Security Assessment Report for
Fielder Medical Center (FMC)
Security Assessment
October 10th, 2024
D486
Western Governors University
1. Risk Analysis Summary
The findings presented here come from a risk and gap analysis comparing the existing systems at Fielder Medical Center (FMC) with the requirements for compliance with the NIST SP 800-53r5 control families and the high-level standards of PCI DSS.
Currently, the system lacks the protection required by the Privacy Act. FMC's systems store personally identifiable information (PII), such as names, addresses, Social Security numbers (SSNs), and other sensitive data. Authorized government agencies must be able to access this information to verify doctors' qualifications.
All systems at FMC are outdated and need a thorough review, prioritization, compliance checks, upgrades, and a maintenance plan. The following control families and enhancements must be addressed to ensure FMC's governance and compliance:
i) During the audit, Pruhart Security Consulting found that workstations connected to both switches lack proper antivirus (AV) protection; some run unlicensed AV software, while others have no active AV solution at all.
ii) Endpoint protection is insufficient to safeguard the network and systems.
iii) There is no multifactor authentication (MFA) implemented on the network.
iv) FMC has stated its goal of achieving PCI DSS compliance. The center plans to set up a point-of-sale (POS) system at its physical location for customer equipment purchases. This POS system requires a secure and well-maintained network, including a firewall, the elimination of default vendor passwords, and other security measures. Additionally, the POS system currently lacks an AV solution.
v) Authorized government agencies need secure access to an FMC web portal to review documents and other materials for verifying certified doctors. Doctors use FMC's services to upload their PII and other documents.
vi) During the evaluation, Pruhart Security Consulting identified further issues that need addressing; these are detailed control by control in the assessment that follows.
2. NIST Special Publication 800-53r5 Controls
According to Amazon Security Hub (2024), "NIST SP 800-53 Rev. 5 is a cybersecurity and compliance framework developed by the National Institute of Standards and Technology (NIST), an agency that is part of the U.S. Department of Commerce. This compliance framework helps you protect the availability, confidentiality, and integrity of your information systems and critical resources. U.S. federal government agencies and contractors must comply with NIST SP 800-53 to protect their systems, but private companies may voluntarily use it as a guiding framework for reducing cybersecurity risk."
Pruhart Security Consulting assessed the systems against the NIST SP 800-53r5 control identifiers listed below to evaluate their existing security posture. The evaluation used risk analysis tools to analyze and communicate the findings. Each control identifier is assigned a risk rating of Low, Moderate, or High, accompanied by the rationale for that rating.
AC-6:..Least..Privilege