Create a 9- to 11-slide, media-rich presentation in Microsoft® PowerPoint® for the organization you chose in Week 1

Create a 9- to 11-slide, media-rich presentation in Microsoft® PowerPoint® for the organization you chose in Week 1, and ensure you provide:

Descriptions of at least 3 roles employed in the organization you chose in Week 1
Descriptions of at least 3 common attacks against access control methods, including the password policy vulnerability as described in the vulnerability report
Countermeasures to reduce vulnerabilities and mitigate potential attacks on access control methods

Note: A media-rich presentation should include multimedia such as graphics, pictures, video clips, or audio.

Format your citations according to APA guidelines.


Security Vulnerability Report

The Security Vulnerability Report below details security issues discovered during an internal assessment review. The vulnerabilities outlined require immediate attention and must be addressed to prevent exposure or loss of confidential business data and patient data.

Vulnerabilities Identified

Vulnerability                               Threat Level   Description                                                Potential Impact
Lack of Password Policy                     High           Single-factor authentication that permits weak passwords   Passwords may be guessed or cracked and accounts compromised
Lack of Software Configuration Management   Medium         Different configurations allowed across servers            Changes to servers could inadvertently cause denial of service
Lack of Incident Response Plan              High           No incident response policy exists                         Attacks may not be responded to properly, exposing the organization to further risk


Incident Response Plan Recommendations

An Incident Response Plan documents the procedures associates follow to respond properly to an incident. The risk of data loss or corruption is higher when an employee has no devised procedure to follow and improvises instead. Operating without an Incident Response Plan puts DuPage Medical Group at risk of litigation, fines, and additional financial loss. Mitigation of an incident has a far higher success rate when a plan has been instituted and the staff who will execute it have been trained on it.

Should a breach occur, the loss or corruption of PII, financial data, company proprietary data, or information that gives our business a competitive advantage would cost us patient trust and investor confidence. Government mandates require our business to protect patient information, both financial and personal health information. Any deviation from proper procedure could invite further government scrutiny if it is shown that we lack a policy or are unable to follow the policy we have established.

An Incident Response Plan should be developed and documented with input from all department leads. Once complete, it should be reviewed with leadership and, once approved, formally signed off by all involved parties.

Password Policy

Weak passwords are a major security risk. Several associates have access to customer, employee, and contractor records, and finance and marketing have access to confidential data that would put our business at a disadvantage if competitors obtained it. Proper precautions need to be developed to protect this data from unauthorized access. Bad actors can crack common passwords with little effort: brute force, guessing, and dictionary attacks recover short or commonly used passwords quickly, and phishing captures even a strong password directly from the user, which is why single-factor authentication alone leaves these accounts exposed.

A formal Password Policy needs to be developed by information security. The policy will detail the minimum length, strength requirements (including screening new passwords against lists of common or previously breached passwords), and the conditions under which a password must be changed. Because the underlying weakness is single-factor authentication, the policy should also set out where multi-factor authentication is required. Once the policy is developed, it will be presented to leadership for formal sign-off and implementation.
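As an added example (not part of the report and not DuPage Medical Group's own code), the following Python shows the two sides of the password problem described in this section: a policy check of the kind the report asks information security to define, and an offline dictionary attack against a salted PBKDF2 hash that recovers a short, common password even though it satisfies old-style complexity rules. The wordlist, account names, passwords and the fixed salt are all constructed for the demo.

```python
"""Added example (not the report's own material): a password-policy check and
a dictionary attack against a stored hash. Wordlist, accounts, passwords and
the fixed salt used in the demo are all constructed."""
from __future__ import annotations

import hashlib
import secrets

# Constructed stand-in for a real common/breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "summer2020",
                    "medical123", "letmein", "qwerty123"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000


def check_password(username: str, password: str) -> list[str]:
    """Return every policy violation found; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A per-user salt means an attacker must
    repeat the whole wordlist for every account instead of once for all."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def dictionary_attack(salt: bytes, digest: bytes, wordlist) -> str | None:
    """Offline attack: hash each wordlist entry plus the mangling rules users
    apply to satisfy complexity checks, and compare with the stored digest."""
    for word in sorted(wordlist):
        for candidate in (word, word.capitalize(), word + "!", word.capitalize() + "!"):
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
            if secrets.compare_digest(guess, digest):
                return candidate
    return None


if __name__ == "__main__":
    salt, digest = hash_password("Welcome1!")
    print("policy violations:", check_password("jdoe", "Welcome1!"))
    print("recovered by dictionary attack:", dictionary_attack(salt, digest, COMMON_PASSWORDS))
    print("policy violations:", check_password("jdoe", "correct-horse-battery-staple"))
```

Note that "Welcome1!" passes the naive exact-match denylist (only "welcome1" is listed) and still falls to the attack, because attackers apply the same capitalisation and suffix rules users do; a real denylist check should normalise such variants, and a slow salted hash only buys time, it does not rescue a password that is on the list.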

Software Configuration Management

Proper patch management processes are necessary to maintain the confidentiality, integrity, and availability of the data on our servers. If patches are not carefully reviewed before release into our environment, we risk compatibility issues, conflicts, or exposing our data through a misconfigured server. Patching should also be done in stages so that data remains available while servers are being patched: one half of the servers stays in production while the other half is taken out of production and patched. Once that half has been patched and verified, it is returned to production and the remaining half moves into the patching stage.

A proper patch management policy needs to be developed by the team that implements the patches. The policy should include a timeline for reviewing the patch notes, checking compatibility, and testing. A uniform rollout, including a change management process, must be established so that each change is reviewed before adoption and applied consistently across all servers going forward.
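As an added example (not part of the report and not DuPage Medical Group's own tooling), the following Python models the staged rollout described above, with the pool split into halves so one half is always in production, and adds the check that makes configuration management enforceable: each server is returned to service only if its configuration fingerprint matches the baseline approved through change management, so a server that has drifted from the uniform configuration is held out rather than silently put back. Host names, settings and the patch step are constructed for the demo.

```python
"""Added example (not the report's own material): a rolling patch run with the
pool split into halves so one half is always in production, plus a
configuration-baseline check so a drifted server is not returned to service.
Host names, settings and the patch step are constructed for the demo."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    config: dict[str, str]
    in_production: bool = True


def config_fingerprint(config: dict[str, str]) -> str:
    """Hash of the canonical JSON form; equal fingerprints mean identical config."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def split_pool(servers: list[Server]) -> tuple[list[Server], list[Server]]:
    """Two halves that are patched one after the other, never together."""
    half = (len(servers) + 1) // 2
    return servers[:half], servers[half:]


def rolling_patch(servers: list[Server], apply_patch, baseline: str) -> dict:
    """Take one half out of production, patch it, and return each server only
    if its configuration now matches the approved baseline fingerprint.
    Anything else is reported as drift and left out of production."""
    report = {"patched": [], "drifted": [], "min_available": len(servers)}
    for wave in split_pool(servers):
        for server in wave:
            server.in_production = False
        available = sum(s.in_production for s in servers)
        report["min_available"] = min(report["min_available"], available)
        for server in wave:
            apply_patch(server)
            if config_fingerprint(server.config) == baseline:
                server.in_production = True
                report["patched"].append(server.name)
            else:
                report["drifted"].append(server.name)
    return report


# Constructed approved post-patch configuration from the change record.
APPROVED_CONFIG = {"patch_level": "2024-06", "tls_min_version": "1.2", "ssh_password_auth": "no"}
BASELINE = config_fingerprint(APPROVED_CONFIG)


def build_demo_pool() -> list[Server]:
    pool = [Server(f"app{i}", {"patch_level": "2024-05", "tls_min_version": "1.2",
                               "ssh_password_auth": "no"}) for i in range(1, 5)]
    pool[2].config["ssh_password_auth"] = "yes"   # app3: an unapproved hand edit
    return pool


def demo_apply_patch(server: Server) -> None:
    server.config["patch_level"] = "2024-06"     # the patch only bumps this key


if __name__ == "__main__":
    print(rolling_patch(build_demo_pool(), demo_apply_patch, BASELINE))
```

In the demo, app3 carries a hand-made change that the patch does not touch, so it never matches the baseline and stays out of production for follow-up; at no point do fewer than half the servers serve traffic. In practice the fingerprint would be taken over the actual configuration files or package manifest collected from each host.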

References

Chapple, M., Stewart, J. M., & Gibson, D. (2018). CISSP Certified Information Systems Security Professional study guide (8th ed.). Wiley.

EC-Council. (2016). Certified Network Defender. EC-Council.

Keller, G. (2020, December 9). 5 password policies to up your security. DevOps.com. https://devops.com/5-password-policies-to-up-your-security/

Bowen, P., Hash, J., & Wilson, M. (2006). Information security handbook: A guide for managers (NIST Special Publication 800-100). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf
