Risk Management

By Mary Collera

This plan covers creating a risk management plan and understanding the concept of controls in the risk mitigation process, including how controls are used to implement the identification, protection, detection, response and recovery functions around attacks. Below is an example for a startup in the healthcare industry.

First Target Selection (Identify)

A. Target selection: Startup Healthcare

B. Assets: Super admin, Admin User, team member user, patient user, computer, CRM software.

C. Potential threats to assets:

Spoofing =

·  When an attacker pretends to be a patient and asks for permission to look into a patient's data that does not belong to them.

·  When an attacker pretends to be a practitioner and asks for a patient's credit card information to enter into "their system", only to steal that information.

Tampering =

·  Changing a patient's billing cycle so that they are charged more often than they opted in to.

·  Charging one patient more than everyone else for the same service.

Repudiation =

·  Claiming that a card was not charged by the company when in fact it was charged.

·  Claiming that a patient signed a release form when the patient did not.

Information Disclosure =

·  Giving a patient's data to social media when the patient did not consent through a release-of-information form.

·  A practitioner accidentally telling one patient about the previous patient they saw and what illnesses that patient had.

Denial of Service =

·  When a patient opts in to a lower tier of membership but is bumped up to pay more without being notified.

·  Practitioners being unable to access their notes because of poor performance.

Elevation of Privilege =

·  Patients having access to other patients’ data.

·  Employees having access to company financial information.


Next comes the scoring system. Risk equals likelihood times impact. 


Score of Super admin: 1.0 X 100 = 100

Score of Admin User: 1.0 X 90 = 90

Score of team member user: 0.1 X 50 = 5

Score of patient user: 0.1 X 10 = 1

Score of main computer: 1.0 X 1 = 1

Score of CRM software: 1.0 X 100 = 100 

Risk Register
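As an added example (not part of the original plan), the scores above can be compiled into a ranked register that also rejects values outside the plan's scales. The likelihood and impact values are the plan's own; the mapping of STRIDE categories to each asset and the priority thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
# The six STRIDE categories used in the threat list above.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

@dataclass(frozen=True)
class RiskEntry:
    asset: str
    likelihood: float  # probability the threat is realised, in [0, 1]
    impact: int        # severity if it is realised, in [1, 100]
    threats: tuple     # STRIDE categories that apply to this asset

    def __post_init__(self):
        # Reject inputs that fall outside the scale the plan uses.
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.asset}: likelihood must be in [0, 1]")
        if not 1 <= self.impact <= 100:
            raise ValueError(f"{self.asset}: impact must be in [1, 100]")
        if unknown := set(self.threats) - set(STRIDE):
            raise ValueError(f"{self.asset}: unknown STRIDE categories {unknown}")

    @property
    def score(self) -> float:
        return self.likelihood * self.impact  # risk = likelihood x impact

def priority(score: float) -> str:
    """Treatment tier for a score; the thresholds are an assumption."""
    if score >= 50:
        return "critical"
    if score >= 10:
        return "high"
    return "low"

def build_register(entries):
    """Rows of (asset, score, tier, threats), highest risk first, ties by name."""
    rows = [(e.asset, e.score, priority(e.score), e.threats) for e in entries]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Likelihood and impact values are the plan's own; the STRIDE mapping is assumed.
ASSETS = [
    RiskEntry("Super admin", 1.0, 100, ("Spoofing", "Elevation of Privilege")),
    RiskEntry("Admin User", 1.0, 90, ("Spoofing", "Elevation of Privilege")),
    RiskEntry("team member user", 0.1, 50, ("Information Disclosure",)),
    RiskEntry("patient user", 0.1, 10, ("Spoofing", "Denial of Service")),
    RiskEntry("main computer", 1.0, 1, ("Tampering",)),
    RiskEntry("CRM software", 1.0, 100, ("Tampering", "Repudiation")),
]
if __name__ == "__main__":
    for asset, score, tier, threats in build_register(ASSETS):
        print(f"{asset:17} {score:6.1f} {tier:9} {', '.join(threats)}")
```

Running it prints the register with CRM software and Super admin tied at the top, which is why both land in the same treatment tier.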

Controls

Protect:

Physical Assets Protection Implementation - Physical assets are protected by limiting access through access control and by monitoring, with constant response to any security incidents.

Cyber Assets Protection Implementation - Cyber assets are protected through identity management, granting access based on user credentials and endpoint authorizations. In addition, access is authenticated to make sure the identity is proven.

Employee Training Program Implementation - Employees who have privileged user access based on their job role should be trained through a security program. Individuals with certain privileges are trained on the risks they are exposed to and are kept under constant monitoring, with frequent security updates going to users in high-privilege roles.

Detect:

Using detection programs or monitoring logs is a way to know if someone is attempting to change any of the devices or systems in the facility.

Systems such as sensor devices, cameras and security guards are implemented to identify occurrences of physical security breaches.

Systems such as network activity monitoring software are ways to identify occurrences of cybersecurity breaches.


Respond:

Responding to anomalies and events means containing the anomaly, understanding what it is and recovering from it; these are the systems you would implement.

When a facility breach has occurred, the response plan is to contain the breached facility, assess the impact, notify executives and start the recovery measures.

When a cybersecurity breach has occurred at the facility, the response plan is to isolate the affected systems, investigate the breach, notify the executives and start backup measures.

Recover:

The steps taken to recover from actions intended to access, disable, degrade or destroy assets are to first start the recovery plan, then handle the incident through log analysis. Afterwards, track the logs and start the data recovery.

For physical security breaches, the recovery plan restores the physical security controls, assesses the damage the breach caused to the assets, replaces assets where necessary and takes immediate action to revise security.

A recovery plan for cybersecurity breaches includes restoring the affected areas of the facility, analyzing the damage and starting backup restoration procedures.
