Security Management & Governance: Griffith University Medical Centre
Added on 2023/06/10
AI Summary
This report outlines the needs and requirements for implementing an ICT Security Program at Griffith University Medical Centre (GUMC). It discusses how information security can be better managed through a Security Management Program, detailing tasks and roles for its development. The report includes a preliminary Risk Assessment/Management Plan for the patient information system, incorporating a contingency plan and a discussion of costs and benefits. Key components of the security management plan include organization of information security, asset management, human resources, physical and environmental security, communications and operations management, access control, and information security incident management. The report emphasizes compliance with legal and statutory requirements to ensure the protection of information assets and avoid breaches of law and contractual obligations.

Running head: SECURITY MANAGEMENT AND GOVERNANCE
[Security Management and Governance]
[Name of the Student]
[Name of the University]
[Author note]
Table of Contents
Part A: ... 3
Introduction: ... 3
Discussion: ... 3
Benefits of Security Management: ... 3
Reasons for having a policy: ... 5
Development of Security policy and Security management plan ... 6
Security Management Plan of GUMC: ... 6
Organization of Information Security ... 6
Asset Management ... 7
Human Resources ... 7
Physical and Environmental Security ... 7
Communications and Operations Management ... 8
Access Control ... 8
Information Security Incident Management ... 9
Model or Methods for Security Management Plan ... 9
Implications of Legal and Statutory requirements: ... 9
Conclusion: ... 9
References: ... 11
Part B (APPENDIX) ... 14
Risk Management: ... 14
1. Identification of the different kinds of risks ... 14
2. Evaluation and analysis of the risks ... 15
3. Identification and evaluation of the options for treating the risks ... 15
4. Selection of the control objectives and of the controls to treat the risks ... 15
Week 4:
Part A:
Introduction:
Most organizations today deal with information security at the strategic level, in their information policies and plans. At the operational level, security management helps determine the tools and other security products the organization requires. In practice, insufficient attention is paid to the active process of managing information security; translating policy into technical options is what ensures that the security measures remain effective whenever the requirements or the environment change (Laudon and Laudon 2016). This report discusses the needs and requirements for implementing an ICT security program for the organization GUMC. Its main contents are a discussion of the information system and of how it can be managed better through the development of a security management plan. The report also contains an appendix with a preliminary risk assessment and management plan for the new patient information system that is to be prepared.
Discussion:
Benefits of Security Management:
The new patient information system that is to be developed will serve the interests of GUMC. In it, information and information services are a key factor in the success of the business and will place GUMC above any other
organization conducting a similar type of business. Security is one of the crucial factors to be implemented in the new information system (Jensen et al. 2016). GUMC is to adopt standards covering the following areas of the new information system:
- The scope definition of the system, along with the risk assessment plan and the management of documents.
- The principal objectives of the new Patient Information System.
- The roles and responsibilities of the people who will use the new Patient Information System.
- Protection of the information, the facilities and the equipment to be used (Spiegel et al. 2014), so that human risks and abuse of the information are minimized.
- Management of hardware and telecommunications.
- Maintenance and development of the required software.
- Backup plans for the system.
- Compliance with legislation.
The major benefits of information security management are listed below:
- Reduction of the various kinds of risk by improving the risk management strategy (Nguyen, Bellucci and Nguyen 2014).
- The various operations of GUMC will be conducted more efficiently.
- Security will act as a signal of reliability for the various stakeholders of GUMC.
- Use of the various kinds of tools that help ensure the development of processes related to information management (Peltier 2016).
- Tools will also be used to ensure business continuity whenever a new problem arises.
- Tools will also be used to involve the other employees, which is very important for securing the information.
- This will reduce the interfaces.
Reasons for having a policy:
There are two major reasons behind the adoption of adequate information security policies, both very important for the organization:
1. Internal reason: GUMC can only operate effectively if correct and complete information is available. The policies ensure that correct information, appropriate for providing healthcare services, is available (Soomro, Shah and Ahmed 2016).
2. External reasons: The processes in GUMC create services that are made available to society so as to meet the objectives as defined. Without an adequate supply of information, the services would be substandard, and the information could not be used to meet the objectives of the organization. This in turn would threaten the organization's survival. Appropriate and sufficient information security is essential for obtaining an adequate supply of information (Cavusoglu et al. 2015). So it can be stated that the
significance of the external reasons can be determined only after knowing the significance of the internal reasons. Policies are generally adopted to add significant value to the information system. Effective security also ensures business continuity and helps in meeting the objectives.
Development of Security policy and Security management plan
The main objective of the security policies is to give the management of GUMC direction and to support the new patient information system in line with GUMC's business requirements, while taking the business laws and regulations into account. These information security policies are to be approved by the management of GUMC, then published and communicated to the employees and to the external parties relevant to the system (Oppliger 2015). The policies set out GUMC's approach to managing information security and align the relevant policies with it.
Security Management Plan of GUMC:
Organization of Information Security
GUMC will manage information security. The management of GUMC is responsible for approving the various information security policies. Security roles will be assigned, coordinated and reviewed so as to implement security across the whole organization, with coordination achieved by referring to the relevant roles and jobs across the organization. Responsibilities will be defined clearly and communicated properly (Hoffmann, Kiedrowicz and Stanik 2016).
Information security will also be maintained where information is accessed, processed or communicated by external parties, and in the management of those external parties.
Asset Management
Asset management covers achieving and maintaining appropriate protection for the assets. The assets of GUMC will be identified, along with the owners of the information assets. The assets are also to be classified and maintained so that appropriate controls apply. To make sure the information receives appropriate security, it will be classified to indicate its sensitivity and the degree of protection required when handling it. At this stage the rules for acceptable use will also be identified, documented and implemented (Tu and Yuan 2014).
Human Resources
At this stage the security responsibilities of everyone associated with GUMC are identified, and roles are assigned to them so as to eliminate the probability of the various kinds of risk (Baskerville, Spagnoletti and Kim 2014). Security responsibilities are addressed before employing new individuals, by defining aspects such as the position description and the associated terms and conditions of employment. The management of GUMC is responsible for ensuring that security is applied to every individual employed by the organization.
Physical and Environmental Security
A major component of this security plan is protection against any kind of unauthorized physical access, compromise, damage, theft and interference to information and facilities. Security barriers and entry controls will be applied to
secure sensitive information and information assets. Physical protection will be provided against unauthorized access, damage and interference. Appropriate entry controls will protect the secure areas by restricting access to authorized personnel. Off-site equipment will also be secured (Webb et al. 2014). Equipment containing storage media will be checked before disposal to ensure that all sensitive data and licensed software have been removed or securely overwritten according to the policies.
Communications and Operations Management
The responsibilities and procedures needed to manage the various operations related to information processing will be established. According to the policies, segregation of duties will be implemented so as to eliminate or minimize the risk of deliberate negligence or misuse of the systems and information. Precautions will be adopted to prevent and detect malicious code and unauthorized mobile code, which helps protect the integrity of software and information (Ahmad, Maynard and Park 2014). Information will be handled and stored according to procedures that are established and communicated in order to protect it from disclosure or misuse.
Access Control
Access to the different types of information will be controlled according to the business and security requirements. Formal procedures and the implementation of access rights controls will prevent unauthorized access (Wager, Lee and Glaser 2017). Users will be made aware of their responsibilities for effective access control, and of their responsibility to protect unattended equipment.
Information Security Incident Management
Information security incidents will be communicated in a way that allows corrective action to be taken in a timely manner (Kruse et al. 2017). To reach all users, it is essential to establish formal incident reporting and escalation procedures. Responsibilities and procedures for handling information security incidents will also be established.
Model or Methods for Security Management Plan
Implications of Legal and Statutory requirements:
The design, operation, use and management of information and information assets are generally subject to statutory, contractual and regulatory security requirements. Compliance with the necessary legal requirements is essential to avoid breaches of law and of statutory, regulatory or contractual obligations, and to make sure that no security requirement is breached (Weaver et al. 2016). The legal requirements include, but are not limited to, state statutes, statewide and agency policy, regulations, contractual agreements, intellectual property rights, copyrights, and the protection and privacy of personal information. Establishing these controls will maximize the effectiveness of the audit process for the information system.
Conclusion:
The above report helps in understanding the new patient information system, where certain processes are needed in order to provide information security. The report also presents the security management plan, which includes the tasks and roles needed to develop the Security Management Program. The various processes have been discussed in brief
so as to understand the importance of security and how this process would help in
securing the Patient Information System. The report also discusses the legal and statutory
requirements. Finally, the report depicts the importance of having security management, along with
the various benefits that can be obtained by making use of the Security Management plan and the
security policies.
References:
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-
370.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security:
Managing a strategic balance between prevention and response. Information &
Management, 51(1), pp.138-151.
Cavusoglu, H., Cavusoglu, H., Son, J.Y. and Benbasat, I., 2015. Institutional pressures in
security management: Direct and indirect influences on organizational investment in information
security control resources. Information & Management, 52(4), pp.385-400.
Hoffmann, R., Kiedrowicz, M. and Stanik, J., 2016. Risk management system as the basic
paradigm of the information security management system in an organization. In MATEC Web of
Conferences (Vol. 76, p. 04010). EDP Sciences.
Jensen, R.E., Moinpour, C.M., Keegan, T.H., Cress, R.D., Wu, X.C., Paddock, L.E., Stroup,
A.M. and Potosky, A.L., 2016. The Measuring Your Health study: Leveraging community-based
cancer registry recruitment to establish a large, diverse cohort of cancer survivors for analyses of
measurement equivalence and validity of the Patient Reported Outcomes Measurement
Information System®(PROMIS®) short form items. Psychological Test and Assessment
Modeling, 58(1), p.99.
Kruse, C.S., Frederick, B., Jacobson, T. and Monticone, D.K., 2017. Cybersecurity in healthcare:
A systematic review of modern threats and trends. Technology and Health Care, 25(1), pp.1-10.