Description
The directions are as follows:
In this task, you will analyze an independent assessment and respond to it in a detailed written report. You will need to read the attached “Company Overview” and “Independent Security Report” that correspond with the following scenario.
A. Describe both the physical vulnerabilities and physical threats that put the security posture of Psinuvia Inc. at risk. Provide details from the attached “Independent Security Report,” including how each vulnerability or threat is negatively impacting the security posture of the company.
B. Describe both the logical vulnerabilities and logical threats that put the security posture of Psinuvia Inc. at risk. Provide details from the attached “Independent Security Report,” including how each vulnerability or threat is negatively impacting the security posture of the company.
C. Summarize industry standards for securing organizational assets regarding policies for acceptable use, mobile devices, passwords, and personally identifiable information (PII), using industry-respected sources to support your claims.
D. List the IT department duties that belong in the Compliance and Risk Department and the Security Department, as described in part six of the attached “Independent Security Report,” by organizing them into a chart or table.
E. Develop a PCI DSS-compliant policy to address the concerns in the “Independent Security Report,” including the roles and responsibilities of each component of the policy.
F. Propose methods for bringing Psinuvia Inc. into compliance with General Data Protection Regulation (GDPR) requirements, including specific examples for how each method will address international regulations.
G. Identify the HIPAA provisions Psinuvia Inc. needs to address, including the associated consequences for continued noncompliance.
H. Develop a business continuity plan to address the natural disaster described in part four of the “Independent Security Report.” CISSP best practice should inform execution and maintenance of mission critical tasks in the business continuity plan for Psinuvia Inc.
I. Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.
J. Demonstrate professional communication in the content and presentation of your submission.
Attachment preview (Independent Security Report):
Autojor Security Consultants
ATTN:
Chief Technology Officer
Psinuvia, Inc.
927 E. Speight Ave.
Dallas, TX 75116
Dear Psinuvia Incorporated,
In response to a request from your company, Psinuvia Incorporated, Autojor Security Consultants conducted a comprehensive security audit of your company's cybersecurity posture. The specific operational details can be found within the report, but as a high-level overview, the review included an external assessment using the tools and techniques available to an advanced threat actor. Additionally, we conducted an on-site investigation and review of the technological and procedural issues surrounding the products, services, and infrastructure of Psinuvia Inc. We also visited its facilities in Singapore and collected information regarding that location as well.
In summary, we found a number of issues surrounding Psinuvia Inc.'s implementation of a strong cybersecurity posture as well as the subsequent projects and programs to enforce that security. Some of our specific findings are listed below:
1. From a programmatic standpoint, Psinuvia Inc. needs a structured security program. Its chief technology officer (CTO) is doing as much as possible to implement the right tools and processes to resolve current issues that need immediate attention. However, the organization lacks an overall comprehensive approach to security that would lessen its day-to-day problem-solving. We therefore recommend that Psinuvia Inc. develop a set of policies, procedures, standards, and guidelines to guide its cybersecurity program. In terms of overall security policy, Psinuvia Inc. lacks the most basic policy documents regarding its overall security posture. To start, the company needs to develop policies regarding acceptable use, passwords, and mobile devices. These administrative fixes should be accompanied by a cybersecurity awareness training and education program for all employees.
2. The majority of Psinuvia Inc.'s functions relate to its development, manufacturing, sales, and service of implantable or wearable medical devices. These devices collect data from each recipient, which is then transferred electronically to a data repository. In some cases, this repository is under the control of a customer. In others, Psinuvia Inc. is hired to retrieve and store this data for future use or analysis. In all cases, this information is considered personally identifiable information (PII). This PII is subject to a number of laws in the United States, within the European Union, and in other countries as well. At this time, Psinuvia Inc. has few specific measures in place, both technical and administrative, to meet the provisions of these applicable laws.
a. In regard to U.S. law, the Health Insurance Portability and Accountability Act (HIPAA) controls the ways in which PII can be gathered, stored, used, and accounted for by any organization in the healthcare industry. As a medical device company collecting PII from patients, Psinuvia Inc. falls under this legal jurisdiction. Psinuvia Inc. should develop policies and procedures to handle PII both internally and externally. Failure to do so may subject Psinuvia Inc. to significant federal penalties and sanctions. Psinuvia Inc. should ensure it complies with all applicable HIPAA statutes and provisions.
b. The European Union enacted the General Data Protection Regulation (GDPR) on May 25, 2018. This regulation, enforceable as law, carries a number of significant financial penalties for noncompliance. All companies that collect information on any citizen of the European Union must comply with several requirements when collecting, storing, manipulating, or using the PII of a citizen. Autojor consultants were unable to find any specific measures existing at Psinuvia Inc. to protect the collection, storage, or use of the data.
3. Psinuvia Inc. uses a number of financial procedures to collect payment for its goods and services. In many cases, the customer can use either a personal or a company-controlled payment card (credit or debit) to pay for these goods or services. In so doing, Psinuvia Inc. needs to follow the procedures outlined in the Payment Card Industry Data Security Standard (PCI DSS). Failure to do so may subject Psinuvia Inc. to penalty or sanction as outlined in the standard. At this time, Psinuvia Inc. lacks a policy document, standardized procedure, or other guidance outlining how it accepts these payments in accordance with PCI DSS.
4. The audit also covered Psinuvia Inc.'s business continuity planning efforts. At this time, Psinuvia Inc. has only a rudimentary plan to deal with the effects of a natural disaster. Specifically, the main hub of operations is located in Dallas, Texas, and the area could be subject to flooding and tornadoes. Many organizations fail to recognize the need for a continuity plan that outlines how the organization will come back to an operational capability as quickly as possible to avoid loss of customer revenue. In reviewing Psinuvia Inc.'s documents, it became evident that its plan for recovery is lacking for these types of natural disasters. The report needs to include a section to ensure the continuous operation of the business in the case of an emergency.
5. When assessing the administrative controls within Psinuvia Inc., our team looked at how this organization approached cybersecurity risk management. Although this company has a fairly complete and up-to-date list of its assets, it does not have an assessment of the threats to the organization (both physical and logical). It also does not have an assessment of its vulnerabilities to these physical and logical threats. The lists of threats and vulnerabilities will help Psinuvia Inc. compute its risks and take the steps necessary to determine how it will mitigate risks.
6. The company must have a structured approach to its functional areas and responsibilities. The development of this structure is paramount to Psinuvia Inc.'s mission success. The report should include the IT department duties for a Compliance and Risk Department (under a director of compliance and risk) and a Security Department (under a director of security).
Sincerely,
Autojor Security Consultants