
DFN1: Governance, Risk, and Compliance

Security Assessment Report

for

Fielder Medical Center (FMC)

Prepared by

  Pruhart Security Consulting

FOR OFFICIAL USE ONLY

Document Revision History

The security assessment report (SAR) is a living document that is changed as required to reflect system, operational, or organizational changes. Modifications made to this document are recorded in the version history matrix below.

At a minimum, this document will be reviewed and assessed annually. Reviews made as part of the assessment process shall also be recorded below.

This document history shall be maintained throughout the life of the document and the associated system.

Date         Description             Version   Author
01/05/20XX   Document Publication    1.0       Sophia Martin


From: Sophia Martin, Head Consultant, Pruhart Security Consulting

To: Board of Directors, Fielder Medical Center (FMC)

On behalf of Pruhart Security Consulting, I would like to thank you for the opportunity to provide a security audit and assessment for FMC. We have completed our preliminary report and present our findings below for your review.

Our key findings indicate FMC needs specialized support in updating and modernizing its network and internal controls to address the changing landscape of laws, regulations, and standards that apply to federal government compliance. Specifically, FMC needs to address the following:

1. There is a lack of security controls and policies, including access control policies and procedures, account management, least privilege, and security attributes.

2. The system design is outdated and requires immediate attention to close the gaps between the previous, outdated system security plan (SSP) and current compliance requirements.

3. Security and privacy plans need to be updated to reflect the organizational needs and requirements. This includes:

a. an information security program plan based on compliance and the organization’s needs

b. an updated system inventory/asset list based on the organization’s systems

c. a risk assessment completed after updating the current SSP to reflect the new controls within the network and information systems

4. There is a lack of multifactor authentication (MFA) and a need to identify and authenticate organizational users requiring access to the network and information systems.

We appreciate the time FMC employees spent with us to help us compile this report. If you have any questions, please feel free to consult Pruhart Security Consulting at any time.

Regards,

Sophia Martin, Head Consultant, Pruhart Security Consulting

1 Overview

This document is the security assessment report (SAR) for FMC, prepared as part of the security assessment of FMC's security posture and related entities. It summarizes the results of the comprehensive security test and evaluation of FMC. The assessment and the results documented here support the program goals, efforts, and activities needed to achieve compliance with organizational security requirements.

Title III, Section 3544, of the E-Government Act of 2002, dated December 17, 2002, requires agencies to conduct periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. Appendix III of Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, requires federal agencies to do the following:

· Review the security controls in each system when significant modifications are made to the system, but at least every three years. §3(a)(3)

· Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information. §8(a)(1)(g); §8(a)(9)(a)

· Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time. §8(b)(3)(b)(iv)

· Ensure that a management official authorizes in writing the use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and reauthorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application. §(3)(b)(4)

1.1 Applicable Standards and Guidance

The following standards and guidance are applicable to FMC:

· Security and Privacy Controls for Information Systems and Organizations [NIST SP 800-53, Revision 5] (the assessment procedures themselves are in the companion NIST SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations)

· Guide for Conducting Risk Assessments [NIST SP 800-30, Revision 1]

· Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199]

1.2 Purpose

The purpose of the SAR is to provide the system owner(s), CISO, and security authorization officials with a summary of the security assessment performed during the security review of FMC. The assessment evaluated the system's implementation of, and compliance with, the organization's baseline security controls. As a federally funded healthcare facility, FMC must meet all Federal Information Security Management Act (FISMA) compliance mandates.

The organization requires that its information systems be assessed by internal or independent third-party assessment organizations, which perform the security testing and document the results in the SAR. Security testing for FMC was performed by the head consultant of Pruhart Security Consulting, Dr. Sophia Martin.

2 System Overview 

2.1 System Name

Unique Identifier (UUID)                 Information System Name   Information System Abbreviation
e3dr4fae-10jyn-8510-r781-87y1896e67b7    FMC Phoenix               FMC-HQ

3 Assessment Methodology

The security assessment uses a logical and prescriptive process for determining risk exposure in order to support decision-making, aligned with the risk management framework (RMF) described in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. Revision 1 of the RMF describes six steps (Categorize, Select, Implement, Assess, Authorize, Monitor) that span the system development life cycle; assessing the security controls is Step 4, as illustrated in the figure below. (The current Revision 2 of SP 800-37 adds a Prepare step ahead of these six, which moves Assess to Step 5.)

Figure 3.0.1: Risk Management Framework

This methodology, used to conduct the security assessment for FMC’s systems, is summarized in the following steps:

1. Test the controls documented in the system security plan (SSP) and record the results.

2. Identify vulnerabilities on the platform.

3. Identify threats and determine which threats are associated with the cited vulnerabilities.

4. Analyze risks based on vulnerabilities and associated threats.

5. Recommend corrective actions.

6. Document the results.

3.1 Overall Security Findings

The following findings are based on a risk analysis and a gap analysis between FMC's current systems and what they need in order to comply with the control families of NIST SP 800-53 Rev. 5 and the high-level requirements of PCI DSS.

The current system does not provide the protection required by the Privacy Act. Information stored on FMC systems includes personally identifiable information (PII) such as name, address, social security number (SSN), and other private data. This information must be made available to authorized government agencies so they can verify doctor qualifications, which means the system has to both protect the PII and grant controlled access to it.

3.2 Overall Findings Across All Connected Systems

All connected systems at FMC are aging and in need of review, prioritization, compliance, upgrade, and the development of a maintenance plan. The following control families and/or control enhancements need to be addressed to ensure FMC’s governance and compliance:

1. During the audit process, we determined that the workstations connected to both switches do not have proper antivirus (AV) protection; specifically, some workstations have unlicensed AV solutions, and others do not have an active AV solution.

2. End-point protection is currently inadequate to protect the network and systems.

3. Multifactor authentication (MFA) is not in use on the network.

4. FMC has stated its intent to meet PCI DSS compliance. FMC plans to eventually deploy a point-of-sale (POS) system at its physical location so customers can purchase equipment. This POS requires a secure and maintained network, specifically a firewall (PCI DSS Requirement 1) and the removal of vendor-supplied default passwords and other default settings (PCI DSS Requirement 2). In addition, the POS system lacks an antivirus/anti-malware solution (PCI DSS Requirement 5).

5. Authorized government agencies require secure access to an FMC web portal to review documents and other artifacts to help in the verification process for certified doctors.

6. Doctors use FMC’s services to upload their PII and other artifacts. During our assessment, we determined there currently is no secure process to authenticate doctors on FMC’s network or to protect the PII from unauthorized access.

3.3 Security and Privacy Control Families/Control Enhancements

Pruhart Security Consulting was contracted by FMC to assess the security posture of its current system(s), conduct a risk analysis, and report its findings to FMC stakeholders. A brief gap analysis based on our findings and recommendations for the new system is provided below.

Control Identifier   Control / Control Enhancement    Notes                                                                                                      Rating
AC-6                 Least Privilege                  Least privilege needs to be employed based on duties and systems.
CA-5                 Plans of Action and Milestones   Develop and track planned remediation actions.
CA-7                 Continuous Monitoring            A continuous monitoring strategy is required to support business needs and the new system.
RA-3                 Risk Assessment                  An updated risk assessment that identifies the likelihood and impact of the risks associated with the new system is required.
RA-7                 Risk Response                    A documented rationale for each risk response, whether remediation or acceptance of the risk, is required.
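Steps 4 and 5 of the methodology in Section 3 (analyze risks, recommend corrective actions) and the empty Rating column in the table above come down to the same qualitative exercise: combine the likelihood of a threat exploiting a vulnerability with the impact if it does, arrive at a Low/Moderate/High rating, and then decide whether the risk is remediated (tracked under CA-5) or accepted with a written rationale (RA-7). The following Python script is an added example written for this page and is not part of the Pruhart report. The 3x3 matrix follows the likelihood-by-impact approach of NIST SP 800-30 Rev. 1, but the specific cell values, the likelihood and impact assigned to each of the five controls, and the acceptance threshold are assumptions chosen for illustration only.

```python
"""Qualitative risk analysis for SAR findings (added example, not from the report).

Implements the likelihood x impact approach of NIST SP 800-30 Rev. 1 on a
three-level scale (Low / Moderate / High), the scale used by the SAR's
Section 3.3 table. The matrix cells, the per-control likelihood and impact
values, and the risk-acceptance threshold are ASSUMPTIONS for illustration,
not values stated in the report.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # ordered lowest to highest

# Assumed 3x3 qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


@dataclass(frozen=True)
class Finding:
    control_id: str
    title: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class RiskResponse:
    control_id: str
    rating: str
    response: str  # "remediate" or "accept"


def risk_level(likelihood: str, impact: str) -> str:
    """Return the qualitative risk rating for a likelihood/impact pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def risk_response(finding: Finding, accept_at_or_below: str = "Low") -> RiskResponse:
    """RA-7 style decision: risk above the acceptance threshold must be remediated
    (and tracked in the POA&M under CA-5); risk at or below it may be accepted,
    provided the rationale is documented. The default threshold is an assumption."""
    rating = risk_level(finding.likelihood, finding.impact)
    accept = LEVELS.index(rating) <= LEVELS.index(accept_at_or_below)
    return RiskResponse(finding.control_id, rating, "accept" if accept else "remediate")


def build_poam(findings, accept_at_or_below: str = "Low"):
    """Order findings highest risk first so POA&M milestones address them in that
    order. Python's sort is stable, so ties keep the order they were listed in."""
    responses = [risk_response(f, accept_at_or_below) for f in findings]
    responses.sort(key=lambda r: LEVELS.index(r.rating), reverse=True)
    return responses


# Constructed sample: the five controls from SAR Section 3.3 with ASSUMED
# likelihood/impact values (the report leaves the Rating column blank).
SAMPLE_FINDINGS = [
    Finding("AC-6", "Least Privilege", "High", "High"),
    Finding("CA-5", "Plans of Action and Milestones", "Moderate", "Moderate"),
    Finding("CA-7", "Continuous Monitoring", "High", "Moderate"),
    Finding("RA-3", "Risk Assessment", "Moderate", "High"),
    Finding("RA-7", "Risk Response", "Low", "Moderate"),
]

if __name__ == "__main__":
    for r in build_poam(SAMPLE_FINDINGS):
        print(f"{r.control_id:5} {r.rating:9} -> {r.response}")
```

With the assumed values, AC-6, CA-7, and RA-3 rate High, CA-5 Moderate, and RA-7 Low; only RA-7 falls at or below the acceptance threshold, and even then acceptance still requires the written rationale that the RA-7 row calls for. Changing `accept_at_or_below` to "Moderate" shows how a looser risk appetite changes which findings the POA&M must carry.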

Figure 3.3.1: Network Topology Based on Findings


Throughout your career in cybersecurity management, you will be asked to develop and improve an IT department to support a company’s strategic goals and mission. Assessments of the organization’s cybersecurity posture will need to be conducted to secure the company’s information and systems. The organization’s leadership may decide to hire external consultants to do this assessment. The consultants will review the security policies, standards, procedures, and guidelines that are used to secure the company’s assets. Additionally, they will look at compliance issues, personnel roles and assignments, continuity plans, and overall risk management.
In this task, you will serve as a chief information security officer (CISO) to review a security assessment report provided by an external consulting firm (see the attached "Security Assessment Report for Fielder Medical Center"). You will confirm or reject the findings by evaluating the focus points of the security assessment report and will develop a remediation plan for compliance based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5 and your company’s business needs.

SCENARIO


Fielder Medical Center (FMC) is a federally funded healthcare facility that seeks to expand its business into the local sale of medical equipment. As FMC sought to improve its data management in alignment with digitization goals, it implemented a system to manage the licensing, certificates, and relevant professional documents for the doctors working at FMC. Doctors are required to log in and upload sensitive artifacts that prove they are current in their licensing to practice. These artifacts may contain personally identifiable information about the doctor, including real name, home address, social security number, and other sensitive data.
Aside from the digitization of data for convenient management within FMC, the main purpose of this system is to allow access by the government for the purpose of validating information and securing federal funds on a recurring annual basis.
Concerns about security were discussed at a recent board meeting, and an external security consulting firm was hired to conduct a security assessment of FMC’s systems. This report identifies several potential compliance issues that would require the system security plan (SSP) to be updated, including security controls that are in place or planned for meeting system requirements.
As FMC’s CISO, you are responsible for identifying and developing a cyber strategy to address the risks identified in the attached “Security Assessment Report for Fielder Medical Center” to ensure that FMC’s security posture is brought into alignment with the Federal Information Security Management Act (FISMA) requirements. As the new FMC system includes only doctor information and does not include patient information, compliance focuses on FISMA requirements instead of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements.

REQUIREMENTS


Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.
You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.
Tasks may not be submitted as cloud links, such as links to Google Docs, Google Slides, OneDrive, etc., unless specified in the task requirements. All submissions must be file types that are uploaded and submitted as single attachments (e.g., .doc., .docx, .pdf).

A.  Summarize the gaps that currently exist in the company’s security framework as described in the attached “Security Assessment Report for Fielder Medical Center” (SAR).

B.  For each of the five identified controls within the SAR, do the following:

1.  Identify the associated risk rating as low, moderate, or high and explain the risk.

2.  Justify FMC’s decision to remediate the risk associated with the identified control instead of accepting the risk based on compliance and industry guidelines and support the justification with industry-respected sources.

C.  Discuss how FMC should remediate the risks with each of the five controls identified in Section 3.3 of the SAR. For each risk, include any assets, actions, or changes that will be needed for remediation.

D.  Develop a PCI DSS–compliant policy to address the three concerns identified in Section 3.2.4 of the SAR, including the roles and responsibilities associated for each requirement identified within the SAR to meet PCI DSS compliance.

E.  Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

F.  Demonstrate professional communication in the content and presentation of your submission.

File Restrictions

File name may contain only letters, numbers, spaces, and these symbols: ! - _ . * ' ( )
File size limit: 200 MB
File types allowed: doc, docx, rtf, xls, xlsx, ppt, pptx, odt, pdf, txt, qt, mov, mpg, avi, mp3, wav, mp4, wma, flv, asf, mpeg, wmv, m4v, svg, tif, tiff, jpeg, jpg, gif, png, zip, rar, tar, 7z