Strayer University, Course 304 (Information Systems). Uploaded Jan 9, 2024 by AtarisHuskey. 7 pages.
Week 7 discussion

People can gain physical access to the physician's office without anyone checking their ID.
Matching Control: PE-3 (Physical Access Control)
Mitigation: Implement access control measures such as ID checks, access badges, security personnel, or electronic access control systems to restrict physical access to authorized individuals only. This aligns with the requirements of PE-3 (CSF, 2021).

The server room does not have a lock on the door.
Matching Control: PE-6 (Monitoring Physical Access)
Mitigation: Install a lock on the server room door to restrict access to authorized personnel only. Additionally, consider implementing monitoring mechanisms such as surveillance cameras or access logs to track physical access to the server room, as required by PE-6 (CSF, 2021).

There are unused open ports on all of the servers.
Matching Control: SC-7 (Boundary Protection)
Mitigation: Regularly conduct port scanning and vulnerability assessments to identify and close any unused open ports. Implement a robust firewall configuration to restrict access to necessary ports only, as outlined in SC-7 (CSF, 2021).

The scheduling software shows verbose code.
Matching Control: SA-11 (Developer Security Testing and Evaluation)
Mitigation: Review and update the scheduling software to remove any verbose code that may expose sensitive information. Ensure that the software follows secure coding practices and undergoes regular security testing, as required by SA-11 (CSF, 2021).

There are default admin accounts with elevated privileges.
Matching Control: AC-6 (Least Privilege)
Mitigation: Disable or rename default admin accounts and implement a strong password policy. Use individual user accounts with the principle of least privilege, granting only the necessary privileges to perform specific tasks, as outlined in AC-6 (CSF, 2021).

The office receptionist provided the server's password via an inbound phone call.
Matching Control: AC-6 (Least Privilege)
Mitigation: Educate employees on the importance of not sharing passwords and implement a strict password management policy. Consider implementing multi-factor authentication to enhance security, as required by AC-6 (CSF, 2021).

There is no encryption on the network. PHI/PII data is sent over the wireless network in clear text.
Matching Control: SC-8 (Transmission Confidentiality and Integrity)
Mitigation: Implement encryption protocols such as WPA2 or WPA3 for wireless networks (CSF, 2021). Use secure protocols (e.g., HTTPS, VPN) for transmitting sensitive data over the network. Ensure that encryption is also applied to data at rest, as outlined in SC-8 (CSF, 2021).

The PHI/PII data on the database server resides on unencrypted drives.
Matching Control: SC-28 (Protection of Information at Rest)
Mitigation: Encrypt the drives where PHI/PII data is stored to protect it from unauthorized access (CSF, 2021). Implement strong access controls and regularly review user permissions to ensure only authorized individuals can access the data, as required by SC-28 (CSF, 2021).

In an interview with the Nurse, she stated no HIPAA Security or Privacy training was provided.
Matching Control: AT-3 (Security Training)
Mitigation: Develop and implement a comprehensive training program on HIPAA Security and Privacy for all employees. Regularly provide refresher training and ensure that employees understand their responsibilities and the importance of safeguarding sensitive data, as outlined in AT-3 (CSF, 2021).

There are Microsoft vulnerabilities in the Windows 10 OS on the desktops that have not been patched.
Matching Control: SI-2 (Flaw Remediation)
Mitigation: Establish a robust patch management process to regularly update and patch operating systems and software (CSF, 2021). Implement automated patching tools and prioritize critical security updates to mitigate vulnerabilities, as required by SI-2 (CSF, 2021).

The auditor watched an employee make changes to the Oracle server without following change management.
Matching Control: CM-3 (Configuration Change Control)
Mitigation: Implement a formal change management process that includes proper documentation, approval workflows, and testing procedures for making changes to systems. Enforce strict adherence to the change management process to ensure proper oversight and minimize risks, as outlined in CM-3 (CSF, 2021).

The provided information and mitigations primarily focus on cybersecurity and information security controls within a healthcare setting, specifically addressing the protection of sensitive patient information (PHI/PII) and ensuring compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act). These measures aim to safeguard data, systems, and processes from unauthorized access, breaches, and vulnerabilities.

Broadband technicians, while not directly mentioned in the context of the provided information, can still draw some parallels and considerations:

1. **Access Control**: Just like in a healthcare setting, it's important for broadband technicians to have appropriate access controls in place (Marron, 2022). This could involve restricting physical access to critical network infrastructure and ensuring that only authorized personnel can make changes to network configurations.
2. **Security Training**: Similar to healthcare employees receiving HIPAA training, broadband technicians should also receive training on cybersecurity best practices and how to handle sensitive customer information. This can help prevent inadvertent security breaches and ensure customer data privacy (Marron, 2022).
3. **Change Management**: The importance of proper change management applies to broadband technicians as well (Marron, 2022). When making changes to network configurations or infrastructure, technicians should follow a documented and controlled process to avoid disruptions, vulnerabilities, or misconfigurations (Marron, 2022).
4. **Vulnerability Management and Patching**: Broadband technicians should be vigilant about keeping network equipment and software up to date (Marron, 2022). Regularly applying security patches and updates helps protect against known vulnerabilities that could be exploited by malicious actors (Marron, 2022).
5. **Encryption and Data Protection**: Just as healthcare systems need encryption for PHI/PII, broadband technicians should consider encrypting sensitive data that travels over their networks to ensure confidentiality and integrity (Marron, 2022).
6. **Physical Security**: While not directly mentioned, ensuring the physical security of network infrastructure and equipment is crucial for broadband technicians. Preventing unauthorized access to critical components can help prevent tampering and unauthorized changes (Marron, 2022).
7. **Compliance and Regulations**: While the specific regulations may vary, broadband service providers may need to comply with data protection and privacy regulations. Being aware of and adhering to these regulations is important for maintaining customer trust and avoiding legal issues (Marron, 2022).

In summary, the principles of cybersecurity, data protection, access control, and proper procedures are relevant to broadband technicians as well. While the context of the provided information is healthcare, these principles can be applied to various industries and settings, including the field of broadband technology and network management (Marron, 2022).

"Trust in the Lord with all your heart, and do not lean on your own understanding. In all your ways acknowledge him, and he will make straight your paths." - Proverbs 3:5-6

This scripture reminds us to trust in God's guidance and wisdom, rather than relying solely on our own understanding. In the context of addressing security findings and implementing mitigations, it serves as a reminder to seek guidance from experts, follow established best practices, and continuously seek improvement in our efforts to maintain a secure environment.
CSF Tools. (2021, March 5). Physical Access Control. CSF Tools - The Cybersecurity Framework for Humans. https://csf.tools/reference/nist-sp-800-53/r4/pe/pe-3/

Marron, J. (2022, July). NIST Technical Series Publications. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.ipd.pdf