Wk4_415
Bandos051814Need help with a question
8 months ago
40
files (2)Wk4_415Assignment.docx
NewTabProjectProfileWk4_415.docx
Wk4_415Assignment.docx
Due 9/1/2024
The health care organization IT staff has notified the CISO that one of the new NewTab iPads® has been misplaced, though it is not known if it was lost or stolen. The NewTab information system does not have a mobile device management capability that could track and wipe the device before the sensitive data on the device can be compromised.
Refer to the NewTab Project Profile as you complete Parts A and B below.
Part A: Create an Incident Response Plan
Create a 4- to 4.5-page incident response plan (IRP) specifically for the NewTab missing iPad incident, based on the 4 major components of incident response. Include the following in the IRP:
· Introduction
· Bulleted list of key stakeholders on the health care organization’s Response Team for the NewTab information system
· Bulleted list of compliance/regulatory requirements with respect to the health care organization and NewTab information system
· Component 1: Discovery, including the following:
· Events that should be logged and monitored with respect to the NewTab information system
· How the lost or stolen iPad® incident was discovered and reported
· Component 2: Escalation, including the following:
· Bulleted list of what triggers an event into an incident with respect to the NewTab information system
· Bulleted list of the severity of impact
· Summary of the steps for escalating the NewTab incident
· Component 3: Response, including the following:
· Summary of the planned response for the NewTab incident, including the following:
· Response to the notification of the NewTab incident
· Notification of applicable members on the Response Team
· Summary of the response
· Component 4: Reporting and Lessons Learned, including the following:
· Summary of who participates in the lessons learned for the NewTab information system incident
Part B: Create a Penetration Testing Agreement
Based on the recent incident with the NewTab information system, the CISO has been tasked with hiring a vendor to conduct independent penetration testing on the NewTab information system.
A penetration test agreement is very important to ensuring that both parties, the penetration tester and the client (your company), understand the purpose and scope of the penetration test.
Create a 2- to 3-page penetration testing agreement for the NewTab information system with the major sections listed below. Include the purpose and examples for each section.
· Scope for testing of the NewTab information system, including the following:
· Compliance/regulatory requirements
· Internal or external testing or both
· Technical testing
· Physical security testing
· Threat identification (i.e., who and what are the threats to the NewTab information system)
· Legal issues that must be considered
· Components to be tested, including the following:
· Gathering publicly available information
· Network scanning
· System/application scanning
· Privilege escalation
NewTabProjectProfileWk4_415.docx
CYB/415 v2
NewTab Project Profile
CYB/415 v2
Page 2 of 2
NewTab Project Profile
Refer to this project profile as you complete the Wk 2 – Security Assessment Plan, the Wk 4 – Incident Response Plan and Penetration Testing Agreement, and the Wk 5 – Strategic Plan assignments.
Scenario
The health care organization is adding a tablet (iPad® 2, iOS 8.0.1) to its personnel reporting information system, called HI-PHI. It will be attached to the health care organization ’s secured network infrastructure.
NewTab provides the health care organization with the capability to view and modify Protected Health Information (PHI) from the master registration database on a mobile device (i.e., iPad®). The PHI is transmitted wirelessly to the iPad® into HI-PHI.
User Community: 25 users (doctors)
Data: HI-PHI includes protected health information (PHI)
NewTab Suite
· iPads®:
· Model: iPad® 2, iOS 8.0.1
· Pre-loaded with standard iOS apps
· Use standard 6-number passcode to access iPad®
· Use VPN client to remotely access health care organization network with user’s network account login
· Within the network, the iPad® automatically connects to health care organization ’s wireless network
· HI-PHI Application:
· Uses single sign-on (from network account) to log into HI-PHI
· Accesses PHI from the PHI database
· PHI Database (protected health information)
Architecture
Security Requirement Control Families
Note: A detailed description of these families can be found in FIPS Publication 200.
1. AC Access Control
2. AT Awareness and Training
3. AU Audit and Accountability
4. CP Contingency Planning
5. IA Identification and Authentication
6. IR Incident Response
7. MP Media Protection
8. PE Physical and Environmental Protection
9. PS Personnel Security
10. SC System and Communications Protection
11. SI System and Information Integrity
List of Vulnerabilities Discovered From a Security Test and Evaluation
Vulnerability #1: Tools for the review of audit records and the reports generated from audit records are not available. Audit records do not include some or all of the mandatory data. The contents of audit trails are not protected against unauthorized access, modification, or deletion.
Vulnerability #2: The authentication required to access the iPads®, once screen-locks are activated, are not unique to each device. Non-unique authentication for screen unlock is utilized throughout system. All iPads® are set to the same screensaver unlock password.
Vulnerability #3: No information security personnel training plan has been developed that identifies initial and refresher training and familiarization requirements for assigned information security roles.
Vulnerability #4: iPads® are not configured to enforce the password stringency required by NIST Policy. The iPads® are not configured to enforce the required password strength, complexity, and aging. The health care organization senior leadership has specified that passwords will have a minimum of 12 characters using at least one upper case character, one lower case character, a number, and a special character. The policy will also enforce mandatory changing of passwords after every 90 days.
Vulnerability #5: The iPads® are not stored and locked in a secured location when employees are not using them. There is no policy for employees to sign out iPads®.
Vulnerability #6: There is no set of Employee Rules of Behaviors for users to sign holding them accountable for their actions.
Vulnerability #7: There is no mobile device management capability.
Financial Plan for Implementation of the Information Security Organization
1. Total Annual Infrastructure Budget: $1.2 million (hardware, software, licenses, spares, etc.)
2. Total Annual Supplies Budget: $0.2 million (user computers, batteries, etc.)
3. Total Annual Personnel Budget: TBD (will be determined in Week 5 financial plan)
4. Total Training Budget: TBD (will be determined in Week 5 financial plan)
The Total Annual Operating Budget will be the sum of the 4 areas above.
The Infrastructure Budget includes SOC equipment which is to include SIEM servers and software (e.g., vulnerability scanners, log correlation, event monitoring).
Information Security Personnel Resources
|
Position |
Level |
Certification |
Salary and Benefits Cost Per Year Note: This is not the individual salary per year; this includes the complete cost to the company, factoring in vacation, health insurance, 401K, etc. |
Training Costs Per Year |
|
CISO |
Senior |
CISSP, CCISO |
$300,000 |
$15,000 |
|
Senior Information Security Manager |
Senior |
CISSP, CISM |
$250,000 |
$15,000 |
|
Senior Security Architect |
Senior |
CISSP, CISM |
$200,000 |
$5,000 |
|
Security Architect |
Mid-Level |
CISSP, Sec+, SSCP |
$150,000 |
$5,000 |
|
Senior Security Engineer |
Senior |
CISSP, CISM |
$200,000 |
$5,000 |
|
Security Engineer |
Mid-Level |
CISSP, Sec+, SSCP |
$150,000 |
$5,000 |
|
Senior Security Risk Analyst |
Senior |
CISSP, CISM |
$200,000 |
$2,000 |
|
Security Risk Analyst |
Mid-Level |
CISSP, Sec+, SSCP |
$150,000 |
$2,000 |
|
Junior Security Risk Analyst |
Entry Level |
Sec+, SSCP |
$100,000 |
$2,000 |
|
Security Incident Responder |
Mid-Level |
CISSP, Sec+, SSCP |
$125,000 |
$2,000 |
