Risk Assessment for a Fictional Enterprise: Computer Science Essay

1. Introduction

A risk assessment plan is necessary for this fictional organization because it relies on computerized information systems to manage patient data and to process those records in support of its objectives. The risk management plan plays a critical role in safeguarding the organization's information assets. This risk assessment evaluates risk in the technical, operational and management areas of the EMR (electronic medical record) system. The report provides a detailed account of the potential risks that could damage EMR data in the distributed environment, a detailed review of the current controls, and recommended alternatives and methodologies.

2. System Characterization

· Hardware

o Machines, routers, LAN cords, switch.

· Software

o Microsoft Exchange Server is an e-mail-based communication server for businesses, used for e-mail, calendaring, contacts, central file storage and creating meeting requests.

o Microsoft SQL Server holds the patient data; applications retrieve it with queries based on their requirements.

o The Domain Controller's job is to hold the collection of user accounts that are grouped together so that they can be centrally managed.

o Citrix Server, which delivers server and desktop virtualization, networking and cloud computing technologies.

o Web Server running IIS to present the main application as web pages.

· System Interface

o The servers are connected to the LAN using routers and switches.

o The servers are connected to the internet through a single firewall, via a single connection to a single Internet Service Provider (ISP).

o The servers connect to a WAN over this internet connection using a VPN; the nodes on this WAN (clinics around the state) each have a single connection to an ISP in their local area.

o Physically, all the servers are in an unlocked room that has no fire suppression equipment apart from the normal building sprinkler system; there are two sprinkler heads in the server room.

o The servers are connected to a trunk electrical line that is not part of the medical center's emergency power system, and there is no line conditioning.

o For temperature control, the server room relies on the existing building HVAC system, with heat exchangers located on the roof of the building. One air-conditioning vent and one room thermostat serve the server room.

· Data and information

o The patient data is stored in the Microsoft SQL server.

· Folks who support and use the IT system

o All hospital employees, doctors, patients and guests use the system to obtain information.

· System and data criticality

o This EMR is needed on a 24-hour basis: this is a cardiology specialty, the system is used in clinic rooms, and, critically, it is used by emergency physicians in the local trauma center to treat patients suffering from life-threatening heart conditions. This requires the WAN link to be available 24 hours a day.

3. Threat Identification

· The common threat sources that can affect any IT system are natural threats, human threats and environmental threats.

· Natural threats such as floods, earthquakes, tornadoes, landslides, avalanches, electrical storms and similar events are unpredictable, and the damage they cause is complete loss of the equipment and the data. The only things that help after being hit by such an event are a disaster recovery plan and backups. The current environment has neither, so these threats are a high risk should they occur.

· Human threats include unintentional acts, such as deleting directories or accessing data incorrectly, which damage the system, and intentional acts, such as network-based attacks, malicious software uploads, unauthorized access to confidential information and SQL injection, which cause loss of data and misuse of patient data by attackers.

· Environmental threats such as long-term power failure, pollution, chemicals and liquid leakage cause serious damage to the servers and the data, especially because the servers are connected to a trunk electrical line that is not part of the medical center's emergency power system and there is no line conditioning.

4. Vulnerability Identification

· Potential vulnerabilities

o The accounts of former employees who no longer work for the agency must be removed and their access to the servers denied; if this does not happen, those users could obtain sensitive information or make changes and cause severe damage to the systems.

o The Citrix Presentation Server Client for Windows includes support for making ICA connections through proxy servers. An implementation flaw in this functionality may allow an attacker to execute arbitrary code in the context of the client process.

o This vulnerability could potentially be exploited by any malicious web site visited by the user, and is likely to be exploitable in most client deployments.

o The Exchange vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server when a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing runs under the Local Service account, which has minimum privileges on the local computer and presents anonymous credentials on the network.

o If there is a false alarm, a fire, or carelessness on someone's part, the sprinkler system will be activated in the room and the water will damage the servers.

o The Domain Controller has two vulnerabilities: null session / password NetBIOS access and NetBIOS remote user list disclosure.

o The web server running IIS is vulnerable to remote code execution and SQL injection.

o Microsoft SQL Server allows remote code execution and elevation of privilege, and the data in it is stored unencrypted, so the private data can be read by anyone who reaches the server.

o Three vulnerabilities reported in Microsoft Internet Information Services (IIS) could lead to denial of service, elevation of privilege and remote code execution.
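To make the SQL injection exposure noted for the IIS web server and the SQL Server database concrete, the following is an added example (not part of the original essay): a patient lookup written two ways against a throwaway in-memory SQLite database standing in for the hospital's Microsoft SQL Server. The table, its rows and the medical record number (MRN) field are constructed for illustration.

```python
# Added example: SQL injection in a patient lookup, shown against an in-memory
# SQLite database standing in for the hospital's Microsoft SQL Server.
# The schema, rows and MRN field are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway patient table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("1001", "A. Example", "atrial fibrillation"),
            ("1002", "B. Example", "hypertension"),
            ("1003", "C. Example", "post-MI follow-up"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> list:
    """The weak form: the caller's input is spliced into the SQL text, so
    quote characters in it change the query rather than the value."""
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, mrn: str) -> list:
    """The corrected form: the value is bound to a placeholder and sent to the
    engine separately from the statement, so it can only ever be compared."""
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def demo() -> tuple:
    """Run the classic tautology payload through both lookups and return
    (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    payload = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)    # WHERE mrn = '' OR '1'='1'  -> every row
    safe = lookup_parameterized(conn, payload)   # value compared literally    -> no rows
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The sqlite3 module's execute() refuses more than one statement per call, so the demonstration only shows the read-everything case. SQL Server executes T-SQL batches, so with the same string concatenation an attacker can also append further statements after a closing quote; the exposure on the real platform is therefore wider than the example shows, and the fix is the same: bind every value as a parameter.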

5. Control Analysis

· All former employees' access must be removed; they should not have any access to the servers.

· Guest users should not be given full rights to access the data, and as soon as their work is done their accounts must be removed.

· All data transmitted from the hospital to the outside must be encrypted.

· The vulnerability has been resolved in Citrix Presentation Server Client for Windows version 10.0 and later; it is strongly recommended that the Citrix Presentation Server Client for Windows be upgraded to version 10.0 or later.

· The Exchange security update is rated Critical for all supported editions of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010.

· The security controls to be adopted should be documented in a format that meets the organization's security policies and procedures.

· There must be a team working on the implementation of disaster recovery and on the steps that need to be taken to recover from damage.

· Documentation of the security controls used for the IT systems; these controls should meet the requirements of the policy and standards.
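The first two controls above (removing former employees' access and closing guest accounts once their work is done) are only effective if someone checks them regularly. The following is an added example, not part of the original essay, of a reconciliation check that compares an HR roster against a directory export and lists the accounts that should be disabled. The roster, the directory records and their field names are constructed sample data and assumptions; in the real environment the roster would come from the HR system and the account list from the Domain Controller.

```python
# Added example: reconcile a directory export against the HR roster to find
# accounts that the controls above say should no longer exist.
# All data and field names below are constructed for illustration.
from datetime import date

REVIEW_DATE = date(2024, 6, 1)  # the day the review is run (assumed)

# Constructed HR roster: employment status as of the review date.
HR_ROSTER = {
    "jdoe":   {"status": "active"},
    "asmith": {"status": "terminated", "end_date": date(2024, 3, 15)},
    "bkhan":  {"status": "terminated", "end_date": date(2024, 5, 1)},
}

# Constructed directory export: one record per account, as a Domain
# Controller export might be flattened for review.
DIRECTORY = [
    {"sam": "jdoe",      "enabled": True,  "type": "employee", "groups": ["Clinicians"]},
    {"sam": "asmith",    "enabled": True,  "type": "employee", "groups": ["Clinicians", "Domain Admins"]},
    {"sam": "bkhan",     "enabled": False, "type": "employee", "groups": ["Clinicians"]},
    {"sam": "vendor01",  "enabled": True,  "type": "guest", "expires": date(2024, 2, 1),   "groups": ["Domain Admins"]},
    {"sam": "auditor02", "enabled": True,  "type": "guest", "expires": date(2024, 12, 31), "groups": ["Read-Only"]},
    {"sam": "contract3", "enabled": True,  "type": "guest", "expires": None,               "groups": []},
]

# Groups that a guest should never hold (assumed list of privileged groups).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def review_accounts(directory, roster, today):
    """Return (account, reason) pairs for every enabled account that violates
    the access controls: terminated or unknown employees still enabled,
    guests past their expiry or with no expiry, and guests in privileged groups."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        name = acct["sam"]
        if acct["type"] == "employee":
            rec = roster.get(name)
            if rec is None:
                findings.append((name, "no HR record"))
            elif rec["status"] == "terminated":
                findings.append((name, f"terminated {rec['end_date'].isoformat()} but still enabled"))
        elif acct["type"] == "guest":
            exp = acct.get("expires")
            if exp is None:
                findings.append((name, "guest account with no expiry"))
            elif exp < today:
                findings.append((name, f"guest account expired {exp.isoformat()}"))
            if PRIVILEGED & set(acct["groups"]):
                findings.append((name, "guest in privileged group"))
    return findings


def run_review():
    """Run the check over the constructed data."""
    return review_accounts(DIRECTORY, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for account, reason in run_review():
        print(f"{account}: {reason}")
```

Each finding maps directly to an action the control analysis already calls for (disable or delete the account, or strip the group membership); running the check on a schedule turns the two bullet points above into something that can be evidenced in the control documentation.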

Vulnerabilities and likelihood table

Vulnerability                                   Likelihood Rating
Untrained personnel or terminated employees     Medium
Hackers and third-party access                  High
Fire                                            High
Long-term power loss                            High
