7
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual
Assessment Worksheet
Identifying Threats and Vulnerabilities in an IT Infrastructure Course Name and Number: _____________________________________________________ Student Name: ________________________________________________________________ Instructor Name: ______________________________________________________________ Lab Due Date: ________________________________________________________________
Overview
In this lab, you identified known risks, threats, and vulnerabilities, and you organized them. Finally, you mapped these risks to the domain that was impacted from a risk management perspective.
Lab Assessment Questions & Answers
1. Health care organizations must strictly comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules that require organizations to have proper security controls for handling personal information referred to as “protected health information,” or PHI. This includes security controls for the IT infrastructure handling PHI. Which of the listed risks, threats, or vulnerabilities can violate HIPAA privacy and security requirements? List one and justify your answer in one or two sentences.
2. How many threats and vulnerabilities did you find that impacted risk in each of the seven domains of a typical IT infrastructure?
3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
4. What is the risk impact or risk factor (critical, major, and minor) that you would qualitatively assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for the health care and HIPAA compliance scenario?
5. Of the three System/Application Domain risks, threats, and vulnerabilities identified, which one requires a disaster recovery plan and business continuity plan to maintain continued operations during a catastrophic outage?
6. Which domain represents the greatest risk and uncertainty to an organization?
7. Which domain requires stringent access controls and encryption for connectivity to corporate resources from home?
8. Which domain requires annual security awareness training and employee background checks for sensitive positions to help mitigate risks from employee sabotage?
9. Which domains need software vulnerability assessments to mitigate risk from software vulnerabilities?
10. Which domain requires acceptable use policies (AUPs) to minimize unnecessary user-initiated Internet traffic and can be monitored and controlled by Web content filters?
11. In which domain do you implement Web content filters?
12. If you implement a Wireless LAN (WLAN) to support connectivity for laptops in the Workstation Domain, which domain does WLAN fall within?
13. Under the Gramm-Leach-Bliley-Act (GLBA), banks must protect customer privacy. A given bank has just implemented its online banking solution that allows customers to access their accounts and perform transactions via their computers or personal digital assistant (PDA) devices. Online banking servers and their public Internet hosting would fall within which domains of security responsibility?
9
Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com Student Lab Manual
14. True or false: Customers who conduct online banking on their laptops or personal computers must use Hypertext Transfer Protocol Secure (HTTPS), the secure and encrypted version of Hypertext Transfer Protocol (HTTP) browser communications. HTTPS encrypts Web page data inputs and data through the public Internet and decrypts that Web page and data on the user’s PC or device.
15. Explain how a layered security strategy throughout the seven domains of a typical IT infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from the System/Application Domain.
Course Name and Number:
Student Name:
Instructor Name:
Lab Due Date:
Text1: Hackers penetrate into the IT infrastructure and gain access to the internal network. When hackers are in a position to access the internal network of a healthcare organization, the resulting consequences are always devastating. They may access, alter and damage the critical personal health information of the patients.
Text2: User Domain: 3 Workstation Domain: 3 LAN Domain: 3 LAN-to-WAN Domain WAN Domain: 2 Remote Access Domain: 2 System/ Application Domain: 3
Text3: LAN-to-WAN
Text4: Critical- The personal health information of a healthcare organization can be compromised by the Denial of Service attack
Text5: Fire destroys primary data center
Text6: The user domain acts as the greatest risk and uncertainty to an organization
Text7: The Remote Access Domain
Text8: The User Domain
Text9: The System/ Application Domain
Text10: The Workstation Domain
Text11: System/ Application
Text12: LAN Domain
Text13: System/ Application Domain
Text14: True
Text15: There exist a security feature in every domain which overlaps into the next beginning from the lowest to the highest, that is, user to the remote domain. This is essential as it enables mitigating possible exposure to the entire system.