In this assignment, you step into the role of a cybersecurity analyst. In Part 1, you will evaluate a healthcare organization’s network vulnerabilities. In Part 2, you will write policies designed to mitigate them.
Scenario
Choose one of the following scenarios in the CIS598 Project Scenarios [PDF] document to focus on for this assignment and the remainder of the course. Below is a snapshot of each:
HealthSure Alliance – A multi-state healthcare network faces growing risks from weak physical security, poor password policies, and unregulated AI pilots.
CareFirst Medical Group – A nonprofit healthcare system launching a new mobile health app struggles with third-party risk, cloud security, and AI tool governance.
MediSure Partners – A healthcare management firm with a distributed remote workforce and contractor access struggles with BYOD security, insider threats, and unregulated use of AI-generated content.
Instructions
Consider your chosen scenario and complete the following:
Part 1: Identify Network Vulnerabilities
Describe 5 types of network vulnerabilities found in your selected scenario. For each vulnerability, your description must include:
Vulnerable system(s): Clearly identify the system(s) at risk (e.g., cloud-hosted EMR, HR database, shared workstation, physical access point).
Potential intrusion point(s): Describe how an attacker could exploit the vulnerability (e.g., phishing, weak password, outdated patch).
Responsible party: Identify which role or department (e.g., IT, HR, Compliance) should be accountable for addressing the issue.
Impact on operations or compliance: Explain how this vulnerability affects patient care, data integrity, legal compliance, or business continuity.
NIST CSF Mapping: Correctly assign one of the NIST Cybersecurity Framework (CSF) core functions to each vulnerability:
Identify.
Protect.
Detect.
Respond.
Recover.
Part 2: Vulnerability Mitigation Security Policy
Note: Work completed here will be used in your Week 10 assignment, Cybersecurity Policy Manual.
Craft 3 distinct policies that effectively mitigate 3 of the 5 vulnerabilities identified in Part 1. Each policy should:
State a purpose and scope.
Be realistic for the organization’s structure and technical environment.
Comprehensively define enforceable practices, procedures, protocols, and safeguards for vulnerability mitigation.
Be written as a formal policy statement (e.g., “All remote devices must use Mobile Device Management (MDM) enforced encryption”) that includes its goals and purposes.
Reference regulatory, procedural, or technology-based solutions (e.g., ISO2700, NIST, HIPAA).