BIT361 Security Management: Developing a Security Program for GUMC

Added on 2023/06/10
Running head: SECURITY MANAGEMENT AND GOVERNANCE
Security Management and Governance
[Name of the Student]
[Name of the University]
[Author note]
Risk Management:
Risk management is the process of identifying risks, assessing them, and taking steps to reduce
them to an acceptable level. It is a critical factor for GUMC because it supports the successful
implementation and maintenance of a secure environment. Risk assessment identifies, quantifies
and prioritizes risks against GUMC's risk acceptance criteria and objectives. The results guide
and determine which actions are appropriate and which should be prioritized in order to manage
information security risks and to implement the controls required to protect the information
assets.
The risk management process includes the following steps:
1. Identification of the different kinds of risk
a. The agency's assets are identified, together with the owners of the information.
b. The threats that the assets might face are identified.
c. The vulnerabilities that could be exploited by the identified threats are identified.
d. The impacts on the assets that could result from a loss of confidentiality, integrity or
availability are identified.
2. Evaluation and analysis of the risks
a. The business impacts on GUMC are assessed; these may result from a security failure or from
many other causes. The consequences of a loss of confidentiality, integrity or availability of the
assets are taken into account when assessing the impacts.
b. The realistic likelihood of security failures is assessed.
c. The risk level is estimated.
d. It is determined whether the risks that could occur are acceptable or not.
3. Identification and evaluation of the options for treating the risk
a. Apply appropriate controls
b. Accept the risk
c. Avoid the risk
d. Transfer the risk associated with the information system to other parties
4. The last step is the selection of control objectives and of the controls used to treat the risks.
No set of rules can provide complete security, so additional management actions must be
deployed to monitor, evaluate and improve the effectiveness and efficiency of the security
controls in support of GUMC's goals and objectives.
5. Benefits of the risk assessment plan:
The risk management plan is included to make sure that risks are managed properly by GUMC.
Its main goal is to reduce the impact of negative risks on the new system and to increase
opportunities. The plan provides the tools needed to report risks to the organization's senior
management as well as to the project sponsors and the project team. It also helps the team manage
the risks and describes the levels of risk that the organization will not tolerate at all. The main
reason for developing the risk management plan and integrating it with the project management
plan is to align the project with the other project documents, beginning with the project charter.
Within this, the cost plan determines the ways in which risk may be carried into the project
through budgeting, expenditure and procurement.
6. Major assets of the organization vulnerable to risks:
Some of the major assets include the following:
a. Specific components and medical application systems, such as the imaging modalities,
network components and many more.
b. Unspecified components or medical application systems in the hospital's IT infrastructure;
for example, a denial of service attack could block all network traffic.
c. The medical application software
d. Data regarding the configuration of hardware and software
e. Patients' personal data
f. Personal data of staff and other persons associated with the organization
g. Healthcare procedure support information, including history of use and operator/user
details.
7. Possible impacts of the risk:
Threats can be of different types: a single diagnostic or monitoring risk, a single patient-related
risk, a single diagnostic or monitoring system-related risk, or an attack on an entire deployed set
of systems running a particular software version. The number of systems affected therefore helps
determine the severity. Another major risk the system might face is the irreversible disclosure of
patients' private health information, which could create devastating financial problems for an
individual.
8. Priorities set:
After the risks have been identified, the project management team must determine the level of
each risk using a risk matrix. The team then evaluates the risks in order to choose the methods
required to mitigate them. The risk levels are discussed below; they are tolerable, low, medium,
high and intolerable. A tolerable risk is one that has very little or almost no effect on the project
objectives. Low risks have a minor effect on the project objectives. Medium risks are likely to
have a possible impact on the project objectives as well as on cost and schedule; their probability
of occurrence is generally high enough to require close control of all contributing factors. High
risks are conditions where the risk is considered to have a high probability of occurrence and a
high consequence for the objectives, cost and schedule; risk actions generally need to be
established. Intolerable risks are conditions where both the probability of occurrence and the
consequences are high.
9. Risk mitigation process:
The risk mitigation plan may include the internal technical controls of the system, external
technical controls, descriptions of processes, or training for staff. If a risk cannot be mitigated in
the design control process, it must be properly documented and then assigned according to the
operational environment. In addition, operational controls are implemented alongside the external
controls. In the final stage, GUMC's final decision maker, who holds executive approval
authority, is presented with the residual risks and any subsequent mitigation plans. The decision
maker then assesses the team's summary and combines it with knowledge of the system's
function. This helps advance the organization's mission by reaching a clear and well-supported
decision on whether or not to deploy the targeted system.
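The evaluation, treatment, risk matrix and residual-risk steps of sections 2, 3, 8 and 9 can be carried through in a small risk register. This is an added example, not part of the assignment; the 5x5 matrix cut-offs, the level-to-treatment mapping and the sample assets and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the assignment. Matrix cut-offs, sample register
# and the level-to-treatment mapping are assumptions made for illustration.
LEVELS = ("tolerable", "low", "medium", "high", "intolerable")
TREATMENT = {  # assumed mapping onto the treatment options of step 3
    "tolerable": "accept",
    "low": "accept",
    "medium": "apply controls",
    "high": "apply controls or transfer",
    "intolerable": "avoid, escalate to executive decision maker",
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact_c: int                # business impact of loss of confidentiality, 1..5
    impact_i: int                # same for integrity
    impact_a: int                # same for availability
    control_reduction: int = 0   # likelihood steps removed by planned controls

    def impact(self) -> int:
        # Assumption: the worst CIA loss drives the business impact (step 2a).
        return max(self.impact_c, self.impact_i, self.impact_a)

def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact onto the five levels of section 8 (cut-offs assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    for limit, level in ((2, "tolerable"), (5, "low"), (10, "medium"), (16, "high")):
        if score <= limit:
            return level
    return "intolerable"

def assess(register):
    """Return the register sorted highest inherent risk first, with residual level."""
    rows = []
    for r in register:
        inherent = risk_level(r.likelihood, r.impact())
        residual = risk_level(max(1, r.likelihood - r.control_reduction), r.impact())
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inherent,
                     "residual": residual, "treatment": TREATMENT[inherent],
                     "acceptable": residual in ("tolerable", "low")})  # step 2d
    rows.sort(key=lambda x: LEVELS.index(x["inherent"]), reverse=True)
    return rows

REGISTER = [  # constructed sample based on the asset list in section 6
    Risk("patient personal data", "disclosure of private health information", 3, 5, 3, 2, 1),
    Risk("hospital network", "denial of service blocking all traffic", 4, 1, 1, 5, 2),
    Risk("hardware/software configuration data", "unauthorized modification", 2, 2, 3, 2, 1),
    Risk("staff personal data", "accidental disclosure by email", 2, 2, 1, 1, 0),
]
```

Risks whose residual level is still not acceptable after the planned controls are the ones the executive decision maker of section 9 has to rule on.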