Information Security Assignment: Privacy & Security Policy Of NTN
Task: You are required to analyse the scenario given on page 2 and develop an issue-Specific Security Policy (ISSP) report for a ‘Privacy and Security of NTN Patients Health Information Policy’ for the organisation described in the scenario. You must support the policy you prepare with relevant references and justify as to why those policies are necessary.
1. Executive Summary
The present report examines NTN, a private school of nursing in Australia that conducts distance classes, with its primary campus located in Sydney. The Chief Information Security Officer (CISO), who recently took charge of NTN’s Information Security Division, plans to design and launch an information security program to prevent breaches or leaks of data and information. This report presents a detailed discussion of an Issue-Specific Security Policy (ISSP) for the privacy and security of NTN patients’ health information. The ISSP will enable the organisation to identify potential threats to its assets and to handle situations when they take place. The security policy aims at communicating the ways in which the organisation will protect the security and privacy of its patient information. Blockchain technology is a new procedure that is incorporated and used in the protection of valuable patient data; hence the organisation can make use of this technology to encrypt its data while sending it across its network.
The report explores NTN, a private nursing school in Australia that conducts distance classes, with its main campus located in Sydney. The satellite campuses at Darwin and Cairns receive live video streamed in virtual-classroom mode. NTN also provides healthcare and telemedicine services within a radius of about 200 km from each of the satellite campuses. These teams provide patient consultation by way of an equipped vehicle called the home-care, which communicates directly with medical staff over the network. The CISO who recently took charge of NTN’s Information Security Division plans to design and launch an information security program to prevent data and information breaches or leaks. The discussion below sets out the ISSP for the privacy and security of NTN patients’ health information. The ISSP will enable the organisation to identify potential threats to its assets and to handle situations when they take place, and will assist in identifying which of the organisation’s assets are most vulnerable.
2. Discussion (ISSP)
a. What is the statement of purpose for the case scenario of information security assignment?
In order to provide services to needy people within a 200 km radius of its satellite campuses, NTN will need to share various patient data over its network. The purpose of this policy is to protect the privacy and security of the health information of the patients served by its mobile teams.
This statement of purpose indicates the importance of preserving the varied data and information about patients, such as reports, photographs and scans, within the network and among the personnel to whom it is circulated (Kshetri, 2017, p 1031).
Protecting data in the healthcare industry is not an easy task; the organisation and its associates need to balance protecting patient privacy with delivering free-of-cost, quality patient care at remote locations. Health information is among the most sensitive individual data and needs to be kept private. Growing regulatory requirements make it necessary to incorporate security for patient data and information. With the increase in electronic health records, data breaches and security threats have increased in the past few years. The policy will aim at adopting the best practices in healthcare security to prevent breaches.
b. Authorized Access and Usage of Equipment
The security policy needs to outline the configuration and settings for the computer systems and laptops on which it applies. The policy has to outline the authorised access and usage of equipment, which can effectively prevent data breaches (Taitsman, Grimm, and Agrawal, 2013, p 978). Apart from configuration and settings for computer systems and passwords, the authorised access and usage of equipment policy needs to cover the following:
- User registration, which approves or grants users the right to use the system (Ruotsalainen, 2010, p 33). Through user registration, the network will be aware of any external user who tries to log in and access the system’s database. A list of users already present within the network will be maintained, and only they will be allowed access to the equipment.
- The policy needs to include privilege management by way of determining clear system hierarchies (Arora, Yttri, and Nilsen, 2014, p 143). The system hierarchy must detail the stakeholders who will have full access to the system and who will manage it. For example, Oracle has 13 recognised levels of authority, approved by its Group Controller.
- User management is essential for authorising access and allowing the use of the various equipment within the network (Hedström, Kolkowska, Karlsson, and Allen, 2011, p 381). Every system needs clear processes for granting system access. There need to be defined processes for joiners, movers and leavers, with proper audit trails.
- Limited access to specific equipment has to be well defined. Every user’s access path needs to be defined so that there can be no untraced or improper access to areas by users. Users’ access rights need to be subjected to periodic review by the audit committee under the supervision of the CISO.
- Multi-factor authentication needs consideration (Murphy et al, 2011, p i105). Multi-factor authentication for access to the system from remote locations has to be periodically reviewed.
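The rules listed above, as an added worked example that is not part of NTN’s policy document or of the cited sources: a Python access-decision check that applies the registered-user list, the privilege hierarchy, each user’s defined access path, the periodic review requirement and multi-factor authentication for remote access, and records every decision in an audit trail. The user register, hierarchy levels, equipment identifiers and the yearly review period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)   # assumed: access rights are re-reviewed yearly

@dataclass
class User:
    username: str
    level: int            # assumed hierarchy position, 1 = highest authority
    equipment: set        # equipment ids on this user's defined access path
    mfa_enrolled: bool
    last_review: date     # date of the last periodic rights review
    active: bool = True   # set to False by the leaver process

# Constructed sample register and equipment hierarchy (not real NTN data)
REGISTER = {
    "nurse_a": User("nurse_a", 3, {"homecare-van-1", "ehr-portal"}, True, date(2024, 3, 1)),
    "doctor_b": User("doctor_b", 2, {"ehr-portal", "imaging-store"}, False, date(2024, 3, 1)),
    "leaver_c": User("leaver_c", 3, {"ehr-portal"}, True, date(2024, 3, 1), active=False),
}
# Highest level number admitted to each item of equipment (unknown equipment: level 1 only)
MAX_LEVEL = {"imaging-store": 2, "ehr-portal": 3, "homecare-van-1": 3}
AUDIT_TRAIL = []      # every decision, granted or refused, is recorded here

def check(username, equipment_id, remote, mfa_passed, today_iso):
    """Apply the policy rules in order; return the reason ('granted' on success)."""
    today = date.fromisoformat(today_iso)
    user = REGISTER.get(username)
    if user is None or not user.active:
        reason = "unregistered or deactivated user"
    elif today - user.last_review > REVIEW_PERIOD:
        reason = "access rights overdue for periodic review"
    elif equipment_id not in user.equipment:
        reason = "equipment outside the user's defined access path"
    elif user.level > MAX_LEVEL.get(equipment_id, 1):
        reason = "insufficient privilege level for this equipment"
    elif remote and not (user.mfa_enrolled and mfa_passed):
        reason = "remote access requires multi-factor authentication"
    else:
        reason = "granted"
    AUDIT_TRAIL.append((today_iso, username, equipment_id, remote, reason))
    return reason

if __name__ == "__main__":
    print(check("nurse_a", "ehr-portal", True, True, "2024-09-01"))        # granted
    print(check("doctor_b", "imaging-store", True, False, "2024-09-01"))   # refused: no MFA
    print(check("leaver_c", "ehr-portal", False, False, "2024-09-01"))     # refused: deactivated
    for record in AUDIT_TRAIL:
        print(record)
```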
c. Prohibited Usage of Equipment
Access to the system over the network is subject to prohibited usage of equipment. The organisation will conduct training beforehand for mobile teams on the procedures for accessing equipment (Warkentin, Johnston, and Shropshire, 2011, p 270). Each item of equipment will be made accessible only to particular assigned users. The user-defined access paths for equipment included in the policy will ensure that users cannot reach types of equipment outside their assigned access.
Unauthorised reconfiguration or changes to network settings, computers, laptops, or any IT component will not be allowed (Appari, and Johnson, 2010, p 280). Usage of equipment by unauthorised personnel or by unknown people will be prohibited. The following will be the prohibited usage of equipment as per the policy:
- The network will not respond to unauthorised connecting devices
- Any component that could be used to gain unauthorised entry into restricted areas of the equipment will be strictly restricted
- Physical merging of networks or integrating network nodes will not be allowed by unauthorized equipment or personnel
- Virus protection shall be enabled in the network at all times
- During updates, or when following any non-standard software or hardware procedure, appropriate authentication will be necessary
d. Systems Management
Managing systems is the key strategy adopted for the security policy and enables protection. Systems management covers the organisation’s network, its physical buildings, computer points, satellite links and much more (Weber-Jahnke, and Obry, 2012, p 96). The potential threats to these assets, in terms of losing secured and private patient data, have to be outlined and understood. Under the current organisational policy, there might be threats from inside the organisation: network threats from disgruntled employees might lead to information leakages or the launching of an internal virus in the organisation (Hall, and McGraw, 2014, p 218). There might also be threats from hackers, who can penetrate the system and cause challenges in systems management, leading to loss of data and information. Physical damage to the network or satellite link can also take place, which might disrupt systems management.
Systems management for the organisation includes the complex functionalities encompassing the following:
- Physical components: computers, laptops, the network, the satellite link and any other physical system present for conducting the organisation’s functions. These systems need to be connected and interlinked with one another without hindrance or breakage for smooth flow and effective communication. All these physical components need to be known to the central officer and coordinator responsible for these assets.
- Operators: the doctors, nurses and service providers who coordinate over the network to enable smooth services in the form of telecommunications, together with the information systems managers, make up the operators. All operators in the system are authorised and are allowed to access the system once authenticated. Such systems management prevents unauthorised access and prevents loss or theft of data.
- Maintenance: maintenance comprises a major part of systems management. Handling data and information over the network might require maintenance from time to time to keep to the ISSP. In the absence of maintenance, data leaks and errors might prevail which could easily be spotted by onlookers or users.
e. Violations of Policy
The organisation’s ISSP needs to have outlined criteria for violation of the policy. While the network or systems are being accessed, the policy is violated in case any data breach occurs (Vallance, and Chalmers, 2013, p 1073). When data or information regarding patients is made available outside of the network, it leads to a violation of the policy. Violations might occur when employees do not have a thorough understanding of the policy documents. However, it is the responsibility of members/users to be aware of the various policy norms and regulations that the organisation regards as important and has implemented (Landau, 2015, p 56). Policy violations can be avoided by educating healthcare staff and professionals, implementing data usage controls, logging and monitoring usage, and so on. When such violations occur, the organisation can respond to the violation as follows:
- Issue warnings in written or verbal form to the personnel/ person in-charge of the violation
- Conduct an in-depth analysis of the causes that might have led to such violations
- Suspend the members/ users from using the network and its systems for a period of time
- Suspend the member’s account until a course of action has been decided upon
- Terminate or issue a memo to the user for violating the terms of the policy
- Bill the member for the administrative costs and reactivation charges that might be incurred
- Take legal action for such violations to recover the damages caused by them
f. Policy Review and Modification
The policy designed by the organisation will need to be revised from time to time. Such revisions need to accommodate the anticipated changes and requirements raised by the various users of the system (Hall, and McGraw, 2014, p 1315). The systems coordinators need to conduct periodic reviews, and only those users with the required access rights are authenticated to conduct reviews and modifications of the system and of the security policy so devised. Frequent reviews need to be conducted of automated intrusion detection system logs, user account logs, firewall logs, application logs, network scanning logs, and so on (Terry, 2012, p 385). Review and modification on a yearly basis provides an opportunity to authenticate new users and to make additional changes to the policy documents.
g. Limitations of Liability
The limitations of liability of the policy document will extend to the organisation as well as to its associated organisations (Patil, and Seshadri, 2014, p 763). The members/ users of the organisation, along with the distant users with whom communication is conducted over the network, are bound by the policy document. The organisation’s liability, however, is limited to the extent of its own network.
3. Conclusion
In concluding the above discussion, it can be stated that the security policy aims at communicating the ways in which the organisation will protect the security and privacy of its patient information. The policy documents will aim at protecting against computer threats and network threats from the external or internal environment. The security policy is developed taking into consideration the company’s assets and any potential threats to such assets. Blockchain technology is a new procedure that is incorporated and used in the protection of valuable patient data; hence the organisation can make use of this technology to encrypt its data while sending it across its network.
4. References
Appari, A. and Johnson, M.E., 2010. Information security and privacy in healthcare: current state of research. International Journal of Internet and Enterprise Management, 6(4), pp.279-314.
Arora, S., Yttri, J. and Nilsen, W., 2014. Privacy and security in mobile health (mHealth) research. Alcohol research: current reviews, 36(1), p.143.
Hall, J.L. and McGraw, D., 2014. For telehealth to succeed, privacy and security risks must be identified and addressed. Health Affairs, 33(2), pp.216-221.
Harvey, M.J. and Harvey, M.G., 2014. Privacy and security issues for mobile health platforms. Journal of the Association for Information Science and Technology, 65(7), pp.1305-1318.
Hedström, K., Kolkowska, E., Karlsson, F. and Allen, J.P., 2011. Value conflicts for information security management. The Journal of Strategic Information Systems, 20(4), pp.373-384.
Kshetri, N., 2017. Blockchain's roles in strengthening cybersecurity and protecting privacy. Telecommunications Policy, 41(10), pp.1027-1038.
Landau, S., 2015. Control use of data to protect privacy. Science, 347(6221), pp.504-506.
Li, M., Lou, W. and Ren, K., 2010. Data security and privacy in wireless body area networks. IEEE Wireless communications, 17(1), pp.51-58.
Murphy, S.N., Gainer, V., Mendis, M., Churchill, S. and Kohane, I., 2011. Strategies for maintaining patient privacy in i2b2. Journal of the American Medical Informatics Association, 18(Supplement_1), pp.i103-i108.
Patil, H.K. and Seshadri, R., 2014, June. Big data security and privacy issues in healthcare. In 2014 IEEE international congress on big data (pp. 762-765). IEEE.
Ruotsalainen, P., 2010. Privacy and security in teleradiology. European Journal of Radiology, 73(1), pp.31-35.
Taitsman, J.K., Grimm, C.M. and Agrawal, S., 2013. Protecting patient privacy and data security. New England Journal of Medicine, 368(11), pp.977-979.
Terry, N.P., 2012. Protecting patient privacy in the age of big data. UMKC L. Rev., 81, p.385.
Vallance, P. and Chalmers, I., 2013. Secure use of individual patient data from clinical trials. The Lancet, 382(9898), p.1073.
Weber-Jahnke, J.H. and Obry, C., 2012. Protecting privacy during peer-to-peer exchange of medical documents. Information Systems Frontiers, 14(1), pp.87-104.