



Instructions
Instructions: This assignment will use NIST Special Publication 800-30 (available at
http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
or in the Course Resources area) as its basis. The selected computing system can be your personal home network (e.g., from the ISP appliance to the connections within your home location), a work-oriented network, or a public network (e.g., public library, commercial venue, free Wifi hotspot). In this assignment, initial creation and population of adversarial and non-adversarial risk assessment tables patterned after Table I-5 and Table I-7 in NIST SP 800-30 will be performed. This assignment is intended to prepare for the Week 8 applied risk assessment assignment, wherein you will use these populated tables to gain insight into the selected system's risks, apply knowledge from this course, apply relevant information security metrics, and discuss the considerations that should go into an actual information security risk assessment discussion -- limited to adversarial and non-adversarial threats. This means that you should fill out those two templates as a minimum as part of your The deliverable for this assignment should be a brief description of your selected information system and Tables I-5 and I-7 created and populated.


LaTanya







Answered Same Day: Dec 23, 2021


Robert answered on Dec 23 2021
123 Votes
SCENARIO
In this scenario we analyse the risk assessment of ABC hospital, which works computerized. This
hospital's wireless network and databases process personally identifiable information, as
well as storing tons of research and development data. The WLAN is composed of the following
four components: a wired network, various wireless access points, wireless bridges, repeaters, and
client devices. There are approximately twenty units within the hospital that have implemented
wireless access points. These wireless access points allow remote users to log into the hospital
network and access patient data as well as fill prescriptions. The access points connect to the
hospital's Ethernet backbone.
A CASE STUDY
ABC Hospital Management System includes registration of patients, storing information details in
the system, and providing computerized billing, lab and pharmacy too. ABC hospital management
The Advanced Hospital Management System can be entered using a username and password. It is
accessible either by an administrator or a receptionist. Only they can add data into the database. The
data can be retrieved easily, as well as stored as research and development data.
ABC hospital, with generally 200-225 employees, has been around for just over a
decade, growing year after year. The current state of their security is in flux, as they begin to
position themselves for further growth. The ad hoc attitude towards security was identified as an
area of weakness early on, and management has decided to begin using risk assessments as a
more organized way to address potential threats.
THE USERS
Approximately 40% of all employees are mobile users, and as such they have been
equipped with company laptops and smart phones. The laptops are all deployed using the same
image, and are all the same model. The users decide what phones they use, and these are synced
with their corporate email. Laptop users use a VPN to access internal network resources on the
road.
The rest of the users utilize virtual machines, and they connect to them using thin client
terminals. The virtual machines are deployed from a single image, and are destroyed and
recreated nightly.
THE INFRASTRUCTURE
ABC hospital has two main datacenters, approximately 100 miles apart. Connecting to
these datacenters are several satellite offices. The satellite locations reference their nearest
datacenter for any non-local resources. A large amount of replication occurs between the two
datacenters, facilitating the existing disaster recovery plan which simply calls for failing critical
machines over to the living datacenter.
The server environment is approximately 70% virtualized. The only physical servers are
local satellite file servers, domain controllers, and virtual hosts. All other servers are virtualized,
which includes services such as email, application databases, and content filtering.
OBJECTIVE:
1. Evaluate the termination plan and procedure to ensure that IT security and archival
concerns have been appropriately addressed.
2. Participate in the development or modification of the organization's IT security programme
plans and requirements.
3. Develop an IT security programme and how to save the information from hackers?
4. Review and approve various IT security plans for appropriateness and effectiveness; set priority
for allocation of resources.
ASSESSMENT
ABC hospital is applying a risk assessment methodology for the first time; ABC hospital has chosen two
options, that is, compare and contrast. Risk assessment is the first process in the risk
management methodology. Normally organizations use a risk assessment policy to identify the
potential threats and risks that are attached to the IT system. The risk assessment report helps to
identify the proper controls for reducing the risk value during the risk assessment process. Risk is a
function that checks the threat sources and finds the impact on the organization. Risk functioning
checks the future aspect: how much the threats could harm the organization and what steps are required to
prevent the threat. The level of impact is how the IT assets and resources are affected. This
full observation is called risk assessment.
OVERVIEW: NIST
The National Bureau of Standards was established by Congress on 3rd March 1901, with a charge to take
custody of the standards of physical measurement in the United States and to solve "problems
which arise in connection with standards". Although minor variations occurred in the name of the
institution, it was known for most of the century as NBS until Congress mandated a major name
change. Along with the name change came new responsibilities in 1988. In this way the bureau completed its first
century as the National Institute of Standards & Technology, or NIST. Published in 2005 by the
National Institute of Standards & Technology (NIST) and the International Electrotechnical
Commission (IEC), this standard introduces the importance of an Information Security
Management System, or an ISMS for short. Such a system, as defined by the standard, is one
that brings information security under one managerial umbrella. The information to be protected
includes digital and physical assets, the latter of which is sometimes overlooked in information
security. Organizations may be formally audited against this standard and receive a certification
displaying proficiency.
This figure shows how the risk assessment works: which important
points are included in it and which steps are required.
• System Characterization
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Likelihood Determination
• Impact Analysis
• Risk Determination
• Control Recommendations
• Results Documentation
Figure One
Based on the NIST standard, we first find the system characterization and then follow all the steps that are
part of Figure 1.
System Characterization
The first step of a NIST compliant risk assessment involves identifying all assets in the
organization. Assets can be classified in five (6) categories, with slight overlap. These categories
are as follows:
• Hardware
• Software
• System Interface
• Data and Information
• People
• System Mission
Figure 2 (hardware identification)
Hardware assets are those that are related to computer parts or any other part that may affect
other assets. ABC hospital has identified a list of hardware, which may be seen in Figure 2. In
this scenario, some virtual machines are identified on the hardware list. These virtual
machines are not counted as part of the software; they are part of the hardware due to some functionality.
• Hardware
• Laptop
• Smart Phones
• Networking
• Equipment
• Terminal
• Domain Controllers
• File Servers
• Web Servers
• SQL Database
• Server
• Application Server
• Email Server
• Storage System
Figure 3 (software identification)
Software assets generally consist of applications running on
servers and end user machines. It is not uncommon for these
software assets to be critical for day-to-day business operations.
The list of identified software assets for ABC hospital may be
seen in Figure 4.
• Payroll System Software
• Patient Information Software
• Hospital Management Software
• Anti virus
• Web Content Filter
• Email Gateway
• Virtualization Software
• Patch Management
• Active Directory
• Profile Management
• VPN
• Mirroring and Replication
Identified Software (Figure 3)
Data and information are either electronic or physical in nature. ABC hospital has chosen to
group their specific information into defined categories based on a combination of sensitivity and
related department.
The identified list of data and information may be seen in Figure 4.
• Information
• Physical Files
• User Profile Data
...