Security Audits Task 3 - Programming
Task 3 rubric is attached. It wouldn't let me copy and paste this time, so I attached all the requirements.
task_3_healthy_body_wellness_center_risk_assessment.pdf
task_3_question_sets.docx
task3.docx
Unformatted Attachment Preview
HEALTHY BODY WELLNESS CENTER, OFFICE OF GRANTS GIVEAWAY
HEALTHY BODY WELLNESS CENTER
OFFICE OF GRANTS GIVEAWAY
SMALL HOSPITAL GRANTS TRACKING SYSTEM
INITIAL RISK ASSESSMENT
PREPARED BY:
WE TEST EVERYTHING LLC
Jerry L. Davis, CISSP, Sr. Analyst
EXECUTIVE SUMMARY
1. INTRODUCTION
   Background
   Purpose
   Scope
   Report Organization
2. RISK ASSESSMENT APPROACH
   2.1 Step 1: Define System Boundary
   2.2 Step 2: Gather Information
       2.2.1 Interviews
       2.2.2 Site Visit
       2.2.3 Documentation
       2.2.4 Network Scanning
   2.3 Step 3: Conduct Risk Assessment
       2.3.1 Impact
       2.3.2 Likelihood
       2.3.3 Risk
3. SYSTEM CHARACTERIZATION
   System Overview
   System Interfaces
   Data
   System and Data Criticality and Sensitivity
       3.4.1 Criticality
       3.4.2 Sensitivity
           3.4.2.1 Confidentiality
           3.4.2.2 Integrity
           3.4.2.3 Availability
   Users
4. THREAT STATEMENT
   Threat Sources
   Threat Actions
5. FINDINGS
   Management Security
   Operational Security
   Technical Security
APPENDIX A. RISK ASSESSMENT MATRIX
APPENDIX B. ACRONYMS
APPENDIX C. SAMPLE BASELINE SECURITY REQUIREMENTS
Executive Summary
The mission of the Healthy Body Wellness Center’s (HBWC) Office of Grants Giveaway (OGG)
is to promote improvements in the quality and usefulness of medical grants through federally
supported research, evaluation, and sharing of information. The OGG distributes a variety of
medical grants, but the majority of grants are disbursed to small hospitals. As a result, the OGG
contracted We Automate Anything (WAA) to design and implement the Small Hospital Grant
Tracking System (SHGTS).
The SHGTS is used to assist in the assignment and tracking of small hospital grants. The OGG
assigns a particular grant to one hospital for one month and then the unused grant funds are
rotated to another hospital for another month. The database tracks the initial delivery of the grant
funds and its pertinent information, and then follows the grant through five hospital facilities.
Only executive office staff can assign grant funds, but all grant users must complete their grant
evaluations in the database. A weekly grant status report is prepared for the executive officer.
Each month, the grant assignor is briefed on the grant status with reports generated from the
database.
During the inception of the SHGTS, the Technical Review Board (TRB) and Configuration
Control Review Board (CCRB) did not review the SHGTS because these boards did not yet
exist. The SHGTS has never had a risk assessment or an OMB Circular No. A-130 review. As a
result, the OGG contracted We Test Everything (WTE) to perform a risk assessment of the
SHGTS.
To identify the potential threats and vulnerabilities associated with the SHGTS, WTE gathered
information through the following techniques:
Document review
Onsite visits to the SHGTS computer room
Interviews with designated OGG management and technical personnel
Network scanning using an automated tool
This report documents risk assessment activities in the following security domain areas:
Management Security
Operational Security
Technical Security
A total of eight observations were made in the areas of management, operational, and technical
security. Table ES-1 presents these observations, providing observation numbers and
descriptions, as well as associated risk levels. The risk associated with each observation is
described as high, medium, or low, as defined below. The risk level represents the degree or
level of risk to which the OGG assets and resources may be exposed.
High Risk: A threat is at least moderately likely to exploit the identified vulnerability,
and such exploitation is likely to severely and adversely affect SHGTS tangible and
intangible resources. This level of risk indicates a strong need for corrective measures
and actions, and a plan must be developed to incorporate these actions within a
reasonable period of time.
Medium Risk: The exploitation of the identified vulnerability by a threat is possible, and
such exploitation is likely to affect the OGG significantly. This exploitation would
include the loss of some tangible assets or resources, which could impede the SHGTS
mission, reputation, or interest. This level of risk indicates corrective actions are needed
and a plan must be developed to incorporate these actions within a reasonable period of
time.
Low Risk: The identified weaknesses may be subject to exploitation by a threat, but the
probability of exploitation is low, and the impact on the OGG would be minor. This level
of risk indicates that OGG management should be cautioned and corrective measures
applied where required.
The findings section of this report analyzes each observation in detail. Appendix A summarizes
the observations and presents the observation number and description as well as the potential
threats, potential impacts, associated level, and countermeasures for each observation.
Table ES-1 (columns: Observation Number, Observation Description, Risk Level)

Management Security
M1  The accounts of SHGTS users who no longer require access may not be deleted immediately from the system.  Medium

Operational Security
O1  A system security plan (SSP) has not been developed for the SHGTS.  Medium
O2  A disaster recovery plan (DRP) has not been developed for the SHGTS.  Medium
O3  There are no sign-in logs for visitors accessing the computer room.  Medium

Technical Security
T1  Passwords on the grants server are not required to be changed at least every ninety days.  Low
T2  There is no limit to the number of invalid access attempts that may occur for a given user.  Medium
T3  Null session login may be possible.  Low
T4  Remote registry access is not restricted to administrators.  High
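Added worked example (not part of the WTE report or of the SHGTS documentation): the conditions behind T1, T2 and T3 are all recorded in the security template that `secedit /export /cfg <file>` writes on a Windows host, so an assessor can check them offline from that export instead of clicking through the policy console. The Python below parses such a template and flags the three conditions. The template text is constructed for this example and is not an export from the JINX server; the 90-day and lockout thresholds are parameters, not values taken from the report. T4 (remote registry access) is deliberately not covered, because it depends on the permissions set on the winreg registry key rather than on the template sections used here.

```python
"""Check a `secedit /export /cfg <file>` security template for the conditions
behind observations T1 (password aging), T2 (account lockout) and T3 (null
sessions).  Added example; the sample template is constructed and is not an
export from the JINX server."""

# Constructed sample of a secedit export with the three weak settings the
# assessment reports.  MaximumPasswordAge = -1 means "never expires",
# LockoutBadCount = 0 means no lockout, and a [Registry Values] entry has the
# form  <path>=<type>,<data>  where type 4 is REG_DWORD; RestrictAnonymous=4,0
# leaves null sessions at their permissive default.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same template with the three settings corrected: 90-day aging, lockout
# after 5 bad attempts, RestrictAnonymous=1.
HARDENED_INF = (SAMPLE_INF
                .replace("MaximumPasswordAge = -1", "MaximumPasswordAge = 90")
                .replace("LockoutBadCount = 0", "LockoutBadCount = 5")
                .replace("RestrictAnonymous=4,0", "RestrictAnonymous=4,1"))

RESTRICT_ANONYMOUS = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"


def parse_inf(text):
    """Parse the INI-like template into {section: {key: value}}.
    Keys stay case-sensitive; [Registry Values] keys are full registry paths."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reg_dword(sections, path):
    """Return the REG_DWORD data of a [Registry Values] entry, or None if the
    entry is absent or not a DWORD (secedit writes  path=type,data)."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    reg_type, _, data = raw.partition(",")
    return int(data) if reg_type.strip() == "4" else None


def check_baseline(text, max_password_age_days=90, lockout_threshold=1):
    """Return [(observation id, detail), ...] for each baseline item that fails.
    The thresholds are parameters of this example, not values from the report."""
    sections = parse_inf(text)
    access = sections.get("System Access", {})
    findings = []

    # T1: password aging.  -1 (never expires) or anything over the limit fails.
    max_age = int(access.get("MaximumPasswordAge", "-1"))
    if max_age < 1 or max_age > max_password_age_days:
        findings.append(("T1", f"MaximumPasswordAge={max_age}; "
                               f"required 1..{max_password_age_days} days"))

    # T2: invalid-attempt limit.  LockoutBadCount=0 disables lockout entirely.
    bad_count = int(access.get("LockoutBadCount", "0"))
    if bad_count < lockout_threshold:
        findings.append(("T2", f"LockoutBadCount={bad_count}; no account lockout"))

    # T3: null sessions.  RestrictAnonymous=0 (or unset) lets an unauthenticated
    # IPC$ connection enumerate accounts and shares.  On Windows Server 2003 and
    # later RestrictAnonymousSAM and EveryoneIncludesAnonymous also matter; only
    # RestrictAnonymous is checked here.
    restrict = reg_dword(sections, RESTRICT_ANONYMOUS)
    if not restrict:
        findings.append(("T3", f"RestrictAnonymous={restrict}; "
                               "null sessions not restricted"))

    return findings


if __name__ == "__main__":
    for label, inf in (("as found", SAMPLE_INF), ("hardened", HARDENED_INF)):
        print(f"{label}: {check_baseline(inf) or 'no findings'}")
```

Run as a script it reports T1, T2 and T3 for the as-found sample and nothing for the hardened one. Against a real export, read the file with encoding 'utf-16' (secedit writes the template as UTF-16) and pass the text to check_baseline; the observation ids returned map directly onto the rows of Table ES-1.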
1. INTRODUCTION
Background
The mission of the Healthy Body Wellness Center’s (HBWC) Office of Grants Giveaway (OGG)
is to promote improvements in the quality and usefulness of hospital grants through federally
supported research, evaluation, and sharing of information. The OGG distributes a variety of
medical grants, but the majority of grants are disbursed to small hospitals. As a result, the OGG
contracted We Automate Anything (WAA) to design and implement the Small Hospital Grant
Tracking System (SHGTS).
The SHGTS is used to assist in the assignment and tracking of small hospital grants. The OGG
assigns a particular grant to one hospital for one month and then the unused grant funds are
rotated to another hospital for another month. The database tracks the initial delivery of the grant
funds and its pertinent information, and then follows the grant through five hospital facilities.
Only executive office staff can assign grant funds, but all grant users must complete their grant
evaluations in the database. A weekly grant status report is prepared for the executive officer.
Each month, the grant assignor is briefed on the grant status with reports generated from the
database.
During the inception of the SHGTS, the Technical Review Board (TRB) and Configuration
Control Review Board (CCRB) did not review the SHGTS because the boards did not exist. The
SHGTS has never had a risk assessment or an OMB Circular No. A-130 review. As a result, the
OGG contracted We Test Everything (WTE), under Contract No. ABCD12-34-E00567, Task
Order # TO111111, to perform a risk assessment of the SHGTS.
Purpose
The purpose of this report is to provide the HBWC and OGG management with an assessment of
the adequacy of the management, technical, and operational security controls used to protect the
confidentiality, integrity, availability, and accountability of the SHGTS. This risk assessment
report identifies threats and vulnerabilities applicable to the SHGTS; the impact associated with
these threats and vulnerabilities; the likelihood that a vulnerability will be exploited;
countermeasures in place to mitigate the risk; and the existence of any residual risk.
This report documents the risk assessment activities that WTE performed during a two-and-a-half week period and is intended to help OGG management understand the security posture of the SHGTS
and its risk exposure. The risk assessment is part of the OGG's continuing effort to ensure
compliance with federal policies and guidance as well as the HBWC's IT security policy.
Scope
This risk assessment is limited to the SHGTS (a Microsoft Access database), its host general support
system (GSS) (JINX server EOC3FPR02\Groups\SSR), and the remote access server (RAS).
The servers are housed in room 1234 at the HBWC's executive office facility. OGG staff
access the SHGTS from their workstations in room 5678. The risks were evaluated in the
following security domains:
Managerial
Technical
Operational
Site visits at HBWC headquarters were restricted to room 1234, where the JINX server and the
RAS are located, and OGG offices in 5678. To observe remote access capability, the homes of
two users were visited to review the dial-up networking and virtual private networking (VPN)
process.
Report Organization
This document is divided into five sections. Section 1 is the introduction. The remainder of the
document consists of the following sections:
Section 2 provides a description of the risk assessment methodology used by WTE.
Section 3 describes the characteristics of the SHGTS including the hardware, software,
connectivity, data, and system users.
Section 4 contains the threat statement including threat categories, threat agents, and actions.
Section 5 provides an analysis of the findings in the management, technical, and operational
security domains.
Additionally, the document contains three appendixes: Appendix A contains the Risk
Assessment Matrix, Appendix B lists the acronyms and abbreviations used throughout the
report, and Appendix C provides the sample baseline security requirements (BLSR)
checklist.
2. RISK ASSESSMENT APPROACH
Risk was evaluated qualitatively, meaning that numerical values were not assigned. Instead a
rating of high, medium, or low was provided. The WTE risk assessment methodology involved
three major steps that are described below.
Step 1 – Determine System Boundary
Step 2 – Gather Information
Step 3 – Conduct Risk Assessment.
The methodology used to perform the risk assessment for the SHGTS was developed by WTE
with reference to the guidelines found in the following publications:
Federal Information Processing Standards (FIPS) Publication (PUB) 65: Guidelines for
Automated Data Processing Risk Analysis
National Institute of Standards and Technology (NIST) Special Publication 800-30: Risk
Management Guide for Information Technology Systems
The level of risk was assessed by evaluating all collected risk-related attributes regarding threats,
vulnerabilities, assets and resources, current controls, and the associated likelihood that a
vulnerability could be exploited by a potential threat as well as the impact (i.e., magnitude of
loss) resulting from such exploitation.
Figure 2-1: Risk Assessment Approach (flowchart). Step 1, Determine System Boundaries; Step 2, Gather Information; Step 3, Conduct Risk Assessment, which comprises: 1. Identify Requirements, 2. Identify Threats, 3. Identify Vulnerabilities, 4. Analyze Risk, 5. Recommend Countermeasures.

2.1 Step 1: Define System Boundary
The system boundaries, which determine the risk assessment scope, were restricted to the
SHGTS and its Windows Server host, the JINX server EOC3FPR02\Groups\SSR. Meetings with
the OGG system owner and the HBWC's information system security officer (ISSO) and
chief information officer (CIO), along with a review of the current system diagrams, led to a
determination of the boundaries.
2.2 Step 2: Gather Information
WTE assessed the SHGTS based on the risk assessment team’s understanding of the operational
environment and OGG and HBWC information technology (IT) policies and guidelines.
Information about the SHGTS was gathered through interviews, site visits, documentation
review, and the use of a network-scanning tool.
2.2.1 Interviews
To collect relevant information, WTE developed a questionnaire on IT system management and
operations of the SHGTS and support platform. The interviews were conducted on-site, via
telephone, and through e-mail with the following OGG management and technical personnel:
JINX server administrator
OGG ISSO
OGG CIO
SHGTS Users
2.2.2 Site Visit
The WTE team toured the computer room that houses the SHGTS hardware, software, and
data (room 1234) and the OGG offices (room 5678) at the executive office complex in the course
of a day to observe the physical and environmental measures provided for the SHGTS. The visit also included a
demonstration of how the system is accessed and administered, including adding and removing
data. WTE also visited the homes of two OGG staff members to observe remote connections via
virtual private network and dial-up networking.
2.2.3 Documentation
The team reviewed all relevant information security (INFOSEC) documents in order to develop a
better understanding of the SHGTS. Listed below are all system and organizational documents
reviewed in support of the assessment:
OGG mission statement
OGG organization chart
SHGTS administrator's guide
SHGTS user's guide
SHGTS configuration management plan (CMP)
OGG request for proposal (RFP) for development of tracking database
WAA SHGTS documentation
Standard operating procedures (SOPs).
2.2.4 Network Scanning
The team used a scanning tool to discover additional vulnerabilities, or vulnerabilities missed by
another scanner, and to minimize the impact of false positives. The JINX host was scanned once
on two different days for a total of two scans.
2.3 Step 3: Conduct Risk Assessment
The risk assessment encompassed the following subtasks:
Determining the relative value of the SHGTS based on the criticality and sensitivity of the
data the SHGTS processes, stores, and transmits
Compiling the BLSR checklist
Identifying and assessing potential threats
Identifying and assessing potential vulnerabilities
Determining risks
Developing countermeasure recommendations.
The value of the SHGTS is measured in terms of system and data criticality and sensitivity,
which are described in Section 3. The BLSR checklist encompasses the security requirements,
policies, and guidelines applicable to the SHGTS. Appendix C provides a sample BLSR
checklist.
To assess risks to the SHGTS, the WTE risk assessment team identified a list of potential threats
that could exploit identified vulnerabilities of the SHGTS operational environment. Section 4
provides an analysis of the SHGTS threat environment.
Section 5 presents the findings and includes a discussion of each threat and vulnerability pair,
identification of existing mitigating security controls, impact analysis, risk rating, and
recommended countermeasures. A summary of the findings is listed in Appendix A.
In order to determine risk, the team identified the impact an exploited vulnerability would have
on the s ...