Cyber Security Policy Development


Added on  2021/04/21

AI Summary
This report identifies various threats in healthcare industries, including man-in-the-middle attacks, SQL injection attacks, and distributed denial-of-service (DDoS) flooding attacks. It provides a detailed analysis of vulnerabilities present in a company and devises solutions to address these issues. The document also emphasizes the importance of developing security policies, procedures, and standards for effective information security management.

Running head: INFORMATION SECURITY AND MANAGEMENT
Information security and management
Name of the student:
Name of the University:
Author Note:

Abstract
A company in New Zealand, known as Sermelles Limited, became the victim of a cyber
attack. The company has more than three thousand employees and is one of the largest
health insurance providers in New Zealand. This report will study that situation
thoroughly. It will pinpoint various existing security issues in the organization and
provide solutions to address them. Security management models will be discussed briefly.
A concluding paragraph will be provided at the end, after a thorough analysis.
Table of Contents
1. Introduction:
2. Literature review:
2.1 Information security:
2.2 Information security threats:
2.3 Types of cyber attacks:
2.4 Information security policies:
2.5 Information Security Awareness:
3. Scenario:
3.1 Security issues in the given scenario:
3.2 Possible solutions:
3.3 Security policies:
4. Conclusion:
5. References:
1. Introduction:
A company in New Zealand, known as Sermelles Limited, became the victim of a cyber
attack. The company has more than three thousand employees and is one of the largest
health insurance providers in New Zealand. Large healthcare organizations in all parts of
the world have fallen victim to cyber bullying. Private data of employees was siphoned
off. This report will study this scenario and, based on it, provide some insights. A few
security management models will be discussed, existing security issues in the health care
industry will be analyzed and, based on the analysis, a strategy and framework will be
developed.
Information security is critical in the modern world because there are various threats
in cyberspace, including virus attacks, malware and phishing. The procedures or set of
policies incorporated within an organization to protect sensitive data are termed
information security management (Disterer 2013). The main goal of information security
management is to provide a framework so that risk can be minimized and continuity of
business is ensured. Information security management addresses process, data, technology
and employee behavior. The system is mainly targeted at specific types of data, such as
employee and customer data. Implementation is also an important part, because a system
that is not implemented properly will not serve the purpose for which it was made. It is
critical to safeguard data since it is the most important asset of any company,
organization or institution. Data can be protected in various ways. One such way is data
encryption. In this technology, data is transformed from one form into another, such as a
code, so that only people holding the right access key, such as a password or a secret
key, can decrypt the data. According to statistics, data encryption is the most popular
and effective method used by organizations.

2. Literature review:
2.1 Information security:
Information security is the practice of preventing unauthorized access, disclosure, use,
inspection, modification, disruption, destruction and recording of information.
Information security is abbreviated as InfoSec. Data can be physical or electronic. The
focus of information security is on the availability, integrity and confidentiality of
data, with an increased emphasis on implementing policy in a way that does not hamper the
productivity of the organization (Crossler et al. 2013). Proper implementation is only
achieved through risk management, which has multiple steps. These steps may include a
process for identifying vulnerabilities, threat sources and impacts, and an assessment of
the risk management plan. This discipline must be standardized, and collaboration among
professionals and academics must be sought so that the standard can be adopted by any
organization irrespective of its size. Strong policies and standards must be set on
antivirus software, passwords, encryption software and firewalls. Training standards must
also be in place for the proper implementation of information security.
2.2 Information security threats:
This section mainly addresses threats surrounding information. Information is nothing
but valuable data. There are different forms of threats, such as sabotage, information
extortion, cyber bullying, identity theft, theft of intellectual property rights,
phishing, equipment theft and malware. Trojan horses, worms and viruses are a few types
of software attacks (Jouini, Rabai & Aissa 2014). The various forms of threats are
explained individually below. Theft of intellectual property rights means stealing ideas
and inventions from companies and authors and gaining benefits from them. In identity
theft, an attempt is made to impersonate the person whose identity is being stolen, and
advantage is then taken to gain access to valuable information about that person.
Equipment theft is a type of physical theft where mobile devices are stolen. The mobile
device holds valuable information. In terms of an organization, sabotage refers to the
destruction of valuable information pertaining to the company, resulting in defamation.
Defamation results in customer loss, which is not at all desirable from a company
perspective. Extortion of information is another type of threat, where valuable data is
taken hostage. Cyber criminals then demand a ransom in exchange for returning access to
the stolen data. This is achieved with the use of ransomware.
2.3 Types of cyber attacks:
This section gives a brief overview of the types of cyber attacks prevalent in modern
times. The types of cyber attacks that affect data include SQL injection, phishing
attacks, malware attacks, denial of service, cross-site scripting and man-in-the-middle
attacks. Malware can be described as harmful software, or a sort of ransomware, that can
take control of a system. Once it takes control, it can monitor user activities such as
keystrokes and can silently send private data to a remote server (Divya 2013). It mainly
occurs when a user clicks on an email attachment containing the malware. A phishing
attack is in a sense a sort of malware attack, but there is a catch: the email that is
sent seems legitimate, and the user is induced to download an attachment linked with it
(Jesudoss & Subramaniam 2014). Structured Query Language is abbreviated as SQL. This
programming language is used for databases. A server that stores databases uses SQL for
managing data. An SQL injection attack targets servers that hold databases and uses
malicious code to extract or destroy data (Pawar 2015). Cross-site scripting is similar
to SQL injection; however, it targets a specific individual instead of an organization or
a company. Denial of service, also known as ‘DoS’, is a special type of attack. A website
is affected when there is a huge load on the server. In this attack, a website is
intentionally flooded with traffic to overload the server so that the website fails to
serve up the content it is intended to serve. Since it is done from several IP addresses,
it is known as distributed denial of service (Zargar, Joshi & Tipper 2013).
Man-in-the-middle attacks belong to another domain. Here a hacker captures the session
between a private computer and a remote server so that the hacker is able to log in as
the individual and extract valuable data (Conti, Dragoni & Lesyk 2016). It is evident
from this section that, given the variety of types of attack, there is a strong need to
formulate an effective policy.
2.4 Information security policies:
Information security policies are a set of rules implemented by a company, organization
or institute so that users and networks within the information technology domain abide by
the prescribed rules. In simple words, policies govern the protection of data, which is
the most important asset in any organization. The main goal of an information security
policy is to create a general framework that will detect misuse of networks, data and
computer systems (Siponen, Mahmood & Pahnila 2014). Once detection is done, restrictive
measures are put in place. The policy is also framed to safeguard the reputation of the
organization with respect to legal and ethical aspects.
2.5 Information Security Awareness:
Awareness in a general sense means gaining knowledge about an issue. Awareness is an
important part of information security, which helps in increasing consciousness of the
potential risks involved in the information field. Threats are constantly evolving at the
same pace as information. There are now more sophisticated ways of attacking and
identifying loopholes. Because of this, existing infrastructure needs constant upgrading
and there is an increased need for awareness (Lebek et al. 2013). People who are unaware
may, without their knowledge, expose loopholes within an organization and enable a data
breach.

3. Scenario:
A health insurance provider in New Zealand known as Sermelles Limited was hacked. It has
more than three thousand employees and spans New Zealand with eighty branches. The net
income of the company as of 2015 was about NZ$150 million. Hackers were able to steal
470,000 records. Employees were victims of a malware attack.
3.1 Security issues in the given scenario:
A massive data breach occurred at Sermelles Limited. A few employees received an email
that looked like an internal email informing them to back up their emails. They had no
reason to suspect it and so they knowingly clicked on a link. There were unauthorized
data queries to the network server of the company. Two types of attack have been
identified in this case. One is phishing and the other is an SQL injection attack. The
cyber criminals in this case made use of both methods. Phishing is a special type of
attack that is used to steal data such as personal information, login credentials and
debit and credit card details. It happens when cyber criminals impersonate a trusted
entity and tactfully extract information from the victim. Often, the victim is tricked
into clicking a spam link. Upon clicking the link, malware can be installed on the system
without the user’s knowledge. Phishing is mainly used to infiltrate large organizations
or government sectors as part of a larger plan. An SQL injection attack mainly relates to
the server. It uses malicious SQL code to manipulate the database into revealing
information that was not to be displayed under any circumstance. The information revealed
may include sensitive company data and employee data. This type of attack can have
far-reaching consequences. An attack of this scale can result in the deletion of database
tables, unauthorized viewing of data and the gaining of administrative rights to make
changes within a table. This is highly detrimental for any company, institution or
organization. Five security vulnerabilities present in healthcare will be discussed now.
The first is mobile devices, which are inexpensive and highly portable. Healthcare
industry workers use mobile devices to access resources of the organization. Mobile
devices are one of the major contributors to data breaches. The second vulnerability is
theft. Data breaches can occur due to stolen external drives or laptops. The third
vulnerability is in data dissemination. Breaches have occurred during data dissemination
between employees and third parties. FTP sites with weak controls have serious loopholes.
The fourth vulnerability is outsourcing. There are times when vendors or business
associates resort to unfair tactics to win contracts. Finally, the fifth vulnerability is
due to the cloud. The health care industry is increasingly moving towards the cloud, and
that is where the vulnerability exists.
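The SQL injection risk described in this section, shown as an added example that is not part of the original report: a lookup built by string concatenation beside its parameterized form, run against a constructed in-memory table. The table, column and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; the schema and all names here are illustrative assumptions.
SAMPLE_MEMBERS = [
    ("alice@example.test", "P-1001"),
    ("bob@example.test", "P-1002"),
    ("carol@example.test", "P-1003"),
]


def make_db():
    """Create an in-memory database holding the constructed member records."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE, policy_no TEXT)"
    )
    db.executemany("INSERT INTO members (email, policy_no) VALUES (?, ?)", SAMPLE_MEMBERS)
    return db


def lookup_concatenated(db, email):
    """Weak form: user input becomes part of the SQL text and can alter the query."""
    query = "SELECT email, policy_no FROM members WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, email):
    """Hardened form: the driver binds the input as a value, never as SQL."""
    return db.execute(
        "SELECT email, policy_no FROM members WHERE email = ?", (email,)
    ).fetchall()


def exceeds_expected_rows(rows, expected_max=1):
    """Detection aid: email is unique, so a lookup returning more rows is anomalous."""
    return len(rows) > expected_max


def compare(email):
    """Run both lookups on the same input and report row counts and the anomaly flag."""
    db = make_db()
    weak = lookup_concatenated(db, email)
    safe = lookup_parameterized(db, email)
    return {
        "concatenated_rows": len(weak),
        "parameterized_rows": len(safe),
        "anomaly_flagged": exceeds_expected_rows(weak),
    }


if __name__ == "__main__":
    # A normal address, then a constructed input containing quote characters.
    for value in ("alice@example.test", "nobody@example.test' OR '1'='1"):
        print(repr(value), compare(value))
```

With the constructed input, the concatenated query returns every row in the table while the parameterized query returns none, which is the unauthorized viewing the section describes and the fix that prevents it.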
3.2 Possible solutions:
This section provides a few recommendations and solutions for the given scenario.
Electronic health records are used extensively in the healthcare industry. A secure
environment for sharing electronic health records must be in place in order to prevent
data leaks. An Electronic Health Record reference model can be developed to manage issues
relating to security on cloud servers. The organization should take steps to create a
Cyber Security Body, which will be responsible for defining and framing security policies
for the entire organization. The body must work independently within the organization.
Next, a tech emergency team can be created, which in case of an emergency will be ready
to put its expertise into action. The Cyber Security Body should be in complete control
of the emergency team, and their strategies must be aligned. Training sessions must be
incorporated within the organization so that employees are trained and made aware of
existing threats. They should be trained on what their course of action should be after
being attacked. Systems must have adequate security, which means they must have
anti-virus, anti-malware and anti-spyware software installed. The network infrastructure
within the organization must be upgraded. Systems should be updated regularly. If
software updates are not done on a regular basis, the system becomes much more
vulnerable. Additionally, employees must be told to change passwords occasionally. The
organization must perform risk assessments on a regular basis. The information technology
team within the organization must be given the authority to find existing vulnerabilities
within the organization (Hinduja & Kooi 2013).
3.3 Security policies:
This section formulates some security policies based on the scenario provided.
Information security policies are a set of rules implemented by a company, organization
or institute so that users and networks within the information technology domain abide by
the prescribed rules. The first security policy should provide for risk assessment. This
policy will help to identify every possible risk. It will also provide accountability.
Contingency plans are included along with this policy; they outline what needs to be done
when a breach happens (Peltier 2016). Information technology is complicated and therefore
specialists need to be assigned to particular tasks. The second security policy should
revolve around assigning a specialist. The policy will make it clear that the specialist
must learn about government compliance. The specialist should follow the guidelines under
all circumstances. The third security policy should address everyday common practices of
employees, such as changing passwords. This might seem to be a trivial issue, but the
problem probably exists in nearly every organization. The policy should require that
every employee changes his or her passwords frequently and that passwords contain a mix
of letters, numbers and special characters. The fourth policy should cover disabling
accounts that are no longer required, such as those of ex-employees. The fifth policy
should be about data security. This policy must be followed strictly by the organization.
Customer data should not be stored in an unencrypted form. The information technology
team should use a good encryption algorithm to store customer or customer-specific data.
The sixth policy should address access issues. Internal servers must be located in a
locked room so that only a person with access is able to enter. Biometrics will achieve
this purpose.

4. Conclusion:
Based on the discussion in this report, it can be concluded that by developing certain
policies and a framework, potential attacks can be averted. Organizations that have the
means and resources must invest heavily in infrastructure, because once a data breach
happens the losses are huge. The Cyber Security Body must be independent and aligned with
the security framework of the organization. It can also be concluded that awareness is
important in this sector. By providing proper training to employees, awareness can be
increased, and this in turn will lead to lower risks for the organization. This report
identifies various threats in the healthcare industry and provides insights into each.
The vulnerabilities present in the company mentioned in the scenario have also been
discussed. Based on these vulnerabilities, solutions have been devised. An appropriate
security policy has been devised to implement the prescribed solutions.
5. References:
Conti, M, Dragoni, N & Lesyk, V 2016, ‘A survey of man in the middle attacks’, IEEE
Communications Surveys & Tutorials, 18(3), pp.2027-2051.
Crossler, RE, Johnston, AC, Lowry, PB, Hu, Q, Warkentin, M & Baskerville, R 2013,
‘Future directions for behavioral information security research’, computers & security,
no. 32, pp.90-101.
Disterer, G 2013, ‘ISO/IEC 27000, 27001 and 27002 for information security management’,
Journal of Information Security, 4(02), p.92.
Divya, S 2013, ‘A survey on various security threats and classification of malware attacks,
vulnerabilities and detection techniques’, International Journal of Computer Science &
Applications (TIJCSA), 2(04).
Hinduja, S & Kooi, B 2013, ‘Curtailing cyber and information security vulnerabilities
through situational crime prevention’, Security journal, 26(4), pp.383-402.
Jesudoss, A & Subramaniam, N 2014, ‘A survey on authentication attacks and
countermeasures in a distributed environment’, Indian J Comput Sci Eng IJCSE, 5, pp.71-77.
Jouini, M, Rabai, LBA & Aissa, AB 2014, ‘Classification of security threats in information
systems’, Procedia Computer Science, no. 32, pp.489-496.
Lebek, B, Uffen, J, Breitner, MH, Neumann, M & Hohler, B 2013, ‘Employees' information
security awareness and behavior: A literature review’. In System Sciences (HICSS), 2013 46th
Hawaii International Conference on (pp. 2978-2987). IEEE.
Pawar, RG 2015, ‘SQL Injection Attacks’, KHOJ: Journal of Indian Management Research
and Practices, pp.125-129.
Peltier, TR 2016, Information Security Policies, Procedures, and Standards: guidelines for
effective information security management, CRC Press.
Siponen, M, Mahmood, MA & Pahnila, S 2014, ‘Employees adherence to information
security policies: An exploratory field study’, Information & management, 51(2),
pp.217-224.
Zargar, ST, Joshi, J & Tipper, D 2013, ‘A survey of defense mechanisms against distributed
denial of service (DDoS) flooding attacks’, IEEE communications surveys & tutorials, 15(4),
pp.2046-2069.