risk management

1:Health care organizations must strictly comply with the Health Insurance Portability and
Accountability Act (HIPAA) Privacy and Security rules that require organizations to have proper
security controls for handling personal information referred to as “protected health information,”
or PHI. This includes security controls for the IT infrastructure handling PHI. Which of the listed
risks, threats, or vulnerabilities can violate HIPAA privacy and security requirements? List one
and justify your answer in one or two sentences.
2. How many threats and vulnerabilities did you find that impacted risk in each of the seven
domains of a typical IT infrastructure?
3. Which domain(s) had the greatest number of risks, threats, and vulnerabilities?
4. What is the risk impact or risk factor (critical, major, and minor) that you would qualitatively
assign to the risks, threats, and vulnerabilities you identified for the LAN-to-WAN Domain for
the health care and HIPAA compliance scenario?
5. Of the three System/Application Domain risks, threats, and vulnerabilities identified, which one
requires a disaster recovery plan and business continuity plan to maintain continued operations
during a catastrophic outage?
6. Which domain represents the greatest risk and uncertainty to an organization?
7. Which domain requires stringent access controls and encryption for connectivity to corporate
resources from home?
8. Which domain requires annual security awareness training and employee background checks for
sensitive positions to help mitigate risks from employee sabotage?
9. Which domains need software vulnerability assessments to mitigate risk from software
vulnerabilities?
10. Which domain requires acceptable use policies (AUPs) to minimize unnecessary user-initiated
Internet traffic and can be monitored and controlled by Web content filters?
11. In which domain do you implement Web content filters?
12. If you implement a Wireless LAN (WLAN) to support connectivity for laptops in the
Workstation Domain, which domain does WLAN fall within?
13. Under the Gramm-Leach-Bliley-Act (GLBA), banks must protect customer privacy. A given
bank has just implemented its online banking solution that allows customers to access their
accounts and perform transactions via their computers or personal digital assistant (PDA) devices.
Online banking servers and their public Internet hosting would fall within which domains of
security responsibility?
14. True or false: Customers who conduct online banking on their laptops or personal computers
must use Hypertext Transfer Protocol Secure (HTTPS), the secure and encrypted version of
Hypertext Transfer Protocol (HTTP) browser communications. HTTPS encrypts Web page data
inputs and data through the public Internet and decrypts that Web page and data on the user’s PC
or device.
15. Explain how a layered security strategy throughout the seven domains of a typical IT
infrastructure can help mitigate risk exposure for loss of privacy data or confidential data from
the System/Application Domain.