Security objectives

Define/update the "security objectives" for confidentiality, integrity, and availability of information resources, describing the potential harm/security impact that failure to achieve the security objectives would have on operations, functions, image/reputation, or the ability to protect personal information. Briefly describe your cyber security plan recommendations for ABC, including objectives and any action/security plans resulting from your security review.

Education & Security Awareness Training

Conduct appropriate security awareness training for employees. QUESTIONS: Describe your recommendations for providing security information to your client's workforce, including the proper handling of information and how information about relevant policies and laws is distributed. Is training required for access to this system or service? If so, does it include security information, either general or specific to the system/service (e.g. restricted data reminders)? Do you include security information in response to security-related events? More generally, how are people made aware of the resources described above?

Identity and Access Management    

* Control accurate identification of authorized parties and provide authenticated access to and use of network-based services.
* Control access by authentication and authorization mechanisms to ensure that only identifiable individuals with appropriate authorization gain access to specified computing and information resources. QUESTIONS: How is authentication used for access to these systems or services? Does this system or service utilize the name as part of authentication? Is the authentication system local, or is it integrated with something central, e.g. Kerberos or Active Directory? What is the mechanism for handling authorization, e.g., is it technically enforced within the application?

Security Program Processes    

Risk Assessment, Asset Inventory & Classification

* Inventory computing devices (servers, desktop computers, laptops, mobile devices, storage devices, etc.) and the characteristics of the information/data stored on or transmitted from/to those computing devices. Inventory applications and the characteristics of the data stored by or transmitted from/to those applications.
* Classify each computing device and application based on the characteristics of the associated stored data or data transmitted from/to the computing device or application. Are you taking into account all the places where your data may be stored, including desktops, reports, portable devices, etc.? Additionally, is education in place instructing people to minimize storage and transmission of restricted data, such as by deleting, redacting or de-identifying restricted data whenever possible, including from storage devices? Are people aware of electronic discovery and data retention requirements (when it is OK to delete something and when it is not; where authoritative copies live)?

Vulnerability Assessment

* Understand and document the risks in the event of failures that may cause loss of confidentiality, integrity, or availability of information resources.
* Identify the level of security necessary for the protection of information resources. QUESTIONS: What are your gaps in required security controls (based on your assessment)? Identify whether each risk is low, medium or high. Determine cost-effective actions, and document an action plan to address areas of high risk.

[Workforce] Administrative 

* Control how employees and other affiliates are granted access privileges to computing and information resources and how those privileges for individuals are altered or revoked. Review privileged account access. QUESTIONS:
Is there a formal authorization process for obtaining access to systems or data? Who is responsible for granting authorization? Please describe the authorization process. How about for obtaining privileged/admin access at any level, e.g. root access, superuser access, privileged application or database access, etc.? Does the Support Center have a role in account management for your system or service?

Are procedures in place to ensure prompt modification or termination of access or authorization levels in response to user separation or change in role? Including for people with privileged access? Are privileged accounts and individuals with access to these accounts reviewed periodically for appropriateness? Describe the review process, including frequency.  

* Conduct appropriate background checks for personnel handling information classified as "sensitive" or "to be protected." BACKGROUND: ABC HR procedures exist for identifying positions requiring background checks. ABC requires all staff to have background checks as a standard part of the recruitment process.

QUESTIONS: Are required background checks for employees in your organization implemented promptly upon hire or reclassification? Do you know whether other departments do the same for people who have access to your system?   

* Take appropriate personnel/disciplinary action(s) for violations of policy/procedures. BACKGROUND: Organizational procedures exist for reporting violations of law or security policies/procedures.

QUESTIONS: Is management aware of procedures for reporting violations of law or policy/procedures? Are individuals? Does the department have any local procedures in addition to campus procedures? Are violations and responses reported and documented?

Applications Systems Management

* Control application systems development/maintenance through conformance with specifications in local standards, procedures, guidelines, and conventions; conduct application vulnerability assessments as appropriate.   QUESTIONS: Describe the process used to develop/deploy new application(s) from inception (requirements, function, funding), to development (coding standards, application security, authentication/authorization), and deployment (workflow, management approval, alpha/beta testing and pilot, release). How will application development take into account business decisions about how restricted or confidential information should be collected, stored, shared, and managed? How are application vulnerability assessments performed? Is appropriate separation of duties in place? Is data in test, training and development systems protected according to its classification, including storage, transmission, bug reports, and bug reporting systems?  

* Control production application software modification through change management procedures for major systems. BACKGROUND: ABC has adopted a divisional change management process for outage communications and maintenance window guidelines.

QUESTIONS: Explain procedures used to manage and document changes. Include any method in place to provide history of changes. Are change management procedures in place where restricted data is involved and for essential systems? Are changes tested and backout plans developed? Is documentation updated based on changes?  

Risk  Mitigation Measures

Protect resources in the event of emergencies. BACKGROUND: The system or service is in the IT DataCenter; this information is provided by the ABC Core Tech Operations group. The DataCenter has regular data backups and mitigations for infrastructure failures, including power, fire, and flooding.

QUESTIONS: Where is this system or service housed, including backups? If not in the IT DataCenter, or for any portions not in the DataCenter, describe what is in place for the prevention, detection, early warning of, and recovery from emergency conditions. For example, are there locks, is there UPS or generator back-up power, is there fire suppression? Are procedures in place to protect restricted data during emergencies when focus may be elsewhere? Are there regular backups of critical/essential data and are they securely stored in an off-site location?  

Incident Response Planning & Notification Procedures

Maintain incident response and notification processes. BACKGROUND: Does the organization have an implementation plan for the protection of electronic restricted data, and for how data security incidents are to be reported?

QUESTIONS: How will employees become aware of procedures for reporting and responding to potential security incidents? Do additional departmental procedures exist, and if so, are people aware of them?  

Third Party Agreements

Ensure that contracts with external entities include data security language. QUESTIONS: Is additional language, e.g. for HIPAA or PCI, required? If a third party manages a web site for you that collects sensitive data, such as SSN, credit card information, or other PII or restricted data, how will compliance aspects be handled?

Security Controls    

* Control passwords through password management conventions and vulnerability assessment procedures. - [Passwords and other authentication credentials] QUESTIONS: How will the password policy be monitored and enforced by your system or service? Describe any limitations that prevent this and additional mitigations to compensate. How will passwords be tested for strength? Are there any expiration or password aging policies? Will individuals have unique access credentials? How about vendors/contractors?  

* Control access to working sessions through session timeout mechanisms. - [Session protection] QUESTIONS: Is there a session timeout for the application, including for administrators? Are users encouraged to implement screensaver locks at the desktop? Are desktops configured to automatically lock or go to screensaver after a period of inactivity?

* Control privileged account access through defined procedures for providing privileged accounts and reviewing activity under privileged account. - [Privileged access] QUESTIONS: See "[Workforce] Administrative," above for process for obtaining privileged access/accounts. Is privileged access and activity logged? Are logs reviewed periodically? Are they reviewed in response to potential security events? Do individuals have unique access credentials for privileged access?  

Systems and Application Security

* Control systems-level access through review of personnel assignments for appropriate classification, security responsibilities, and separation of duties. BACKGROUND: Centralized systems and applications are supported by ABC employees with IT-related classifications.

QUESTIONS: Do job descriptions for individuals who provide application and system support accurately reflect their duties and access to restricted data or systems? Are individuals who provide IT-related services trained and knowledgeable in these areas of responsibility? Do defined procedures exist for reviewing personnel assignments for appropriate classification, security responsibilities, and separation of duties?  

* Backup systems supporting essential activities; encrypt data where required to secure backup data.  
QUESTIONS: How will system backups containing restricted data be secured? How will data integrity/user functionality be ensured/verified upon recovery or restore? Is a retention and disposition schedule in place for backups?   

* Protect computing and information resources from malicious software (e.g., viruses, worms, Trojans, spyware, etc.). QUESTIONS: How will the system protect against computer viruses and spyware? How is this verified? What about systems not in the DataCenter?

* Maintain currency of operating systems and application systems software. - [Patch Management] QUESTIONS: Describe the patching process, including frequency, whether it is a manual or automatic process, and verification. Is there a testing or backout procedure? What is the process for severe or critical updates?   

Audit Logs

Monitor for attempted/actual unauthorized access through review of access and audit logs. QUESTIONS: Where will audit logs be enabled? What types of activities will be captured in the logs? What procedures are in place to proactively review logs, or is review event-driven, such as in the case of problems or potential security incidents?


Control risk of unauthorized access to "sensitive"/"restricted" data by use of encryption.  QUESTIONS: Describe encryption methods or mitigating controls: Are passwords or other authentication tokens encrypted in transit and in storage? Is restricted data encrypted during transmission, including printing? Is stored restricted data encrypted? How about database tables or columns with restricted data elements? Is restricted data on backups, portable devices and media encrypted or otherwise protected? Are encryption keys secure? Are encryption keys managed to ensure availability of essential data?   

Physical/Environmental Controls

* Control access to facilities by appropriate measures. - [Physical Access Controls]
* Track movement of devices. - [Tracking Reassignment or Movement of Devices & Stock Inventories]
* Remove data before equipment is re-deployed, recycled, or disposed. - [Disposition of Equipment] BACKGROUND: The system or service is in the Data Center; this information is provided by the Core Tech Operations group. Access to the Data Center is regulated by the Data Center Access Policy as well as physical security controls (i.e. locks). Movement of equipment is tracked; the rack inventory is updated as needed and reviewed quarterly. Devices are stored securely pending secure destruction.

QUESTIONS: Where will this system or service be housed, including backups?
  * Describe the physical security controls protecting access to the facility, systems and data, including backups and portable devices.
  * Are facility access policies in place, including procedures to verify the identity of individuals and tracking of entry and exit, including for visitors and guests?
  * Are all critical and restricted systems locked down? 
  * Is there a unit inventory of all computers and storage devices with restricted or critical data, including portable devices (data sticks, CDs, PDAs, etc.) and media? Is there frequent movement of equipment? Is there a check-out/in or tracking system in place?
  * Are procedures in place to ensure secure removal or destruction of data before equipment or electronic media is re-deployed, recycled or disposed?  

* Control physical security of portable media. - [Portable & Media Devices (III.C.3.e)] QUESTIONS: Are portable devices and media used? If so, are procedures in place to ensure their physical security? Are laptop computers locked down? Is restricted data on portable devices and media encrypted? Is there a practice of reviewing and deleting data from portable devices when no longer needed?

* Control access to networked devices. QUESTIONS: How will the system control access to networked devices?

* Protect passwords or other authentication tokens while in transit. QUESTIONS: How will the system protect passwords or authentication tokens in transit?

* Control potential security loopholes for operating system, application software, and firmware code on all devices connected to the network. QUESTIONS: How will the system control potential security loopholes for operating system, application software, and firmware code on all devices connected to the network?

* Protect networked devices against malicious software. - [Malicious Software Protection] QUESTIONS: How will the system protect against malware and other types of malicious software?

* Control the use of networked devices for intended purposes by eliminating unnecessary services from devices. QUESTIONS: How will the system control the use of networked devices for intended purposes by eliminating unnecessary services from devices?

* Control network communications to/from networked devices through host-based firewall software, as available. QUESTIONS: How and where will host-based firewalls be used? What about network firewalls and Intrusion Detection System/Intrusion Prevention System?  

* Prevent networked devices from becoming unauthorized email relays.  QUESTIONS: How will the system secure devices from becoming unauthorized email relays? How will they be configured?  

* Control access to network proxy servers through authentication. QUESTIONS: Does the organization run any network proxy servers? Is access controlled through authentication?

Special Categories of Data    

HIPAA Security Rule / Practices for HIPAA Security Rule Compliance

Since ePHI is present, how will organizational resources be ensured to comply with HIPAA and SOX security requirements? How will the compliance practices be monitored?

Payment Card Industry Data Security Standard (PCI DSS)

How will credit card information be stored, processed or transmitted so as to ensure compliance with PCI? (e.g. ensure that the credit card environment is PCI compliant)

You are to answer each of the five questions and to complete the Cyber Security Action Plan template based on best practices and your understanding of the case.


Healthcare companies, like ABC Healthcare, that operate as for-profit entities, are facing a multitude of challenges. The regulatory environment is becoming more restrictive, viruses and worms are growing more pervasive and damaging, and ABC Healthcare’s stakeholders are demanding more flexible access to their systems.

The healthcare industry is experiencing significant regulatory pressures that mandate prudent information security and systems management practices. Furthermore, the continued pressure to reduce cost requires that management focus on streamlining operations, reducing management overhead and minimizing human intervention. The regulatory focus at ABC Healthcare is on the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). Both pieces of legislation highlight the need for good systems administration and controls, but focus on different aspects of the business. The main focus of HIPAA is to protect personally identifiable health information, while SOX is concerned with data that impacts financial reporting. Violations may be met with both civil and criminal penalties. Therefore, the company must be ever watchful of new threats to their systems, data, and business operations.

The most prevalent security-related threat to ongoing business operations is the continued development and propagation of viruses and worms. Virus and worm prevention or containment is a vital component of the overall risk mitigation strategy. Virus and worm outbreaks have multiple cost aspects for the company, including lost patient charges due to system unavailability, lost productivity because of recovery efforts following infection, and potential regulatory impacts depending on the virus or worm payload. However, the company must balance risk with opportunities in order to serve the stakeholders and grow the business.

ABC Healthcare’s stakeholders include multiple groups that depend on or need access to clinical and/or financial systems in order to help support and grow the company. The access requirements and associated risk model vary by user group. The main access groups are internal-only users (i.e. nurses, hourly employees, etc.), internal/remote users (i.e. salaried employees, doctors, etc.), and business partners (i.e. collection agencies, banks, etc.). Risk mitigation solutions must be developed for each user group to help ensure that the company recognizes the benefit that each group brings and to minimize the risk to business operations.

The high-level management goals of the network design implementation are as follows:

Support the business and balance security requirements without introducing significant overhead and complexity;

Maintain and enhance security without significantly increasing management overhead or complexity;

Implement systems that are industry supported (standards where appropriate), scalable, and fault-tolerant;

Ensure that the design is implemented to help ensure compliance with any and all applicable regulations;

Proper management of access control for legitimate users and malicious users is of the utmost importance for the security of the ABC Healthcare management system. The threat is not limited to outside malicious users but also legitimate users engaged in illegitimate activity.

Based on the above description you are to provide a recommendation of how you would address each of the following ABC Healthcare’s computer network security requirements. Note, whereas cost is typically an important factor, this is not a consideration for this case analysis. Therefore, you do not need to include cost estimates. Your solution should have the “right feel”, despite the lack of depth or details necessary to be accepted by upper management.  Be specific in your answers.  Write them as if you were writing a proposal to your boss.  Since you are developing a solution to a specific circumstance, material that is copied from an outside source will not likely fit so everything should be in your own words. 

Describe your technical recommendation for addressing the security requirements in the overall technical design of the ABC Healthcare network. This should include both internal and external (untrusted and trusted) aspects. Untrusted would include user connectivity to the Internet. The “trusted” network has the main purpose of supporting the business functions of known entities (i.e. partners, suppliers, etc.) which have a business relationship with the company. Note that you are to concentrate on the physical and logical level, including the type of hardware and software; however, you are not expected to provide specific low-level details in terms of equipment suppliers or model numbers, etc. for your recommended design.

Discuss the way you will address requirements for system monitoring, logging, auditing, including complying with any legal regulations. 

Describe how the system will identify and authenticate all the users who attempt to access ABC Healthcare information resources.  

Discuss how the system shall recover from attacks, failures, and accidents. 

Discuss how the system will address User Account Management and related security improvements. 

Complete the Cyber Security Action Plan template (EXCEL ATTACHMENT)