
Risk Management Plan

Project Part 1: Risk Management Plan Outline and Research

Yogesh Jagarlamudi
Executive MSIT
University of the Cumberlands
Summer 2021 – Info Security & Risk Mgmt (ISOL-533-A03)
Date: 05/09/2021

Contents
Introduction
Outline of the plan
First step; identifying the risks.
Second step; evaluating the risks.
Third step; Ranking of the risks.
Fourth step; Mitigating/reducing the risks
Fifth step; Monitoring and updating
The scope and boundaries
Compliance Laws and regulations
Roles and responsibilities
Report.
References

Introduction
According to the assignment given, Health Network Inc. is an organization that has been identified as facing various risks and threats. Therefore, I have been assigned as an IT intern to develop a new risk management plan for the organization. A risk management plan is vital for the functions and the holistic performance of an organization. It is developed to identify any potential risks and to mitigate them. Risks are harmful to the operations of an organization, as they can even lead to its collapse if not taken care of. Therefore, this paper will discuss the risk management plan for Health Network Inc.
The risk management process covers different steps that are very important to ensuring that a problem has been taken care of and is unlikely to arise again. This entails identifying the risks, assigning mitigation actions, and evaluating the identified risks and the mitigation actions for each of them. According to the FISMA publication, a risk assessment and management plan is all about discovering the risks and threats and then preventing the threats from happening again. IT is a very important feature of the operations of the organization. If it is not taken care of, the company will be in a hard position to achieve its main goals and aims.

Outline of the plan
An outline of the risk management plan details all the steps, from discovering the risks up to monitoring and updating the initial risk plan into a more developed risk management plan that will address the new problems that have been identified. This is an outline for the Health Network Inc. organization.

First step; identifying the risks.
Health Network Inc. has been diagnosed with different risks and threats. The identified risks in the organization are as follows: 1. loss of data due to hardware devices being removed; 2. loss of data when devices are stolen; 3. loss of customers due to production outages; 4. internal threats in the organization; and finally, changes in the regulatory landscape.

Second step; evaluating the risks.
Evaluation is all about describing the risks that have already been identified and analyzing the consequences related to them. I have outlined the risks at Health Network Inc. in the first step. Therefore, I will discuss the impacts related to the identified risks.
1. Loss of data due to hardware devices being removed
Since the operation of the company is based on three different data centers, it may be challenging for the IT management to always check the operations of each data center. Therefore, some people will remove the hardware devices of the organization. This results in data loss. Since the devices contain the information of the patients and doctors and all the payment details, this information may be lost. It is important to have all the operational details of any organization.
2. Loss of data when devices are stolen
Theft of devices adds to the data lost through the removal of hardware devices, and the severity of these two risks will be strongly felt. When devices are stolen, all the information of the organization is in the wrong hands. This may even result in a bad reputation for the organization and huge losses of money.
3. Loss of customers due to production outages
Production outages may result from change management, natural disasters, and even unstable software and hardware. In our case, the health organization operates online. Therefore, the main challenges are faced in the data centers. The instability has led to loss of customers. This is likely to happen due to problems such as the loss of important patient and payment information. The impacts of this risk are likely to affect the revenue and the reputation of the organization.
4. Internal threats in the organization
The organization operates in three different locations and data centers. Therefore, confidential data and information must be shared via the internet. The internet is prone to harmful viruses, hackers, and data breaches that may affect the shared information. The threats within the organization's data network are likely to lead to the organization losing huge sums of money and its most confidential information falling into the wrong hands.
5. The insider threats
An insider is any person working within the organization who has permission to access all the resources of the organization. These are very severe cases, as employees, management officers, or any other person working in the organization may decide to attack the organization. This may be done intentionally or unintentionally. These people are capable of leaking the most sensitive and confidential information to dangerous people outside the organization.
6. Changes in the regulatory landscape
Laws and regulations affecting the organization are likely to change. These may be changes in the management leadership or even the payment methods and amounts.

Third step; Ranking of the risks.
After the risks have been identified and the effects of the risks have been outlined, it is easier to rank the risks depending on the probability of each risk happening again. In this case, the risks are likely to be ranked as follows. The following table demonstrates the rank based on probability and magnitude.

| Position | Threats/risks | Probability | Magnitude |
|---|---|---|---|
| 6 | Internet threats | Once in every six months | High |
| 5 | Customer loss as a result of production outage | Once in between two years | Very high |
| 4 | Loss of data and information as a result of stolen devices | Once a year | Medium |
| 3 | Threats from inside | Once for two years | Medium |
| 2 | Removal of hardware leading to loss of data | Once every three years | Low |
| 1 | Changes happening in the regulatory landscape | Once every two years | Low |

Fourth step; Mitigating/reducing the risks
a. Data should be backed up every time hardware devices have to be removed, to avoid loss of data when hardware is removed.
b. Ensure data is backed up daily. Then encrypt and protect all the devices that are likely to be stolen. This prevents loss of data when devices are stolen and at the same time protects the data inside.
c. To prevent loss of customers due to production outages, there needs to be a disaster management plan. This is to take care of risks that may affect the well-being of the customers.
d. To address the internet threats, ensure all data to be transferred is encrypted and that all gaps that may exist within the internet connection are fixed.
e. To prevent insider threats, enforce strict measures which the people within the organization need to follow. This will be achieved through authentication and user authorization features.
f. To cater for the regulatory landscape, all tasks should be divided into short phases that will help in adapting to the changes.

Fifth step; Monitoring and updating
Risks are bound to occur within the organization. The important thing to do is to record the risks and the steps that have been undertaken to curb or prevent them.

The scope and boundaries
The organization, Health Network Inc., is made up of several components. These are HNetConnect and HNet Pay, among others. HNetConnect is an online directory that allows users to access the health services as well as the locations where they can get the services, as it is based in three different locations. HNet Pay is a payment platform where the patients make their payments.

Compliance Laws and regulations
The organization is subject to security regulations, as all organizations are. These regulations are meant to ensure that organizations are safe. The organization has to comply with different regulations in order to provide its services. These include HIPAA, the Work Health and Safety Act, the obligation to observe privacy, the State Records Act, and FISMA, among other regulations.

Roles and responsibilities
The different personnel in the organization need to be assigned different roles and responsibilities. This will greatly help in reducing the risks likely to occur in the organization. These roles are assigned to management as follows. The risk manager will monitor the organization and assess the potential risks. IT managers are assigned the role of maintaining the risks and promoting the operations of the IT devices. The IT administrator is supposed to make sure that all the steps outlined are done. He/she will also check through the listed threats and give recommendations on how to mitigate them.
Schedule of the process.
Assessing and managing the risks requires a series of events. The following is a schedule of the process that will be used in managing the risks. In the first week, discussions with the leaders of the different departments will be undertaken to distinguish the risks. In the second week, the risks will be evaluated and prioritized depending on their severity. In the third week, preparations to implement the risk management plan will be made. This will be conducted based on the cost and the best yields of the solutions to be implemented.

Report.
A report is a tool containing all the information on how to manage and reduce the risks that have been identified. The risks may be identified either before or during the assessment and management project. A report contains all the information regarding the steps undertaken during the process. In this case, our report will contain the identified risks and the solution to each.

References
FISMA publication (n.d.). NIST Risk Management Framework Overview. Retrieved from https://www.nist.gov/system/files/documents/2018/03/28/vickie_nist_risk_management_framework_overview-hpc.pdf
NIST Special Publication 800-30 (2012). Guide for Conducting Risk Assessments. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
