Enterprise Security Concerns

 

After reviewing the material your group has prepared so far, the management team has returned with a list of five specific concerns. They include:

  • Access control
  • Security enterprise
  • The impact of implementing a change management system
  • Mitigation
  • Risk management

Management has asked you to address concerns with a visual presentation. Address these concerns by providing the following information:

1. An overview of access control

2. The required mitigation steps for each concern

3. Prioritized concerns

4. Concerns with vendor relations from the enterprise security standpoint

5. A description of how the organization can apply risk management principles in its efforts

6. A description of iterative maintenance effort, including audits and frequency

Include at least two references formatted according to APA guidelines.

Present the information in this format:

  • A detailed chart, along with a brief 1- to 2-page executive summary, explaining the decisions made

Enterprise Security Concerns
Auburn Regional Medical Center
[NAME]
CMGT/430: Enterprise Security
August 8, 2019

OVERVIEW
Access Control
Security Enterprise
Change Management System
Mitigation
Risk Management

Access Control
Information Security has a broad set of responsibilities, ranging from training and awareness to digital forensics. Given this wide range of job roles, there are many ways to organize access control at Auburn Regional Medical Center. We will organize access control in several different ways to align both the skills and the primary functions of the team members.

[Org chart: Security Team, divided into Non-Technology Function, Technical Operations, and Security Enforcement]

Auburn Regional Medical Center must use information systems to accomplish key business goals. These goals can include operational proficiency, customer intimacy, better decision making, and new products and services. Information systems are an integral part of our organization. In reviewing the hospital's structure, it is important to show the significance of securing the organization's structure, organizational units, and business functions. The hospital achieves and manages its work by means of a structured chain of command and through its business processes, which are logically interrelated tasks and behaviors for completing work.

access control: roles
Manage: Functions that encompass overseeing a program or technical aspect of a security program at a high level and ensuring currency with changing risk and threat environments.
Design: Functions that encompass scoping a program or developing procedures, processes, and architectures that guide work execution at the program and/or system level.
Implement: Functions that encompass putting programs, processes, or policies into action within an organization.
Evaluate: Functions that encompass assessing the effectiveness of a program, policy, process, or security service in achieving its objectives.

Auburn Regional Medical Center has four operational departments that span the enterprise. To address the security needs of each department, separating duties limits an employee's ability to damage or compromise the confidentiality, integrity, and availability of the organization. Separating duties within a business or organization helps limit any individual's ability to cause harm or commit theft: if someone attempts to manipulate a system without management noticing, multiple people would have to conspire for the attempt to succeed.

access control: role-based access control

Role-based access control (RBAC) is centered on the roles that employees are assigned in a system. The user's identity connects him or her to resources, and the RBAC model normally describes the user's responsibility and purpose inside the organization. The benefit of this control is that access rights are assigned to roles rather than to individual users. This technique is useful because users are given distinct roles, static or dynamic, based on their tasks, and many users assigned to the same task can work with a minimum set of permissions.

The hospital will also establish different user roles. The following roles will be implemented:
IT Staff: Employees in the IT department. Full system access.
Doctors: Doctors with their case load.
Nurses: Nurses with their case load.
Vendors: Vendor access. Highly controlled and monitored.

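The four hospital roles from the slide above, as an added Python example that is not part of the original presentation: permissions are attached to roles rather than users, doctors and nurses are scoped to their own case load, and every vendor attempt is written to an audit log. The permission names, the case-load scoping rule and the vendor grant mechanism are assumptions made for this illustration.

```python
"""Role-based access control for the hospital roles listed on the slide.

Added example, not part of the original presentation. The role names follow the
slide (IT staff, doctors, nurses, vendors); the permission names, the case-load
scoping rule and the audit-log layout are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permissions hang off roles, never off individual users (the RBAC point on the slide).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "it_staff": {"read_record", "write_record", "admin_system"},  # full system access
    "doctor":   {"read_record", "write_record"},                  # limited to own case load
    "nurse":    {"read_record"},                                  # limited to own case load
    "vendor":   {"read_record"},                                  # highly controlled and monitored
}
# Clinical roles whose record access is scoped to the patients they are assigned.
CASELOAD_SCOPED = {"doctor", "nurse"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    caseload: frozenset = frozenset()  # patient ids assigned to this clinician


@dataclass
class AccessControl:
    # Records a vendor may read, granted one by one by IT staff (assumed control).
    vendor_grants: Dict[str, Set[str]] = field(default_factory=dict)
    # (user, role, action, patient, allowed) for every vendor attempt and every denial.
    audit_log: List[Tuple[str, str, str, str, bool]] = field(default_factory=list)

    def authorize(self, user: User, action: str, patient_id: str) -> bool:
        """Decide whether `user` may perform `action` on `patient_id`'s record."""
        allowed = action in ROLE_PERMISSIONS.get(user.role, set())
        if allowed and user.role in CASELOAD_SCOPED:
            allowed = patient_id in user.caseload
        if allowed and user.role == "vendor":
            allowed = patient_id in self.vendor_grants.get(user.name, set())
        # Vendors are monitored on every attempt; every role is logged when denied.
        if user.role == "vendor" or not allowed:
            self.audit_log.append((user.name, user.role, action, patient_id, allowed))
        return allowed

    def grant_vendor(self, admin: User, vendor: User, patient_id: str) -> bool:
        """Only a role holding admin_system may widen a vendor's access."""
        if "admin_system" not in ROLE_PERMISSIONS.get(admin.role, set()):
            return False
        self.vendor_grants.setdefault(vendor.name, set()).add(patient_id)
        return True


def demo() -> Dict[str, object]:
    """Exercise the four roles against constructed sample users and patient ids."""
    ac = AccessControl()
    admin = User("alice", "it_staff")
    doctor = User("dr_bob", "doctor", frozenset({"P100", "P101"}))
    nurse = User("nurse_cho", "nurse", frozenset({"P100"}))
    vendor = User("acme_support", "vendor")
    ac.grant_vendor(admin, vendor, "P200")
    return {
        "doctor_own_patient": ac.authorize(doctor, "write_record", "P100"),   # True
        "doctor_other_patient": ac.authorize(doctor, "read_record", "P999"),  # False
        "nurse_cannot_write": ac.authorize(nurse, "write_record", "P100"),    # False
        "it_admin": ac.authorize(admin, "admin_system", ""),                  # True
        "vendor_granted": ac.authorize(vendor, "read_record", "P200"),        # True
        "vendor_ungranted": ac.authorize(vendor, "read_record", "P100"),      # False
        "audit_entries": len(ac.audit_log),                                   # 4
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```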

Security Enterprise
Security is a need when dealing with privileged information, and more so when that information is people's confidential medical records. In particular, the adoption of electronically formatted medical records, so-called Electronic Health Records (EHRs), has become the primary security concern for a broad range of health information technology applications and practitioners.

Auburn Regional Medical Center must take security seriously. There can be serious legal consequences if a patient's EHR is released without the patient's authorization. See the next slide on how the team will secure the IT systems.

security enterprise
An overview of how data will flow from the EHR to the end user and how it will be secured in between.

Change Management System
Changes to the hospital's systems are necessary. Whenever new operating system or EHR application updates, patches, or new equipment are deployed, changes must be made to the configuration of the hospital's IT network.
To monitor these configuration changes, Auburn Regional Medical Center will implement a Change Management team to analyze, approve, develop, implement, and review any planned or unplanned change within the IT infrastructure.

change management system
The process begins with the submission of a Change Request. The Change Management team will see the Change Request through until the change has been implemented satisfactorily and its result has been communicated to all interested parties. Once a Change Request has been submitted, the team will:
1. Review the Change Request and approve or deny it.
2. Implement the changes in a planned and controlled environment.
3. Prepare user test cases to test the changes once the Change Request is complete.
4. Prepare a rollback plan in the event the changes fail.
5. Inform internal and external customers of any planned maintenance so they are aware of possible downtime.
6. Review the changes to determine whether they negatively impact the hospital in any way.
7. Document all changes for record and historical purposes, so that future requests can be compared against past changes and lessons learned from them.
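The seven change management steps above as a small workflow, an added Python example that is not part of the original presentation. It also enforces the separation of duties the access control section calls for (the submitter cannot review their own request); the state names and the rule that test cases, a rollback plan and customer notification must exist before implementation are assumptions made for this illustration.

```python
"""Change Request workflow with separation of duties, following the seven steps above.
Added example, not part of the original presentation. The state names, the rule that a
submitter may not review their own request, and the requirement that test cases, a
rollback plan and customer notification exist before implementation are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class State(Enum):
    SUBMITTED = "submitted"
    APPROVED = "approved"
    DENIED = "denied"
    IMPLEMENTED = "implemented"
    ROLLED_BACK = "rolled_back"
    CLOSED = "closed"


@dataclass
class ChangeRequest:
    cr_id: str
    submitter: str
    description: str
    state: State = State.SUBMITTED
    rollback_plan: str = ""
    # Step 7: every transition is kept as (actor, event, resulting state).
    history: List[Tuple[str, str, str]] = field(default_factory=list)

    def _record(self, actor: str, event: str) -> None:
        self.history.append((actor, event, self.state.value))

    def review(self, reviewer: str, approve: bool) -> None:
        """Step 1: approve or deny. Separation of duties: the submitter never reviews own request."""
        if self.state is not State.SUBMITTED:
            raise ValueError(f"{self.cr_id} is {self.state.value}, not awaiting review")
        if reviewer == self.submitter:
            raise PermissionError("submitter cannot review their own change request")
        self.state = State.APPROVED if approve else State.DENIED
        self._record(reviewer, "approved" if approve else "denied")

    def implement(self, implementer: str, test_cases: List[str],
                  rollback_plan: str, customers_notified: bool) -> None:
        """Steps 2 to 5: implement only an approved change, and only once the test cases,
        the rollback plan and the customer downtime notice are in place."""
        if self.state is not State.APPROVED:
            raise ValueError(f"{self.cr_id} is {self.state.value}, not approved")
        if not test_cases or not rollback_plan or not customers_notified:
            raise ValueError("test cases, rollback plan and customer notification required")
        self.rollback_plan = rollback_plan
        self.state = State.IMPLEMENTED
        self._record(implementer, f"implemented; {len(test_cases)} test cases prepared")

    def post_review(self, reviewer: str, tests_passed: bool, negative_impact: bool) -> bool:
        """Step 6: review the result; a failure triggers the step 4 rollback plan."""
        if self.state is not State.IMPLEMENTED:
            raise ValueError(f"{self.cr_id} is {self.state.value}, nothing to review")
        if tests_passed and not negative_impact:
            self.state = State.CLOSED
            self._record(reviewer, "closed")
            return True
        self.state = State.ROLLED_BACK
        self._record(reviewer, f"rolled back: {self.rollback_plan}")
        return False


def demo() -> ChangeRequest:
    """Constructed request for an EHR patch, reviewed by someone other than the submitter."""
    cr = ChangeRequest("CR-0001", "it_sam", "Apply EHR application patch")
    cr.review("cm_lead_pat", approve=True)
    cr.implement("it_sam", ["login works", "patient chart loads"],
                 "reinstall previous EHR build", customers_notified=True)
    cr.post_review("cm_lead_pat", tests_passed=True, negative_impact=False)
    return cr
```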

Mitigation
mitigation
Mitigation is the control strategy that attempts to reduce the impact of a loss caused by the exploitation of a vulnerability, through planning and preparation. This method consists of:
incident response
disaster recovery
business continuity

mitigation: incident response
The IT team will proactively monitor the hospital's IT systems and networks. If the team discovers an issue within a system or the network, it will open an incident record in its reporting application.
The IT team will work with the necessary staff and/or vendors to resolve the incident, and will notify the Change Management team if changes are needed to resolve it.
The IT team will also keep upper management informed of the incident so they can engage when needed.

The IT team will monitor the systems and networks. In the event of an incident, the team will record the incident in its reporting application, resolve the incident, and inform management of the incident with status updates.

mitigation: disaster recovery
Backing up the IT systems securely is also a priority for the hospital's IT staff. The goal of having a backup of data is to make sure that in the event of a disaster, such as flooding, hurricane, tornado, fire or other malicious activity, the data will be available and can be accessed easily during the recovery phase.
The security of the backup data is also important, because backup data is of no use if it is corrupted or damaged. Certain guidelines must be followed to accomplish these tasks.

For disaster recovery, the hospital's IT staff will implement a backup policy.

mitigation: disaster recovery
Various options are available for backups.
Full System: all data on the systems is backed up once the backup is initiated, but this requires a lot of space (Smith, 2016).
Incremental: once a full system backup is complete, only the files that have changed since the previous backup are backed up; this type of backup uses less space and takes less time to create (Smith, 2016).

mitigation: disaster recovery
Differential: like incremental, but a differential backup includes all files changed since the last full backup (Smith, 2016). Organizations can back up their data in two ways: in-house backup, where the servers are in an on-site data center, or cloud services such as Google Drive, Dropbox, and Microsoft OneDrive (Smith, 2016).

mitigation: business continuity
Hospitals must stay open 24x7x365. To do so, all IT data will reside in two geographically separate data centers.
Data backups will use three types of backups: full, incremental and differential.
In the event of a disaster, some employees can work from home or a remote location to ensure the hospital continues to serve the community.
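The three backup types above, as an added Python example that is not part of the original presentation: it computes which files each type copies on a constructed four-day schedule and which backup sets a restore then needs, the space-versus-restore-chain trade-off the slides leave implicit. The file change history, the hourly time scale and the schedule are constructed sample data.

```python
"""Which files each backup type captures, and what a restore then needs.
Added example, not part of the original presentation. The file change history,
the hourly time scale and the daily schedule are constructed sample data."""
from typing import Dict, List, Optional, Tuple

# Constructed change history: (path, hour modified, size in KB after the change).
CHANGES: List[Tuple[str, int, int]] = [
    ("patients.db", 0, 500), ("labs.db", 0, 200), ("imaging.idx", 0, 100),
    ("patients.db", 10, 510),   # edited after the first (full) backup
    ("labs.db", 30, 205),       # edited on day 2
    ("patients.db", 60, 520),   # edited again on day 3
]


def state_at(t: int) -> Dict[str, Tuple[int, int]]:
    """Current (mtime, size) of every file as it stood at hour t."""
    state: Dict[str, Tuple[int, int]] = {}
    for path, mtime, size in CHANGES:   # CHANGES is in time order, so the last entry wins
        if mtime <= t:
            state[path] = (mtime, size)
    return state


def select(state: Dict[str, Tuple[int, int]], kind: str,
           last_full: Optional[int], last_backup: Optional[int]) -> Dict[str, Tuple[int, int]]:
    """Files a backup of `kind` copies, per the definitions on the slides."""
    if kind == "full":
        return dict(state)                                                  # everything, every time
    if kind == "incremental":
        return {p: v for p, v in state.items() if v[0] > last_backup}       # changed since previous backup
    if kind == "differential":
        return {p: v for p, v in state.items() if v[0] > last_full}         # changed since last full
    raise ValueError(f"unknown backup type: {kind}")


def simulate(kind: str, schedule=(0, 24, 48, 72)) -> Tuple[List[int], List[int]]:
    """Run a full backup first, then `kind` at each later time.

    Returns the KB copied per run and the backup times that must be restored, in
    order, to recover the state as of the final run (the restore chain)."""
    sizes: List[int] = []
    chain: List[int] = []
    last_full: Optional[int] = None
    last_backup: Optional[int] = None
    for t in schedule:
        k = "full" if last_full is None else kind
        copied = select(state_at(t), k, last_full, last_backup)
        sizes.append(sum(size for _, size in copied.values()))
        if k == "full":
            last_full, chain = t, [t]
        elif k == "incremental":
            chain.append(t)               # every incremental since the full is needed
        else:
            chain = [last_full, t]        # only the latest differential is needed
        last_backup = t
    return sizes, chain


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        sizes, chain = simulate(kind)
        print(f"{kind:12s} KB per run {sizes}  restore chain {chain}")
```

Incremental runs copy the least data but a restore must replay every set since the full; differential runs grow over the week but a restore needs only two sets.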

Risk Management
risk management
There are six steps in the Risk Management Framework (Soto, 2013).
First, the data stored, handled, and communicated on the information technology network must be categorized, which means determining what impact a compromise of any element of the CIA triad would have (Soto, 2013).
Second, the hospital will establish an initial set of policies for the IT systems; this is where the necessary controls that form the baseline for the information system will be selected (Soto, 2013).

risk management
Third, implement the controls and determine how to use them, while being able to explain the reasoning behind selecting these security controls (Soto, 2013).
The fourth step is to assess the controls: the IT staff must assess the controls that have been implemented to see whether they meet the security requirements (Soto, 2013). Regular audits will be performed to ensure the hospital is compliant with the requirements of The Joint Commission, HIPAA and the Medical College of Georgia.

risk management
The fifth step is the authorization of the IT operation. In this step the data custodian must evaluate the security controls and provide a risk-based decision, which determines whether the security controls mitigate risk sufficiently to allow the systems to process, store, and transfer information (Soto, 2013).
The last step is monitoring the controls on a regular basis against the mission and updating the documents pertaining to those security controls (Soto, 2013).

References
Soto, D. (2019). Intro to the Six Step Risk Management Framework for ICD 503. Retrieved from http://icd503training.org/introduction-to-the-six-step-risk-management-framework-for-icd-503/
Smith, R. (2016). Module 10: Data Backup and Disaster Recovery. Retrieved from UOP.
Whitman, M., & Mattord, H. (2019). Management of information security (6th ed.). Boston, MA: Cengage.

Enterprise Security Concerns
CMGT/430
August 8, 2019

Access control
Security enterprise
Impact of implementing a change management system
Mitigation
Risk management

Access control is a security component that electronically monitors and controls traffic through things like doors, entrances and elevators; it arises from the long-standing need to protect these resources. Access controls function as a gateway that filters who enters a computer system and who does not, through permissions, codes or passwords that effectively identify a user or group of users.

What is access control?
Access control is an automated system that allows, approves, or denies the passage of people or groups of people to restricted areas according to security parameters established by a company, institution, or any other entity.
Types of Access Control:
Autonomous Access Control Systems: systems that control one or more doors without being connected to a PC or a central system; therefore, they do not keep a record of events.
Network Access Control Systems: systems that are integrated through a local or remote PC, where control software keeps track of all operations performed on the system with date, time, authorization, etc. They range from simple applications to very complex and sophisticated systems, as required.

One of the practices that must be consolidated when putting a strong access control strategy in place is the principle of least privilege: users should have only the minimum access needed to perform their function.

Mitigation steps: Access Controls

The crucial point is not to wait for the risks to materialize or allow them to succeed, but to act to build on strengths and take advantage of opportunities, as well as to reduce or mitigate the threats that may appear. For example: it all begins with gaining clarity and control over user access privileges, primarily for very sensitive data or applications. Then effective controls are required, such as periodic access certifications designed to identify and revoke inappropriate access, and an access policy that can block or detect toxic combinations of access rights.

Enterprise Security
Enterprise security is when firms develop methods and strategies for minimizing the risk of unauthorized access to data and information systems.
Enterprise security practices involve the development, institutionalization, evaluation, and improvement of an organization's enterprise risk management (ERM) and security procedures.

Enterprise security, like most disciplines, has evolved to the point that it is now managed as a "management system", composed of a coherent set of principles, policies, objectives, strategies, norms and security procedures, as well as guidelines that allow the systematic and effective administration of the plans and programs whose purpose is to preserve the resources and activities of the company.

Mitigation steps: Security Enterprise

Enterprise security is a company's scheme or procedure for reducing the chance that substantial assets held by the company can be taken or crippled. According to Rouse (n.d.), enterprise security governance is an organization's plan for decreasing the risk of unauthorized access to IT data and systems. Governance of enterprise security involves determining how the various business units, administrators, employees, and personnel should work together to protect the business's digital assets, ensure secure data destruction, and protect the business's public reputation.

Implementing a change management system

All companies usually have two principal expectations about the services provided by IT:
The services should be stable, predictable and safe.
Services should be able to adjust quickly to fit changing business conditions.
The goal of change management (CM) is to allow the administration of IT services to satisfy both expectations, enabling rapid change while lessening the likelihood of service interruption.

Mitigation steps: Implementing a change management system

Before implementing any adjustment, the risks linked to any planned, temporary or permanent change that may influence the achievement of the asset control objectives must be evaluated. The organization must control planned changes and analyze the unforeseen consequences of changes, applying measures to reduce any adverse impacts as required. Successfully implementing a management system requires treating the project as a change that will especially affect the culture of the company. This process of change must be understood as a decisive intervention by management to generate new concepts for the operational patterns of the organization.

Risk Management
Risk management is a high priority in all departments. It includes strategies such as risk knowledge, risk prevention and management, and disaster and emergency management.

Knowing how to manage risks is key to the success of any company. Knowing the nature and profile of the risk is vital to achieving better performance.

Mitigation Steps: Risk Management

The mitigation action for a strong risk management method is to develop a risk management pattern. The principal purpose of generating a risk pattern is to concentrate on the risks. Following these four steps, we will create strong risk management: avoidance, acceptance, reduction/control, and transfer. Within our business's risk management structure, everyone must be informed of the various plans together with the guidelines for their implementation.

how risk management is applied to securing enterprise systems
According to Jeffrey A., Enterprise Security Risk Management is a cyclical, iterative strategy for handling overall security risk across an enterprise by applying established risk management methods.

Applying risk management to securing enterprise systems:
Creates a connection between enterprise goals and risk management
Shared responsibility
Final decisions = business
Security "controls" in partnership with the business
Covers all perspectives and fields of security

Prioritized Concerns
One approach to prioritizing is to understand which vulnerabilities are most likely to be targeted. Understanding the categories of vulnerabilities attackers look for most can help decide which assets demand prioritized patching.

Setting priorities allows organizations to determine objectives and gives the organization a plan to appropriately allocate the resources needed to achieve the expected results.

Concerns with vendor relations from the enterprise security standpoint

Having a strong Vendor Risk Management (VRM) plan in place helps organizations anticipate latent risks rather than merely reacting to adverse circumstances and events after they happen. Businesses are increasingly focusing on establishing VRM, and on meeting growing regulatory requirements, through established practices such as:
Effective vendor selection
Due diligence and oversight
Vendor risk assessment
Vendor management oversight
A formal vendor governance structure

Iterative maintenance efforts including audits and frequency

The iterative model begins with a single implementation of a basic core of the software and iteratively improves the evolving version until the entire system is complete and ready for use. One of the main advantages of this model is that the requirements need not be fully defined at the start of development; they can be refined in each iteration. Like other similar models, it has the advantage of carrying out development in small cycles, which allows risks and deliveries to be managed better.

REFERENCES
Change Management Process. Retrieved from https://www.prosci.com/resources/articles/change-management-process
3 Ways to Mitigate Insider Security Risk. Retrieved from https://www.esecurityplanet.com/network-security/3-ways-to-mitigate-insider-security-risk.html
4 Effective Risk Mitigation Strategies. Retrieved from https://accendoreliability.com/4-effective-risk-mitigation-strategies/
Enterprise Security Risk Management. Retrieved from https://www.mapyourshow.com/mys_shared/asis17/handouts/4304_Slotnick_Worman1
Managing Vendor Risk: A Critical Step toward Compliance. Retrieved from https://www.metricstream.com/insights/5-best-practices-VRM.htm

IT System Connection Table
CMGT/430 v8
Syamasundara Dasshort
8/18/2020
R. Bradley Andrews

Columns: IT System; Target System; Connection Type; Possible Security Vulnerability; Related Risk

IT System: Employee Management System (EMS)
  Target System: Identity Management System
  Connection Type: Database Connection
  Possible Security Vulnerability: Poor authentication methods
  Related Risk: Accounts can be hacked because a single password is all that is required

IT System: Supply chain Systems
  Target System: 1. Supply management chain; 2. Enterprise resource planning
  Connection Type: 1. File; 2. Common networks
  Possible Security Vulnerability: 1. Theft; 2. Hacking
  Related Risk: 1. Distrust in the company; 2. Unable to perform operation reviews; 3. Interruption of the business

IT System: Administration and Management
  Target System: 1. Supply chain information management systems; 2. Information resource planning systems
  Connection Type: 1. Common customer database
  Possible Security Vulnerability: 1. Improper management change
  Related Risk: 1. Can cause management to make wrong decisions; 2. Man-made disruptions

IT System: Accounting system
  Target System: 1. Enterprise resource planning; 2. Supply chain management
  Connection Type: 1. Integrated network; 2. Files
  Possible Security Vulnerability: 1. Attacks from other enterprises
  Related Risk: 1. Fraud; 2. Mismanagement; 3. Supply chain performance

IT System: Data Warehouses
  Target System: Information Management System
  Connection Type: Web communications (https)
  Possible Security Vulnerability: Denial of service or man in the middle
  Related Risk: 1. Unable to access data; 2. Data stolen

IT System: Enterprise information systems
  Target System: 1. Systems information module; 2. Management information system
  Connection Type: 1. Information module
  Possible Security Vulnerability: 1. Unauthorized access to data; 2. Management theft
  Related Risk: 1. Information loss; 2. Data stolen or corrupted

Copyright© 2018 by University of Phoenix. All rights reserved.

