Fluent Essays

Assessment Description Using all of the previous assignment information, students will present a comprehensive Cybersecurity Program that reports on the final state of their enterprise. Refer to the Cybersecurity Program Template, prior to beginning the assignment to become familiar with the expectations for successful completion. . APA style is not required, but solid academic writing is expected. This assignment uses a rubric. Please review the rubric prior to beginning the assignment to become familiar with the expectations for successful completion. You are not required to submit this assignment to LopesWrite. Benchmark Information This benchmark assignment assesses the following programmatic competencies: MS Cybersecurity 4.1: Develop cybersecurity program aligned with business needs, regulations, and compliance standards to enhance an organization’s security posture (CAE KU 2, 10, 11, 12, 13, 17). 4.2: Determine appropriate business strategies to ensure business sustainability, availability, and reliability and articulate these needs to relevant stakeholders (CAE KU 13, 14, 16). 4.4: Interpret risk assessments, gap analysis, and current cybersecurity trends to formulate a cybersecurity governance strategy that establishes mitigation plans for future challenges to achieve security objectives (CAE KU 6, 10, 11, 12, 15). Attachments CYB-690 Cybersecurity Program Template Directions: The following program components are required within the Cybersecurity Program. Note: Add sections or subsections to the template as needed. Program Components Executive Summary To include a business description. Applicable Security Policies, Laws, and Regulations Current System Description To include a Workflow Diagram. Cybersecurity Risk Assessment/Testing To include an Organizational Risk Assessment Chart. Recommendations Cybersecurity Countermeasures Proposed System Description To include a Web Portal Diagram, Architectural Diagram, and System Design Document. Monitoring Incident Response Management To include an Incident Response Plan. Training and Communication To include a Training Plan. Continuous Improvement To include a Cybersecurity Program Maintenance Plan. © 2018. Grand Canyon University. All Rights Reserved. Running Head: SECURITY ARCHITECTURE 1 SECURITY ARCHITECTURE 5 Student Name School NAME Date TABLE OF CONTENT 1.0 Introduction……………………………………………………………………………………3 2.0 Identify all types of data and sensitive data the organization will store………………………3 3.0 Define where that information is stored……………………………………………………….3 4.0 Hardware and software devices in your network……………………………………………...4 5.0 How the security controls are positioned and how they relate to the overall systems architecture…………………………………………………………………………………….4 6.0 Define security attacks, mechanisms, and services, and the relationships between these categories……………………………………………………………………………………4-5 7.0 Specify when and where to apply security controls…………………………………………...5 8.0 Present in-depth security control specifications………………………………………………5 9.0 Restricting access, layering security, employing authentication, encrypting storage, automating security, and IT infrastructure………………………………………………….5-6 10.0 Full scope of policy, procedural, and technical responsibilities………...………………...6 11.0 Reference………………………………………………………………………………….7 Security architecture is an overall term used to describe the system required to protect an organization’s IT infrastructure. This security design addresses the potential necessities and potential risks involved in a certain scenario or an environment. Security architecture translates the business requirements to executable security requirements. The security architecture protects the organization from security threats (Kamatchi, 2012). An ethical reason may warrant the need to have tougher restrictions on individuals who can access the organizations personal information especially when it pertains to property rights or individual privacy. Identify all types of data and sensitive data the organization will store Sensitive data is information whether in physical or electronic form that must be protected and is inaccessible to outside parties unless specifically granted permission. The information that will be stored by the organization includes (Kamatchi, 2012); Intellectual properties, IT service information, contact information and documents, visa and other traveling documents, social security numbers, identifiable human subject research, protecting patient’s health data, trade secrets, industry-specific data, confidential information, potentially identifiable data, credit card details, and more. Define where that information is stored. Copies of the personal data are stored in separate locations from the original and are kept to a minimum to minimize risks of disclosure. The information is also stored in the USBs, external hard drives, desktop computers, external servers, laptops, tablets, and smartphones. This information should be encrypted using strong passwords or passcodes and is responsibly managed and regularly reviewed by the IT professions to avoid data access from unauthorized parties. Hardware and software devices in your network Hardware devices in the healthcare organization include a central processing unit (CPU), printers, monitors, hard drives, computer data storage, and others. On the other hand, software devices in the healthcare setting include Virtru Email and Data Encryption, Electronic Health Record (EHR) Software, medical database software, Medical research software Medical diagnosis software Medical imaging and visualization software, and Telemedicine. How the security controls are positioned and how they relate to the overall systems architecture Security architecture is a design artifact that describes how the security controls are positioned and how they relate to the system architecture (Almuairfi & Alenezi, 2020). These controls serve the purpose of maintaining the quality attributes of the system such as confidentiality, availability, and integrity. Before the implementation of security controls, there are guidelines to follow. First assess the size of the organization to help IT personnel identifies controls that should be implemented to mitigate existing challenges. Other guidelines include: determining the scope of the IT infrastructure and the security levels of IT assets and information systems and confirming investments in cybersecurity. Define security attacks, mechanisms, and services, and the relationships between these categories A security attack is unauthorized access, damage, or exposure of users systems without their consent. Security mechanisms are the techniques and technical tools used to implement security services. An example is digital signatures and access control. Security services are the services used to implement security policies and implemented by the security mechanisms. Examples include authentication, confidentiality, authorization, non-repudiation, and source authentication. These three categories are closely related because a security mechanism is used to implement security services to prevent a users system from security attacks (Kamatchi, 2012). Specify when and where to apply security controls Security controls should be used all time as long as technology is used to run operations within the organization (Almuairfi & Alenezi, 2020). Security controls are used to avoid, detect, counteract, or reduce security risks to the computers systems, physical properties, servers, or other technology assets. Present in-depth security control specifications Security control is categorized into three subdivisions which include physical security, management security, and operational security. Physical security control is the protection of personal information from any physical threat that could damage, harm, or disrupt operations (Almuairfi & Alenezi, 2020). Operational security control is the individual’s effectiveness of controls which include authentication, and the security topologies implemented to applications, networks, and systems. Management security control is the overall technique of user’s controls and they offer guidance, rules, and procedures for applying a security environment. Restricting access, layering security, employing authentication, encrypting storage, automating security, and IT infrastructure Restricting access: this is a service used in security architecture in which system users are denied access to one or more features of operating levels. Layering security: Layering security refers to the use of multiple components on a security system to protect operations on multiple layers or levels. This network security aims to ensure every individual defense component has a backup to counter any flaws or gaps in other defenses of security (Rudra & Vyas, 2015). Employing authentication: authentication is one of the methods used by organizations and companies to protect users information. A straightforward process, user authentication consists of identification, authentication, and authorization. Encrypting storage: this is the use of encryption of information both in transit and on the storage media. This is one of the best ways to ensure data is secured if its lost. Automating security: this is a machine-based execution of the security actions with the power to programmatically detect, investigate and remediate cyberthreats with or without user’s intervention by identifying incoming threats, triaging and prioritizing alerts as they emerge, then responding to them in a timely fashion (Rudra & Vyas, 2015). IT infrastructure: is described as composite hardware, software, network resources, and services required for the existence, operation, and management of an enterprise IT environment Full scope of policy, procedural, and technical responsibilities Security policies and procedural roles are very crucial in the security architecture because they help in addressing cyber threats and implements strategies on how threats can be mitigated and how to recover from threats that could have exposed the organizations data. Reference Almuairfi, S., & Alenezi, M. (2020). Security controls in infrastructure as code. Computer Fraud & Security, 2020(10), 13-19. Kamatchi, R. (2012). Security Visualization Collaborative Security Framework for Service Oriented Architecture. International Journal Of Modeling And Optimization, 558-562. Rudra, B., & Vyas, O. (2015). Investigation of security issues for service-oriented network architecture. Security And Communication Networks, 9(10), 1025-1039. Soltani, D. (2020). Network security in the OSI model. SSRN Electronic Journal. Running Head: INCIDENCE REPORTING INCIDENCE REPORTING 3 Student Name School NAME Date TABLE OF CONTENT 1.0 Procedure to initially identify and document an incident…………...…………......…………3 2.0 How to inform tactical operational managers, internal and external stakeholders, and/or individuals affected…………………………………………………………………………...3 3.0 How to investigate the breach, mitigate harm to individuals, and protect against further breaches……………………………………………………………………………………….4 4.0 Enforcement mechanisms for breaches and non-adherences……………………………...….4 5.0 Procedures to assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts…………………………………………...……………….4 6.0 Procedures to review response and update policies…………………………………………..5 7.0 Reference……………………...…………………………………...…………………………6 Procedure to initially identify and document an incident An incidence response plan is a set of instructions applied by the IT staff to detect, respond to, and recover from the security incidents. Incidence response plan addresses issues such as data loss, cybercrimes, and service outages that pose threats to the daily tasks.This should be conducted in 10 steps (Abimbola, 2007). The first step is the security incident report-contact information. The security incidence report should contain information to meet compliance, thus its crucial to make a form where certain information will be contained in various segments. The information should include reporting personnels name and title, work and mobile numbers, the name of the organizations security officer, and any other crucial information. The other steps include the description of the security incidence, the sensitivity of the information involved in the security breach, notification, mitigation, security officer signature, security incident log, and lastly the retention of all security incident reports and logs. How to inform tactical operational managers, internal and external stakeholders, and/or individuals affected Risks need to be communicated to the involved stakeholders who might be impacted by the security incident before, during, and after a project to ensure their expectations and opinions are upheld (Abimbola, 2007). The procedure of informing the stakeholders of the security incident involves four basic steps. The first step is to involve the whole team. Risk management requires the involvement of all members especially if individuals hold expertise in certain risk areas. Considering the stakeholders location is the next step that should be taken. If the stakeholders are not located near the project, it might be difficult to communicate effectively. However, you can choose communication channels such as telephone calls, email, or instant messages to reach out to the stakeholders. You can utilize technology to conduct the risk analysis will help in identifying high-risk areas of the users systems. You can also use reports and alerts to communicate effectively with tactical operational managers and other involved stakeholders. How to investigate the breach, mitigate harm to individuals, and protect against further breaches To investigate the breach, one should first detect the data breach, and then take urgent incident response action, gather evidence related to the data breach from all cybersecurity tools, then analyze the breach (Abimbola, 2007). After analyzing the incident, IT professionals should take containment, eradication, and recovery measures to prevent the breach from spreading. The other step is to notify the related parties such as employees, business partners, and other stakeholders and lastly conduct post-incident activities to prevent a similar issue from occurring in the future. Enforcement mechanisms for breaches and non-adherences At the federal level, cybersecurity standards are executed using different methods. The federal trade commission acts as the primary federal consumer protection agency that is responsible for enforcing cybersecurity laws (Abimbola, 2007). Its vital to implement enforcement mechanisms for non-adherences and breaches. Positive enforcement mechanisms encourage compliance with an agreement through the provision of rewards. Negative enforcement mechanisms encourage compliance by threatening or using punishments such as withdrawal of agreements. Procedures to assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts Accurate recovery from cybersecurity incidents depends on fast and perfect damage assessment. To assess the damage, the log of the impacted database should be scanned beginning from the attacking transaction to the end. This process is tedious thus other procedures can be followed to accelerate the damage appraisal process. The organization can use data dependency and transactional dependency approaches to assess the damages of cybersecurity incidents to the organization. Procedures to review response and update policies Information security policies enable organizations to control information security assets and enable them to build an organized and formal security program (Abimbola, 2007). During the policy updates and response reviews, the IT personnel should keep track of the policies in a centralized location to minimize policy management struggles. Policies should be reviewed annually or when changes are required. The other step is to communicate the policy changes accordingly to the stakeholders, who ensure the language used is simple and precise and ensure the policy has a revision and version information table and lastly ask questions related to the reviewed policies to ensure stakeholders are satisfied with the changes. Reference Abimbola, A. (2007). Information security incident response. Network Security, 2007(12), 10-13. doi.org/10.1016/s1353-4858(07)70103-4. DeVoe, C., & M. Rahman, S. (2013). Incident Response Plan for a Small to Medium-Sized Hospital. International Journal of Network Security & Its Applications, 5(2), 1-20. doi.org/10.5121/ijnsa.2013.520. Kesari, A. (2020). Predicting Cybersecurity Incidents Through Mandatory Disclosure Regulation. SSRN Electronic Journal. doi.org/10.2139/ssrn.3700243. Running Head: CYBERSECURITY TEST AND VALIDATION SCHEME 1 CYBERSECURITY TEST AND VALIDATION SCHEME 2 Student Name School NAME Date Metrics Matrix of organisations framework controls Criteria S/N Security Control Domain Pass Fail 1 Strong Encryption Server and application security Yes 2 Patch Management Maintenance Yes 3 Validating and sanitizing application users input and output Authentication validity Yes 4 Securing servers Server security Yes 5 Implement power user authentication Power user authentication Yes Technical Controls: 1. Strong Encryption: These vulnerabilities straightforwardly bargain the center idea of encryption, bringing about the tradeoff of the secrecy of any encoded traffic utilizing these. Since the arrival of these weaknesses the PCI-DSS gathering has affirmed that the proceeds with utilization of SSL and TLSv1.0 will bring about a fail when surveyed as of June 2018, expanding the significance from both consistent and security viewpoints, (Mitchell,2020).  2. Patch Management: More than 700 of the weaknesses recognized in the most recent year were identified with software data or gadgets using programming which is not, at this point upheld. Of the weaknesses distinguished because of absence of powerful fixing controls, 36\% of these were delegated high hazard and bringing risky weaknesses into creation conditions, which could be evaded with a successful fix the board practice. 3.Validating and Sanitizing Application Users Input and Output: Regularly, client input is shipped off the web worker facilitating the application and prepared or put away by the database server or  application server in the back end. Permitting client contribution to straightforwardly interface with these frameworks can permit an assailant to submit noxious info which is at that point prepared by the application bringing about basic vulnerabilities, (Mitchell,2020).  This guarantees just approved info is permitted to be prepared by the application and that any information given by a client is changed over into a protected structure and not executed as code inside the program.  4. Securing Servers:  Reliably making sure about and solidifying gadgets is fundamental for an association with a remotely confronting worker bequest. The presence and adherence to these systems guarantees that all remotely confronting resources are made sure about and solidified reliably and any differences from this standard are recorded and affirmed.  From our investigation, a typical issue presented through an absence of security solidifying is uncovering pointless ports and administrations to the Internet.  These issue increments the assault surface of a gadget for an aggressor and keeping in mind that controls, for example, solid information approval might be set up all through an application sitting on this worker, these controls are totally avoided if SQL administrations are straightforwardly accessible to Internet borne assailants. 5. Implement Power User Authentications: Client validations are the cycles for checking the authenticity of a framework client. For a client to be verified, he needs to give exact data which incorporates usernames and passwords. A significant method of actualizing solid client confirmation is executing two-factor or multifaceted validation. The procedures expect clients to give a blend of exact authenticators. The mix should incorporate a username, a secret key, and an actual token or code. Multifaceted validation gives extra security since a client should give a token or code created naturally once a client starts a login meeting.  Test cases for server management: Test authentication: To make encryption confirmation safer, SSL/TLS utilizes a reliable Certificate Authority (CA) to check each gathering, and handles encryption key administration consequently. At the point when a user sends an email with TLS, the users customer makes an encoded association with users server mail, and sends a user message.  Check redundancy level: An excess code RC is respectability furnishing regarding security thought SSS-AAA if for all base encryption plans SE that are SSS-AAA secure, the encryption-with-repetition plot ER acquired from SE and RC is secure in the sense of honesty of ciphertexts.  Response time: Two fish is considered among the quickest encryption norms and is henceforth preferred for use among equipment and programming undertakings. It is unreservedly accessible and consequently makes it well known. The keys utilized in this calculation might be up to 256 pieces long and just one key is required. Bug testing: Bug testing is the first priority in any security testing. These testing, different models of code are tested with different inputs. And the expected output is compared to the actual result. Testing is the way toward distinguishing surrenders, where a defect is any fluctuation among genuine and anticipated outcomes, (Biagioli & Lippman, 2020).   A slip-up in coding is called Error, mistake found by analyzer is called Defect, imperfection acknowledged by advancement group then it is called Bug, fabricate doesnt meet the necessities then it Is Failure.  Check repair techniques: Software repair techniques help users configure better experiments. Since comprehensive testing is preposterous. Manual Testing Techniques help lessen the quantity of experiments to be executed while expanding test inclusion. They help distinguish test conditions that are generally hard to perceive.  Testing credentials: Credentials are verification subtleties utilized by admin to get to the far off gadget for observing and the board.  References Biagioli, M., & Lippman, A. (2020). Gaming the metrics: Misconduct and manipulation in academic research. Mitchell, (2020). Five metrics of peak performance culture. Place of publication not identified: JOHN WILEY & Sons. Running head: CYBERSECURITY TRAINING 1 CYBERSECURITY TRAINING 2 Student Name School NAME Date CYBERSECURITY TRAINING Building a culture that values cybersecurity is an essential part of reducing cybersecurity threats. To accomplish this, everyone must adopt a new mindset. Involved workers are more likely to adhere to the companys security policies in their day-to-day activities and decision-making. You can reduce cyber risks and improve compliance by incorporating security best practices into your employees daily routines. Cybersecurity fosters an atmosphere in which good cyber hygiene becomes common practice, allowing the entire organization to operate more securely with less effort, freeing up time and energy to focus on its core business (Nel & Drevin, 2019). The aims of a cybersecurity culture must be strategic, aligned with the organization, and risk based. You must know how your companys present cyber security culture appears. You must investigate how your lived culture, mission, and values affect how people engage with cyber risk. There are different types of cybersecurity risks, which include malware, ransomware, and crypto jacking. Malware is the most prolific and common type of security threat. Malware occurs when an undesirable program or software application hijacks a target system and starts acting strangely. This includes preventing users from accessing applications, destroying data, data theft, and spreading to other computers. Malware can be avoided by the use of the latest anti-malware programs (anti-virus) as well as recognizing suspicious files, links, and websites. Ransomware is a type of malware that is usually installed on the users system or network and prevents access to functionalities until a ransom is paid to the third party. Ransomware can be prevented by the use of anti-virus. The user should always ensure that their anti-virus software is always updated since once ransomware is installed; it becomes a challenge to remove it. Crypto-jacking is an effort to infect a system with malware that forces it to engage in crypto-mining, a popular method of earning crypto-currency. Unsecure systems can be infected by this virus, as well as others. Its used since crypto-mining necessitates a lot of hardware. Crypto-jacking can be avoided by keeping all the software updated. Some of the policies that have been developed for critical electronic devices and communication networks include the acceptable use policy (AUP), information management policy (IMG), access control policy (ACP), and email/communication policy. An AUP specifies the limitations and procedures that an employee using IT resources of the business must accept to access the companys network. Its standard procedure for new hires to go through this process. AUP must be reviewed and signed by the user before a network ID can be issued. This documents rules and principles must be followed by everyone who uses information technology resources within the company or on its network systems, due to the companys main information security policy. There are several methods described in the ACP for giving employees access to a companys information and data system(s). A companys email policy is a formal document that outlines how workers can end up making use of the companys selected electronic communication link. Employees will be provided with guidelines on ethical and unethical uses of organization telecommunications under this policy. An organization should have proper use of critical electronic devices and communication networks. Install any software updates as soon as they are available from the vendor of your device. By putting them in place, youre making it harder for hackers to exploit known issues or flaws. Use password protection on your devices. Choose complex passwords that are difficult to crack, and use a unique password for each program and gadget you use. If youre storing sensitive data, like financial or private data, check to see if you have the choice to encrypt it. By encrypting files, you make sure that even if someone has physical access to them, they cant view the data. Bluetooth, for example, is a wireless technology that can be used to link cellphone devices and computers. When not in use, turn off these options. While handling information, we are required to adhere to a slew of rules and policies. For example, its not uncommon for sensitive documents to require two levels of access control. Dual control is a mechanism that necessitates the consent of other managers before a crucial document can be retrieved. These needs can be met with the help of technologies like selective encryption plans, user authentication, and model control techniques. Also, critical information needs tight security against landing by unauthorized users. Several security technologies must be integrated to establish a critical infrastructure for communicating information and protect it from being exposed. For example, strong authentication consisting of multiple factors is needed to successfully make sure the people with whom we exchange critical information. Every company should have malware detection and prevention software installed to protect its data (Cichonski et al., 2012) An operational plan and a recovery strategic plan for critical electronic systems and communication connectivity work best together. There are a few principles that are used in developing a recovery plan, which includes prevention, which entails a proper backup, detection, which is involved in detecting possible threats and risk, and correction, which entails proper insurance policies. The recovery plan for critical electronic devices and communication networks should include plan goals, recovery procedures, backup procedures, and the restoration process. There are many risks as well, which result from the insecure behaviors of employees. For example, humans are prone to errors such as forgetting to use backups, which may lead to the loss of data. Additionally, some steal organizational data such as passwords and emails. Only a quarter of data theft is traced to outside intrusions, indicating that most data theft is not the product of an external attack by some cybercrime genius (Tyler, 2016). References Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide: Recommendations of the National Institute of standards and technology. Retrieved from:https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjYs9nqkY7zAhWHHxQKHYnyBasQFnoECAYQAQ&url=https\%3A\%2F\%2Fnvlpubs.nist.gov\%2Fnistpubs\%2Fspecialpublications\%2Fnist.sp.800-61r2.pdf&usg=AOvVaw30silDnlF3FuLCqAVsK8KV Nel, F., & Drevin, L. (2019). Key elements of an information security culture in organisations. Information & Computer Security, 27(2), 146-164. Retrieved from:https://www.emerald.com/insight/content/doi/10.1108/ICS-12-2016-0095/full/html Tyler, J. (2016). Dont be your own worst enemy: Protecting your organisation from inside threats. Computer Fraud & Security, 2016(8), 19-20. Retrieved from:https://www.sciencedirect.com/science/article/abs/pii/S136137231630063X?via\%3Dihub Running Head: CYBERSECURITY PROGRAM MAINTENANCE CYBERSECURITY PROGRAM MAINTENANCE 4 Student Name School NAME Date TABLE OF CONTENT 1. Procedure to track performance………………….……………………………………3 2. Procedures to monitor and measure performance for areas of improvement…............3 3. Procedures to identify new threats, vulnerabilities, or any countermeasures…............4 4. Procedures to obtain feedback on the effectiveness of policies………………….........4 5. Procedures and technical tools to monitor the internal and external environment……………………………………………………...……………….…...4 6. Procedures for budget allocation……………………………………………...………5 7. Procedures to catch any oversights……………………………………………………5 Procedure to track performance Organizations that track their performance can improve their employees efficiency and enhance the effectiveness of their operations and be able to find out any type of vulnerabilities occurring, or any issue related to cybersecurity (Zarreh et al., 2019). Tracking the cybersecurity performance should be tracked through the following procedure. One, you need to track the level of preparedness such as the number of devices on your organization network that is fully patched and update. The other step is to identify the number of unidentified devices on internal networks. The fourth procedure is to identify how often attackers breached the information asset and also identify how long do security threats go unnoticed, the meantime you took to respond to the cyberattacks, and the meantime you took to contain the threat. The other steps to track performance include, first-party security rating, track the average vendor security rating, patching cadence, access management, track your company and peer performance, and lastly track the meantime for vendors incident responses. Procedures to monitor and measure performance for areas of improvement A critical requirement for any cybersecurity program maintenance is to continuously verify the effectiveness of an established controls. Periodic evaluation of organisation security controls helps to determine whether the security control is operating as intended. Monitoring and performance measurement is vital for business success. Its important to identify the areas that need to be improved to maximize the productivity of the organization (Zarreh et al., 2019). First, you can evaluate the users system performance and their vulnerabilities to cyber threats. This procedure is very vital because, through it, one can identify the possibility of hackers or any other unauthorized access to the systems. You can also review the work in progress on regular basis in those areas. This will prevent the organization from recurring cyber threat instances. Procedures to identify new threats, vulnerabilities, or any countermeasures Cybersecurity threats are common in many organizations and to mitigate these risks, routine network vulnerability and threats assessment should be conducted (Choudhary et al., 2021). There are various steps to identify new network threats and vulnerabilities assessment, which include conducting risk identification and analysis, formulating vulnerability and security threats scanning policies and procedures, recognizing the type of vulnerabilities scan, configuring and performing the scan, assessing risks, analyzing the scanning results, and lastly developing a remediation and mitigation plan. Procedures to obtain feedback on the effectiveness of policies This can be conducted by surveying to learn their early employee experience. You can also conduct employee engagement surveys to obtain a large number of feedbacks at once. Review sites can also be a very effective channel where feedbacks on policy effectiveness can be obtained. Many employees feel it difficult to share feedbacks with their top management, but they may share it on review sites, thus monitoring the sites will help in obtaining feedback on policy effectiveness. Procedures and technical tools to monitor the internal and external environment Technical tools or techniques to monitor the internal and external environment include antivirus software, penetrating testing, firewall, staff training, and managed detection services. To monitor the internal and external environment, you are required to determine the scope of risk assessment, and then determine the number of unauthorized devices used for business tasks and ensure they are encrypted to prevent unauthorized access. The last step of monitoring the internal and external environment is to implement security policies to safeguard the organizations intellectual information. Procedures for budget allocation Getting the c-levels to approve an IT security budget is one of the most critical tasks that IT professionals experience during their working period (Zarreh et al., 2019). A clear and effective procedure for budget allocation can help mitigate this tough task. First, the IT professionals should outline all the expenditures and financial obligations they plan to cover with their cybersecurity program budget. The next step is to determine your method of cybersecurity program funding. Then there is the execution process where the resources are allocated to various budget items and lastly the allocated budget is monitored and maintained. Procedures to catch any oversights To catch any cybersecurity oversight, the IT professionals should one, make cybersecurity an enterprise-wide initiative (Zarreh et al., 2019). A good oversight requires aligning the companys core values and ethical attributes with the company’s cybersecurity strategies, risk tolerance, and business approach. The next step is to test your cyber protection more frequently to ensure they are functioning. The other process is to develop a better rapport with your CISO on issues related to cyber risks within the organization and the last process is to think hard on the skills required to mitigate the cybersecurity incidents. Reference Choudhary, Y., Umamaheswari, B., & Kumawat, V. (2021). A Study of Threats, Vulnerabilities, and Countermeasures: An IoT Perspective. Shanlax International Journal Of Arts, Science, And Humanities, 8(4), 39-45. doi.org/10.34293/sijash. v8i4.3583. Zarreh, A., Wan, H., Lee, Y., Saygin, C., & Janahi, R. (2019). Cybersecurity Concerns for Total Productive Maintenance in Smart Manufacturing Systems. Procedia Manufacturing, 38, 532-539. doi.org/10.1016/j.promfg.2020.01.067. Bakertilly (2017). Monitoring and verifying cybersecurity controls effectiveness. Student Name School NAME Date CYB-690 Business Profile Directions: Select an area of industry that you are interested in and create a hypothetical business. Use the following sections to define the business environment; these items will vary depending on your business type. Feel free to adapt this document as needed. Note: Students may adapt their hypothetical business developed in CYB-630 or CYB-650 for this assignment. However, additional details will be required. Business Details Company Name: United Health Group Established date: the organization was established in 1977 and went public in 1984. The company was named UnitedHealth Group in 1998 and achieved its first significant success in 1997. Physical Address: P.O Box 1459, Minneapolis, MN 55440-1459, USA Phone and fax numbers: +1.952.9361300, 800328-5979 (For corporate headquarters); fax number:  877-232-7902 Website URL: www.unitedhealthgroup.com Email address: Unitedhealthgroup.com, [email protected] (CEO email address), Business Basics Vision Mission Statement and Goals 1. Mission statement: to help people live healthier lives and to help make the health system work better for every citizen 1. Vision statement: committed to diversity and inclusion. The organization’s core values are relationships, performance, compassion, integrity, and innovation that are embedded in its greater mission. 1. Goals and objectives: the organizations goals and objectives are to help make healthcare work better for every person. The organization seeks to enhance the healthcare systems performance and to improve the wellbeing of the people they serve. 1. Information/experience: UnitedHealth Group is ranked top 10 on the 2021 fortune global 500. It has a market capitalization of $400.7 billion as of March 31, 2021 1. Organizational flow: this is represented in form of a chart to indicate the relationship between job positions and illustration of the structure of all the jobs by rank. Products and services 1. Main product: UnitedHealth Group is an American multinational managed healthcare and insurance firm based in 9900 Bren road east, Minnetonka, Minnesota, 55343, USA. The major products offered by this organization are healthcare products through UnitedHealth care (AULT, 2009). 1. Main services: the organization offers services such as information technology-enabled health service through Optum. It also offers healthcare coverage and benefits services such as health and accident insurance. 1. Consumer base: the consumers of UnitedHealth Group include those who need healthcare such as patients, those who provide care such as physicians and other health practitioners, hospitals and clinical facilities that seek to modernize in ways that enable the best patient care and experience possible, delivered cost-effectively (AULT, 2009). Other consumers include those who pay for care such as insurers and government agencies and those who innovate for care such as life science and research organizations dedicated to developing more effective approaches, enabling technologies and medicines that improve the delivery and quality of care. Technology and security solution Many evolving and existing organizations are innovating heavily into technology appliances and due to the mass use of technology, cyber threats have become challenges to many organizations. UnitedHealth Group has not been exempted on this issue and it has been innovating heavily to ensure its consumers personal information is secure. Optum had expanded IT services to assist healthcare facilities to modernize their technology infrastructure which will facilitate better access to information, analytics, and tools for making data-driven decisions about treatments, resource management, and costs. A website privacy policy had been implemented to enable customers to see how their confidential information collected on the website is handled. The organization had maintained reasonable administrative, technical, and physical safeguards that are designed to protect information provided by clients through the website. The information technology team conducts a security risk assessment at least once a year to identify, assess, and deploy key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. As required by HIPPA security rule, UnitedHealth group ensures their consumers data is encrypted whenever possible. Consumers are authenticated with login names and authentication factors such as use thumb, eyes, signatures, or passwords. These security solutions have enabled the company to run its business effectively while retaining its reputation. References AULT, A. (2009). UnitedHealth Expands Medical Home Program. Family Practice News, 39(6), 42. Plourde, R. (2012). The UnitedHealth Group and Gaming. Games For Health Journal, 1(1), 18-20. UnitedHealth Group Mission, Benefits, and Work Culture | Indeed.com. Indeed.com. (2021). Retrieved 31 August 2021, from https://www.indeed.com/cmp/UnitedHealth-Group/about. UnitedHealthcare Introduces the Use of Predictive Analytics to Expand its Capabilities to Address Social Determinants of Health. Unitedhealthgroup.com. (2021). Retrieved 31 August 2021, from https://www.unitedhealthgroup.com/newsroom/2021/2021-7-8-uhc-predictive-analytics-social-determinants-health.html. UnitedHealth Group and Microsoft Collaborate to Launch ProtectWell™ Protocol & App. Unitedhealthgroup.com. (2020). Retrieved 31 August 2021, from https://www.unitedhealthgroup.com/newsroom/posts/2020-05-15-uhg-microsoft-launch-protectwell.html. Running head: LEGAL AND ETHICAL CHALLENGES OF CYBERSECURITY LEGAL AND ETHICAL CHALLENGES OF CYBERSECURITY 2 Student Name School NAME Date TABLE OF CONTENT 1.0 INTRODUCTION…………………………………………………………………………....3 2.0 LEGAL AND ETHICAL CHALLENGES OF CYBERSECURITY……………….….….3-5 3.0 REFERENCE……………………...…………………………………………………………6 INTRODUCTION Organizations that possess personal information about their users are ethically responsible for protecting that information from hackers. Unfortunately, in many high-profile data breaches the organizations that got hacked were at least partially at fault. It is possible to start building trust in your organization right now by listening to a coworker, following through on a sense of personal responsibility, or receiving new support and motivation from a true leader. You cant just blindly put your faith in someone. If you want to live your values, you must make a conscious effort to act as you do. To maintain trust, its important to put forth the effort necessary to establish trust again. Tell the truth, even though its difficult, and not just what you think others want to hear. Recognize what information employees require and communicate it clearly, all the while keeping in mind their efforts and feelings. Doing something that you say youll do consistently build trust over time; it cant be something you do only occasionally. Your behavior in all relationships should be based on keeping commitments, every day, and every year. To ensure that everyone feels truly cared for, leadership has a significant role to play. Most companies strive to build and maintain relationships of trust with the various parties who make up their value chain, the ability to maintain a trusting relationship with employees has long been a top priority for companies (Ozmen, 2018). Each employee, as well as the interdependent workgroup or department, must be shown concern and care. Employees are motivated to build strong working relationships with their managers and coworkers. Its also important for them to believe that the people they rely on truly care about them. Employees should raise their issues about whistleblowing as early as possible if they witness or become aware of any wrongdoing, threat, or professional misconduct at work that they believe should be disclosed to their employer. While hotlines like the National Whistleblowing Hotline and the NHS Whistleblowing Helping have been used in the public sector in the past to report suspected misconduct, this is changing. Human resource management software advances, on the other hand, can assist managers in maintaining thorough records. Allowing employees to self-regulate while keeping an eye on their behavior and fostering a positive work environment. Organizations should keep track of the number of whistleblowing disclosures they receive, as well as the date and feedback are given to those who come forward. Automated tools also help organizations human resource teams by enhancing efficiency and reducing the possibility of human error by ensuring that information is automatically fed into the suitable human resource or payroll system. Additionally, the level of privacy provided by an intelligence-led platform is by far the most important consideration. Enhanced confidentiality protects the investigation and the identity of witnesses, as well as the identity of the whistle-blower. For each trade-off dimension, there is a definition and illustrative examples in the trade-off typology structure. There are implicit trade-offs, including the loss of the stack trace, which could make things more difficult to debug. However, I believe you must remember that software is about making trade-offs, and just because the circumstances permit it, it does not follow that the trade-off is worthwhile. These tradeoffs can be made more explicit by first ensuring enterprise-wide awareness. Regulatory compliance is a great way to get the boardroom interested in cybersecurity. Organizations can be held personally liable for non-compliance in these situations, so there is a great motivation to act. Secondly, it is analyzing vulnerabilities and risks. Defending against these malware attacks requires an integrated strategy that considers all aspects of your business, including employee education, policies and procedures, and technical safeguards like firewalls and antivirus software. As well, keep in mind your companys goals and strategy when analyzing this. Finally, an organization should take a security-by-design approach. You should also think about where your company fits into the ecosystem. Maintaining order in your own home isnt always enough. For example, if you heavily rely on an external entity, their security may be vital to your business. Contracts and agreements have been used by some companies to try and handle this, but they may be insufficient. Most state and federal confidentiality laws allow companies to monitor their employees to a certain extent. Depending on legal requirements, employers may not be required to tell employees if they are under surveillance (Kaupins, 2009). Some rules do necessitate the consent of employees. Even if monitoring is reported as a prospect, some controls must be in place. A few examples of these are the methods and timing of monitoring, as well as who has the authority to do so or use the data gleaned from monitoring. Using monitoring tools can computerize the monitoring system and provide a consolidated view of the associated data – the big picture – without disclosing the personality or violating the privacy of any single individual. References Kaupins, G. (2009). Legal and ethical implications of employee location monitoring. Handbook of Research on Technoethics, 825-842. https://doi.org/10.4018/978-1-60566-022-6.ch053 Ozmen, Y. S. (2018). How employees define organisational trust: Analysing employee trust in organisation. Journal of Global Responsibility, 9(1), 21-40. https://doi.org/10.1108/jgr-04-2017-0025 Snapshot (n.d.). Ethical issues in cybersecurity. Retrieved from https://www.futureoftech.org/cybersecurity/4-ethical-issues-in-cybersecurity/ Running Head: SYSTEM DESIGN 1 SYSTEM DESIGN 2 Student Name School NAME Date TABLE OF CONTENT 1.0 Introduction……………………………………………………………………………………3 2.0 Goals and Considerations…………………………………………………...………………...3 3.0 Overview of the system design document…………………...……………………………...3-4 4.0 How is data design associated with system design document?.................................................4 5.0 Describe the human-machine interface and operational scenarios………………………….4-5 6.0 System architecture design……………………………………………………………………5 7.0 Hardware security diagram………………………………………………………………….5-6 8.0 Security software design………………………………………………………………………6 9.0 Reference……………………………………………………………………………………...7 The system design document discusses the system design aspects, how the non-functional and functional requirements are recorded in the requirement document, and the preliminary data design documented in the local data. System design documents the high-level system design and the low-level detailed design specifications. An example of system design is the architectural design which is a concept that focuses on components of a structure (QIU & OMURA, 2016). This system consists of multiple volumes of individual design documents. This document is important because it helps individuals to understand what is possible, not possible, and the system that will be favorable for that scenario. Goals and Considerations The goal of this design is to track any required data to effectively define the system architecture and system design to ensure the development team has attained guidance on the architecture of the system to be developed (QIU & OMURA, 2016). Given that the system will integrate data from various sources and conduct a systematic correlation of real-time information, its architecture is based on enterprise application integration (EAI) The considerations of the system design document include a description of the purpose of the output such as identification of the primary users, report distribution requirements if any (include frequency for periodic reports) description of any access restrictions or security considerations. Other goals include ease of use. The system will be easy to use and provide a strong user experience. Overview of the system design document In this section, the system is described in a more narrative form using non-technical terms. The system design document is a concept that focuses on components of a structure. It’s guided by certain principles such as high coupling, good modularity, and low cohesion (QIU & OMURA, 2016). Design concepts such as architectural patterns, reference architectures, externally developed components, and tactics are the building blocks of the system architecture and they form the basis of the architectural design. This system has three layers. The first layer covers the software and the hardware needed to have a secure computer system. The second layer entails the logical techniques needed to keep the system secure and the third layer covers the evaluation techniques that quantify how the system is secured. System design documents are developed to ensure efforts of a large team are coordinated, to give them a stable reference point, and to expound all parts of the system software and how they will operate. The system design document ensures products are created to meet the needs and is per what was agreed upon before the inception of the software. How is data design associated with system design document? Data design can be described as the first design activity which leads to fewer complexes, modular, and efficient program structure. The system views how information security controls and safeguards are implemented in the IT system to protect the confidentiality, integrity, and availability of information. Data design is associated with system design documents in various ways. Describe the human-machine interface and operational scenarios A human-machine interface (HMI) is an interface used by organizations to connect a person to a machine, server, device, or system (Afrianto et al., 2019). It enables the operators to manage their industrial and process control machinery through a computer-based graphical user interface (GIU). The human-machine interface provides a visual presentation of the control system and provides real-time data acquisition. Operational scenarios are the description of an imagined Sequence of events that include the interaction of the services and products with its users and the environment as well as the interaction among its products or service components (Afrianto et al., 2019). System Architecture Diagrams Systems and subsystems architectures for the organization are expounded in this section. External system design Hardware security diagram This part describes the system hardware and the organization. Under this section, hardware components and the connectivity between the components are presented in form of a diagram. Security software design Overall system software and the organization are explained in this section. It includes a list of software techniques, computer languages, and computer-aided software engineering tools. References Afrianto, I., Heryandi, A., Finadhita, A., & Atin, S. (2019). Design Of E-Document System with Digital Signature Using User-Centered Design Method. Conference SENATIK STT Adisutjipto Yogyakarta, 5. Jang, S. (2017). Design of Access Control System for Hangul document System. Journal of Digital Information Management, 15(4), 170. Qiu, Q., & Omura, K. (2016). Developing a Document Creating System for Affective Design: A Case Study in Card Design. International Journal of Affective Engineering, 15(2), 91-99. Running Head: CYBERSECURITY FRAMEWORK 1 CYBERSECURITY FRAMEWORK 6 Student Name School NAME Date TABLE OF CONTENT 1.0 INTRODUCTION…………………………………………………………………………....3 2.0 ORGANISATIONAL OBJECTIVES AND PRIORITIES…………………………….…….3 3.0 CURRENT RISK MANAGEMENT……………………………………………………….3-4 4.0 THREATS ENVIRONMENTS………………………………………………………………4 5.0 LEGAL AND REGULATORY REQUIREMENTS…………………………………………4 6.0 MISSION……………………………………………………………………………….…….4 7.0 OBJECTIVES………………………………………………………………………………...4 8.0 CONSTRAINTS USING HIPPA FRAMEWORK……………………………………….….4 8.0.1 COMMON DECISION WORKFLOW………………………………….………….5 9.0 FUTURE CYBERSECURITY POLICIES…………………………………………………...5 10.0 OPERATIONAL COMPLIANCE AND RISK ASSESSMENT………………………….5-6 10.0.1 ORGANIZATIONAL RISK ASSESSMENT CHART…………………………...6 11.0 PRIVACY RISK MANAGEMENT……………………………………………………….6-7 11.0.1 WEB PORTAL DATA FLOW DIAGRAM……………………………………….7 12.0 REFERENCE………………………………………………………………………………...8 Introduction In this assignment, I will assess a healthcare facilitys cyber security framework to identify and close the gap between the facilitys current cybersecurity status and its target cybersecurity status. This process will adhere to the Health Insurance Portability and Accountability Act (HIPPA) regulations (Allodi & Massacci, 2017). This cybersecurity framework is very vital because it enables a healthcare organization to establish national standards that will protect patient’s medical health records and other personal health information. it also applies to the health plans, clearinghouses, healthcare, and care practitioners who perform certain healthcare transactions electronically. Organizational Objectives and Priorities According to the facilitys Information Technology personnel, the organization had already implemented a security framework per the HIPPA privacy rule (Allodi & Massacci, 2017). The framework had provided the healthcare facility with security guidelines, standards, and best practices that can be implemented to manage cyber threats instances. Patients, health practitioners, and physician’s integrity, confidentiality, and availability of personal health information or private information are well secured and protected from cyberthreats such as malware, phishing, and virus and only shared when there are justifiable reasons for doing so. However, there was a case where the facility received a computer network outage due to security incidences. This means the healthcare facility was unable to detect and mitigate malicious threats on time (Allodi & Massacci, 2017). Current risk management: To manage these risks, the facility has managed to communicate effectively and involve all its stakeholders to create awareness of cyber risks. It had also implemented clear risk management policies that define the roles and responsibilities of every individual within the organization (Allodi & Massacci, 2017). The health facility had also established a clear continuous risk monitoring process to ensure its risk mitigation efforts are working effectively. Threats environments: these environments include all online spaces where cyber hackers conduct malicious cyber threat activities. These environments include health facilities networks, devices, processes, stored or transit data, services, and systems. Legal and regulatory requirements: The institution’s cybersecurity laws and regulations are under the HIPPA regulation rules. The institute has been following all security rules and meeting any requirements (Allodi & Massacci, 2017). Mission: to provide quality care with excellence in service and access Objectives: to ensure quality healthcare is provided to all citizens Constraints using HIPPA framework: Some of the constraints encountered by using this framework include shortcomings in the enforcement, extra staff required to keep up with HIPPA requirements, consent not required for payment, and no standing to sue companies because of their HIPPA violation (Allodi & Massacci, 2017). Fig 1: common decision workflow Future cybersecurity policies To ensure minimal cyber threats in the health facility, the organization is required to implement strong cyber security policies to help all stakeholders understand how to maintain the security of data and applications (Gellert, 2015). To comply with HIPPA regulations, the facility is required to implement policies and regulations that will combat cyber abuse, fraud, and waste in health insurance and healthcare delivery. The policies and regulations should also provide systematic health insurance coverage for the workforce who lose or change their jobs. The facility should also implement policies that protect patient’s personal health information (PHI) and ensures patient’s rights are not violated. Operational Compliance and Risk Assessment The likelihood cyber security risks in this facility include malware and Ransomware. Malware results in unusual behaviors or the system such as denying access to programs, deleting files, and stealing information of patients or other stakeholders within the health facility. On the other side, ransomware installs itself on the users system, disrupting programs and prevents access to functionality until a ransom is paid. These two cyber risks result to access to patients information without their consent (Gellert, 2015). The systems are also vulnerable to internal threats such as viruses, hacking, and cloud computing vulnerabilities. These threats originate within the facility and are currently conducted by either former or current employees. External cyber threats include ransomware and malware. To prevent external threats, a proactive approach is the best. This includes the installation of anti-malware and anti-ransomware programs to mitigate the risks. To minimize these risks, users can use strong passwords, or monitor user behavior. They can also implement identity and access control or use multifactor authentication (Gellert, 2015). Fig 2: organizational risk assessment chart Privacy risk management: To integrate privacy laws and regulations, the institute is required to have an up-to-date and keen awareness on how to comply with the policies at all levels of organizational workflow, systems, tools, and processes (Gellert, 2015). The institute is required to have a legal counsel on board that can comprehend its operations by balancing it with the right privacy laws at the right levels. Both internal and external audits should be conducted to help in keeping a consistent measure of cyber risks. These audits will help to evaluate certain characteristics of the facility against HIPPA standards and policies. The type of gap analysis that can be performed to identify security elements and variables is to perform a risk assessment. This process will help in identifying which risks are the biggest threats to the organization. Fig 3: web portal data flow diagram From the above web portal, cyber risks will be handled per the Health Regulation Act. Staff will be trained to help them understand what roles they will be taking to keep the organizations systems and servers secure from cyber threats. There will also implement controlled system access to regulate who and what can view or use resources in the health facility computing environment (Gellert, 2015). Reference Allodi, L., & Massacci, F. (2017). Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37(8), 1606-1627. Butman, S. (2014). HIPPA for the interventional cardiologist. Catheterization And Cardiovascular Interventions, 83(4), 528-529. Gellert, R. (2015). Data protection: a risk regulation? Between the risk management of everything and the precautionary alternative. International Data Privacy Law, 5(1), 3-19.