Report on Implementing Security Management Program at Griffith University Medical GUMC
Added on  2023/06/04
Security Management and Governance

A Report on the Need to Implement Security Management Program at Griffith University Medical GUMC
Abstract
The purpose of this document is to develop a report that discusses how information security can be better managed by the GUMC organization. Security management information is akin to an organization's nervous system. Security management is a core component of every organization's activities, as it embraces the assurance of confidentiality, integrity and availability in an organization's information systems and assets. It also minimizes crises, such as disasters, that may compromise the organization's operations.
Key words: security management, risks, threats, assessments, NIST, GUMC.

Table of Contents
Abstract
The development of a Security Policy and Security Management Plan
  i. Information system assets to be secured
  ii. The reason why the security policy is developed
  iii. Mission and vision
  iv. Identify who will take responsibility
  v. Draft a policy
Security management plan
The functions, tasks, roles and responsibilities that need to be defined for the Security Management Program
The roles that different individuals/groups would play in terms of governance in general
  GUMC administrator
  Chief information officer
  The entire information management team in the organization will guarantee the following
The model that would be useful in development of security management plan in GUMC's case
The legal and statutory requirements that will be addressed
Reference list
Appendix
  Risk Assessment/Management
    Assessment process
    Risk identification
    Threats identified in patient information area
  Priorities set to mitigate the risks
Introduction
Security management is an overarching process that involves the protection of systems, networks and other information assets from security threats. The benefits that organizations have achieved through security management planning are far reaching. Security management planning creates indicators that help identify a potentially hazardous event and give early warning (Subashini and Kavitha, 2011, pp.1-11). Key metrics and measurements of risk also improve the value of reporting an investigation and make it possible to track potential vulnerabilities that could compromise the system. Another noteworthy advantage is that a security management plan promotes the detection of hazards: it facilitates the detection and examination of security threats that may compromise the system, so that immediate action can be initiated (Whitman and Mattord, 2013, p.11). Given the indispensable advantages of implementing the security management technique, it is imperative that every organization adopt a security management program (Ernest Chang and Lin, 2007, pp.438-458; Robson, 2015, p.31). Griffith University Medical GUMC is no exception. As a critical first action in venturing into this fundamental aspect, the organization's personnel shall take up the roles and responsibilities defined in the following sections.

The development of a Security Policy and Security Management Plan
A security policy refers to the procedures that govern the use of an information system in an organization. The primary objective of a security policy is to protect an organization's information system from cyber-attacks (Peltier, 2016, pp.234-246). This section focuses on the development of an information security policy and a security management plan that would address the risks at GUMC. The development of the security policy involves a few steps that will be followed in order to ensure a robust security policy for the GUMC organization:

i. Information system assets to be secured
Before getting on with policy formulation, the question "what do we want to secure?" must be answered. What is to be secured should be the first consideration when designing a policy; this ensures the development of a pertinent policy. In GUMC's case, this applies to the organization's assets that need to be secured, including but not limited to patient data and hardware equipment.

ii. The reason why the security policy is developed
This involves the rationale or needs that have called for the development of the policy. In GUMC's case, the assessment reveals that, apart from the online platform which facilitates service delivery, the organization does not have a formal security policy governing the privacy and security of sensitive information. This therefore calls for the development of a structured policy in order to guarantee the privacy and security of patients' information.

iii. Mission and vision
Mission and vision define an organization's goals and objectives. They are important in policy development for strategic information security management, and they will be given due consideration in the GUMC policy development.
iv. Identify who will take responsibility
"Who will take which responsibility?" is an important question that will be addressed at this stage. This step involves identifying who will take responsibility and which responsibilities will ensure the protection of the system.

v. Draft a policy
This step involves outlining an organizational policy that meets the needs of the organization. This stage should involve the organization's security management staff, including the chief information security manager at GUMC, and the relevant authorities.

Security management plan
This involves a plan that aids in the identification of all information security assets of an organization, including but not limited to computers, data and management staff, followed by the formulation, documentation and implementation of appropriate policies and procedures for protecting those assets (Almorsy, Grundy and Ibrahim, 2011, pp.364-371). This tool is handy as it provides for the secure deployment, maintenance, operation and disposal of assets. It will be essential for the GUMC organization during implementation of the security management program. An important first step in developing a security management plan that suits GUMC is to obtain accurate information concerning the configuration, including network connections, system configurations and other system properties that aid in service delivery in the organization (Whitman and Mattord, 2011, pp.22-39).
The second step includes the development and implementation of security requirements that will be followed prior to the modification, configuration, addition or removal of any asset of the information system.

The functions, tasks, roles and responsibilities that need to be defined for the Security Management Program
The functions, roles, tasks and responsibilities defined for the security program in the GUMC organization lie in the following areas (Hu, Dinev, Hart and Cooke, 2012, pp.615-660):
Security of data assets: all information, including but not limited to patient data, shall be safeguarded from unauthorized access to ensure safety and privacy.
Network connection threats: all GUMC information system and physical assets facilitating connections shall be protected from any external or internal threat.
Access control: any unauthorized access shall be blocked by the system to protect the information system from fraud.

The roles that different individuals/groups would play in terms of governance in general
To ensure system security, every IT management staff member must be cognizant of his or her responsibilities. This section defines the roles and responsibilities of every IT management person in the GUMC Corporation who has responsibilities concerning IT security, or any related governance, for safeguarding the information systems and the data they manage, operate and support (Susanto, Almunawar and Tuan, 2011, pp.23-29).
GUMC administrator
i. Ensuring that the chief information officer and other key officials report annually on the effectiveness of the GUMC information security program, including the progress of remedial actions, to the GUMC Administrator, Congress, the Department of Security Management and other entities as required by law and Executive Branch direction (Larson and Gray, 2015).
ii. Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information collected or maintained by or on behalf of the Agency, and of information systems used, managed or operated by the Agency, another Agency, or a contractor or other organization on behalf of the Agency (Larson and Gray, 2015).
iii. Ensuring that information security management processes are integrated with Agency strategic and operational planning processes.
iv. Ensuring that a comprehensive, agency-wide information security program is developed, documented, implemented and maintained to protect information and information systems.

Chief information officer
i. Assisting senior Agency and other key officials in understanding and carrying out their information security responsibilities.
ii. Establishing minimum mandatory risk-based technical, operational and management information security control requirements for Agency information and information systems (Larson and Gray, 2015).
iii. Developing, maintaining and issuing agency-wide information security policies, procedures and control techniques to provide direction for implementing the requirements of the information security program.
iv. Developing, documenting, implementing and maintaining comprehensive, well-designed and well-managed continuous monitoring and standardized risk assessment processes (Larson and Gray, 2015).
v. Maintaining the professional qualifications required to administer the functions of the GUMC Information Security Program and to carry out the chief information officer's responsibilities under GUMC policy and applicable information security laws, Executive Branch policy and other directives.

The entire information management team in the organization will guarantee the following:
i. Implementing the policies, systems, control techniques and procedures identified in the Agency information security program that encompass activities under their normal operational control or supervision (Larson and Gray, 2015).
ii. Ensuring that all GUMC information and information system users within their organization successfully complete information security awareness training prior to initial access to GUMC systems and information, and at least annually thereafter in order to maintain access.
iii. Ensuring that risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the Agency in carrying out its core missions and business functions.
iv. Coordinating with the chief information officer, Risk Executive, Risk Executive Group and others involved in securing Agency information and systems to ensure that risks are managed to an acceptable level.

The model that would be useful in development of security management plan in GUMC's case
A security model is a generic blueprint of security management provided by a service organization. This section presents the appropriate model for GUMC security management. The selected model for GUMC is the NIST model, chosen for the following reasons. The GUMC organization needs a more structured, formal security program to govern its system. Drawing from the organization's needs, the NIST model is the most appropriate for GUMC because, unlike other models, it is publicly available (Greer et al., 2014, p.47). As a result, NIST has been broadly reviewed by industry professionals and government, making it the best choice for this particular project.

The legal and statutory requirements that will be addressed
This section presents the legal compliance that must be adhered to in the process of security management (Bulgurcu, Cavusoglu and Benbasat, 2010, pp.523-548). These are acts that have to be applied during the formulation of information security policies. The policy that will be used for information security at GUMC must conform to the regulations in force in Australia and cannot violate any of them, since they carry legal sanction. Below are three crucial acts that must not be violated:
i. Private Security Act 2004
ii. Security and Related Activities Act 1996
iii. Security Providers Regulation 2008
Reference list
Almorsy, M., Grundy, J. and Ibrahim, A.S., 2011. Collaboration-based cloud computing security management framework. In: 2011 IEEE International Conference on Cloud Computing (CLOUD), pp.364-371. IEEE.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), pp.523-548.
Ernest Chang, S. and Lin, C.S., 2007. Exploring organizational culture for information security management. Industrial Management & Data Systems, 107(3), pp.438-458.
Greer, C., Wollman, D.A., Prochaska, D.E., Boynton, P.A., Mazer, J.A., Nguyen, C.T., FitzPatrick, G.J., Nelson, T.L., Koepke, G.H., Hefner Jr, A.R. and Pillitteri, V.Y., 2014. NIST framework and roadmap for smart grid interoperability standards, release 3.0. NIST Special Publication 1108r3.
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decision Sciences, 43(4), pp.615-660.
Larson, E.W. and Gray, C.F., 2015. A Guide to the Project Management Body of Knowledge: PMBOK Guide. Project Management Institute.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications, pp.234-246.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud Computing: implementation, management, and security. CRC Press, p.23.
Robson, W., 2015. Strategic Management and Information Systems. Pearson Higher Ed, p.31.
Subashini, S. and Kavitha, V., 2011. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1), pp.1-11.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2011. Information security management system standards: a comparative study of the big five. International Journal of Electrical & Computer Sciences IJECS-IJENS, 11(5), pp.23-29.
Whitman, M. and Mattord, H., 2013. Management of Information Security. Nelson Education, p.11.
Whitman, M.E. and Mattord, H.J., 2011. Principles of Information Security. Cengage Learning, pp.22-39.
Young, A.L. and Quan-Haase, A., 2013. Privacy protection strategies on Facebook: the Internet privacy paradox revisited. Information, Communication & Society, 16(4), pp.479-500.
Appendix
Risk Assessment/Management
Assessment process
The purpose of this risk assessment was to assess the needs and requirements for implementing information and communication technology at Griffith University Medical Center GUMC. The risk assessment was performed by a group of technology students from Melbourne Polytechnic hired by Bay Pointe Security Consulting BPSC. A project team leader was selected and assigned to lead, schedule and document the project assessment results throughout the session. All project assessment results, including the risks identified, were preserved in a project file. The assessments were carried out throughout the project life cycle to support the change request process when baseline adjustments were needed, and to support decision making on the selection and implementation of technical alternatives for implementing the program. The risk management plan was then made by the project leader on the basis of the risks identified.

Risk identification
Upon completion of the risk assessment on the needs for adopting the system security program, various threats were found to be hazardous to the GUMC information system. The threats were categorized under information system management, information system security and disaster recovery.

Information system management
The risk assessment revealed that the IT management program in the organization has been one without pertinent controls regarding ICT system security.
Information system security
The GUMC organization was found to handle very critical information, i.e. patient data and patients' prescriptions, that was not secured from potential cyber-attack.

Disaster recovery
Upon assessment, it was found that the GUMC organization did not have a disaster recovery control. A disaster recovery program is a fundamental aspect of an information system security program. Risk management is a considerable aspect in every organization, including GUMC, because without risk management the organization will not be able to define its objectives for future needs. If an organization defines its objectives without taking the risks into account, the chance that the organization will lose direction when hit by a risk is very high. Risk management will ensure that the risks identified are managed properly to mitigate their negative effects while exploring more opportunities for GUMC. Contingency planning and a disaster recovery program are other critical aspects in every organization, as they help it recover as fast as possible when hit by an unforeseen security attack.

Threats identified in patient information area
1. Risk of cloud computing services
Patient information is provided in a cloud-based application which is interfaced with GUMC staff through interactive web pages to make operations easy. Besides being overlooked by GUMC, such systems are prone to cyber-attacks (Rittinghouse and Ransome, 2016, p.23). There is therefore a need to give more consideration to the IT security program in this sector.
2. Network connections
The GUMC network contains devices for medication, such as medication scanners, patient monitoring systems and embedded connections, among other assets which help in tracking, monitoring and managing operations. However, the embedded connections in the network may be exploited by attackers to gain access to the organization's information system and compromise it, precipitating the need for an information security program at GUMC.

Priorities set to mitigate the risks
i. All sensitive information, including patient data and the organization's important information, will continue to reside within the PEW organization's system and will be subject to security and access control policies to secure privacy (Young and Quan-Haase, 2013, pp.479-500).
ii. To minimize the network connection risk, the PEW organization should adopt a pertinent security policy and controls to protect its assets, both hardware and software, alongside networking devices.
iii. The PEW organization shall prioritize selecting a vendor that adopts more security options in order to avoid data breaches.