Security Policy Framework

  • Published : April 29, 2013
Information Security Policy Framework

For the healthcare industry it is important to have an Information Security Policy Framework within the organization to protect information that is accessed across the network by staff personnel and patients. In accordance with ISO/IEC 27799:2008, we begin by defining the guidelines that support the interpretation and implementation of healthcare information protection. ISO/IEC 27799:2008 references the basic controls and guidelines of ISO/IEC 27002:2005, which provide the minimum protection necessary to meet organizational needs. Healthcare organizations that implement the security controls of the ISO standard will be able to provide the minimum security level necessary to maintain the confidentiality, integrity, and availability of personal healthcare information.

Different organizations are required to be compliant with the applicable local laws and federal regulations. For example, the healthcare industry is required to comply with the requirements of HIPAA, and the financial industry is responsible for FISMA and the Sarbanes-Oxley Act. In order to show compliance you must follow all of the requirements of each regulation. The best method for doing that is to develop your policies and procedures against each of those requirements. If you operate to the standards of each regulation and hold people accountable to them, then you will not have trouble proving it during inspections or audits.

Each of the 7 domains in an organization poses business challenges that IT management should concentrate on, or at least be aware of, when developing IT policy. First is the User Domain. The first challenge here is employee awareness: if you want someone to follow a policy, they need to know that it exists. Once it exists, employees need to understand its contents and how it aligns with the business goals and mission statement. Another challenge in this area is the handling of sensitive material such as privacy information relating to patient healthcare. Once you overcome this area with your employees, patients will feel confident that their information is safe with you and will continue to do business with your organization.

In the Workstation Domain, security controls are one of the biggest challenges. Several organizations, such as SAIC, had employees lose backup tapes or have laptops stolen that contained veteran information. Although they determined that no risk or threat existed, the company still absorbed the cost of credit monitoring for thousands of people because of an employee mistake. Security breaches are another concern for organizations: someone could gain access to personal information through a user's laptop, and when that user logs on to the network, that access could extend to all of the information. Policies and permission controls on company assets will prevent users from installing any potential virus or malware on those assets.

The LAN Domain experiences the biggest issue with remote access to information. Depending on the employee and where they are receiving services from, the timing and relay of the information necessary to provide care could be impacted. Bandwidth is an enormous problem when new services such as VoIP and video feeds are offered. Acceptable Use Policies will help in this area so that people understand what is allowed and what is not, allowing you to maintain a certain level of bandwidth for remote users.

In the LAN-to-WAN and WAN Domains, the concern is protection of the servers in the DMZ. A security policy should exist for the configuration of the DMZ, along with a patch and update management plan, to protect those servers from vulnerabilities and threats.

Remote Access has significantly increased over the past few years. Through the use of smart phones and devices users could have the...