in the ED, the registrars are the first point of contact a patient sees who have full access to their records. To ensure public health and safety, HIPAA also recognizes that various other authorities may have access to personal medical files. These can include public health authorities, such as the Centers for Disease Control and Prevention (CDC), foreign government agencies in collaboration with a public health authority, and any persons who may be at risk of spreading or contracting a disease (Office for Civil Rights BULLETIN: HIPAA Privacy in Emergency Situations, 2014).
There are numerous risks to information security at the Jackson Purchase Emergency Department because it is such a high-volume traffic area. With the lack of medical facilities available to patients in the evenings and on weekends, most of these patients end up in their local emergency room. This tends to make the ED one of the most stressful and challenging areas in any hospital. Not only are the nurses and registrars challenged to ensure that all patient information is secure, there are also hidden security dangers that can come in the form of the individuals who come into the ED. Some of these risks are as follows (Solving Emergency Department Security Challenges, 2020):
Patients or visitors who are under the influence of drugs or alcohol.
The circumstances that can arise from victims of gunshot wounds and/or gang violence.
Patients suffering from mental health behaviors.
Domestic violence patients who are followed into the ED by their abusers.
Patients escorted into the ED by law enforcement officials.
The ED can benefit from an update of the security posture by implementing access controls that limit emergency patients' access to other parts of the hospital, keeping the ambulance entrance separated from the walk-in entrance and waiting room, providing security staff to protect the registrars, nurses, and other care providers, and having a rapid lockdown program in place in the event of emergencies (Solving Emergency Department Security Challenges, 2020).
On-Site Consultant Challenges
While on-site consultants can bring their knowledge and expertise to a project such as this, their agenda oftentimes does not match that of the hospital staff they are consulting. Because the consultant's behavior may be influenced and driven by a variety of motives, it can be challenging for them to work with project managers without conflict arising (Davidson, 2009). However, one of the biggest challenges when it comes to on-site consultants in the ED is that this department is almost constantly busy. With the tasks of checking in patients, running back to get paperwork signed, taking payments, and filling out countless forms, there isn't time to breathe, let alone time to sit down with a consultant to discuss changes to the company's IPO.
Company IPO Challenges
As with any IPO taking place, this process can be extremely complex and be faced with multiple challenges for the company. According to Deloitte, here is a list of a few of the challenges that