Risk Management Lab 1

1. Healthcare is under a strict HIPPA privacy requirements which require that an organization have proper security controls for handling personal healthcare information (PHI) privacy data. This includes security controls for the IT infrastructure handling PHI privacy data. Which one of the listed risks, threats, or vulnerabilities can violate HIPPA privacy requirements? List one and justify your answer in one or two sentences.

Hacker penetrates your IT infrastructure and gains access to your internal network – If a hacker is able to penetrate your internal network he has the potential to gain access to patient files or other private data that is covered under HIPPA guidelines.

2. How many threats and vulnerabilities did you find that impacted risk within each of the seven domains of a typical IT infrastructure?

a. User Domain: 2

b. Workstation Domain: 5

c. LAN Domain: 7

d. LAN-to-WAN Domain: 2

e. WAN Domain: 2

f. Remote Access Domain: 2

g. System/Application Domain: 1

3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?

LAN Domain

4. What is the risk impact or risk factor (critical, major, minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the healthcare and HIPPA compliance scenario?

I would consider the both minor for the most part. Unless performance becomes a work stoppage, both would be considered minor in relation to HIPPA.

5. Of the three Systems/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and a business continuity plan to maintain continued operations during a catastrophic outage?

Loss of production data

6. Which domain represents the greatest risk and uncertainty to an organization?

User Domain

7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?

Remote Access Domain

8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risk from employee sabotage?

User Domain

9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?

Workstation Domain

10. Which domain requires AUPS to minimize unnecessary User initiated Internet traffic and can be monitored and controlled by web content filters?

User Domain

11. In which domain do you implement web content filters?

LAN-to-WAN Domain

12. If you implement a wireless LAN (WLAN) to support connectivity for laptops in the Workstation Domain, which domain does WLAN fall within?

LAN Domain

13. A bank under Gramm-Leach-Bliley-Act (GLBA) for protecting customer privacy has just implemented their online banking solution allowing customers to access their accounts and perform transactions via their computer or PDA device. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?

a. LAN-to-WAN Domain

14. Customers that conduct online banking using their laptop or personal computer must use HTTPS:, the secure and encrypted version of HTTP: browser communications. HTTPS:// encrypts webpage data inputs and data through the public Internet and decrypts that webpage and data once displayed on your browser. True or False.

a. TRUE

15. Explain how a layered security strategy throughout the 7-domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the Systems/Application Domain.

Well as you travel through the layers, each layer should add a little more security features to help protect you IT assets. When you come to your Systems/Application Domain, the applications should work with your network based on how you set up the other layers.