RISK MANAGEMENT

Table of Contents
Introduction (page 2)
Identification of Assets (page 2)
Classification of the identified assets (page 3)
Explanation of the importance of the information governance (page 4)
Security policies for the information system (page 5)
Risk Management Phases in ISO Framework (page 7)
Threats in online business information system (page 8)
Risk assessment (page 9)
References (page 11)
Task 1:

Introduction:
Advanced Medicos Limited (AML) is a healthcare product selling company which is facing certain difficulties in its current information system. The company now plans to sell products to its customers online, so that more customers can be accommodated in the business and the business can gradually grow. In doing so, certain cyber security concerns have arisen, which call for an asset identification and a risk assessment of the project (Singer and Friedman 2014).

Identification of Assets:
As the company has decided to shift its entire system online in order to aid the customers in their purchases, the major assets include the following:

Customer Information Asset: One of the major assets of any organization is its customer details. The more customers get involved with the organization, the more customer details enter the system. These details are used for the purposes of the company or for providing suggestions. The pattern of customer buying behaviour can be derived from them, which increases the efficiency of the business, as better suggestions can be provided (Goglia and Siddiqui 2018).

Server assets: The system's server is one of the major assets of the company as well. This is because all the activities of the business can be stored in the server, which the employees of the organization can access as per their requirements while they are working in the company.
Email accounts: Today, the majority of sign-ins to the system are conducted with the help of email, so email accounts are important for an individual or an organization and have to be handled properly as well.

Computer or devices: This is a mandatory asset of a company which is dealing with online services. It is considered to be the basic need of a process, without which the organization is most likely unable to work.

Workstation: The place where the work or the business is being conducted is an organizational asset as well. The healthcare organization here is an asset in itself (de Carvalho Junior, Ortolani and Pisa 2016).

Routers: The routers are the sources of internet access in the organization. With the help of the routers, the internet usage can be enhanced in the organization.

Employee assets: Against all the odds, conflicts and other challenges, the employees are undeniably one of the most precious assets of the organization. Without them, running an organization would be impossible.

Classification of the identified assets:
The organizational assets can be classified into infrastructure assets, software assets, information assets, service assets and people assets. The infrastructure assets are also known as the physical assets of the organization. These include the servers, networks and workstations.
Software assets: These are the tools or applications used by the organization to increase the benefits and the efficiency of the work, such as Windows and other operating software.

Information assets: These are among the most critical assets of a business. The customer databases here, along with the email accounts and the login details, can be termed one of the greatest information assets of the company.

Service assets: Here customer service and selling goods online are the main focus of the company, hence the service assets are the services provided to the customers, both online and offline.

People assets: The employees, as mentioned before, are the major assets of the organization, as the organization depends directly on them to improve production and increase the efficiency of the organization along with its business. Apart from this, the customers are also considered people assets of the organization.

Explanation of the importance of the information governance:
In the healthcare sector, building up trust is very important. Trust helps in maintaining the customer's loyalty towards that particular organization. Maintaining accuracy in healthcare is not a demand, it is rather a necessity, so that the organization can work efficiently with fewer errors. Information governance helps to improve the safety and security of patient care. It also helps in reducing costs in the company by reducing the risks. There are certain principles which information governance follows in order to ensure work efficiency and maintain better customer relationships, and they are: the principle of accountability, the principle of transparency, the principle of integrity, the principle of protection, the principle of compliance, the principle of availability, the principle of disposition and lastly the principle of retention (Smallwood 2019).

Security policies for the information system:
The objective: The objective of creating this information security policy is to make the employers as well as the employees of the organization aware of what they should and should not do while they are accessing the information and the other assets of the organization.

Principles:
• The information should be classified according to the level of its integrity, confidentiality and availability.
• The employees or staff who are in charge of the information must be careful and abide by the laws as well.
• The users within the scope of the policy must be aware of the classification of the information and handle the information appropriately.
• The information will be protected against any unauthorised access.
• The physical systems of the organization must be handled with care as well, preventing breakage of the system (Peltier 2016).

Legal obligations of the security policy: Advanced Medicos Limited (AML) has the sole responsibility to adhere to and abide by all the current active laws of the country along with all the contractual requirements.

Suppliers: The suppliers will abide by the Advanced Medicos Limited (AML) information security policies while they are viewing any information or data on the project site or through remote access.
Task 2:

Risk Management Phases in ISO Framework:
A process is developed after the framework of risk management has been established. This process can be iterative and have multiple steps, which are designed for the identification and analysis of the risks in the context of the organization (Kruse et al. 2017). This process has several elements, which include:
• Active communication
• Consulting and communicating with all stakeholders
• Execution of the process
• Context establishment
• Identification of the risks
• Analysis of the risks
• Evaluation of the risks
• Treatment of the risks
• Oversight
• Regular reviewing and monitoring is also required

The risk assessment process requires context as defined by ISO 31000. Setting the context begins during the framework phase, when the external and internal environments of the organization are checked. A context is thus a combination of both the external and internal environments as they relate to the strategies and objectives of the organization. This checking should be continued in detail, focusing on the extent of the risk management process developed (Safa, Von Solms and Furnell 2016). The other steps of the risk management process are the identification, analysis and evaluation of various specific tasks. Although there are several techniques and methods for documentation, the following few elements are key contents of those techniques (Evans 2016).

Risk identification: It is very important to identify the sources, causes, consequences and impacts of a particular risk in order to develop a good risk management technique. The sources of external and internal risk must be classified.

Risk analysis: It is important to identify the consequences and their causes and contributing factors, and also to assess the likelihood. It is also important to identify and evaluate the currently working controls.

Risk evaluation: Compare the risks identified against the risk criteria established. Decisions are then made to accept or treat those risks, considering the requirements of the legal, external and internal parties.

Threats in online business information system:
There are 6 types of security threats which business information systems are facing.

Ransomware and Malware: Malware and ransomware are software which can install themselves on a computer and perform their actions behind the user's back without the user getting to know about it, be it encrypting files, locking systems, or stealing or hiding files from the user.
• Virus: A virus is software which can replicate itself inside a system and destroy files, software and data, or slow down computers.
• Spyware: Spyware can gather information and share it with an unauthorized user. It is hard to detect but can show symptoms such as a slowing down of the system or increased advertisements. All kinds of viruses, malware and the like spread through emails, spam or infected USB devices.
• Un-patched server and vulnerability of the software: A common security threat is the exposure of software and servers that are un-patched. This can lead to DDoS (distributed denial of service) attacks or remote desktop protocol attacks (Wang et al. 2015).
• Physical damage: Physical damage to hardware is a major problem for any business, causing loss of data and disruption of work.
• Access threats: Due to the lack of security presently in Advanced Medicos Limited (AML), the routers are unprotected and the information in the server can be accessed by all, so manipulation of the information, or even loss of the privacy or the integrity of the data, can occur.

Risk assessment:
The risk register below lists, for each threat: the source, the existing controls, the likelihood, the impact, the resulting rating and the recommendation.

1. Malware and Ransomware
   Source: SQL injection
   Existing controls: Outdated antivirus; no backup system to retrieve the data which may be lost in these attacks.
   Likelihood: High; Impact: High; Rating: High
   Recommendation: Update to the latest version of the antivirus; keep the entire system up to date; implement cloud computing technology to retain backups.

2. Virus
   Source: Hacker
   Existing controls: Outdated antivirus; no security configuration on the routers; no protection mechanism active.
   Likelihood: High; Impact: High; Rating: High
   Recommendation: Check the entire information system, as viruses can infect the databases and the software; keep track of the pattern of the attacks so that they can be prevented.

3. Spyware
   Source: Hacker
   Existing controls: No existing controls.
   Likelihood: High; Impact: High; Rating: High
   Recommendation: Monitor the system on a daily basis; implement security protocols such as antivirus and updated firewalls.

4. Physical damage
   Source: Employees or other people of the organization
   Existing controls: No controls or policies in place.
   Likelihood: Medium; Impact: Medium; Rating: Medium
   Recommendation: Careful handling of the devices; training of the employees and staff on the devices.

5. Un-patched server and vulnerability of the software
   Source: Lack of updates
   Existing controls: No security controls.
   Likelihood: High; Impact: High; Rating: High
   Recommendation: Patch the server on a regular basis.

6. Privacy, integrity and confidentiality threats
   Source: Employees, hackers, criminals and many more
   Existing controls: No encryption mechanism.
   Likelihood: High; Impact: High; Rating: High
   Recommendation: Encrypt the data; implement cloud computing technology; implement access control protocols.
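The risk register above and the ISO 31000 steps described in Task 2 (identification, analysis, evaluation) can be carried out as a small program. The following is an added example, not part of the assignment: it loads the six register rows as data, derives the rating from likelihood and impact, and then evaluates each risk against an acceptance criterion to produce an ordered treatment list. The 3x3 rating matrix and the "only Low is acceptable" criterion are assumptions made here; they reproduce the ratings the table gives but the page does not state them.

```python
"""Risk register for the AML assessment (added example, not the assignment's
own work). Identification = the register rows; analysis = likelihood x impact
-> rating; evaluation = compare the rating with an acceptance criterion."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# Assumed qualitative rating matrix (likelihood, impact) -> rating. It agrees
# with the table (High/High -> High, Medium/Medium -> Medium); the other cells
# are filled conservatively and are not taken from the page.
RATING_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",      ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",   ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",  ("High", "Medium"): "High",     ("High", "High"): "High",
}

# Assumed acceptance criterion for the evaluation step: only Low is accepted.
ACCEPTABLE_RATINGS = {"Low"}


@dataclass
class Risk:
    number: int
    threat: str
    source: str
    existing_controls: str
    likelihood: str
    impact: str
    recommendations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject levels outside the scale so a typo cannot silently drop a risk.
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"risk {self.number}: unknown level {level!r}")

    def rating(self) -> str:
        return RATING_MATRIX[(self.likelihood, self.impact)]

    def score(self) -> int:
        # Numeric score used only to order risks within the treatment list.
        return LEVELS[self.likelihood] * LEVELS[self.impact]


# The six rows of the risk assessment table, as stated on the page.
REGISTER: List[Risk] = [
    Risk(1, "Malware and ransomware", "SQL injection",
         "Outdated antivirus; no backup to recover lost data", "High", "High",
         ["Update antivirus", "Keep the entire system up to date", "Cloud backup"]),
    Risk(2, "Virus", "Hacker",
         "Outdated antivirus; routers not configured; no protection active",
         "High", "High", ["Check the whole information system", "Track attack patterns"]),
    Risk(3, "Spyware", "Hacker", "No existing controls", "High", "High",
         ["Daily monitoring", "Antivirus and updated firewalls"]),
    Risk(4, "Physical damage", "Employees or other people of the organization",
         "No controls or policies", "Medium", "Medium",
         ["Careful handling of devices", "Train staff on the devices"]),
    Risk(5, "Unpatched server and software vulnerabilities", "Lack of updates",
         "No security controls", "High", "High", ["Patch the server regularly"]),
    Risk(6, "Privacy, integrity and confidentiality threats",
         "Employees, hackers, criminals and others", "No encryption mechanism",
         "High", "High", ["Encrypt the data", "Cloud computing", "Access control"]),
]


def evaluate(risks: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Evaluation step: split the register into risks to treat and risks to
    accept; the treatment list is ordered by score, then by register number."""
    treat = sorted((r for r in risks if r.rating() not in ACCEPTABLE_RATINGS),
                   key=lambda r: (-r.score(), r.number))
    accept = [r for r in risks if r.rating() in ACCEPTABLE_RATINGS]
    return treat, accept


def rating_counts(risks: List[Risk]) -> Dict[str, int]:
    """Number of risks in each rating band."""
    return dict(Counter(r.rating() for r in risks))


def treatment_plan(risks: List[Risk]) -> List[str]:
    """One line per risk to treat: number, threat, rating and recommendations."""
    treat, _ = evaluate(risks)
    return [f"{r.number}. {r.threat} [{r.rating()}]: " + "; ".join(r.recommendations)
            for r in treat]


if __name__ == "__main__":
    for line in treatment_plan(REGISTER):
        print(line)
    print(rating_counts(REGISTER))
```

With the assumed criterion, all six risks end up in the treatment list (five High, one Medium), which matches the table: none of the rows is left without a recommendation. Changing the criterion to accept Medium as well would move the physical damage row into the accept list, which is the decision the evaluation step exists to make explicit.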
References:

de Carvalho Junior, M.A., Ortolani, C.L.F. and Pisa, I.T., 2016. Health Information System (HIS) security standards and guidelines history and content analysis. Journal of Health Informatics, 8(3).

Evans, L., 2016. Protecting information assets using ISO/IEC security standards. Information Management, 50(6), p.28.

Goglia, R. and Siddiqui, K., 2018. Non-Healthcare Data is Now Healthcare's Biggest Information Asset: an Analysis of Geographic Social Determinant Data and Its Relationship to Hypertension. Circulation, 138(Suppl_1), pp.A16502-A16502.

Kruse, C.S., Frederick, B., Jacobson, T. and Monticone, D.K., 2017. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), pp.1-10.

Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.

Singer, P.W. and Friedman, A., 2014. Cybersecurity: What Everyone Needs to Know. OUP USA.

Smallwood, R.F., 2019. Information Governance: Concepts, Strategies and Best Practices. John Wiley & Sons.

Wang, B., Zheng, Y., Lou, W. and Hou, Y.T., 2015. DDoS attack protection in the era of cloud computing and software-defined networking. Computer Networks, 81, pp.308-319.