Mystar Hospice Risk Mgmt Plan

Scope Statement

This agreement between Stronghold Securities and Mystery Hospice Care represents a common understanding of the project for the purpose of calculating telecommunication upgrades, new network hardware and software upgrades and executions. This also includes the implementation of security measures and programs for managers, network administrators, and security managers. A security program must be implemented to secure the integrity of the network, company interests, and peace of mind for current and future stakeholders.

Background

Right now, Mystery Hospice Care has old technology as the basis of its network infrastructure. The company has been doing okay so far, but with the desire to upgrade and obtain more clientele, the current network infrastructure can easily become compromised from outside attackers as well as from those within.

Description

Briefly document components of the Security policy, and list server controls.

Operational Security

Describe the state of operational security at the client organization.

Vulnerabilities

Listed below are the application security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

There is no standard for security management

Explanation: A security standard is a document that defines and describes the process of security management for an organization.

Risk: Without a guideline for security practices, those responsible for security may not apply adequate controls consistently throughout Mystery Hospice Care.

Recommendations:
- Evaluate existing security standards such as ISO 17799.
- Modify an existing standard for use within Mystery Hospice Care.
- Inform and train personnel on use of the standard.
- Audit information systems and procedures to ensure compliance.

Threats

There are many types of computer incidents that may require Incident Response Team activation. Some examples include:
- Breach of personal information
- Denial of service/Distributed denial of service
- Excessive port scans
- Firewall breach
- Virus outbreak

Physical Security

Specifically, list the building, security perimeter, and server room vulnerabilities.

Vulnerabilities

Listed below are the physical security vulnerabilities discovered during the assessment. Steps should be taken to address them. The list is divided into vulnerabilities that relate to the building, the security perimeter, and the server rooms. The building group contains vulnerabilities within the Mystery Hospice Care office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room vulnerabilities are specific to rooms containing server equipment.

Building Vulnerabilities

Several key doors within the building are unlocked or can be forced open

There are several important doors in the interior office area that are normally unlocked or can be forced open even when locked. The door to the utility room is a hollow core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box. The room containing the modem pool is normally open and unlocked. The system administrator's office, which contains the office file and web server, is usually unlocked and open.

Risk: We must first identify the risks defined at any stage of the project life cycle. Stronghold Securities evaluates identified risks and outlines mitigation actions. A risk management plan should be periodically updated and expanded throughout the life cycle of the project or life of the company. These doors protect valuable assets of Mystery Hospice Care. A determined attacker, thief, or disgruntled employee could get through these important doors with minimal effort to steal and/or destroy.

Recommendations:
- Replace current doors with stronger fire doors.
- Replace existing door hardware with high security locks.
- Weld exterior hinge pins in place.

Security Perimeter Vulnerabilities

There is no entryway access control system

An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN number or access card. These systems have either a control panel where a correct PIN number must be entered before entry is allowed or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

Risk: There are several risks in not having an entryway access control system.
- Unauthorized people can enter secure areas unescorted.
- There is no record of personnel entries into secure areas.
- It is not possible to disable access for a specific person.

Recommendations:
- Evaluate available and suitable entryway access systems.
- Develop appropriate procedures for assigning and removing access.
- Install an appropriate system and assign access rights.

Policy

A documented set of Policies and Procedures for Mystery Hospice Care must be in place and agreed upon in writing by all current and future employees. Any violation of these policies will result in disciplinary action.

Approach

In this section, we plan to hold meetings for current management personnel to address potential vulnerabilities and risks to the network infrastructure. These meetings will include identification, analysis, planning, tracking, control, communications, and threats.

Server Controls

- Access Controls: Uses user rights and authentication to gain proper access to the network.
- Server Access: Gives or hides control access based on the user logged in.

- Drive Encryption: Ensures files remain secure even if drives are stolen or discarded improperly.
- Physical Security: If an intruder is able to gain physical access to the server, then the network is at risk of having machines physically walk out of the door.
- Anti-Virus Software: Updated virus signatures protect data from being corrupted by new viruses.
- Deleting or Disabling Unnecessary Software: No software should exist on the servers unless it is being used by company personnel for business purposes.