INTE2584 Introduction to Cybersecurity Governance
Assessment 1: Cyber security Risk Assessment and Control
Due date: Sunday, Week 6, 11:59pm (Melbourne Time)
Weighting: 25%
Word limit: 1500 words (+/-10%)
Assessment type: Report
Group or individual assessment: Individual
Overview
In this assignment, you will take on the critical role of a cybersecurity consultant tasked with advising the board of directors of a leading healthcare organization. Your mission is to conduct a comprehensive assessment of their cybersecurity risk landscape and develop a robust mitigation plan rooted in industry standards and best practices.
To begin, you will select a specific sector within the healthcare industry, such as hospitals, clinics, or pharmaceutical companies, and delve into a recent, high-profile cyberattack that occurred within that sector. Through meticulous analysis, you will identify the assets affected, the threat actors involved, the vulnerabilities exploited, and the tactics, techniques, and procedures (TTPs) employed by the attackers. This comprehensive understanding will provide invaluable insights into the potential risks faced by your client.
Next, you will conduct a thorough risk assessment for Metropolitan Integrated Health Systems (MIHS), drawing on insights from your industry research and the MIHS case study. Your task is to identify critical assets within MIHS, potential vulnerabilities, and at least five distinct cyber risks they could encounter. For each risk, you will evaluate its likelihood and impact using risk matrices, aligning your assessment with the ISO 27005 framework. Additionally, you will assess the broader consequences of these risks, encompassing business operations, brand reputation, customer loyalty, regulatory compliance, and staff morale. To clarify the specific cybersecurity objectives under threat, you will map each risk to the CIA Triad: Confidentiality, Integrity, and Availability.
Based on your assessment, you will develop a tailored mitigation strategy that directly addresses the severity and potential impact of each identified risk. This strategy should encompass technical, operational, and governance controls, supported by thorough cost-benefit analyses to justify investments. To ensure alignment with industry best practices, you will structure your strategy according to the NIST Cybersecurity Framework (CSF) functions (Govern, Identify, Protect, Detect, Respond, Recover) and relevant categories/subcategories.
Furthermore, you will leverage the lessons learned from the real-world attack case study to emphasize the relevance and effectiveness of your proposed measures. In addition, you will suggest specific actions MIHS could have taken to prevent or minimize the impact of the attack, incorporating security design principles such as least privilege, defence in depth, secure defaults, and fail-safe mechanisms.
Remember, the core cybersecurity objectives are confidentiality (protecting sensitive data), integrity (ensuring data accuracy and reliability), and availability (guaranteeing access to critical systems and data). Your proposed mitigation strategies should not only align with these objectives but also adhere to critical design principles to strengthen the healthcare organization's overall security posture.
Case: Metropolitan Integrated Health Systems (MIHS)
Metropolitan Integrated Health Systems (MIHS), a major healthcare provider in a bustling urban area, was renowned for its state-of-the-art facilities and comprehensive medical services. The morning of June 15, 2023, brought an unforeseen crisis that would shake the institution to its core.
MIHS operated a complex IT network, spanning multiple buildings and encompassing various departments, including the main hospital, an outpatient clinic, a research facility, and a dedicated data center. This network supported a wide array of critical systems and applications essential for patient care, administrative functions, and research activities.
Despite its technological advancements, MIHS faced significant challenges in maintaining a robust cybersecurity posture. The IT infrastructure was a heterogeneous mix of legacy and modern systems, with some departments having recently upgraded their technology while others continued to rely on outdated software and hardware. This mix created potential vulnerabilities that could be exploited by malicious actors.
The main hospital housed emergency services, operating rooms, and inpatient care units. It relied on an Electronic Health Record (EHR) system that was partially upgraded, with some departments still using legacy modules due to budget constraints. The outpatient clinic managed its own scheduling and billing systems, which were not fully integrated with the main hospital’s IT infrastructure. This siloed setup caused data synchronization issues and created additional attack vectors. The research facility conducted sensitive clinical trials and stored valuable intellectual property. It utilized cutting-edge technology but also maintained older systems for long-term data storage, creating a patchwork of security levels. The data center was the hub of MIHS’s IT operations, housing critical servers and databases. While equipped with advanced security measures, it was not immune to vulnerabilities due to the legacy systems connected to it.
MIHS had implemented a Bring Your Own Device (BYOD) policy, allowing staff to access the network using personal devices. This policy aimed to enhance flexibility and convenience but introduced additional security risks due to the potential for unpatched vulnerabilities and insecure configurations on personal devices. Furthermore, the hospital's cybersecurity awareness and training programs had not reached all staff members, leaving a significant portion of the workforce unaware of potential threats and best practices for data protection. This lack of awareness created a human element vulnerability that could be leveraged by attackers.
On the morning of June 15, 2023, the IT department was inundated with alerts indicating a major security incident. Critical systems began to malfunction, and it soon became clear that MIHS was under a full-scale cyberattack. The attackers had successfully infiltrated the hospital's network, exploiting vulnerabilities in both the upgraded and legacy systems. They deployed sophisticated ransomware, encrypting sensitive data across the network and holding it hostage for ransom.
The attack had immediate and severe repercussions. The emergency department was forced to close due to the inability to access patient records, disrupting critical care and forcing ambulances to be rerouted to other facilities. Elective surgeries were postponed, leaving patients in a state of uncertainty and distress. The outpatient clinic faced chaos as appointment schedules became inaccessible, causing confusion and delays.
Beyond the operational disruptions, the attackers claimed to have stolen confidential patient data, including medical histories, financial information, and personally identifiable information (PII). They threatened to expose or sell this data on the dark web, causing widespread panic among patients and eroding their trust in MIHS.
MIHS faced a multi-million dollar financial burden, encompassing the ransom demand, system restoration costs, legal fees, and potential regulatory fines. The hospital's reputation was severely damaged, with patients questioning the security of their health information and seeking care elsewhere. The incident served as a stark reminder of the vulnerabilities inherent in modern healthcare systems and the devastating consequences of a successful cyberattack.
Purpose
This assessment is designed to showcase your ability to evaluate and manage complex cybersecurity risks within the healthcare industry, demonstrating your proficiency in strategic risk identification, assessment, and mitigation. Through this assignment, you will use ISO 27005 to conduct a thorough risk assessment and the NIST CSF to develop a tailored mitigation strategy for Metropolitan Integrated Health Systems (MIHS). Your expertise in analysing real-world cyberattacks, understanding the multifaceted impacts of such incidents, and applying structured methodologies to assess and prioritise risks will be critical. This task will enhance your strategic thinking and decision-making skills, essential for effective cybersecurity management in a professional setting. Furthermore, this assignment aims to refine your professional communication abilities, equipping you with the skills to clearly and coherently present complex cybersecurity information and recommendations to a non-technical audience, such as a board of directors.
This will prepare you to adeptly handle diverse cybersecurity challenges and governance tasks encountered in various business environments.
What do you need to deliver?
- 1 x report
Course learning outcomes
This assessment is linked to the following course learning outcomes:
CLO 1: Critically appraise cybersecurity governance frameworks, standards and practices and be able to evaluate their usage in business contexts.
CLO 2: Critically analyse and develop strategies, policies, and organisational structure to protect business and information assets.
Target audience
The target audience for this report is the board of directors for the selected organisation, therefore this should be explained using formal business language that can be understood by people with minimal technical knowledge. Technical terms should also be explained.
Recommended length and structure
Your report will be approximately 1500 words long (+/-10%), excluding figures and references. It should include the following sections:
1. Introduction (150 words)
- Introduce the assignment context and objectives.
- Briefly outline the purpose and importance of the cybersecurity assessment.
2. Industry and Case Study Analysis (350 words)
- Select a specific sector within the healthcare industry.
- Describe a recent high-profile cyberattack within that sector.
- Analyse the assets affected, threat actors involved, vulnerabilities exploited, and TTPs employed.
- Assess the impacts of the attack, including financial, operational, reputational, and legal consequences.
3. Risk Identification and Analysis (700 words)
- Use the ISO 27005 framework for risk identification: identify critical assets, threat actors/vectors and potential vulnerabilities.
- Use the ISO 27005 framework to conduct a thorough risk assessment, evaluating each risk's likelihood and impact using risk matrices. Map each risk to the CIA Triad: Confidentiality, Integrity, and Availability.
- Assess the broader consequences of these risks, including business operations, brand reputation, customer loyalty, regulatory compliance, and staff morale.
4. Mitigation Strategy and Application of Design Principles (300 words)
- Develop a tailored mitigation strategy addressing the severity and potential impact of each identified risk, including technical, operational, and governance controls, and provide cost-benefit analyses to justify investments.
- Structure the strategy according to the NIST CSF functions (Govern, Identify, Protect, Detect, Respond, Recover) and relevant categories/subcategories.
- Suggest specific actions MIHS could have taken to prevent or minimise the impact of the attack, incorporating security design principles such as least privilege, defence in depth, secure defaults, and fail-safe mechanisms.
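The following is an added worked example, not part of the assignment brief and not a tool the course supplies. It shows one way to put the 5x5 likelihood/impact matrix, the CIA mapping, the NIST CSF function mapping and a control cost-benefit figure (annualised loss expectancy and return on security investment) into a reproducible form that a risk register table in the report could be generated from. The rating thresholds, the five sample risks and every dollar figure are assumptions constructed from the MIHS narrative for illustration; ISO 27005 does not prescribe these particular scales or bands.

```python
"""Added example: score a small risk register on a 5x5 matrix, tag each risk
with the CIA objective it threatens and the NIST CSF function that treats it,
and estimate the return on a proposed control.  Thresholds, risks and
dollar figures are assumptions constructed for illustration."""
from dataclasses import dataclass

# Qualitative scales (assumed): 1 = very low ... 5 = very high.
SCALE = range(1, 6)

# Rating bands over the product likelihood x impact (assumed thresholds).
RATING_BANDS = ((15, "Critical"), (9, "High"), (4, "Medium"), (1, "Low"))


def risk_score(likelihood: int, impact: int) -> int:
    """Cell value of the 5x5 matrix; rejects values outside the scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Map a matrix score to the highest rating band whose floor it meets."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError("score below scale")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    asset: str
    cia: frozenset            # subset of {"C", "I", "A"}
    likelihood: int
    impact: int
    csf_function: str         # NIST CSF 2.0 function that primarily treats it

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)


def prioritise(register):
    """Highest score first; ties broken by impact, then risk_id for stability."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def annualised_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = SLE x ARO: expected loss per year from one risk."""
    return single_loss * annual_rate


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk reduction - cost) / cost.
    Positive means the control pays for itself on expected-loss grounds."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed sample register drawn from the MIHS narrative (values assumed).
MIHS_REGISTER = [
    Risk("R1", "Ransomware encrypts EHR via unpatched legacy module",
         "EHR system", frozenset({"I", "A"}), 4, 5, "Protect"),
    Risk("R2", "Exfiltration of patient PII before encryption",
         "Patient database", frozenset({"C"}), 4, 5, "Detect"),
    Risk("R3", "Compromised BYOD laptop introduces malware",
         "Hospital network", frozenset({"C", "I", "A"}), 3, 4, "Protect"),
    Risk("R4", "Phishing of untrained staff yields credentials",
         "Staff accounts", frozenset({"C"}), 4, 3, "Govern"),
    Risk("R5", "Unsynchronised clinic billing data corrupted",
         "Outpatient billing", frozenset({"I"}), 2, 3, "Identify"),
]


def risk_table(register) -> list:
    """Rows for a board-level summary table, in priority order."""
    return [(r.risk_id, r.score, r.rating, "".join(sorted(r.cia)), r.csf_function)
            for r in prioritise(register)]


if __name__ == "__main__":
    for row in risk_table(MIHS_REGISTER):
        print(row)
    # Assumed figures: a ransomware event costing $5M, expected once in five
    # years; $300k/yr on immutable offline backups plus network segmentation is
    # assumed to cut the loss per event to $1M without changing its frequency.
    before = annualised_loss_expectancy(5_000_000, 0.2)
    after = annualised_loss_expectancy(1_000_000, 0.2)
    print(f"ROSI = {rosi(before, after, 300_000):.2f}")
```

The matrix product and the band thresholds are deliberately separated so that the report can state its scales once and score every risk the same way; a reader can then check that two risks with equal scores were ranked by impact rather than by the order they were written down. The ROSI figure is only as good as the loss and frequency estimates behind it, so each should be cited to a source (breach-cost reports, insurer data, the real-world case analysed in Section 2) rather than asserted.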
You should aim to cite at least 10 references from reputable sources (e.g., academic, industry body publications, white papers).
Referencing guidelines
Use the RMIT Harvard referencing style for this assessment. If you are using secondary sources, include these as a reference list in your report.
You must acknowledge all the sources of information you have used in your assessments.
Refer to the RMIT Easy Cite referencing tool to see examples and tips on how to reference in the appropriate style. You can also refer to the Library referencing page for other tools such as EndNote, referencing tutorials and referencing guides for printing.
Submission instructions
The assessment will be submitted in Canvas as a file upload, as a Word document or PDF (.doc, .docx, .pdf).
Academic integrity and plagiarism information
Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others while developing your own insights, knowledge, and ideas.
You should take extreme care that you have:
- Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e., directly copied), summarised, paraphrased, discussed, or mentioned in your assessment through the appropriate referencing methods
- Provided a reference list and/or bibliography of the publication details so your reader can locate the source if necessary. This includes material used from Internet sites.
If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed off the work and ideas of another person without appropriate referencing, as if they were your own.
RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of inappropriate behaviours, including:
- Failure to properly document a source
- Copying material from the internet or databases
- Collusion between students
For further information on our policies and procedures, please refer to the University website.