GUMC’s IT facilities have grown along with the University, and it now employs two full-time staff, Mary and Markos, to keep the system running as well as co-ordinate the program. Sally, the Practice Manager at GUMC, can foresee a time in the immediate future where they employ over 100 people across two locations. The staff at GUMC are mostly Medical Practitioners and other Health Care Workers. GUMC also has a Human Resources manager, an Accounts Manager, several administrative assistants (receptionist, office manager, secretary), and grounds staff.
The approach so far has been one without a formal policy, where security has been built in an ad-hoc, piecemeal manner. Though the practice manager at GUMC, Sally, says that the current policy has worked well enough up to now, thanks to the knowledge and expertise within the team, the Consulting head at BPSC, Mark, has recommended that a more structured and formal approach will be required. Your role is to assist in developing a report that discusses how information security could be better managed by GUMC.
The GUMC has been facing a few problems with its expansion. Here is one incident that would give you an idea of the issues involved. GUMC makes use of cloud computing for processing and storage of patient information in order to save costs. The patient medical information system is the core component of the medical centre’s work. It is provided as a cloud application that interfaces with GUMC staff using interactive web pages. (Note: billing is a separate system.) Patient information includes personal information like name, birthdate, address, phone(s), appointment dates, visit summary, diagnostic results, referrals and drug prescription. Networking and internet access is provided by the University, with the medical centre on a separate domain from the rest of the University. It was recently discovered that the cloud provider’s storage facilities have been compromised and patient information stolen. Keep in mind that initially funding was limited. Hence IT personnel have not created a contingency plan, as they lacked the resources to do so.
Benefits of Security Management Plan
Security management is an overarching process that involves protecting systems, networks and other information assets from security threats. The benefits that various organizations have achieved through a security management plan are far-reaching. Security management planning creates indicators that help in identifying a potential hazard and give an early warning (Subashini, and Kavitha, 2011, pp.1-11). Key measurements and estimates of risk also improve reporting and make it possible to track potential vulnerabilities that can compromise the system.
Another noteworthy advantage is that a security management plan prompts the detection of hazards. Security management planning facilitates the detection and examination of security threats that may compromise the system, so that immediate action can be initiated (Whitman, and Mattord, 2013, pp.11).
Given these advantages of implementing security management, it is imperative that every organization adopt a security management program (Ernest Chang, and Lin, 2007, pp.438-458; Robson, 2015, pp. 31). The Griffith University Medical Centre (GUMC) is no exception. As a critical step into this fundamental area, the organization's personnel shall take up their roles and responsibilities as defined in the following section.
The development of a Security Policy and Security Management Plan
A security policy refers to the procedures that govern the use of the information system in an organization. The primary objective of a security policy is to protect an organization’s information system from cyber-attacks (Peltier, 2016, pp.234-246). This section focuses on the development of an information security policy and security management plan that would address the risks at GUMC.
The development of a security policy involves a few steps that will be followed in order to ensure a robust security policy for GUMC:
Information system assets to be secured
Before getting on with policy formulation, the question “What do we want to secure?” must be answered. What is to be secured should be the first consideration when designing a policy. This will ensure the development of a pertinent policy. In GUMC’s case, this applies to the organization’s assets that need to be secured, including but not limited to patient data and hardware equipment.
The reason why the security policy is developed
This involves the rationale or needs that have called for the development of the policy. In GUMC’s case, assessment reveals that, apart from the online platform which facilitates service delivery, the organization does not have a formal security policy that governs the privacy and security of sensitive information. This therefore calls for the development of a structured policy in order to guarantee the privacy and security of patients’ information.
Mission and vision
Mission and vision define an organization’s goals and objectives. They are important in policy development for strategic information security management. Mission and vision will be worth considering in the GUMC policy development.
Identify who will take responsibility
“Who will take which responsibility?” is an important question that will be addressed at this stage. This step involves identifying who will take responsibility and which responsibilities will ensure protection of the system.
Draft a policy
This step involves outlining a policy which meets the needs of the organization. This stage should involve the organization’s security management staff, including the chief information security manager at GUMC, and the relevant authorities.
Security management plan
This involves a plan which aids in the identification of all information security assets of an organization, including but not limited to computers, data, and management staff, followed by the formulation, documentation and implementation of the appropriate policies and procedures for protecting the assets (Almorsy, Grundy, and Ibrahim, 2011, pp. 364-371). This tool is handy as it provides for the secure deployment, maintenance, operation and disposal of assets. It will be essential for GUMC during implementation of the security management program.
An important first step in developing a pertinent security management plan that would suit GUMC is to have accurate information concerning the configuration, including network connections, system configurations and other system properties that aid in service delivery in the organization (Whitman, and Mattord, 2011, pp. 22-39).
The second step includes the development and implementation of security requirements that will be followed prior to the modification, configuration, addition or removal of any asset from the information system.
The functions, tasks, roles and responsibilities that need to be defined for the Security Management Program
The functions, roles, tasks and responsibilities that are defined for the security program at GUMC lie in the following areas (Hu, Dinev, Hart, and Cooke, 2012, pp.615-660):
- Security of data assets: all information, including but not limited to patients’ data, shall be safeguarded from unauthorized access to ensure safety and privacy.
- Network connection threats: all GUMC information systems and physical assets facilitating connections shall be protected from any external or internal threat.
- Access control: any unauthorized access shall be blocked by the system to protect the information system from fraud.
The roles different individuals/groups would play in terms of governance in general
The Functions, Tasks, Roles, and Responsibilities
To ensure system security, every member of the IT management staff must be cognizant of his or her responsibilities. This section defines the roles and responsibilities of all IT management personnel in the GUMC Corporation who have responsibilities concerning IT security or any related governance for safeguarding the information system, as well as the data they manage, operate and support (Susanto, Almunawar, and Tuan, 2011, pp.23-29).
GUMC administrator
- Ensuring that the chief information officer and other key officials report every year on the adequacy of the GUMC information security program, including progress of remedial actions, to the GUMC Administrator, Congress, Department of Security management and other entities as required by law and Executive Branch direction (Larson, and Gray, 2015).
- Providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or for the Agency, and on information systems used, managed, or operated by the Agency, another Agency, or by a contractor or other organization on behalf of the Agency (Larson, and Gray, 2015).
- Ensuring that information security management processes are integrated with Agency strategic and operational planning processes.
- Ensuring that an organization-wide information security program is developed, documented, implemented, and maintained to protect information and information systems.
Chief information officer
- Assisting senior Agency and other key officials with understanding and implementing their information security responsibilities.
- Establishing minimum mandatory risk-based technical, operational, and management information security control requirements for Agency information and information systems (Larson, and Gray, 2015).
- Developing, maintaining, and issuing organization-wide information security policies, procedures, and control techniques to provide direction for implementing the requirements of the information security program.
- Developing, documenting, implementing, and maintaining comprehensive, well-designed, well-managed continuous monitoring and standardized risk assessment processes (Larson, and Gray, 2015).
- Maintaining the professional qualifications required to administer the functions of the GUMC Information Security Program and carry out the chief information officer responsibilities under GUMC policy and relevant information security laws, Executive Branch policy, and other directives.
The entire information management team in the organization will guarantee the following:
- Implementing the policies, procedures, control techniques and methods identified in the Agency information security program that cover activities under their day-to-day operational control or supervision (Larson, and Gray, 2015).
- Ensuring that all GUMC information and information system users within their organization successfully complete information security awareness training before initial access to GUMC systems and information, and at least annually thereafter to maintain access.
- Ensuring that risk-related considerations for individual information systems, including authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the Agency in carrying out its core missions and business functions.
- Coordinating with the chief information officer, Risk Executive, Risk Executive Group, and others involved with securing Agency information and systems to ensure risks are managed to an acceptable level.
The model that would be useful in development of security management plan in GUMC’s case
The security model refers to a generic blueprint of security management that is provided by a service organization. This section presents the appropriate model for GUMC security management. The selected model for GUMC is the NIST model, chosen for the following reason. GUMC needs a more structured, formal security program to govern its system. Drawing from the organization’s needs, the NIST model would be the most appropriate for GUMC because this model has been publicly available, unlike other models (Greer et al. 2014, pp.47). As a result, NIST has been broadly reviewed by industry professionals and government, making it the best for this particular project.
The legal and statutory requirements that will be addressed
This section presents the legal compliance requirements that must be adhered to in the process of security management (Bulgurcu, Cavusoglu, and Benbasat, 2010, pp.523-548). They are acts that have to be applied during the formulation of information security policies. The policy that will be used for information security at GUMC must conform to the regulations that are in force in Australia and cannot violate any of them, since they have legal sanction.
Below are three crucial acts that must not be violated:
- Private Security Act 2004
- Security and Related Activities Act 1996
- Security Providers Regulation 2008
Reference list
Almorsy, M., Grundy, J. and Ibrahim, A.S., 2011, July. Collaboration-based cloud computing security management framework. In Cloud Computing (CLOUD), 2011 IEEE International Conference on (pp. 364-371). IEEE.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3), pp.523-548.
Ernest Chang, S. and Lin, C.S., 2007. Exploring organizational culture for information security management. Industrial Management & Data Systems, 107(3), pp.438-458.
Greer, C., Wollman, D.A., Prochaska, D.E., Boynton, P.A., Mazer, J.A., Nguyen, C.T., FitzPatrick, G.J., Nelson, T.L., Koepke, G.H., Hefner Jr, A.R. and Pillitteri, V.Y., 2014. NIST framework and roadmap for smart grid interoperability standards, release 3.0 (No. Special Publication (NIST SP)-1108r3).
Hu, Q., Dinev, T., Hart, P. and Cooke, D., 2012. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), pp.615-660.
Larson, E.W. and Gray, C.F., 2015. A Guide to the Project Management Body of Knowledge: PMBOK (®) Guide. Project Management Institute.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications, pp.234-246.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management, and security. CRC press, pp.23.
Robson, W., 2015. Strategic management and information systems. Pearson Higher Ed, pp. 31.
Subashini, S. and Kavitha, V., 2011. A survey on security issues in service delivery models of cloud computing. Journal of network and computer applications, 34(1), pp.1-11.
Susanto, H., Almunawar, M.N. and Tuan, Y.C., 2011. Information security management system standards: A comparative study of the big five. International Journal of Electrical Computer Sciences IJECSIJENS, 11(5), pp.23-29.
Whitman, M. and Mattord, H., 2013. Management of information security, Nelson Education, pp.11.
Whitman, M.E. and Mattord, H.J., 2011. Principles of information security. Cengage Learning, pp. 22-39.
Young, A.L. and Quan-Haase, A., 2013. Privacy protection strategies on Facebook: The Internet privacy paradox revisited. Information, Communication & Society, 16(4), pp.479-500.
My Assignment Help. (2021). Benefits Of Security Management Essay For GUMC.. Retrieved from https://myassignmenthelp.com/free-samples/bit361-security-management-and-governance/compromise-system.html.