Question
1. What is the risk management framework (RMF)?
2. What are the components of the RMF? Describe each component.
3. Research and describe the ISO 31000 Risk management.
4. Case Study
Koala Health (KH) is an Australian medical centre. During the COVID-19 pandemic, the company decided to adopt telehealth technology. Telehealth is the delivery of health care remotely using tools ranging from web-based videoconferencing to wearable technologies, complementing face-to-face consultation and offering significant benefits to patients, their carers, healthcare workers and the health system. This would also allow doctors to work from home and conduct medical consultations via video conference with patients who are also at home. KH also wishes to streamline its pathology and pharmacy services and to bring some form of automation to these systems as well. To help you understand how the system works, consider the following scenario:
Bob is a patient. He wishes to be examined by a Koala Health GP. To do that, Bob visited the KH website, downloaded the KH mobile application and booked an appointment with one of the doctors via the company app. Bob first had to register for an account, entering his personal information (name, address, phone number etc.), his Medicare card details and his payment details (e.g., credit card details). To book an appointment, Bob was presented with a list of GPs (doctors) available on that day with their available timeslots. Bob then booked an appointment with Doctor Alice.
At the time of the appointment, Dr Alice medically examined Bob via video conference, a function supported by the KH mobile application. During the examination Dr Alice requested some blood tests to be done on Bob. The request was digitally processed using Alice's medical system and sent electronically to the Koala Health Pathology department. Bob was then issued a transaction number on his mobile application. The following day, Bob presented to KH Pathology and showed the transaction number from his phone to the staff at the lab. The nurse then took some blood samples from Bob. Bob was told that Dr Alice would be in touch with him to give him the results, and he went home. The next day, Bob received a video conference call from Dr Alice to discuss his blood test results. Alice explained to Bob that he must take a prescribed medication for 5 days. To do that, Dr Alice issued a digital prescription for Bob, which was sent to the Koala Health Pharmacy department. The pharmacy received Alice's request, accessed Bob's records on the system (Medicare details, credit card payment, delivery address etc.) and processed the order remotely for Bob. The next day, Bob received his medication in the mail box.
In addition to the telehealth examinations, the other three transactions (processing the blood test results, Alice's issuance of the prescription, and medication processing and delivery) were all done remotely.
The above scenario assumes the use of several interconnected systems or subsystems. These are:
The mobile app used by Bob for appointment and video conference
The system used by Alice to manage appointment and conduct telehealth consultations
The system used by Alice to order Bob's blood test
The system(s) used by the pathology department to access and process the blood test results
The system used by Alice to order medications for Bob
The system(s) used by the pharmacy to process Bob's medication.
Activity 1:
1. Identify the main hardware, software, people and procedure assets of Koala Health (about 20 in total)
2. Identify two possible attributes for each asset
3. Categorize these assets based on their sensitivity and security needs, guided by the following question: Which information asset is the most critical to the success of the organization?
4. Prioritize the assets based on their impact on revenue.
5. Activity 1
What is the purpose of an EISP?
What is the purpose of an ISSP?
List and describe three functions that the ISSP serves in the organization.
Activity 2
Search the web and find some sample security policies for an organisation (e.g., try a given bank, university etc.). Identify one sample EISP and one sample ISSP. Describe the content of each policy.
Activity 3
Using the framework presented in this chapter, draft a brief issue-specific security policy for Koala Health on the fair use of medical equipment.
At the beginning of your document, briefly describe the organization for which you are creating the policy and then complete the policy using the framework.
Additional resources: 5.3 Issue-Specific Policy (NIST An Introduction to Information Security)
6. Activity one
There are five risk treatment strategies available to an organization. Describe them:
a) Describe the strategy of defence.
b) Describe the strategy of transference.
c) Describe the strategy of mitigation.
d) Describe the strategy of acceptance.
e) Describe the strategy of termination.
Activity 2
What is residual risk?
What is risk appetite?
What are the three common approaches to implementing the defence risk treatment strategy?