Thursday, June 6, 2019

Information Systems Security Survey Essay Example for Free

Information Systems Security Survey Essay

The University of Nebraska Medical Center (UNMC) is an institution that was founded in the 19th century. UNMC's mission is to improve the health of Nebraska through premier educational programs, innovative research, the highest quality patient care, and outreach to underserved populations (UNMC, 2004). As an institution with a wider interest in the privacy of its students, staff and subordinate staff, UNMC has adopted various policy guidelines to examine its information security system. The Information Security Management Plan (ISMP) describes its safeguards to protect confidential information. Among other purposes, these safeguards are meant to:

- Ensure the confidentiality of data
- Ensure the integrity of data
- Ensure the availability of data
- Protect against anticipated threats or hazards to the security or integrity of the information

UNMC has adopted information security industry best practices to implement its information security system (UNMC, 2014). These practices have been so effective that when a HITRUST gap assessment was performed in 2011, no significant gaps were found in its security program. The worksheet below outlines how these programs have been rolled out by the different offices of the university.

Worksheet: Information Security Program Survey

Each entry lists the security area, the responsible party / office of primary responsibility, the known vulnerabilities / risks, and the countermeasures / risk mitigation strategy.

Acquisition (systems/services)
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Breach of the confidentiality clause.
  Countermeasures / risk mitigation strategy: All service providers must undergo an evaluation process to confirm that they are qualified. Contracts contain a confidentiality clause whose breach terminates the contract.

Asset management
  Responsible party: System Administrator
  Known vulnerabilities / risks: Poor asset management.
  Countermeasures / risk mitigation strategy: Proper policies and procedures are in place to ensure effective asset management. Evaluations ascertain the qualifications of asset managers.

Audit and accountability
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Dishonest employees disclosing confidential information to third parties.
  Countermeasures / risk mitigation strategy: Every application keeps a log that must be maintained to meet regulatory requirements. An information security incident response plan is in place to handle any notable unusual events.

Authentication and authorization
  Responsible party: System Administrator
  Known vulnerabilities / risks: Covered data may be transferred to third parties without authorization.
  Countermeasures / risk mitigation strategy: Employees are provided with a user name and password to access the data. Employees are trained on developing a secure password. Access control policies govern access to this information.

Business continuity
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Non-coordination and miscommunication between employees.
  Countermeasures / risk mitigation strategy: All employees are expected to keep the contact information of co-workers and supervisors so that they can seek help in an emergency.

Compliance management
  Responsible party: Compliance Officer, the Information Security Officer
  Known vulnerabilities / risks: Employees' failure to comply with the set guidelines, policies and procedures.
  Countermeasures / risk mitigation strategy: A compliance form is completed before a major project is undertaken by the enterprise. The form ensures that no new risk is introduced to the enterprise.

Configuration control
  Responsible party: System Administrator
  Known vulnerabilities / risks: Compromised system security.
  Countermeasures / risk mitigation strategy: Every configuration must have a password. Each password must have at least ten characters. Passwords must be encrypted at all times.

Data
  Responsible party: System Administrator
  Known vulnerabilities / risks: Data may be intercepted during transmission.
  Countermeasures / risk mitigation strategy: The database with security keys is available to authorized employees only. Access to classified data is limited to a small number of employees. The information security plan ensures the security of covered data.

Hardware
  Responsible party: System Administrator
  Known vulnerabilities / risks: Destruction of hardware in a disaster.
  Countermeasures / risk mitigation strategy: Only employees with the technical know-how to operate the hardware are allowed to use it. The hardware is encrypted for security purposes. A hardware backup system is in place.

Identity management
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Unlicensed transfer of covered data and information through third parties.
  Countermeasures / risk mitigation strategy: The Identity Management Program (IDM) outlines the procedure for issuing credentials, based on NIST guidance. Checks are done on employees prior to their employment.

Incident management
  Responsible party: Command Centre, Incident Response Team
  Known vulnerabilities / risks: Physical loss of data in a disaster.
  Countermeasures / risk mitigation strategy: An Incident Reporting and Response Plan is in place to handle and respond to any identified risk. A well-trained incident response team is available. A Command Centre is set up to manage emergencies.

Maintenance procedures
  Responsible party: Change Advisory Board (CAB)
  Known vulnerabilities / risks: Existing patches within the security system.
  Countermeasures / risk mitigation strategy: A release process is in place to ensure that changes do not affect non-primary systems. Patching policies for workstations ensure their security.

Media protection and destruction
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Unauthorized access to covered data and information.
  Countermeasures / risk mitigation strategy: Data storage policies define how data stored on media is to be protected. Data is only stored in a secured data centre or on an encrypted medium.

Network
  Responsible party: System Administrator
  Known vulnerabilities / risks: Unauthorized access to the network.
  Countermeasures / risk mitigation strategy: Network traffic is controlled by a Cisco enterprise-class firewall, and inbound connections are only allowed to the DMZ. Access to the internal trusted network is provided via an encrypted VPN tunnel. A technical perimeter is established to bar direct access from the internet to the Internal Trusted Area.

Planning
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Poor planning that compromises management of the security system.
  Countermeasures / risk mitigation strategy: A contingency plan is in place to handle any eventuality. Employees are encouraged to store data on network file servers for backup. All backups are securely stored and marked for easy identification during emergencies.

Personnel
  Responsible party: System Administrator
  Known vulnerabilities / risks: Loss of data integrity.
  Countermeasures / risk mitigation strategy: Employees are only hired after meeting minimum security requirements. An Information Security Addendum must be signed for confidentiality purposes. Outsiders accessing information must be accompanied by an insider who ensures that all legal requirements are followed before access is granted.

Physical environment
  Responsible party: System Administrator
  Known vulnerabilities / risks: The physical safety of the environment may be compromised through attacks and burglary.
  Countermeasures / risk mitigation strategy: No unauthorized personnel are allowed within the data centre premises. The data centres are controlled by keycard access.

Policy
  Responsible party: Information Security Plan Coordinator
  Known vulnerabilities / risks: Policies may be misinterpreted by employees.
  Countermeasures / risk mitigation strategy: The University's security policy is enshrined in the Privacy, Confidentiality and Security of Patient Proprietary Information Policy and the Computer Use and Electronic Information Security Policy. The two policies require that only authorized people can access this information. The policies are reviewed every two years to keep them in line with prevailing circumstances.

Operations
  Responsible party: The Information Security Officer and the Infrastructure Team
  Known vulnerabilities / risks: Failure of operations to comply with the system security policy.
  Countermeasures / risk mitigation strategy: An operation must complete a Compliance Checklist or a Security Risk Assessment form for review, to verify that no new risk is introduced to the enterprise.

Outsourcing
  Responsible party: System Administrator
  Known vulnerabilities / risks: Unauthorized disclosure of security information by third parties.
  Countermeasures / risk mitigation strategy: Outsourced vendors must comply with UNMC Policy No. 8009, Contract Policy. Vendors accessing classified student information must sign the GLB Act contract addendum.

Risk assessments
  Responsible party: Information Custodian
  Known vulnerabilities / risks: A poor risk assessment method that may downplay the actual impact of a risk.
  Countermeasures / risk mitigation strategy: A security assessment is conducted annually. All applications must meet the organization's security policies and procedures.

Software
  Responsible party: System Administrator
  Known vulnerabilities / risks: Software may be infected with a virus.
  Countermeasures / risk mitigation strategy: Software should not be installed unless the user trusts it. Vendor updates and patches must be installed unless directed otherwise. Software licenses must be retained in order to obtain technical assistance.

Training
  Responsible party: System Administrators and Information Custodians
  Known vulnerabilities / risks: Misuse of the security system; loss of data integrity.
  Countermeasures / risk mitigation strategy: Employees are trained on the information security system before they are employed. System administrators and information custodians are trained annually on the Specific Information Security Policy and Procedure.

References

UNMC. (March 2014). Strategic Plan 2010-2013. Retrieved from http://www.unmc.edu/wwwdocs/strategic-plan_06-10_v3-brochure1.pdf

United States Government Accountability Office. (February 2010). Electronic Personal Health Information Exchange: Health Care Entities' Reported Disclosure Practices and Effects on Quality of Care. Retrieved from http://www.gao.gov/new.items/d10361.pdf

UNMC. (February 9, 2004). Information Security Plan. Retrieved from http://www.unmc.edu/its/docs/UNMCInformationSecurityPlan-Sept2010.pdf
