Security Management and Governance Report for GUMC


Added on 2023/06/04

Security Management and Governance 1
A Report on the Need to Implement a Security Management Program at Griffith University
Medical Centre (GUMC)
Student
Course
Tutor
Institutional Affiliations
State
Date
Abstract
The purpose of this document is to report on how information security can be better
managed at GUMC. Security management information is akin to an organization's nervous
system. Security management is a core component of every organization's activities because
it provides assurance of the confidentiality, integrity and availability of the organization's
information systems and assets. It also reduces the likelihood of crises, such as disasters,
that could compromise the organization's operations.
Keywords: security management, risks, threats, assessments, NIST, GUMC.
Table of Contents
Abstract
The development of a Security Policy and Security Management Plan
i. Information system assets to be secured
ii. The reason why the security policy is developed
iii. Mission and vision
iv. Identify who will take responsibility
v. Draft a policy
Security management plan
The functions, tasks, roles and responsibilities that need to be defined for the Security Management Program
The roles that different individuals/groups would play in terms of governance in general
GUMC administrator
Chief information officer
The entire information management team in the organization will guarantee the following
The model that would be useful in development of a security management plan in GUMC's case
The legal and statutory requirements that will be addressed
Reference list
Appendix
Risk Assessment/Management
Assessment process
Risk identification
Threats identified in patient information area
Priorities set to mitigate the risks
Introduction
Security management is an overarching process for protecting systems, networks and other
information assets from security threats. The benefits that organizations have realized from
security management planning are far reaching. Security management planning creates
indicators that help identify a potential hazard and give early warning (Subashini and
Kavitha, 2011, pp.1-11). Key risk measurements also improve the value of assessment
reporting and make it possible to track potential vulnerabilities that could compromise the
system.
Another noteworthy advantage is that a security management plan supports the detection of
hazards. Security management planning facilitates the detection and examination of security
threats that may compromise the system, so that immediate action can be taken (Whitman and
Mattord, 2013, p.11). Given the indispensable advantages of the security management
approach, it is imperative that every organization adopt a security management program
(Ernest Chang and Lin, 2007, pp.438-458; Robson, 2015, p.31). Griffith University Medical
Centre (GUMC) is no exception. As a critical first step into this fundamental area, the
organization's personnel shall take up the roles and responsibilities defined in the following
sections.
The development of a Security Policy and Security Management Plan
A security policy refers to the procedures that govern the use of an organization's
information systems. The primary objective of a security policy is to protect the
organization's information systems from cyber-attacks (Peltier, 2016, pp.234-246). This
section focuses on the development of an information security policy and a security
management plan that address the risks at GUMC.
The development of the security policy involves a few steps that will be followed in order to
ensure a robust security policy for GUMC:
i. Information system assets to be secured
Before getting on with policy formulation, the question "what do we want to secure?" must be
answered. What is to be secured should be the first consideration when designing a policy,
as it ensures the policy is pertinent. In GUMC's case this applies to the organization's
assets that need securing, including but not limited to patient data and hardware equipment.
ii. The reason why the security policy is developed
This covers the rationale or needs that have called for the development of the policy. In
GUMC's case, the assessment reveals that, apart from the online platform that facilitates
service delivery, the organization does not have a formal security policy governing the
privacy and security of sensitive information. This calls for a structured policy in order to
guarantee the privacy and security of patients' information.
iii. Mission and vision
The mission and vision define an organization's goals and objectives. They are important in
policy development for strategic information security management, and they will be taken
into consideration in developing the GUMC policy.
iv. Identify who will take responsibility
"Who will take which responsibility?" is the question addressed at this stage. This step
identifies who will be responsible and which responsibilities will ensure protection of the
system.
v. Draft a policy
This step involves drafting the organization's policy so that it meets the organization's
needs. It should involve the organization's security management staff, including the chief
information security manager at GUMC, and the relevant authorities.
Security management plan
A security management plan aids in identifying all of an organization's information security
assets, including but not limited to computers, data and management staff, and is followed by
the formulation, documentation and implementation of appropriate policies and procedures for
protecting those assets (Almorsy, Grundy and Ibrahim, 2011, pp.364-371). This tool is useful
because it provides for the secure deployment, maintenance, operation and disposal of assets.
It will be essential for GUMC during the implementation of the security management program.
An important first step in developing a security management plan that suits GUMC is obtaining
accurate information about the current configuration, including network connections, system
configurations and the other system properties that support service delivery in the
organization (Whitman and Mattord, 2011, pp.22-39).
The second step is the development and implementation of security requirements that must be
followed before any asset is modified, configured, added to or removed from the information
system.
The functions, tasks, roles and responsibilities that need to be defined for the Security
Management Program
The functions, roles, tasks and responsibilities defined for the security program at GUMC lie
in the following areas (Hu, Dinev, Hart and Cooke, 2012, pp.615-660):
Security of data assets: all information, including but not limited to patient data, shall be
safeguarded from unauthorized access to ensure its safety and privacy.
Network connection threats: all GUMC information systems and the physical assets that
facilitate connections shall be protected from external and internal threats.
Access control: any unauthorized access shall be blocked by the system to protect the
information system from fraud.
The roles that different individuals/groups would play in terms of governance in general
To ensure system security, every IT management staff member must be cognizant of his or her
responsibilities. This section defines the roles and responsibilities of every IT management
person at GUMC who has responsibilities concerning IT security, or any related governance,
for safeguarding the information systems and the data they manage, operate and support
(Susanto, Almunawar and Tuan, 2011, pp.23-29).
GUMC administrator
i. Ensuring that the chief information officer and other key officials report annually on the
effectiveness of the GUMC information security program, including progress on remedial
actions, to the GUMC Administrator and to any other bodies required by law or executive
direction (Larson and Gray, 2015).
ii. Providing information security protections commensurate with the risk and magnitude of
the harm resulting from unauthorized access, use, disclosure, disruption, modification or
destruction of information collected or maintained by or on behalf of GUMC, and of the
information systems used or operated by GUMC, by another organization, or by a contractor on
GUMC's behalf (Larson and Gray, 2015).
iii. Ensuring that information security management processes are integrated with GUMC's
strategic and operational planning processes.
iv. Ensuring that an organization-wide information security program is developed, documented,
implemented and maintained to protect information and information systems.
Chief information officer
i. Assisting senior officials and other key staff in understanding and carrying out their
information security responsibilities.
ii. Establishing minimum mandatory, risk-based technical, operational and management
information security control requirements for GUMC information and information systems
(Larson and Gray, 2015).
iii. Developing, maintaining and issuing organization-wide information security policies,
procedures and control techniques that provide direction for implementing the requirements of
the information security program.
iv. Developing, documenting, implementing and maintaining comprehensive, well-designed and
well-managed continuous monitoring and standardized risk assessment processes (Larson and
Gray, 2015).
v. Maintaining the professional qualifications required to administer the functions of the
GUMC Information Security Program and to carry out the chief information officer's
obligations under GUMC policy, the applicable information security laws and other directives.
The entire information management team in the organization will guarantee the following:
i. Implementing the policies, systems, control techniques and procedures identified in the
GUMC information security program that fall within their normal operational control or
supervision (Larson and Gray, 2015).
ii. Ensuring that all GUMC information and information system users within their business
unit complete information security awareness training before being granted access to GUMC
systems and information, and at least annually thereafter in order to retain access.
iii. Ensuring that risk-related considerations for individual information systems, including
authorization decisions, are viewed from an organization-wide perspective with regard to the
overall strategic goals and objectives of GUMC in carrying out its core missions and business
functions.
iv. Coordinating with the chief information officer, the Risk Executive, the Risk Executive
Group and others involved in securing GUMC's information and systems, to ensure that risks
are managed to an acceptable level.
The model that would be useful in development of a security management plan in GUMC's
case
A security model is a generic blueprint for security management provided by a standards or
service organization. This section presents the appropriate model for GUMC's security
management. The selected model for GUMC is the NIST model, chosen for the following reasons.
GUMC needs a more structured, formal security program to govern its systems. Given the
organization's needs, the NIST model would be the most appropriate for GUMC because it has
been publicly available, unlike other models (Greer et al., 2014, p.47). As a result, the NIST
publications have been broadly reviewed by industry professionals and government, making
the model the best choice for this particular project.
The legal and statutory requirements that will be addressed
This section presents the legal requirements that must be complied with in the process of
security management (Bulgurcu, Cavusoglu and Benbasat, 2010, pp.523-548). They are acts that
must be applied when formulating information security policies. The policy used for
information security at GUMC must conform to the regulations in force in Australia and cannot
violate any of them, since they carry legal sanction.
Below are three crucial acts that must not be violated:
i. Private Security Act 2004
ii. Security and Related Activities Act 1996
iii. Security Providers Regulation 2008
Reference list
Almorsy, M., Grundy, J. and Ibrahim, A.S., 2011. Collaboration-based cloud computing
security management framework. In: 2011 IEEE International Conference on Cloud Computing
(CLOUD), pp.364-371. IEEE.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an
empirical study of rationality-based beliefs and information security awareness. MIS
Quarterly, 34(3), pp.523-548.
Ernest Chang, S. and Lin, C.S., 2007. Exploring organizational culture for information security
management. Industrial Management & Data Systems, 107(3), pp.438-458.
Greer, C., Wollman, D.A., Prochaska, D.E., Boynton, P.A., Mazer, J.A., Nguyen, C.T.,
FitzPatrick, G.J., Nelson, T.L., Koepke, G.H., Hefner Jr, A.R. and Pillitteri, V.Y., 2014. NIST
framework and roadmap for smart grid interoperability standards, release 3.0. NIST Special
Publication 1108r3.
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with
information security policies: the critical role of top management and organizational
culture. Decision Sciences, 43(4), pp.615-660.
Larson, E.W. and Gray, C.F., 2015. A Guide to the Project Management Body of Knowledge:
PMBOK Guide. Project Management Institute.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for
effective information security management. Auerbach Publications, pp.234-246.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud Computing: implementation, management,
and security. CRC Press, p.23.
Robson, W., 2015. Strategic Management and Information Systems. Pearson Higher Ed, p.31.
Subashini, S. and Kavitha, V., 2011. A survey on security issues in service delivery models of
cloud computing. Journal of Network and Computer Applications, 34(1), pp.1-11.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2011. Information security management system
standards: a comparative study of the big five. International Journal of Electrical & Computer
Sciences IJECS-IJENS, 11(5), pp.23-29.
Whitman, M. and Mattord, H., 2013. Management of Information Security. Nelson Education,
p.11.
Whitman, M.E. and Mattord, H.J., 2011. Principles of Information Security. Cengage Learning,
pp.22-39.
Young, A.L. and Quan-Haase, A., 2013. Privacy protection strategies on Facebook: the Internet
privacy paradox revisited. Information, Communication & Society, 16(4), pp.479-500.
Appendix
Risk Assessment/Management
Assessment process
The purpose of this risk assessment was to assess the needs and requirements for
implementing an ICT security program at Griffith University Medical Centre (GUMC). The risk
assessment was performed by a group of technology students from Melbourne Polytechnic
engaged by Bay Pointe Security Consulting (BPSC). A project team leader was selected and
assigned to lead, schedule and document the assessment results throughout the engagement.
All assessment results, including the risks identified, were preserved in a project file. The
assessment was carried out throughout the project life cycle to support the change request
process when baseline adjustments were needed, and to support decisions on the selection and
implementation of technical alternatives for the program. The risk management plan was then
drawn up by the project leader on the basis of the risks identified.
Risk identification
On completion of the risk assessment of the needs for adopting the system security program,
various threats to the GUMC information system were found. The threats were grouped into
three categories: information system management, information system security and disaster
recovery.
Information system management
The risk assessment revealed that the IT management program in the organization has lacked
pertinent controls for ICT system security.
Information system security
GUMC was found to handle very critical information, i.e. patient data and patient
prescriptions, that was not secured against potential cyber-attack.
Disaster recovery
On assessment it was found that GUMC did not have a disaster recovery control. A disaster
recovery program is a fundamental part of an information system security program.
Risk management is a considerable aspect of every organization, including GUMC, because
without it the organization cannot define its objectives for future needs. If an organization
defines its objectives without taking the risks into account, the chance that it will lose
direction when a risk materializes is very high. Risk management will ensure that the risks
identified are managed properly to mitigate their negative effects while exploring further
opportunities for GUMC. Contingency planning and a disaster recovery program are other
critical aspects for every organization, as they help it recover as fast as possible when hit
by an unforeseen security attack.
Threats identified in patient information area
1. Risk of cloud computing services
Patient information is held in a cloud-based application that GUMC staff use through
interactive web pages to simplify operations. Besides being overlooked by GUMC, such systems
are prone to cyber-attacks (Rittinghouse and Ransome, 2016, p.23). There is therefore a need
to give more consideration to the IT security program in this area.
2. Network connections
The GUMC network contains medical devices such as medication scanners, patient monitoring
systems and embedded connections, among other assets that help in tracking, monitoring and
managing operations. However, the embedded connections in the network may be exploited by
attackers to gain access to the organization's information system and compromise it, which
again points to the need for an information security program at GUMC.
Priorities set to mitigate the risks
i. All sensitive information, including patient data and the organization's important
information, will continue to reside within GUMC's systems and will be subject to security
and access control policies that protect privacy (Young and Quan-Haase, 2013, pp.479-500).
ii. To minimize the network connection risk, GUMC should adopt pertinent security policies
and controls to protect its assets, both hardware and software, alongside its networking
devices.
iii. GUMC shall give priority to selecting a vendor that offers more security options, in
order to avoid a data breach.
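The appendix names three findings and three priorities but does not show how the findings were scored or why the priorities fall in that order. The register below is an added example, written for this edit and not part of the original report or of BPSC's assessment: it scores each finding on an assumed 1-5 likelihood and impact scale, ranks them, and lists the planned controls for every risk that sits above an assumed risk appetite. The three findings (cloud-hosted patient records, embedded devices on the network, no disaster recovery) are taken from the appendix; the ratings, thresholds and control names are assumptions made for illustration.

```python
"""Risk register ranking for the GUMC assessment findings.

Added example, not taken from the report. The findings come from the
appendix; the likelihood/impact ratings, the 5x5 scoring scale, the rating
thresholds and the control names are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Qualitative scale assumed for this example; the report itself gives none.
LEVELS = {"low": 1, "medium": 2, "high": 3, "very_high": 4, "critical": 5}
# Overall ratings from lowest to highest, used to compare against appetite.
RATINGS = ["low", "medium", "high", "critical"]


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: str
    impact: str
    existing_controls: List[str] = field(default_factory=list)
    planned_controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        # Likelihood x impact on a 1..5 scale gives a score of 1..25.
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        # Thresholds are an assumption; adjust them to the organization's matrix.
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by risk id so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.rid))


def needs_treatment(risk: Risk, appetite: str = "low") -> bool:
    """True when the rating is above the level the organization accepts."""
    return RATINGS.index(risk.rating()) > RATINGS.index(appetite)


def treatment_plan(risks: List[Risk], appetite: str = "low") -> List[Tuple[str, str, List[str]]]:
    """Ordered list of (risk id, rating, planned controls) needing treatment."""
    return [(r.rid, r.rating(), r.planned_controls)
            for r in rank(risks) if needs_treatment(r, appetite)]


# Constructed register built from the three appendix findings (assumed ratings).
GUMC_REGISTER = [
    Risk("R1", "Patient records in the cloud-hosted application",
         "External compromise of the staff-facing web interface",
         "high", "critical",
         planned_controls=["vendor security assessment before selection",
                           "access control policy for patient data"]),
    Risk("R2", "Medication scanners, patient monitors and other embedded devices",
         "Attacker pivots from an embedded device into the information system",
         "medium", "high",
         existing_controls=["none documented"],
         planned_controls=["network segmentation for medical devices",
                           "hardware and software asset controls"]),
    Risk("R3", "All clinical and administrative systems",
         "Prolonged outage with no disaster recovery capability",
         "medium", "critical",
         planned_controls=["disaster recovery and contingency plan"]),
]

if __name__ == "__main__":
    for rid, rating, controls in treatment_plan(GUMC_REGISTER):
        print(f"{rid}: {rating} -> {'; '.join(controls)}")
```

Run as a script the register prints R1 (critical), then R3 (high), then R2 (medium), which matches the order of the priorities above: the cloud-hosted patient data first, then the network and device controls. Raising the appetite to "medium" drops R2 from the plan, which is the kind of explicit, recorded acceptance decision the report's risk management plan should capture rather than leave implicit.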