Assignment (Part A Report Body) - Report for a security management and governance program
Discuss the benefits derived from seeing Security Management as an ongoing process and the reasons for having a policy
Discuss the development of a Security Policy and Security Management Plan.
Identify and present a description of the functions, tasks, roles and responsibilities that need to be defined for the Security Management Program for GUMC. Discuss the roles different individuals/groups would play in terms of governance in general.
Identify any models or methods that may be relevant for the development of a Security Management Program
Discuss the implications of legal and statutory requirements and the benefits your formal approach would bring
Risk Assessment/Management – Patient Information
Briefly explain the benefits a Risk Management Plan can bring to a company and the steps necessary to build one. Include a discussion on the importance of Contingency Planning to GUMC, as well as the risk analysis and CBA mentioned above
For the Patient Information area, list the threats, vulnerabilities, and attacks that your formal plan would manage. This should not be an exhaustive, detailed list. Keep the focus on GUMC’s context
Work on this aspect and draw up a Risk Management Plan for it and include a recommendation based on a Cost-Benefit Analysis.
Where does the responsibility for the user and the vendor begin?
Purpose of the Report:
The purpose of the report is to put forward the need and requirements for the implementation of an information and communications technology (ICT) security system for the Griffith University Medical Centre (GUMC) in Tasmania.
The report consists of two parts. The first part discusses the benefits of Security Management and the importance of policies. It also discusses the security policy and the Security Management Plan, and provides a descriptive analysis of the tasks, roles, responsibilities and functions involved. It then covers the individual roles in governance, the models relevant to developing a Security Management Program, and the implications of the statutory and legal requirements. The second part of the report describes the process of risk assessment and explains the benefits of a Risk Management Plan. In this portion the report identifies the assets, vulnerabilities, threats, suggested controls and priority sets.
1. Benefits of an Ongoing Security Management Process and Reasons for Having a Policy
The benefits of an ongoing Security Management process are as follows (Soomro, Shah and Ahmed 2016):
- It Helps in Securing All Forms of Information: A Security Management process protects all kinds of paper-based and digital information, company secrets, intellectual property, data held in the cloud and on services, personal information and hard copies.
- Enhances Resilience Towards Cyber Attacks: A Security Management process enhances the organization's resilience towards cyber attacks.
- Represents a Centrally Managed Framework: An ongoing Security Management process keeps the organization's information safe and manages it from a single place.
- Protection of the Organization: A Security Management system protects the organization not only from technology-based risks but also from common threats such as ineffective procedures and poorly informed staff.
- Ensures a Response to Evolving Security Threats: The Security Management process continuously adapts to changes in the environment and within the organization, thereby reducing the threat from continuously evolving risks.
- Reduction of Information Security Costs: The risk assessment and analysis approach of a Security Management process allows organizations to reduce money spent indiscriminately on added layers of defensive technology that may not work.
- Allows Protection, Integrity and Availability of Data: The Security Management process offers a set of procedures, policies, and physical and technical controls for protecting the confidentiality, integrity and availability of information.
- Leads to Improvement in the Company Culture: This helps employees readily understand risk and embrace security controls as a day-to-day working practice.
The security policy is a document explaining the procedures intended to protect the physical assets and resources related to information technology (Safa, Von Solms and Furnell 2016). The policy is designed with enough flexibility to be amended whenever necessary.
Thus, the successful development of a Security Policy involves (Ifinedo 2014):
- Identification of the risks
- Learning the Security Policy Implemented by the Others
- Ensuring the conformation of the policy with the legal requirements
The Security Management Plan sets out the security measures to be implemented by the Griffith University Medical Centre (GUMC) of Tasmania. Their implementation depends on all aspects of the services and the processes associated with service delivery (Weaver et al. 2016). It also depends on compliance with security procedures and measures sufficient to ensure that the services comply with the provisions of the schedule. In other words, the Security Management Plan sets out how all security responsibilities and arrangements will transition from those currently in place to those incorporated on a specific date, so that the security requirements and full obligations are met.
The objectives and purpose of the Security Management Plan lie in (Peltier 2016):
- The establishment, support and maintenance of a plan based on the evaluation and monitoring of potential and actual hazards, making use of organizational experience, accepted practices and the applicable regulations and law.
- Reducing the risk to patients, physicians, staff, vendors/contractors and visitors while they are inside the hospital or any other property, by assuring a hazard-free physical environment.
- Providing a secure, safe and comfortable physical environment.
- Ensuring that staff are trained and educated in methods of preventing injuries and incidents, and thereby providing a quicker response in recognizing, reporting and reacting to accidents that seem inappropriate.
Functions of Security Management program include (Sennewald and Baillie 2015):
- Monitoring all infrastructure and operations
- Maintaining all the security technology and tools
- Monitoring compliance with internal and external policy
- Monitoring the compliance of regulation
- Working with the different departments within the organization for reducing risk.
- Implementing newer technologies
- Auditing policies and controls on a continuous basis
Tasks Included in Security Management Program are as follows (Peltier 2013):
The Security Management Program holds the responsibility of monitoring security operations of GUMC. The tasks primarily include:
- Implementation of the security policies
- Implementation of rules and regulations
- Implementation of norms
- Ensuring a safe environment for employees and patients
Roles and responsibilities of a Security Management Program are as follows (Rittinghouse and Ransome 2016):
The Security Management Program acts as a control function of GUMC and is responsible for implementing and verifying enterprise protection, so that the duty of protection is met by adequately safeguarding the assets entrusted to the organization.
Roles of Different Individuals / Groups in Terms of Governance:
- Chief Information Security Officer: This person holds the responsibility of defining the entire security posture of the organization and has an understanding of the systems and information they are responsible for protecting (Harkins 2013).
- Security Manager: The role involves creating a vision for building processes, hiring, and developing the technology stack (Ahmad, Maynard and Park 2014). The manager must also possess significant experience and background in running a security team and therefore provides both managerial oversight and technical guidance.
- Security Engineer: They are responsible for engineering the security systems and the security architecture, thereby ensuring speed and continuity (Bhatt, Manadhata and Zomlot 2014).
- Security Analyst: They hold the responsibility of recommending newer technologies and installing them, along with providing the required training to other teams (Hilary and Shen 2013).
The Bell-LaPadula confidentiality model may be relevant to the development of the Security Management Program (Younis, Kifayat and Merabti 2014). The model helps ensure the confidentiality of the information system, since it makes use of mandatory access controls (MAC), security clearances and data classification. It is a state-machine model: every transition of the modelled system must preserve a secure state, so the system can never move from a secure state into an insecure one. The model describes a system that acts as a reference monitor, comparing the classification level of the data with the clearance of the entity requesting access.
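As an added illustration (not part of the original report), the following Python reference monitor enforces the two Bell-LaPadula rules the paragraph describes: the simple security property (a subject may read an object only if its clearance dominates the object's classification, "no read up") and the *-property (a subject may write only to objects whose classification dominates its clearance, "no write down"). The GUMC-flavoured labels, subjects and objects are constructed for the example.

```python
# Added example: a minimal Bell-LaPadula reference monitor (not code from the report).
# Subjects hold clearances, objects hold classifications; each label is a
# (level, categories) pair and dominance is checked on both parts.
from dataclasses import dataclass

LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset  # compartments, e.g. frozenset({"PATIENT"})

    def dominates(self, other):
        """True when self is at least as high in level and a superset in categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class ReferenceMonitor:
    def __init__(self):
        self.subjects = {}  # subject name -> clearance Label
        self.objects = {}   # object name -> classification Label
        self.audit = []     # (subject, op, object, decision) for review

    def add_subject(self, name, label):
        self.subjects[name] = label

    def add_object(self, name, label):
        self.objects[name] = label

    def check(self, subject, op, obj):
        clearance = self.subjects[subject]
        classification = self.objects[obj]
        if op == "read":
            allowed = clearance.dominates(classification)   # simple security: no read up
        elif op == "write":
            allowed = classification.dominates(clearance)   # *-property: no write down
        else:
            raise ValueError(f"unknown operation {op!r}")
        self.audit.append((subject, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed


def build_gumc_monitor():
    """Constructed GUMC-style labels: a clinician, a receptionist and the CISO."""
    m = ReferenceMonitor()
    patient = frozenset({"PATIENT"})
    m.add_object("patient_record_1234", Label("CONFIDENTIAL", patient))
    m.add_object("clinic_opening_hours", Label("PUBLIC", frozenset()))
    m.add_subject("clinician", Label("CONFIDENTIAL", patient))
    m.add_subject("receptionist", Label("INTERNAL", frozenset()))
    m.add_subject("ciso", Label("RESTRICTED", patient))
    return m


if __name__ == "__main__":
    mon = build_gumc_monitor()
    mon.check("receptionist", "read", "patient_record_1234")   # DENY (read up)
    mon.check("ciso", "write", "clinic_opening_hours")         # DENY (write down)
    for entry in mon.audit:
        print(entry)
```

Note that the *-property lets a low-cleared subject write upward into a record it cannot read (a "blind write"); in practice a medical centre would pair this with an integrity model, since Bell-LaPadula addresses confidentiality only.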
Structure of the Report:
The legal and statutory requirements of the Security Management Program help prevent unlawful conduct and support the handling of complex programs that extend into areas involving clients (Nemeth 2017). Besides, a Security Management Program rests on three key principles that are often guaranteed by fulfilling the legal and statutory requirements: confidentiality, integrity and availability.
1. a. Benefits of a Risk Management Plan
These include (Sadgrove 2016):
- Observing Non-Apparent Risk: This allows a team of experts to be leveraged to identify and provide a deeper understanding of all risks.
- Provides Support and Insight to the Board of Directors: Board members may find it difficult to identify risks beyond their own experience and expertise. The plan therefore provides advisory services and resources to the Board for discharging its duties.
- Helps in Reducing Business Liability: This involves reducing upfront litigation risk, which makes a company more attractive.
- Helps in Framing Regulatory Issues: A risk management program provides greater insight into insurance, liability and indemnity issues, thereby allowing the company to focus.
The steps necessary to build a Risk Management Plan include (Hopkin 2018):
- Step 1: Identification of the risk
- Step 2: Analysis of the risk
- Step 3: Evaluation of the risk
- Step 4: Treatment of the risk
- Step 5: Monitoring and reviewing the risk
A contingency plan for GUMC will enable the organization to return to daily operations as soon as possible after an unforeseen event occurs (Talluri et al. 2013). The presence of a contingency plan helps protect resources, minimize inconvenience to customers and identify key staff.
Risk analysis refers to the examination of how the outcomes and objectives of a project may change due to the impact of a risk event (Kou, Peng and Wang 2014). After the risks are identified, analysis is carried out to identify their qualitative and quantitative impacts on the project so that appropriate steps can be taken to mitigate them.
A cost-benefit analysis involves evaluating the rewards and risks of the projects under consideration (Muennig and Bounthavong 2016). It is often used to project the potential benefits of investment in product development, marketing ideas, infrastructure enhancements and operational changes.
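As an added example (not part of the original report), the following Python code carries the quantitative side of the risk analysis and cost-benefit analysis described above through for one GUMC patient-information risk: it computes single loss expectancy (SLE), annualized loss expectancy (ALE), the residual ALE under each candidate control, and recommends the control with the highest positive net benefit. All monetary figures, rates and control names are constructed for illustration.

```python
# Added example: quantitative risk analysis and cost-benefit check for controls
# on patient information (not code from the report; all figures constructed).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the exposed asset (constructed, AUD)
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualized rate of occurrence

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # single loss expectancy

    def ale(self) -> float:
        return self.sle() * self.aro                     # annualized loss expectancy


@dataclass
class Control:
    name: str
    annual_cost: float
    new_aro: Optional[float] = None   # control lowers likelihood, or
    new_ef: Optional[float] = None    # control lowers impact (or both)


def residual_ale(risk: Risk, control: Control) -> float:
    aro = control.new_aro if control.new_aro is not None else risk.aro
    ef = control.new_ef if control.new_ef is not None else risk.exposure_factor
    return risk.asset_value * ef * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction delivered by the control minus what the control costs per year."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, controls):
    """Pick the control with the largest positive net benefit, else accept the risk."""
    best = max(controls, key=lambda c: net_benefit(risk, c))
    nb = net_benefit(risk, best)
    return (best.name, nb) if nb > 0 else ("accept risk", 0.0)


# Constructed scenario: an unencrypted desktop holding patient records is stolen
# (one of the vulnerabilities listed later in the report).
STOLEN_DESKTOP = Risk("stolen desktop with patient records", 500_000, 0.20, 0.5)
CANDIDATE_CONTROLS = [
    Control("full-disk encryption", annual_cost=8_000, new_ef=0.02),
    Control("cable locks and CCTV", annual_cost=3_000, new_aro=0.25),
    Control("outsourced 24x7 monitoring", annual_cost=60_000, new_aro=0.1),
]

if __name__ == "__main__":
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name:28s} net benefit: {net_benefit(STOLEN_DESKTOP, c):>10,.0f}")
    print("recommendation:", recommend(STOLEN_DESKTOP, CANDIDATE_CONTROLS))
```

A negative net benefit, as with the outsourced monitoring option here, is the CBA signal that a control costs more than the loss it prevents and should be rejected or re-scoped.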
2. Threats, Vulnerabilities, and Attacks that the Formal Risk Management Plan Manages
Threats
- Threats related to the breach of security and hacking of the health
- Threats of infiltration into the system by gaining access to the health information of patients.
- Threats related to unintentional actions or mistakes
- Threats related to the supply chain, from transactions with vendors to pharmaceutical shipments.
Vulnerabilities
- Theft of medical information by simply stealing desktop computers
- Use of mobile devices that do not have the same level of security as the computer systems
- Leakage of data while it is disseminated from patients to third parties.
- Outsourcing to third-party vendors or business associates, which has become the norm in the healthcare industry.
- Use of cloud computing services to maintain protected health information, which exposes the health organization to breaches.
Attacks
- Negligent behavior of employees, which is the biggest worry in healthcare organizations
- Criminal threats, as cybercriminals change their tactics on a regular basis.
- Insufficient security of the Electronic Medical Records (EMR), which has raised the risk of exposure of patients' personal information (Park, Parwani and Pantanowitz 2014).
The Plan can act as the model for developing the patient safety and risk management program that meets the needs of the organization.
- Purpose
The purpose of the Risk Management Plan lies in supporting the vision and mission of Griffith University Medical Centre (GUMC), since it deals with patient safety and clinical risk along with visitor, volunteer, third-party and employee safety.
- Guiding Principles
The Risk Management Plan is a conceptual and overarching framework that leads to the development of a risk management program along with the activities and initiatives related to patient safety.
- Governing Body
The governing board is committed to promoting the safety of all patients, visitors, volunteers, employees and individuals involved in the organization's operations.
- Programs, Objectives and Goals
- Continuous improvement of patient safety, and minimizing and preventing the occurrence of errors
- Minimizing the adverse impacts of errors, system breakdowns and events as and when they occur.
- Minimizing overall organizational losses by proactively identifying, analyzing, controlling and preventing clinical, business and operational risks.
- Facilitating compliance with legal and regulatory requirements and with the requirements of accrediting agencies
- Protection of intangible and human resources
- Risk Management Program Functions
- Development of systems for reporting and overseeing potentially unsafe conditions and adverse events.
- Collection and analysis of data for monitoring performance processes involving risk or other adverse events.
- Overseeing GUMC's collection and processing of data, analysis of information and generation of statistical trend reports for monitoring and identifying adverse events.
- Ensuring compliance with the reporting and data collection requirements of governmental, accrediting and regulatory agencies
- Facilitating the implementation of improved tracking systems for diagnostic tests, preventive screenings and medication-related safety systems.
- Facilitating staff and provider participation in educational programs on risk and safety management.
- Monitoring and Continuous Improvement
The Patient Risk Management Committee undertakes risk management activities on a regular basis. The risk manager reports the outcomes and activities to the governing board on a regular basis.
- Confidentiality
The documents and records of patients are confidential and privileged to the extent provided by state and federal law.
- Recommendations
- Using a risk-informed rather than a risk-based approach towards the management of risk
- Incorporating qualitative assessment of risk
- Focusing on the management of risk instead of the measurement of risk
Those responsible for the plan hold the responsibility of developing risk consciousness amongst all contractors, owners and suppliers by making them understand the explicit consideration of risk.
References:
Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), pp.357-370.
Bhatt, S., Manadhata, P.K. and Zomlot, L., 2014. The operational role of security information and event management systems. IEEE security & Privacy, (5), pp.35-41.
Harkins, M., 2013. Managing risk and information security: protect to enable. Apress.
Hilary, G. and Shen, R., 2013. The role of analysts in intra-industry information transfer. The Accounting Review, 88(4), pp.1265-1287.
Hopkin, P., 2018. Fundamentals of risk management: understanding, evaluating and implementing effective risk management. Kogan Page Publishers.
Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), pp.69-79.
Kou, G., Peng, Y. and Wang, G., 2014. Evaluation of clustering algorithms for financial risk analysis using MCDM methods. Information Sciences, 275, pp.1-12.
Muennig, P. and Bounthavong, M., 2016. Cost-effectiveness analysis in health: a practical approach. John Wiley & Sons.
Nemeth, C.P., 2017. Private security and the law. CRC Press.
Park, S.L., Parwani, A.V. and Pantanowitz, L., 2014. Electronic medical records. In Practical Informatics for Cytopathology (pp. 121-127). Springer, New York, NY.
Peltier, T.R., 2013. Information security fundamentals. CRC Press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Rittinghouse, J.W. and Ransome, J.F., 2016. Cloud computing: implementation, management, and security. CRC press.
Sadgrove, K., 2016. The complete guide to business risk management. Routledge.
Safa, N.S., Von Solms, R. and Furnell, S., 2016. Information security policy compliance model in organizations. Computers & Security, 56, pp.70-82.
Sennewald, C.A. and Baillie, C., 2015. Effective security management. Butterworth-Heinemann.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Talluri, S., Kull, T.J., Yildiz, H. and Yoon, J., 2013. Assessing the efficiency of risk mitigation strategies in supply chains. Journal of Business Logistics, 34(4), pp.253-269.
Weaver, C.A., Ball, M.J., Kim, G.R. and Kiel, J.M., 2016. Healthcare information management systems. Cham: Springer International Publishing.
Younis, Y.A., Kifayat, K. and Merabti, M., 2014. An access control model for cloud computing. Journal of Information Security and Applications, 19(1), pp.45-60.