Assessment on "Risk Assessment Report"

Assessment 9 pages (2612 words) Sources: 12


Risk Assessment Report of the Center for Disease Control (CDC)

Risk Assessment Report

This Risk Assessment Report was prepared for the staff of the IT department of the Centers for Disease Control and Prevention (CDC), located in Atlanta, GA. The specific CDC department being targeted is the Office of Surveillance, Epidemiology, and Laboratory Services (OSELS). Because of the major role the CDC plays in regulating and advising United States citizens on matters of health, it became necessary for OSELS to undergo a thorough risk assessment, as it is considered best practice for the organization to provide the most up-to-date health information to U.S. citizens as well as the whole world. The risk assessment was tailored to target the Public Health Informatics and Technology Program Office. Our role is to carry out a risk assessment of their Information Assurance (IA) infrastructure for the sole purpose of producing a certification and accreditation (C&A) of their Information Technology (IT) system as outlined by the DHHS Information Security Program Policy. The risk assessment report is to be prepared in conjunction with the System Security Plan, which is intended to be used to assess the level of utilization of CDC resources as well as the control of their usage, so as to eliminate and manage the various system vulnerabilities that can pose both internal and external threats to the CDC. After the C&A procedure is executed successfully, what follows is an authorization to operate the Public Health Informatics and Technology Program without fear of unwanted eventualities.

It is worth noting that the scope of the risk assessment is limited to the applicable security controls used in the Public Health Informatics and Technology Program's Information Technology (IT) department, and is tailored to conform to the steps prescribed in the DHHS Information Technology Security Program: Baseline Security Requirements Guide. The guide provides a baseline for arriving at the most appropriate combination of requirements to use in designing the security controls deployed to protect the Information Technology infrastructure at the CDC. The CDC uses this infrastructure to handle its key operations with regard to the management of facilities, employees, communication channels and other contingencies.

The Public Health Informatics and Technology Program risk assessment was carried out in line with the methodology prescribed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. This methodology is basically quantitative in nature, which means that there was no need to work through calculations of the costs of running the organization at present or in the future. Such costs would normally consist of elements such as the annual expected losses and projections of the cost of the organization's assets, among others.

It is worthwhile to point out that the risk assessment of the Public Health Informatics and Technology Program's Information Assurance (IA) system revealed various vulnerabilities that affected the following three major areas of the CDC:

- Management

- Operational Security

- Technical Security

Vulnerability can be defined as "a set of conditions that leads or may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an Information System" (Chambers and Thomson, 2004).

The vulnerabilities identified in the system can, however, be mitigated by following the recommendations provided in this paper. The recommendations are presented in the form of safeguards. These safeguards are the controls, administrative, technical, managerial or even legal in nature, that are put in place to manage the various risks associated with the vulnerabilities (Praxiom, 2010). The vulnerabilities are to be mitigated to levels that are manageable.

Before embarking on the mitigation process, it is fundamental to classify the vulnerabilities into three main levels. These are:

- High

- Moderate

- Low

These ratings were in line with the standard referred to as Federal Information Processing Standards 199.

Summary of the system on which vulnerability assessment was conducted

The system on which the risk assessment was carried out is the Information Technology system whose Information Assurance (IA) vulnerability rating was carried out. The exact CDC program targeted by our vulnerability assessment is the Public Health Informatics and Technology Program, which is mandated to carry out the following key functions:

- The development and maintenance of various IT applications that are meant to meet the various demands and requirements of the CDC

- The creation and maintenance of a national surveillance standard as well as functions for messaging

- The hosting of various research warehouses for research on various Public Health Sciences

- The provision of various informatics to both the CDC and its relevant external partners

- The specification of the various requirements that are to be used by the external workforces on informatics development at state, federal and local levels

Introduction

Purpose

The purpose of the risk assessment is to evaluate the Information Assurance (IA) rating of the CDC's Information System (IS) infrastructure that supports its Public Health Informatics and Technology Program. The assessment provides a well-structured yet quantitative approach to gauging the organization's IT environment. The main concerns that it addresses are the levels of sensitivity, vulnerability, threats and risks, and their corresponding safeguards.

Scope

The scope of the risk assessment was based on a thorough assessment of all the resources in the IS system, as well as the controls, in order to come up with a viable means of mitigating the vulnerabilities. If left unmitigated, these vulnerabilities would result in both internal and external exploits against the Centers for Disease Control and Prevention (CDC)'s Information System (IS). The consequences of unmitigated vulnerabilities in this case would be:

- Disclosure of highly sensitive data to unauthorized persons

- The modification of the system itself as well as the data contained within it

- Denial-of-service attacks on various functions, such as data access for persons with authorized system login credentials

Since the risk assessment report is to evaluate the Information Assurance (IA) at the CDC, it will focus on a thorough evaluation of its basic tenets, which are:

- Evaluation of confidentiality, which implies evaluation of the mechanisms involved in protecting the IT infrastructure from unauthorized access to parts of the system as well as the data contained within it.

- Evaluation of integrity, which involves evaluating the extent to which the IT infrastructure is protected from inappropriate modification of the information that resides in it.

- Evaluation of availability, which involves the evaluation of the level of loss of access to the IT infrastructure/system.

After the above three basic tenets of Information Assurance (IA) are evaluated, appropriate mitigation is taken in order to avert the causes. All the actions taken are contained in this Risk Assessment Report, together with recommendations to the management that would help in safeguarding the CDC from both internal and external system attacks.

Approach adopted for the Risk Assessment

The methodology adopted for the execution of the Risk Assessment Report is outlined in SP 800-30, Risk Management Guide for Information Technology Systems (NIST, 2004). The guide contains the steps for assessing and evaluating the various security parameters that are aimed at improving the confidentiality, integrity and availability of Information Technology (IT) systems.

The result of the assessment is the recommendation of various security safeguards that allow the management to initiate and successfully realize a knowledge-based solution to the IT security related issues. This methodology is tailored to establish the following countermeasures/controls:

- Management controls, which involve the management of the security of the CDC's Information Technology (IT) infrastructure as well as a thorough definition of the risk acceptance levels and incidents.

- Operational controls, which involve the inclusion of certain security techniques that are tailored to be implemented and executed by the key personnel and management. This includes aspects of securing the personnel and other key strategic organizational resources such as inventory and media.

- Technical controls, which entail the provision of both hardware and software countermeasures/controls that are automated to protect the various system components.

System Characterization

In this part of the risk assessment work plan, we analyze the various IT system boundaries as well as the resources that constitute the system. Other elements that are necessary in the description of the system are also noted. All the system dependencies are also clarified (Madden, 2007).

System Stewards and the corresponding Designated Approving Authority (DAA)

The CDC's Public Health Informatics and Technology Program relies heavily on the Acquisition Management Automation System (AMAS). The system must be secure at all times since it is important to the basic operation of the above-mentioned program. The system must therefore be appropriately updated and maintained by the appointed System Stewards. The System Stewards are derived from the Management Information Systems Branch (MISB)…

Quoted Instructions for "Risk Assessment Report" Assignment:

Risk Assessment Report of the Center for Disease Control (CDC):

- CDC name and location

- CDC management or basic organization structure

- CDC industry and purpose (i.e., the nature of its business)

- CDC profile (financial information, standing in its industry, reputation)

- Identification of relevant aspect of the CDC computing and network infrastructure, as determined by publicly available information.

Nine-step risk assessment process described in the NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems":

- System characterization

- Threat Identification

- Vulnerability identification

- Control analysis

- Likelihood determination

- Impact analysis

- Risk determination

- Control recommendation

- Results documentation

In-line citations (10) and a list of references

Besides above, include in the Risk Assessment Report:

- Clear statement of scope to be analyzed and appropriate coverage of that scope.

- Technical content.

- Recommendations for risk mitigation or other conclusions supported by research and analysis

- Clarity, organization (including the use of tables or listings).

How to Reference "Risk Assessment Report" Assessment in a Bibliography

“Risk Assessment Report.” A1-TermPaper.com, 2010, https://www.a1-termpaper.com/topics/essay/risk-assessment-report/1281346. Accessed 3 Jul 2024.
