Risk Assessment Report of the Assessment




Functional description

The Public Health Informatics and Technology Program's IT system was developed by the Office of Surveillance, Epidemiology, and Laboratory Services (OSELS). The CDC division responsible for its deployment and maintenance is the Division of Informatics Research and Development (DIRD), whose role is to advance the frontiers of public health informatics through appropriate research and development. DIRD collaborates with the other CDC programs to develop innovative technologies that positively affect public health practice on both a short-term and a long-term basis (CDC, 2010).

The Public Health Informatics and Technology Program relies on various technologies to achieve its objectives. The common characteristic of these technologies is that they are client/server in architecture and are meant to support the handling of various forms of information both within the CDC and externally between the CDC and its partners.

System users

The major users of the Public Health Informatics and Technology Program's IT system are the CDC personnel scattered across its global offices. However, other stakeholders also have access to the system. The table below lists the system users together with their access levels, organizations and locations.

Table 1. Public Health Informatics and Technology Program's IT system users

| User Category | Access Level (Read / Write / Full) | Number (Approximate) | Organization | Geographic Location |
|---|---|---|---|---|
| Developers | Read/Write | 20 | CDC (DIRD) | Atlanta |
| CDC personnel | Varied access | | CDC | CDC offices |
| Stakeholders | Read | 12 | ACF, DOE, etc. | Nationwide |

System Dependencies

The system has various dependencies. These are the telecommunication and Information Technology (IT) resources on which the system under review depends in order to process, transport and store information. The intricate relationship between the various system components is crucial to achieving the basic Information Assurance tenets seamlessly. Below is a list of the CDC IT resources on which the system depends.

- Policies governing CDC Enterprises
- CDC's Enterprise Mid-Tier Data Center
- CDC Network Infrastructure, comprising:
  - Information Technology Services Office's (ITSO) Local Area Networks (LANs)
  - Atlanta Metropolitan Area Network (AMAN)
  - CDC's Wide Area Network
  - Internet Connectivity
  - Technical Vulnerability Scanning Service
  - DMZ Connectivity
- CDC Enterprise Windows Domain and the Active Directory Environment
- CDC Enterprise Security Services, which include:
  - CDC's Border Firewall
  - RSA SecurID Authentication System
  - CDC's Border Router Access Control Lists
  - E-Mail Gateway Virus Scanning and Attachment Removal
  - Network-Based Intrusion Detection Systems
- CDC Enterprise Mainframe

Protection Requirements

Both information and information systems have distinct life cycles. It is important that the degree of sensitivity of information be assessed by considering the confidentiality, integrity and availability (C/I/A) requirements of the information: the need for system data to be kept confidential, the need for the data processed by the system to be accurate, and the need for the system to be available. Confidentiality focuses on the impact of disclosure of system data to unauthorized personnel. Integrity addresses the impact that could be expected should system data be modified or destroyed. Availability relates to the impact on the organization should use of the system be denied.

The protection environment results

Confidentiality: The Public Health Informatics and Technology Program's Information Technology (IT) infrastructure contains information that is very sensitive, since it holds identity information for the people who participate in CDC's surveys. The data therefore needs to be protected against unauthorized disclosure. If this data were to leak to the general public, there would be a drastic loss of public confidence in all forms of surveys conducted by the CDC, and the consequences could be great in terms of embarrassment and legal action against the CDC.

It is therefore prudent to gauge the level of adverse effect that could result from unauthorized disclosure of the sensitive information contained in the IT infrastructure. The level could be expected to be Limited, Serious or Severe, with a corresponding rating of Low, Moderate or High.

Integrity: The Public Health Informatics and Technology Program's Information Technology (IT) infrastructure collects and processes health and nutritional data gathered annually from a carefully selected representative sample of the general U.S. population. Because the information produced depends on the accuracy of the data collected, any modification of either the data or the final information would adversely affect the quality and accuracy of the survey results.

It is therefore prudent to gauge the level of adverse effect that could result from unauthorized modification or destruction of the data held in the IT infrastructure. The level could be expected to be Limited, Serious or Severe, with a corresponding rating of Low, Moderate or High.

Availability: If the Public Health Informatics and Technology Program's Information Technology (IT) infrastructure were to become unavailable, even for a relatively short period of time, the immediate effect of the interruption would be a reduction in the overall efficiency of the system's operation.

It is therefore prudent to gauge the level of adverse effect that could result from use of the IT infrastructure being denied. The level could be expected to be Limited, Serious or Severe, with a corresponding rating of Low, Moderate or High.

Threat statement

The threat statement follows NIST SP 800-30, which describes methods of threat identification, the sources of threats and the appropriate actions to be taken in carrying out the assessment process.

The definitions are as follows:

Threat -- The potential for a particular threat source to successfully exercise a particular vulnerability.

Threat Source -- Any circumstance or event with the potential to cause harm to an IT system. The common threat sources can be natural, human or environmental.

Threat Action -- The method by which an attack might be carried out (e.g., hacking, system intrusion, denial of service, spoofing).

References

CDC (2010). Public Health Informatics and Technology Program Office: Informatics Research and Development. http://www.cdc.gov/osels/ph_informatics_technology/informatics_research_development.html

Chambers & Thomson (2004). Vulnerability Disclosure Framework. http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf

Madden, T. (2007). Draft Risk Assessment Report. http://csrc.nist.gov/groups/SMA/fasp/documents/risk_mgmt/RAR_Template_07112007.doc

NIST (2004). Risk Management Guide for Information Technology Systems. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Praxiom (2010). ISO 27001 and ISO 27002 Plain English Information Security Management Definitions. http://www.praxiom.com/iso-27001-definitions.htm
