Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Information Security in Healthcare Cloud

Verified

Added on 2020/03/23

AI Summary

This assignment delves into the critical topic of information security management within the context of cloud computing for healthcare. It examines the unique risks associated with storing and processing sensitive patient data in a cloud environment. The assignment encourages the exploration of established frameworks and best practices, such as ISO 27001 and NIST Cybersecurity Framework, to ensure robust security controls are implemented. Furthermore, it highlights the importance of policy development, risk assessment, and continuous monitoring to mitigate potential threats and safeguard patient privacy.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: INFORMATION SECURITY MANAGEMENT GUIDELINES
Information Security Management Guidelines
Name of the Student
Name of the University
Author Note

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1
INFORMATION SECURITY MANAGEMENT GUIDELINES
Executive Summary
The purpose of this report is to provide guidelines on improving the information security for the
organization and introduce and effective and efficient information security risk assessment
management for A4A organization. A4A is about to transform it’s traditional of data and
information into computerized based methods using information technology. These guidelines
cover from context establishment to the risk assessment management. An overview over this risk
assessment management has been introduced in this report that emphasis on the various steps
that could be helpful in successful implementation of the risk assessment processes. This report
also emphasis on the Australian laws that could be complementary for the A4A in establishing a
better risk assessment management system regarding the safeguard of the information and data
that are critical for the organization. It is very necessary to implement an information security
risk assessment management system for enhancing the performance of the technology and taking
benefits of the technology with complete efficiency, which has also been explained in this report.
This report focuses on the determining the context for A4A in manner to pave a platform for the
whole risk assessment processes that includes risks in outsourcing, cloud storage, cloud
computing and many other risks related to the implementation of information technology into the
existing system of the organization.

2
INFORMATION SECURITY MANAGEMENT GUIDELINES
Table of Contents
Introduction......................................................................................................................................4
Applicable Policy and Legislation...................................................................................................4
Applicable Policy.........................................................................................................................4
Australian Privacy Law...............................................................................................................5
Privacy Legislation......................................................................................................................5
Risk Management Overview...........................................................................................................5
Risk Assessment Framework.......................................................................................................5
Applying ISO 31000....................................................................................................................6
Establishment of the Context.......................................................................................................8
Determining Context for the A4A...............................................................................................8
Identifying Risk...........................................................................................................................9
How to Determine Agency Risk Tolerance.................................................................................9
Considering Factors while Determining the Cloud integration Risk.........................................10
Potential Threats While Outsourcing Information....................................................................11
Mapping Risks...........................................................................................................................12
Assessing Risk...........................................................................................................................12
Guidance on Determining Potential Consequences...................................................................13
Evaluating the Risks..................................................................................................................13
How to Consider Potential Risk Treatment Options 2795........................................................14
Communication and Consultation.............................................................................................14
Risk Monitoring and Review.....................................................................................................15
Conclusion.....................................................................................................................................15
References:....................................................................................................................................16

3
INFORMATION SECURITY MANAGEMENT GUIDELINES
Introduction
Following report aims at proving guidance on the information security and assessment
management for the organization A4A considering the storage of data and the way of keeping
them safer. The scope of this report is to present an information security management system for
the organization in manner to maintain the confidentiality, availability, and integrity of the data
about the operational activities and sensitive information about the employees working in the
same organization including the safety measures for the stakeholders too.
According to the case study, A4A is Non-Governmental Organization, which is going to
transform the existing system into a technology based system and about to set up information
systems to keep those data saved into the database of the systems. For this transformation
assumptions can be made that there will be need of outsourcing of Information and
Communication technology (ICT) and computers.
The guidelines provided in this report can be much efficient for the risk assessment
management and better protecting the information that is being store into the systems or in the
cloud. This is the most important aspect for all the organization, which is migrating data or
information into systems or in cloud.
Applicable Policy and Legislation
Applicable Policy
Australian Government policy promotes the PSPF and ISM for the policy related to the
information security. A4A can manage the information security with better efficiency through
the mandatory requirements that has been already stated in the PSPF. For A4A it is a very
important factor for its growth to establish a better and effective risk management for the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4
INFORMATION SECURITY MANAGEMENT GUIDELINES
information security regarding the stored information. Risk management process can be achieved
only if these processes and systems becomes the integral part of A4A’s culture, operational, and
practices plans (Sylves 2014). There should be governance processes in manner to mitigate these
risks rather than building a proactive security system to manage the information security. The
risks should be identified at its very early stage and proper precautions should be taken regarding
elimination of the identified risks.
Australian Privacy Law
Regulation and handling of data and information of the A4A can be managed through the
set thirteen Australian Privacy Principles (APPs) those have been introduced within the Privacy
Act 1988. It emphasis on the privacy of the information of employees of the organization that are
very sensitive and personal to them (Arregui, Maynard and Ahmad 2016). Very personal
information should be determined by the A4A and that information should be handled according
to the principles of the APPs.
Privacy Legislation
Pieces of legislations applicable to this privacy legislations policy are: Firstly, Archives
Act 1983, secondly, Freedom of Information Act 1982, and lastly, Privacy Act 1988 (Zetler
2015).
Risk Management Overview
Risk Assessment Framework
Framework for the risk assessment can be referred to the set of guidelines that can be
applicable in assessing the risks based on the existing framework defined by the Australian
Standards AS/NZS ISO 31000:2009 Risk management and HB 167:2006 Security Risk

5
INFORMATION SECURITY MANAGEMENT GUIDELINES
Management, and principles, and guidelines (Saint-Germain 2015). This is a subjective process
for all the organizations and in this case A4A should make sure that the process that is about to
be defined for the risk management should be justifiable, transparent, and documented.
Assessing risks on the basis of framework can be helpful in many objectives like risk tolerance
identification, identifying particular risk with each employee, and managing the risks as per the
priority of the types of information and about the information related to the assets those are being
stored in the system. Another beneficial aspect is that appropriate decision making can be made
based on the type of risk.
Applying ISO 31000
The risk assessment process should be consistent with the standard for the successful
management of the risk assessment. The whole process can be divided in to five steps and should
be executed accordingly after each step that can be listed as:
Establishing Context
Under this step the external and internal influences should be addressed those could have the
potential to impact the implementation of this management system in the existing system directly or
indirectly (Draper and Ritchie 2014).
Identifying Risks
After the completion of the first step there should be proper development of the robust list for the
risks that has been identified that could have the potential to affect the working of the organization as that
of in the first strep. Risks identifying could be first step towards arranging mitigation processes in context
with the risks.
Assessing Risks

6
Control risksEvaluate RisksAnalyze riskIdentify riskEstablished Context
Consultation and communication
Monitor and Review
INFORMATION SECURITY MANAGEMENT GUIDELINES
This is the third step that discusses the main objective but can only be achieved successfully after
the completion of first two steps. This includes assessing the risks comparing it with the impact,
tolerances, and likelihood of the identified risks on the performance of the organization.
Selecting Treatments
Selection of the proper treatments for the risks should be given the same priority as the above
steps that includes providing control to the identified risk assessment strategies those been collected
through the above steps.
Developing overall Risk Assessment
Development of overall risk assessment is the final step in addressing the risks and mitigating the
threats through summarizing the identified risks in accordance with the control on the steps mentioned
above. Following is a diagram that can be better explainable for the risk assessment processes.
Figure 1: Risk Assessment Process
(Source: Created by Author)

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7
INFORMATION SECURITY MANAGEMENT GUIDELINES
Establishment of the Context
Establishing context puts emphasis on the addressing the assessment processes that needs
to be implemented with the system of A4A in manner to address the security, strategic and
organizational risk management contexts for eliminating the risks that are going to be identified
throughout the whole risk management system (Whittman and Mattord 2013). The security risk
assessment will be covering all the facets of the activities or functions of the organization during
these processes. The risk assessment management processes should be according to the
prevailing and emerging environment for the risks. This will provide platform for the whole
managerial processes for the risk assessment that makes it a very critical objective for its
successful execution.
Determining Context for the A4A
Determination of context for the A4A can be for improving and promoting security of the
internal environment in which the organization is willing to achieve its goals. Objectives for the
successful completion of this section can be listed as:
 Extent and contractual relationships’ nature.
 The organizational structure, accountabilities, governance, roles and responsibilities of
the designated employees of the A4A.
 Overall working culture and security culture of the A4A.
 Values, relationship, and Perception with the internal stakeholders.
 Consideration of proper Policies and objectives and the strategies that are being made to
achieve the assessments successfully (Wensveen 2016).
 Information system and flows including the processes of decision-making

8
INFORMATION SECURITY MANAGEMENT GUIDELINES
 Standards, guidelines, and models adopted by the organization for the betterment in the
security of the information.
 The Strategic Context of Outsourcing
The strategic contexts relevant to the situation should be considered by the A4A in
manner to implement a successful risk assessment management processes. Other than above
stated objectives it should include the Australian regulation, Australian legislation and Australian
policies in manner to increase the information security and make the system list risk affected
system (Peppard and Ward 2016).
Identifying Risk
This section explains the comprehensively determination of the sources of risks that have
the potential to impact the information that are being stored in the system and alternatively affect
the performance of the organization. The identified issues should be well described for the heads
or the executives who are going to take decisions for this management system. The information
or data should be categorized on the basis of integrity, availability, and confidentiality and the
A4A risk management team should give priority to the risks on this determination or
classification (Webet al. 2014). In the AS/NZS 4360:2004, definition of the risk is “The chance
of something happening that will have an impact on the objectives”.

9
Intolerable risk
Scope for A4A
Tolerable risk
Increasing risk
Incapacity to manage
INFORMATION SECURITY MANAGEMENT GUIDELINES
How to Determine Agency Risk Tolerance
Figure 2: Risk Tolerance
(Source: Created by author)
The risk tolerance can be identified during the execution of ‘Establishing the context’
step at its very early stage as it fully dependent on the context of the organization and the heads
of the organizational structure. Risk Tolerance is nothing but the sum of risk appetite of A4A
that is based on the principle of risk management to the extent level (Boyens et al. 2014). The
risk tolerance determination can allow the organization to raise scope of innovative and flexible
business practices. The risk tolerance can be manipulated or affected through changing the
evolution criteria that results in variable factors for the risk management by the heads of the A4A
and that will depend upon: First political expectations and sensitivities, and prevailing, Second
factor is the incident security nature like terrorist attack etc. Third factor is the existence or
emergence of trends in security like data breaches, trusted insider, cyber-attacks etc.
Considering Factors while Determining the Cloud integration Risk
While integrating Cloud storage system within the existing system of the organization, it
is important to establish context regarding the cloud implementation. This can be helpful in

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10
INFORMATION SECURITY MANAGEMENT GUIDELINES
understanding the nature of the criticality, vulnerabilities and other potential threats or risks
related to the information that is being stored in the cloud (Rebello et al. 2015). Following are
some of the considerable facts while determining the Cloud integration risks but not limited to:
firstly, the impact on the availability, integrity, and confidentiality of the data or information of
the A4A. The picture of the unintended disclosure or the incident or event can be stated as
second aspect. Third aspect is the impact of the risks that will occur due to the outsourcing of
technologies and introducing third party. Another fact can be the types of threats and risk related
to the information or data that is being saved into the system. Lastly the impact of losing data
should also be considered while identifying the risk. An individual plan can also be considered as
they focuses only on the information security related issues and their management. 1669
Potential Threats While Outsourcing Information
Following are the threats that might affect the proper functionality of the organization:
Data Breaches: This could affect the saved data in all the aspect as data breaches put all
the information and data at the sake by allowing access to an unauthorized user (Peltier 2016).
Data Loss: Due to some technical glitches and bugs there are chances of losing the whole
data that is being saved into the systems.
Service traffic or Account Hijacking: All the operational activity is being transferred
into the information technology that will be accessible through different accounts for different
level staffs and this could be hijacked by an attempt of any intruder that could access to the data
and manipulate them without having any authority (Dhillong, Syed and Sa-Soares 2017).

11
INFORMATION SECURITY MANAGEMENT GUIDELINES
API (Application Programming Interface) and Interfaces Insecure: For circumventing the
vulnerable interfaces or security processes may be exploited through malicious attacks or
accidentally.
DOS (Denial of service): This type of risk will block the access for a user to enter the
network of the organization and do the desired work.
Insufficient Due Diligence: There should be proper consideration of the advantages and
disadvantages of implementing the new technology within the organizational infrastructure such
as Cloud storage or Cloud computing and many more.
Malicious Insider: This is related to the formal stakeholders either the employee or
contractor or any other individual who might have access to the organizational network even
after leaving the bond with the organization. There might be misused of those accounts for the
personal benefits (Luthra et al. 2014).
Shared Technology Vulnerabilities: Cloud infrastructure has been offering share the
stored data between more than one user that implies some risks related to the multi-tenant
architecture that will become the ‘must’ factor for the organization.
Mapping Risks
Mapping risk can be helpful in managing the risks separately through dividing them
according to the priority of the risks that are identified in the above steps. Emphasis should be
made on the impact of the risks that may hamper the functionality of the organization (Beckers et
al. 2013). The facts that are considerable during mapping the risks includes: identifying the areas
and the level of impacts on those sectors, frequency of the risk occurrence, the stakeholders who
will be impacted by the risks that had been identified. These are the facts but not limited to this

12
INFORMATION SECURITY MANAGEMENT GUIDELINES
only that must be considered while mapping the risk related to the information security of the
A4A.
Assessing Risk
Assessing risk process can be executed after identifying relevance risks those have been
identified and thereafter categorizing them based on the priority. This section describes that there
should be holistic evaluation for likelihood of the identified risks through the acceptable level of
the tolerance and there responding consequences. For addressing these consequences and levels
of likelihood an individual should consider the effectiveness of control and source of the risks
(Oppliger, Pernul and Katsikas 2017). There are levels of controls and oversights in the
processes of risk assessment for the risks related to the use of information technology within the
premises of the organization for performing the operational activities. For example, the
information that is confidential and sensitive for the A4A should be assessed on the basis of
confidentiality, availability and integrity of the type of information (Soomro, Shah and Ahmed
2016). This section should only be executed after the completion of above steps mentioned in
this report.
Guidance on Determining Potential Consequences
Guidance on determining the potential consequences is dependent on the type of
information that is being saved into the database of the system of A4A. Information that is being
stored in the A4A systems’ are sensitive information related to the employees, transactional
details made between the organization and its partners, operational activities details and many
more (Albakri et al. 2014). The expose of this information to an unauthorized user could lead to
many serious issues such as los of data, compromising data, manipulation of data, and many
more.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13
INFORMATION SECURITY MANAGEMENT GUIDELINES
Evaluating the Risks
The unintended or unauthorized expose or access of the information related to the
employees and other activities related to the organization should be evaluated properly that
involves considering the risks within the context of the risk tolerance and potential treatment for
A4A (Feng, Weng and Li 2014). It could be resulted in the matter of financial calculation for the
cases in which the expose of information those are quantified in the terms of finance. For such
cases or situations A4A can consider the factors such as: impact on the reputation and business
output because of the expose or loss of such sensitive information and data related to the
organizational operations (Yang, Shieh and Tzeng 2013). The facts mentioned above increases
the complexity in identifying and assessing the risks related to the information security and the
acceptance resides within the head of the organization.
How to Consider Potential Risk Treatment Options
Due the fact that the risks related to the information security cannot be eliminated rather
it could be minimized at the extent level, security of information becomes absolute. This results
in focusing to reducing the risks rather than eliminating them. Selections should be on the basis
of: the rating level of identified risks while making selections for the risk treatments (Raghupati
and Raghupati 2014). This could be divided into six step processes
 Prioritise the intolerable risks
 Establishment of the treatment options
 Identification and development of treatment options
 Evaluating the treatment options (Haufe, Dzombeta and Brandis 2014)
 Detailing the review and design the selected options also considering the
management of residual risks

14
INFORMATION SECURITY MANAGEMENT GUIDELINES
 Communication and implementation
Communication and Consultation
Consultation and communication plan management should be established at the early
stage while paving the platform for the risk assessment management to determine the processes
that need to be communicated or informed to the internal and external stakeholders. This could
be helpful in communicating effective processes of the risk assessment among the stakeholders
and other individuals related to the organization (Itradat et al. 2014). It will be helpful in them
successful implementation of the risk assessment processes and listening to the employees could
result in some more innovative ideas that could be applied within the system ion manner to
enhance the performance of the organization. Priority should be given to the perceptions of the
stakeholders in response to the identified risk and type of the information that should be saved
into the systems.
Risk Monitoring and Review
This guideline has the same priority as that of the guidelines stated above for assessing
the risks related to the information security. While monitoring and reviewing the risks following
are the considerable facts:
 The strategies and controls of the implementation play an important and effective role
and for this case tokenization and encryption of the files should be done before uploading
to the Cloud.
 Cloud services and outsourcing should have continuous program and cloud vendors are
whether applicable to provide it or not.

15
INFORMATION SECURITY MANAGEMENT GUIDELINES
 The changes that are being introduced comply with the existing regulations or not. For
example the cloud services should fulfil criteria of the Australian legislations (Layton
2016).
 Do the processes and controls that are being practiced in the risk assessment management
are cost effective or not regarding the budget of the whole project (Baskerville,
Spangnoletti, and Kim 2014).
Conclusion
Considering the above facts it can be concluded that for enhancing the performance and
increasing the output there should be proper information security risk assessment. For A4A
assumptions had been made that there will be need of outsourcing the ICT for the better
implementation of information technology and third party can be introduced for the cloud
storage and cloud computing. These are related to the information security as they could also
raise several issues related to the information security during the transformation of all the
operational activities into computerized manner. The use of these technologies will no doubt
enhance the performance of each employee and alternatively enhance the performance of the
organization but also raises many concerns. For eliminating these concerns or risks, a proper and
successful risk assessment system should be implemented within the system in manner to fight
back or stop these threats from affecting the performance of the organization. The guidelines
mentioned in the above report can be very helpful in mitigating the threats that are related to the
information security within the organization and A4A should follow the above guidelines for the
betterment in securing the information and data that is about to be stored into the system.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

16
INFORMATION SECURITY MANAGEMENT GUIDELINES
References:
Albakri, S.H., Shanmugam, B., Samy, G.N., Idris, N.B. and Ahmed, A., 2014. Security risk
assessment framework for cloud computing environments. Security and Communication
Networks, 7(11), pp.2114-2124.
Arregui, D.A., Maynard, S.B. and Ahmad, A., 2016. Mitigating BYOD Information Security
Risks.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security:
Managing a strategic balance between prevention and response. Information &
Management, 51(1), pp.138-151.
Beckers, K., Côté, I., Faßbender, S., Heisel, M. and Hofbauer, S., 2013. A pattern-based method
for establishing a cloud-specific information security management system. Requirements
Engineering, 18(4), pp.343-395.
Boyens, J., Paulsen, C., Moorthy, R., Bartol, N. and Shankles, S.A., 2014. Supply chain risk
management practices for federal information systems and organizations. NIST Special
Publication, 800(161), p.1.
Dhillon, G., Syed, R. and de Sá-Soares, F., 2017. Information security concerns in IT
outsourcing: Identifying (in) congruence between clients and vendors. Information &
Management, 54(4), pp.452-464.

17
INFORMATION SECURITY MANAGEMENT GUIDELINES
Draper, R. and Ritchie, J., 2014. Principles of security management: Applying the lessons from
crime prevention science. Professional Practice in Crime Prevention and Security Management,
p.91.
Feng, N., Wang, H.J. and Li, M., 2014. A security risk analysis model for information systems:
Causal relationships of risk factors and vulnerability propagation analysis. Information
sciences, 256, pp.57-73.
Haufe, K., Dzombeta, S. and Brandis, K., 2014. Proposal for a security management in cloud
computing for health care. The Scientific World Journal, 2014.
Itradat, A., Sultan, S., Al-Junaidi, M., Qaffaf, R., Mashal, F. and Daas, F., 2014. Developing an
ISO27001 Information Security Management System for an Educational Institute: Hashemite
University as a Case Study. Jordan Journal of Mechanical & Industrial Engineering, 8(2).
Layton, T.P., 2016. Information Security: Design, implementation, measurement, and
compliance. CRC Press.
Luthra, R., Lombardo, J.A., Wang, T.Y., Gresh, M. and Brusowankin, D., Citibank and NA,
2014. Corporate infrastructure management system. U.S. Patent 8,706,692.
Oppliger, R., Pernul, G. and Katsikas, S., 2017. New Frontiers: Assessing and Managing
Security Risks. Computer, 50(4), pp.48-51.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. CRC Press.
Peppard, J. and Ward, J., 2016. The strategic management of information systems: Building a
digital strategy. John Wiley & Sons.

18
INFORMATION SECURITY MANAGEMENT GUIDELINES
Raghupathi, W. and Raghupathi, V., 2014. Big data analytics in healthcare: promise and
potential. Health information science and systems, 2(1), p.3.
Rebollo, O., Mellado, D., Fernández-Medina, E. and Mouratidis, H., 2015. Empirical evaluation
of a cloud computing information security governance framework. Information and Software
Technology, 58, pp.44-57.
Saint-Germain, R., 2005. Information security management best practice based on ISO/IEC
17799. Information Management, 39(4), p.60.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more
holistic approach: A literature review. International Journal of Information Management, 36(2),
pp.215-225.
Sylves, R., 2014. Disaster policy and politics: Emergency management and homeland security.
CQ Press.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for
information security risk management. Computers & security, 44, pp.1-15.
Wensveen, J.G., 2016. Air transportation: A management perspective. Routledge.
Whitman, M. and Mattord, H., 2013. Management of information security. Nelson Education.
Yang, Y.P.O., Shieh, H.M. and Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL
and ANP for information security risk control assessment. Information Sciences, 232, pp.482-
500.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

19
INFORMATION SECURITY MANAGEMENT GUIDELINES
Zetler, J.A., 2015. The legal and ethical implications of electronic patient health records and e-
health on Australian privacy and confidentiality law.

1 out of 20

+13062052269

info@desklib.com

Information Security in Healthcare Cloud

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Related Documents

Information Security Management Systems

Information Security Policy Compliance

Cloud Security Risk Assessment for Aztec

Cloud Computing Security and Privacy

Advantages and Disadvantages of Cloud Storage System

Cloud Computing and ICT Services