An information security project about health networks


Health Network, Inc. is a fictitious health services organization headquartered in Minneapolis, Minnesota.
Health Network has over 600 employees throughout the organization and generates $500 million USD in
annual revenue. The company has two additional locations in Portland, Oregon and Arlington, Virginia, which
support a mix of corporate operations. Each corporate facility is located near a data center, where the three
major systems below are located and managed by third-party data center hosting vendors. 


Health Network has three main products: HNetExchange, HNetPay, and HNetConnect.
• HNetExchange is the primary source of revenue for the company. The service handles secure electronic
medical messages that originate from its customers, such as large hospitals, which are then routed to
receiving customers such as clinics. HNetExchange is housed in the data center.
• HNetConnect is an online directory that lists doctors, clinics, and other medical facilities to allow
Health Network customers to find the right type of care at the right locations. It contains doctors’
personal information, work addresses, medical certifications, and types of services that the doctors
and clinics offer. Doctors are given credentials and are able to update the information in their profile.
HNetConnect is housed in the data center.
• HNetPay is a Web portal used by many of the company’s HNetExchange customers to support the
management of secure payments and billing. The HNetPay Web portal, hosted at the data center,
accepts various forms of payments and interacts with credit-card processing organizations much like a
Web commerce shopping cart. HNetPay is housed in the data center.
• Health Network customers, which are the hospitals and clinics, connect to all three of the company’s
major products using HTTPS connections.
• The Minneapolis office is the primary location for business units, such as Finance, Legal, and Customer
Support. Some of the corporate systems, such as the payroll and accounting applications, are located
only in the corporate offices. Each corporate location is able to access the other two, and remote
virtual private network (VPN) connections exist between the corporate locations. The corporate systems are not
currently being backed up.
Information Technology Infrastructure Overview:
The 3 major Health Network systems are housed at the data centers where their fully-trained IT specialists
manage all Information Technology and security needs. The data centers host about 1,000 production servers.
Health Network, Inc. maintains 650 corporate laptops and company-issued mobile devices for its
employees. Small IT staffs at each corporate office manage and support the hardware and software needs of
the employees. Internal LAN/WAN networks at each corporate office are housed in isolated rooms that have
no windows and are kept locked at all times. Servers are rack-mounted and UPS systems provide power in
case of a power outage. Firewalls exist at each corporate office. Environmental factors such as air
conditioning, building power, fire alarms and flooding/water are not an issue and do not need to be mitigated.
A Project Manager, specializing in Cybersecurity, has been hired to develop a Risk Management plan and each
corporate office has assigned IT staff and users to be part of the team. The teams have conducted their
preliminary review of each corporate office and provide the following details:
Minneapolis: The Minneapolis facility is located in a large 2-story building and is its only resident. There is
only one entrance to the facility and guest services is the first office at the entryway. When customers arrive
at guest services, they wait in a visitor area until they are called to the front counter to be helped by customer
service personnel. Customers remain on one side of the counter and the employee on the other side so there
is very limited access to the employee area. Access to the remainder of the building is restricted and
employees must show their employee badge and scan their carry-ins before entering the office area.
Employees are expected to wear their employee badge at all times while at work. Human Resources, Payroll
and other Administrative offices are located on the first floor. The remainder of the 1st floor is used for
meetings and the cafeteria/break area. The IT department and LAN/WAN Server room, Finance office and
Legal office are located on the 2nd floor. The Finance office is a large open area with only one entry door. The
office is to be locked at the end of the day and when all employees are away from the office for lunch or
breaks. The Legal office is a large area with individual offices on the outside walls. The office is to be locked at
the end of the day and when all employees are away from the office for lunch or breaks.
1. In Customer Services, one team member noticed a new employee taped his password to the screen
and although it may not be obvious, it was of concern.
2. In the LAN/WAN Server room, inspections noted that the UPS system was not operational.
3. After discussions with the IT staff, it was discovered regular maintenance of Firewalls has not been
conducted.
4. A new SysAdmin has little-to-no security awareness training.
5. Network Servers may not contain the latest patches.
6. Corporate Finance databases and systems are not backed up on a scheduled basis.
7. One computer was always left logged-in to the system and shared by everyone in the office because it
had access to all the system files and some employees just didn’t have access to them unless they used
this computer.
8. An employee said she uses a very simple password so that it is easier to remember.
9. InfoSec audits (to include penetration testing, asset management scans, and InfoSec policy/procedure
compliance reviews) are not conducted.
10. Some employees are using their personal laptops to do corporate business.
Portland: The Portland facility is located in a medium-sized 1-story building and is its only resident. There is a
front and a back entrance to the facility and signage attempts to point customers to guest services, which is
located near the front entryway. Office areas are located in the main hallway and sometimes clients enter
an area to ask where they can find guest services. When customers arrive at guest services, they wait in
a visitor area until they are called to the customer service personnel’s desk. Customer service personnel must
be very careful to lock any client files away before calling the next customer to the desk. Employees are
expected to wear their employee badge at all times while at work. All offices are to be locked at the end of
the day and when all employees are away from the office for lunch or breaks.
11. Client files were found to be left out on the desk overnight.
12. In the Administrative area, a report listing customers who were in default and their personal data was
created and shared with everyone in the office via email.
13. An employee indicated she hasn’t changed her password in over a year.
14. It has been reported that office areas are left unlocked when everyone leaves for lunch or breaks.
15. A retired employee is still able to log in and access the company databases.
16. Administrators are issued laptops for home use but inventory control and access control policies are
not followed.
17. Some Client record cabinets cannot be locked.
18. Computers may not have the latest software patches.
19. Unauthorized software was discovered on the corporate computers.
Arlington: The Arlington facility is located in a large 1-story building and shares the facility with another
business. There are a number of entrances to the facility and signage attempts to point customers to guest
services. Sometimes clients enter an office area to ask where they can find guest services. When customers
arrive at guest services, they wait in line until they are called to the customer service personnel’s desk. When
the lines become long, customer service personnel get into a hurry and may not lock client files away before
calling the next customer to the desk. Employees are expected to wear their employee badge at all times
while at work. All offices are to be locked at the end of the day and when all employees are away from the
office for lunch or breaks.
20. On a number of occasions, the janitor found the office areas unlocked after everyone left for the day.
21. An employee said he is still using the default password that was provided when he first started working
for the company.
22. Sensitive files are supposed to be stored in locked cabinets but sometimes the cabinets are left
unlocked after hours.
23. Company-issued laptops often contain sensitive data but the hard drives are not encrypted.
24. Client records are supposed to be locked away unless they are being processed but are sometimes left out
in the office after hours so it is easier to work on them the next day.
25. A master login was created by IT so that employees in the area could access all the databases,
regardless of their role in the office.
26. Users can download data to USB drives.
Using the Project Template and the vulnerabilities/weaknesses identified in the 1st column, complete the
Threats, Risks, and Controls/Countermeasures that correspond to each weakness.
• More than one Threat and/or one Risk and/or one Control/Countermeasure may exist for each
weakness.
• Do not include the Data Centers because they are owned by 3rd party vendors who maintain their
own Risk Management plan.
Your grade will be based on the information provided above. You may be able to use the Risk Management
template from the Group project but do NOT use any of them that do not apply to this scenario.
This is a group project. One student from the group will submit the assignment.
• SafeAssign will be used:
a. Do not share your work with other students.
b. If SafeAssign finds a large percentage of work is attributed to another student’s work, you will
be assigned a grade of zero. In addition, a zero will be assigned to all the other students who
shared their work.
• Assignments will NOT be accepted after the due date assigned in the course blackboard calendar.
NOTE: one of the issues I discovered in the Group project was that some Threats were listed as Risks, some
Risks as Threats, etc. Make sure you understand these terms.
A Weakness is something that violates an existing (or potential) policy/procedure.
A Threat is a danger that exploits the Weakness.
A Risk involves the loss/impact of a tangible or intangible asset (Quantitative/Qualitative).
A Countermeasure reduces/eliminates the Threat/Loss.
