Security Management & Governance: Griffith University Medical Centre

Added on  2023/06/10

AI Summary
This report outlines the needs and requirements for implementing an ICT Security Program at Griffith University Medical Centre (GUMC). It discusses how information security can be better managed through a Security Management Program, detailing tasks and roles for its development. The report includes a preliminary Risk Assessment/Management Plan for the patient information system, incorporating a contingency plan and a discussion of costs and benefits. Key components of the security management plan include organization of information security, asset management, human resources, physical and environmental security, communications and operations management, access control, and information security incident management. The report emphasizes compliance with legal and statutory requirements to ensure the protection of information assets and avoid breaches of law and contractual obligations.
Running head: SECURITY MANAGEMENT AND GOVERNANCE
[Security Management and Governance]
[Name of the Student]
[Name of the University]
[Author note]
Table of Contents
Part A
Introduction
Discussion
Benefits of Security Management
Reasons for having a policy
Development of Security policy and Security management plan
Security Management Plan of GUMC
Organization of Information Security
Asset Management
Human Resources
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Security Incident Management
Model or Methods for Security Management Plan
Implications of Legal and Statutory requirements
Conclusion
References
Part B (APPENDIX)
Risk Management
1. Identification of the different kinds of risk
2. Evaluation and analysis of the risks
3. Identification and evaluation of the options for treating the risk
4. Selection of control objectives and controls to treat the risks
Week 4:
Part A:
Introduction:
Most organizations today address information security at the strategic level, in their
information policies and plans; at the operational level, security management determines the
tools and other security products the organization needs. In practice too little attention is
paid to the ongoing process of managing information security, and it is the translation of
policy into technical measures that keeps the security controls effective whenever the
requirements or the environment change (Laudon and Laudon 2016). This report discusses the
needs and requirements for implementing an ICT security program for the organization GUMC. Its
main content is a discussion of the information system and of how that system can be better
managed by developing a security management plan. An appendix contains the preliminary risk
assessment and management plan for the new patient information system that is to be built.
Discussion:
Benefits of Security Management:
The new patient information system is being developed to serve the interests of GUMC. Its
information and information services will be an important factor in the success of the business
and would place GUMC ahead of other organizations conducting a similar business. Security is one
of the crucial factors to be built into the new information system (Jensen et al. 2016). GUMC
would adopt standards covering the following aspects of the new information system:
- The scope definition of the system, together with the risk assessment plan and the
  management of documents
- The principal objectives of the new Patient Information System
- The roles and responsibilities of the people who will use the new Patient Information System
- Protection of the information, facilities and equipment to be used, so that human risk and
  abuse of information are minimized (Spiegel et al. 2014)
- Management of hardware and telecommunications
- Maintenance and development of the required software
- Backup plans for the system
- Compliance with legislation
The major benefits of information security management are:
- Reduction of various kinds of risk through improvements to the risk management strategy
  (Nguyen, Bellucci and Nguyen 2014)
- More efficient conduct of GUMC's operations
- Security acting as a signal of reliability to GUMC's various stakeholders
- Use of tools that help develop the processes for managing information (Peltier 2016)
- Use of tools to ensure business continuity whenever a new problem arises
- Use of tools to involve the other employees, which is very important for securing the
  information
- Fewer interfaces to manage
Reasons for having a policy:
There are two major reasons for adopting adequate information security policies, both of which
are very important for the organization:
1. Internal reason: GUMC can only operate effectively if correct and complete information is
available. The policies ensure that correct information, appropriate for providing healthcare
services, is available (Soomro, Shah and Ahmed 2016).
2. External reasons: GUMC's processes create services that are made available to society so as
to meet its defined objectives. An inadequate supply of information would lead to substandard
services, and the information could not be used to meet the organization's objectives; this in
turn would threaten the organization's survival. Appropriate and sufficient information security
is essential for obtaining an adequate supply of information (Cavusoglu et al. 2015). The
significance of the external reasons can therefore only be judged once the significance of the
internal reasons is understood. The policies are adopted to add significant value to the
information system. Effective security also ensures business continuity and helps meet the
objectives.
Development of Security policy and Security management plan
The main objective of the security policies is to give GUMC's management direction and support
for the new patient information system in line with GUMC's business requirements and with the
applicable laws and regulations. The information security policies are to be approved by GUMC's
management and then published and communicated to the other employees and to the external
parties relevant to the system (Oppliger 2015). These policies set out GUMC's approach to
managing information security and align it with the other relevant policies.
Security Management Plan of GUMC:
Organization of Information Security
GUMC will manage information security within the organization. GUMC's management is
responsible for approving the information security policies. Security roles are assigned,
coordinated and reviewed so that security is implemented across the whole organization, and
this coordination refers to the relevant roles and jobs throughout the organization.
Responsibilities are defined clearly and communicated properly (Hoffmann, Kiedrowicz and Stanik
2016). The security of GUMC's information and information processing facilities that are
accessed, processed, communicated to or managed by external parties is also maintained.
Asset Management
Asset management means achieving and maintaining appropriate protection for the assets. GUMC's
assets will be identified, together with the owners of the information assets. The assets are
then classified and maintained so that appropriate controls apply. To ensure that information
receives appropriate security, it is classified to indicate its sensitivity and the degree of
protection required when handling it. At this stage rules for acceptable use are also
identified, documented and implemented (Tu and Yuan 2014).
Human Resources
At this stage the security responsibilities of everyone associated with GUMC are identified and
roles are assigned to them so as to reduce the probability of various kinds of risk
(Baskerville, Spagnoletti and Kim 2014). Security responsibilities are addressed before new
individuals are employed, in the position description and in the terms and conditions of
employment. GUMC's management is responsible for ensuring that security is applied to every
individual employed by the organization.
Physical and Environmental Security
A major component of this security plan is protection against unauthorized physical access,
compromise, damage, theft and interference affecting information and facilities. Security
barriers and entry controls are applied to secure sensitive information and information assets.
Physical protection is provided against unauthorized access, damage and interference, and entry
controls restrict secure areas to authorized personnel only. Off-site equipment is also secured
(Webb et al. 2014). Equipment containing storage media is checked before disposal to ensure that
all sensitive data and licensed software have been removed or securely overwritten in accordance
with the policies.
Communications and Operations Management
Responsibilities and procedures for managing the various information processing operations are
established. In line with the policies, duties are segregated so as to eliminate or minimize the
risk of deliberate negligence or misuse of the systems and information. Precautions are adopted
to prevent and detect malicious code and unauthorized mobile code, protecting the integrity of
software and information (Ahmad, Maynard and Park 2014). Procedures for handling and storing
information are established and communicated to protect the information from disclosure or
misuse.
Access Control
Access to the different types of information is controlled according to the business and
security requirements. Formal procedures and controlled access rights prevent unauthorized
access (Wager, Lee and Glaser 2017). Users are made aware of their responsibilities for
maintaining effective access control and for protecting unattended equipment.
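As an added illustration of "formal procedures and controlled access rights" for a patient information system (example code written for this edit, not part of the original report or of any GUMC system), the following deny-by-default check grants access only through explicitly listed role permissions and, for clinical notes, only where the user currently treats the patient. The roles, record sections, actions and the treating-relationship rule are assumptions; every decision is logged so that denied attempts can feed the incident management process.

```python
"""Deny-by-default access check for the patient information system.

Added example, not part of the original report. The roles, record
sections, actions and the 'treating relationship' rule are assumptions
chosen to illustrate formal access rights and least privilege; GUMC's
real access matrix would come from its access control policy.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]   # (record section, action)

# Role -> permissions explicitly granted. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "clinician": frozenset({("demographics", "read"), ("clinical", "read"), ("clinical", "write")}),
    "nurse": frozenset({("demographics", "read"), ("clinical", "read")}),
    "receptionist": frozenset({("demographics", "read"), ("demographics", "write"), ("billing", "read")}),
    "sysadmin": frozenset(),  # runs the platform, never reads patient data
}

# Sections that additionally require a current treating relationship with the patient
RELATIONSHIP_REQUIRED: FrozenSet[str] = frozenset({"clinical"})


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]
    treating: FrozenSet[str] = frozenset()   # patient ids this user currently treats


@dataclass
class AccessLog:
    """Every decision, allowed or denied, is recorded for audit and incident review."""
    entries: List[dict] = field(default_factory=list)


def check_access(user: User, patient_id: str, section: str, action: str, log: AccessLog) -> bool:
    """Allow only if some role grants (section, action) and, for relationship-gated
    sections, the user currently treats the patient. Unknown roles grant nothing."""
    by_role = any((section, action) in ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles)
    relationship_ok = section not in RELATIONSHIP_REQUIRED or patient_id in user.treating
    allowed = by_role and relationship_ok
    if allowed:
        reason = "ok"
    elif not by_role:
        reason = "no-role-permission"
    else:
        reason = "no-treating-relationship"
    log.entries.append({"user": user.user_id, "patient": patient_id, "section": section,
                        "action": action, "allowed": allowed, "reason": reason})
    return allowed


def denied_events(log: AccessLog) -> List[dict]:
    """Denied attempts are the ones worth escalating under incident management."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AccessLog()
    dr = User("dr.lee", frozenset({"clinician"}), frozenset({"P100"}))
    check_access(dr, "P100", "clinical", "write", log)   # allowed
    check_access(dr, "P200", "clinical", "read", log)    # denied: not treating P200
    for e in denied_events(log):
        print(e)
```

The design choice worth noting is that the system administrator role carries no patient-data permissions at all: platform operation and clinical access are separate duties, which is the segregation the Communications and Operations Management section asks for.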
Information Security Incident Management
Information security incidents are communicated in a way that allows corrective action to be
taken in a timely manner (Kruse et al. 2017). Formal incident reporting and escalation
procedures are established and communicated to all users, together with the responsibilities
and procedures for handling information security incidents.
Model or Methods for Security Management Plan
Implications of Legal and Statutory requirements:
The design, operation, use and management of information and information assets are subject to
statutory, contractual and regulatory security requirements. Compliance with the applicable
legal requirements is essential to avoid breaches of the law and of statutory, regulatory or
contractual obligations, and to ensure that the security requirements are not breached (Weaver
et al. 2016). The legal requirements include, but are not limited to, state statute, statewide
and agency policy, regulations, contractual agreements, intellectual property rights, copyright,
and the protection and privacy of personal information. Establishing these controls also makes
the audit of the information system as effective as possible.
Conclusion:
This report describes the new patient information system and the processes needed to provide
information security for it. It presents the security management plan, including the tasks and
roles needed to develop the security management program, and discusses the various processes
briefly to show the importance of security and how the plan helps secure the Patient
Information System. The report also discusses the legal and statutory requirements, and shows
the importance of security management and the benefits obtainable from the security management
plan and the security policies.
References:
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.
Cavusoglu, H., Cavusoglu, H., Son, J.Y. and Benbasat, I., 2015. Institutional pressures in security management: Direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), pp.385-400.
Hoffmann, R., Kiedrowicz, M. and Stanik, J., 2016. Risk management system as the basic paradigm of the information security management system in an organization. In MATEC Web of Conferences (Vol. 76, p. 04010). EDP Sciences.
Jensen, R.E., Moinpour, C.M., Keegan, T.H., Cress, R.D., Wu, X.C., Paddock, L.E., Stroup, A.M. and Potosky, A.L., 2016. The Measuring Your Health study: Leveraging community-based cancer registry recruitment to establish a large, diverse cohort of cancer survivors for analyses of measurement equivalence and validity of the Patient Reported Outcomes Measurement Information System® (PROMIS®) short form items. Psychological Test and Assessment Modeling, 58(1), p.99.
Kruse, C.S., Frederick, B., Jacobson, T. and Monticone, D.K., 2017. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), pp.1-10.
Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.
Nguyen, L., Bellucci, E. and Nguyen, L.T., 2014. Electronic health records implementation: an evaluation of information system impact and contingency factors. International Journal of Medical Informatics, 83(11), pp.779-796.
Oppliger, R., 2015. Quantitative risk analysis in information security management: a modern fairy tale. IEEE Security & Privacy, 13(6), pp.18-21.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Spiegel, B.M., Hays, R.D., Bolus, R., Melmed, G.Y., Chang, L., Whitman, C., Khanna, P.P., Paz, S.H., Hays, T., Reise, S. and Khanna, D., 2014. Development of the NIH patient-reported outcomes measurement information system (PROMIS) gastrointestinal symptom scales. The American Journal of Gastroenterology, 109(11), p.1804.
Tu, Z. and Yuan, Y., 2014. Critical success factors analysis on effective information security management: A literature review.
Wager, K.A., Lee, F.W. and Glaser, J.P., 2017. Health care information systems: a practical approach for health care management. John Wiley & Sons.
Weaver, C.A., Ball, M.J., Kim, G.R. and Kiel, J.M., 2016. Healthcare information management systems. Cham: Springer International Publishing.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & Security, 44, pp.1-15.
Part B (APPENDIX)
Risk Management:
Risk management is the process of identifying risks, assessing them and taking steps to reduce
them to an acceptable level. It is a critical factor for GUMC because it assists in successfully
implementing and maintaining a secure environment. Risk assessment identifies, quantifies and
prioritizes the risks against GUMC's risk acceptance criteria and objectives. The results guide
and determine the appropriate actions, and their priority, for managing information security
risks and for implementing the controls required to protect the information assets.
The risk management process includes the following steps:
1. Identification of the different kinds of risk
a. The agency's assets are identified, together with the owners of the information
b. The threats that the assets might face are identified
c. The vulnerabilities that could be exploited by the identified threats are identified
d. The impact on the assets of a loss of confidentiality, integrity or availability is
identified
2. Evaluation and analysis of the risks
a. The business impact on GUMC of a security failure (among other causes) is assessed, taking
into account the consequences of a loss of confidentiality, integrity or availability of the
assets
b. The realistic likelihood of such security failures is assessed
c. The risk level is estimated
d. Whether each risk is acceptable or not is determined
3. Identification and evaluation of the options for treating the risk
a. Applying appropriate controls
b. Accepting the risk
c. Avoiding the risk
d. Transferring the risk associated with the information system to other parties
4. Selection of control objectives and controls to treat the risks.
No set of rules can provide complete security, so additional management actions are deployed
to monitor, evaluate and improve the effectiveness and efficiency of the security controls in
support of GUMC's goals and objectives.
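The four steps above can be carried through as a small risk register. The following is an added example written for this edit, not part of the original report and not GUMC data: the assets, owners, threats, vulnerabilities, the 1-5 likelihood and impact scales, the control catalogue and the acceptance threshold are all constructed assumptions. It computes a risk level as likelihood times the worst-case CIA impact, compares it with the assumed risk appetite (step 2d), chooses one of the four treatment options (step 3) and attaches the control that treats the vulnerability (step 4), then orders the register by priority.

```python
"""Preliminary risk register for the GUMC patient information system,
following the four steps above: identify, analyse, choose treatment,
choose controls.

Added example, not part of the original report. The assets, threats,
vulnerabilities, 1-5 scales, control catalogue and acceptance threshold
are constructed to illustrate the method, not GUMC figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # step 1a: every asset has an identified owner
    c: int               # impact (1-5) of losing confidentiality
    i: int               # impact (1-5) of losing integrity
    a: int               # impact (1-5) of losing availability


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str          # step 1b
    vulnerability: str   # step 1c
    likelihood: int      # step 2b: 1 (rare) .. 5 (almost certain)
    affects: str         # step 1d: which of C, I, A the threat compromises


@dataclass(frozen=True)
class Assessment:
    risk: Risk
    impact: int
    level: int
    treatment: str       # step 3: reduce / accept / avoid / transfer
    control: str         # step 4


RISK_APPETITE = 9        # assumption: a level of 9 or below is accepted by management

# Assumed control catalogue: vulnerability -> control objective that treats it
CONTROLS: Dict[str, str] = {
    "no off-site backup": "daily encrypted off-site backup with tested restores (contingency plan)",
    "shared clinician logins": "unique accounts, MFA and quarterly access review",
    "unencrypted laptops": "full-disk encryption and remote wipe for off-site equipment",
}
# Assumption: threats for which the residual risk can be transferred by insurance
TRANSFERABLE: Set[str] = {"ransomware"}


def impact_of(risk: Risk) -> int:
    """Step 2a: worst-case impact across the CIA properties the threat affects."""
    if not risk.affects or not set(risk.affects) <= {"C", "I", "A"}:
        raise ValueError(f"affects must be a non-empty subset of CIA, got {risk.affects!r}")
    values = {"C": risk.asset.c, "I": risk.asset.i, "A": risk.asset.a}
    return max(values[p] for p in risk.affects)


def risk_level(risk: Risk) -> int:
    """Step 2c: risk level = likelihood x impact on a 5x5 matrix (1..25)."""
    if not 1 <= risk.likelihood <= 5:
        raise ValueError("likelihood must be 1..5")
    return risk.likelihood * impact_of(risk)


def assess(risk: Risk) -> Assessment:
    """Steps 2d, 3 and 4: compare with the appetite, then pick a treatment and control."""
    impact, level = impact_of(risk), risk_level(risk)
    if level <= RISK_APPETITE:
        return Assessment(risk, impact, level, "accept", "record in register and monitor")
    if risk.vulnerability in CONTROLS:
        return Assessment(risk, impact, level, "reduce", CONTROLS[risk.vulnerability])
    if risk.threat in TRANSFERABLE:
        return Assessment(risk, impact, level, "transfer", "cyber insurance and contractual obligations on the vendor")
    return Assessment(risk, impact, level, "avoid", "withdraw or redesign the exposed service")


def build_register(risks: List[Risk]) -> List[Assessment]:
    """Prioritise: highest risk level first (stable sort, so ties keep input order)."""
    return sorted((assess(r) for r in risks), key=lambda a: a.level, reverse=True)


# Constructed sample data (not GUMC figures)
PIS_DB = Asset("patient information database", "clinical director", c=5, i=5, a=4)
LAPTOP = Asset("clinician laptop", "IT manager", c=4, i=2, a=2)
KIOSK = Asset("reception check-in kiosk", "practice manager", c=1, i=1, a=2)
BILLING = Asset("billing system", "finance manager", c=3, i=3, a=3)

SAMPLE_RISKS = [
    Risk(PIS_DB, "ransomware", "no off-site backup", likelihood=3, affects="IA"),
    Risk(PIS_DB, "insider misuse", "shared clinician logins", likelihood=4, affects="C"),
    Risk(LAPTOP, "theft", "unencrypted laptops", likelihood=3, affects="CA"),
    Risk(KIOSK, "power outage", "no UPS", likelihood=3, affects="A"),
    Risk(BILLING, "ransomware", "legacy vendor software cannot be patched", likelihood=4, affects="IA"),
    Risk(PIS_DB, "eavesdropping", "PIS exposed on guest Wi-Fi network", likelihood=4, affects="C"),
]

if __name__ == "__main__":
    for a in build_register(SAMPLE_RISKS):
        print(f"{a.level:>2}  {a.treatment:<8} {a.risk.asset.name}: "
              f"{a.risk.threat} via {a.risk.vulnerability} -> {a.control}")
```

The register deliberately does not let a missing control silently become "accept": a risk above the appetite with no catalogued control and no transfer option falls through to "avoid", which forces the management decision the appendix's closing paragraph refers to rather than hiding it.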