Wednesday, July 17, 2019

Information Systems Security Survey Essay

The University of Nebraska Medical Center (UNMC) is an institution established in the 19th century. UNMC's mission is to improve the health of Nebraska through premier educational programs, innovative research, the highest quality patient care, and outreach to underserved populations (UNMC, 2004). As an institution with a key interest in the privacy of its students and staff, UNMC has adopted various policy guidelines to ensure information security. The Information Security Management Plan (ISMP) describes its safeguards to protect confidential information. These safeguards are meant, among other things, to:

- ensure the confidentiality of data;
- ensure the integrity of data;
- ensure the availability of data;
- protect against anticipated threats or hazards to the security or integrity of the information.

UNMC has adopted information security industry best practices to implement its information security management system (UNMC, 2014). These have proved effective: a HITRUST gap assessment performed during 2011 found no significant gaps within its security program. The worksheet below outlines how these programs have been rolled out by the different offices of the university.

Worksheet: Information Security Program Survey

Each entry lists the security area, the responsible party (office of primary responsibility), the known vulnerabilities or risks, and the countermeasures or risk mitigation strategy.

Acquisition (systems/services)
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Breach of the confidentiality clause.
  Countermeasures / risk mitigation: All service providers must undergo an evaluation process to verify that they are qualified. Contracts contain a confidentiality clause whose breach terminates the contract.

Asset management
  Responsible party: System Administrator
  Known vulnerabilities / risks: Poor asset management.
  Countermeasures / risk mitigation: Proper policies and procedures are in place to ensure effective asset management. Evaluations ascertain the qualifications of asset managers.

Audit and accountability
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Dishonest employees disclosing confidential information to third parties.
  Countermeasures / risk mitigation: Every application keeps a log that must be maintained to meet regulatory requirements. An information security Incident Response Plan is in place to handle any noted unusual events.

Authentication and authorization
  Responsible party: System Administrator
  Known vulnerabilities / risks: Covered data may be transferred to third parties without authorization.
  Countermeasures / risk mitigation: Employees are issued a user name and password to access the data. Employees are trained on creating a secure password. Access policies are in place governing access to this information.

Business continuity
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Lack of coordination and miscommunication between employees.
  Countermeasures / risk mitigation: All employees are expected to keep the contact information of co-workers and supervisors so that they can seek help in case of any emergency.

Compliance management
  Responsible party: Compliance Officer / Information Security Officer
  Known vulnerabilities / risks: Employees' failure to comply with the set guidelines, policies and procedures.
  Countermeasures / risk mitigation: A compliance form is completed before any major project is undertaken by the enterprise. The form ensures that no new risk is introduced to the enterprise.

Configuration control
  Responsible party: System Administrator
  Known vulnerabilities / risks: Compromised system security.
  Countermeasures / risk mitigation: Every account must have a password. Each password must have at least ten characters. The password must be encrypted at all times.

Data
  Responsible party: System Administrator
  Known vulnerabilities / risks: Data may be intercepted during transmission.
  Countermeasures / risk mitigation: The database with security keys is available to authorized employees only. Access to classified data is restricted to a limited set of employees. The Information Security Plan ensures the security of covered data.

Hardware
  Responsible party: System Administrator
  Known vulnerabilities / risks: Destruction of hardware in a disaster.
  Countermeasures / risk mitigation: Only employees with sound know-how of operating the hardware are allowed to use it. The hardware is encrypted for security purposes. A hardware backup system is in place.

Identity management
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Unauthorized transfer of covered data and information through third parties.
  Countermeasures / risk mitigation: The Identity Management Program (IDM) outlines the procedure for issuing credentials based on NIST guidance. Checks are done on employees prior to their employment.

Incident management
  Responsible party: Command Center / Incident Response Team
  Known vulnerabilities / risks: Physical loss of data in a disaster.
  Countermeasures / risk mitigation: An Incident Reporting and Response Plan is in place to report and respond to any identified risk. A well-trained incident response team is available. A command center is established to manage emergencies.

Maintenance procedures
  Responsible party: Change Advisory Board (CAB)
  Known vulnerabilities / risks: Patches and changes applied within the security system.
  Countermeasures / risk mitigation: A release process is in place to ensure that changes do not affect non-primary systems. Patching policies for workstations ensure security.

Media protection and destruction
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Unauthorized access to covered data and information.
  Countermeasures / risk mitigation: Data storage policies define how data stored on media is to be protected. Data is only stored in a secured data centre or on an encrypted medium.

Network
  Responsible party: System Administrator
  Known vulnerabilities / risks: Unauthorized access to the network.
  Countermeasures / risk mitigation: Network traffic is controlled by a Cisco enterprise-class firewall, and inbound connections are only allowed to the DMZ. The internal trusted network is reached via an encrypted VPN tunnel. A technical perimeter is established to bar direct access from the Internet to the Internal Trusted Area.

Planning
  Responsible party: Information Security Office
  Known vulnerabilities / risks: Poor planning that compromises management of the security system.
  Countermeasures / risk mitigation: A contingency plan is in place to handle any eventuality. Employees are encouraged to store data on network file servers for backup. All backups are securely stored and labelled for easy identification during emergencies.

Personnel
  Responsible party: System Administrator
  Known vulnerabilities / risks: Loss of data integrity.
  Countermeasures / risk mitigation: Employees are only hired after meeting the minimum security requirements. An Information Security Addendum must be signed for confidentiality purposes. Outsiders accessing information must be accompanied by an insider who ensures that all legal requirements are met before access is granted.

Physical environment
  Responsible party: System Administrator
  Known vulnerabilities / risks: Physical safety of the environment may be compromised through attacks and burglary.
  Countermeasures / risk mitigation: No unauthorized individual is allowed within the data centre premises. The data centers are controlled by keycard access.

Policy
  Responsible party: Information Security Plan Coordinator
  Known vulnerabilities / risks: Policies may be misinterpreted by employees.
  Countermeasures / risk mitigation: The University's security policy is enshrined in the Privacy, Confidentiality and Security of Patient Proprietary Information Policy and the Computer Use and Electronic Information Security Policy. The two policies require that only authorized people can access this information. The policies are reviewed every two years to keep them in step with prevailing circumstances.

Operations
  Responsible party: Information Security Officer and the Infrastructure Team
  Known vulnerabilities / risks: Failure of operations to comply with the system security policy.
  Countermeasures / risk mitigation: An operation must complete a Compliance Checklist or a Security Risk Assessment form for review, to verify that no new risk is introduced to the enterprise.

Outsourcing
  Responsible party: System Administrator
  Known vulnerabilities / risks: Unauthorized disclosure of security information by third parties.
  Countermeasures / risk mitigation: Outsourced vendors must comply with UNMC Policy No. 8009, Contract Policy. Vendors accessing classified student information must sign the GLB Act contract addendum.

Risk assessments
  Responsible party: Information Custodian
  Known vulnerabilities / risks: Poorly conducted risk assessment that may downplay the real impact of a risk.
  Countermeasures / risk mitigation: A security assessment is conducted annually. All applications must meet the organization's security policies and procedures.

Software
  Responsible party: System Administrator
  Known vulnerabilities / risks: Software may be infected with a virus.
  Countermeasures / risk mitigation: Software should not be installed unless the user trusts it. Vendor updates and patches must be installed unless directed otherwise. Software licences must be retained in order to obtain technical assistance.

Training
  Responsible party: System Administrators and Information Custodians
  Known vulnerabilities / risks: Misuse of the security system; loss of data integrity.
  Countermeasures / risk mitigation: Employees are trained on the information security system before they are employed. System administrators and information custodians receive annual training on the Specific Information Security Policy and Procedure.

References

UNMC. (March 2014). Strategic Plan 2010-2013. Retrieved from http://www.unmc.edu/wwwdocs/strategic-plan_06-10_v3-brochure1.pdf

United States Government Accountability Office. (February 2010). Electronic Personal Health Information Exchange: Health Care Entities' Reported Disclosure Practices and Effects on Quality of Care. Retrieved from http://www.gao.gov/new.items/d10361.pdf

UNMC. (February 9, 2004). Information Security Plan. Retrieved from http://www.unmc.edu/its/docs/UNMCInformationSecurityPlan-Sept2010.pdf
