1100 words..............

profilere.bertyh.elpsfuben.t
CMGT430Week5IndividualAssignmentEnterpriseSecurityPlanStrategicObjectives6.docx

Enterprise Security Plan Strategic

CMGT 430

Enterprise Security Plan Strategic

This enterprise security plan is being created to discuss core principles that can improve the overall enterprise system.

Data loss prevention

Data damage is a risk that Auburn Regional does not have the luxury of overlooking. Patient data is sensitive and needs to be secured in the most efficient manner possible. Staff members themselves pose the biggest vulnerability because of their access to patient data. There is a plethora of information that is obtained when a person visits a hospital, and staff members have access to the information. Having all the specifics in a patient record not only gives the staff members access to medical data but typically they will also have entrance to social security, contact information, home addresses, employer information. With all this information, staff members can also steal one's identity. Abuse of power is a very huge threat, and the only mitigation is to hire qualified individuals who pass their background checks and are provided policies and procedures to maintain data safety.

Access controls

Understanding who has access to what locations is mandatory when trying to ensure that a system is secure. Controls like key cards are great tools for access control. Key cards let the company let the employees have access to the building and sometimes different parts of the building. This gives certain people access to different things that way you can have a more secure building. Then also you can monitor who is where within the building, then also who is on what computer too. All of those are to improved security around the projects being work on. Physical access to computers, visitors, and patient records are another vulnerability identified. Physical security is important to the safety of our employees, our data, and has even been shown to improve productivity. With security monitoring data systems and their various entrances, we increase the physical security of our systems and the data that the house. Employees will feel more safe and secure as they enter and exit the building daily and as they move from department to department. There has also been some research that shows that campus-wide surveillance systems increase productivity because when the employees know that their actions may be scrutinized throughout the day then they tend to work harder and more efficiently.

Data management

3rd party software has become a common usage today and this may interfere with existing configurations within the organization's systems. The probability and threat are media, and the mitigation strategy can easily be to test software on controlled systems for compliance prior to allowing users to download or use the software. Preventing the use of 3rd party software is another means, but if the software is needed, then the approach to testing prior to allowing the usage is the best mitigation strategy.

Risk management

The ransomware attack on neighboring systems has led this author to review aspects of potential threats to the Auburn Regional system. The threats that were noticed by the author dealt with one or more of the following attributes, authorization, authentication or roles of certain members of the business. Changes to the authorization and authentication procedures and/or protocols are mandatory for the integrity of the business. Unauthorized users having access to patient data can result in patient distrust and lawsuits. Increased authorization procedures can include but not limited to additional password protection to specific applications. Authorization changes can also include physical deterrents such as key cards. Authentication upgrades can be touchy depending on the size of the business. In a smaller business, authentication updates can mean new picture identification. For a system as large as Auburn Regional, authentication needs to be more detailed. Biometric technology can be implemented for sensitive areas that need access control. Biometrics can also be applied to certain software applications utilized by the staff. Most potential threats within a system are caused by not properly securing access points, whether a desktop or device being left unlocked or weak password protection for those desktops and devices. In smaller businesses, roles may be increased to ensure that all facets are covered to ensure no loss of integrity. In a larger business, roles can be reduced or redefined to remedy any localized issues.

Verification is key to keep potential threats at the lowest levels a possible. As stated earlier in the document, biometrics would be the technology that can be implemented to save time, resources and unnecessary data storage. Having all staff members on file in the biometrics system mean that all employees can be assigned or issued a security level. Security levels help to separate sensitive data from restricted users. All recommendations within this document can help with active threats and deter potential threats. There is no way to prepare for all threats but having competent staff can cut risk almost in half.

Cloud technology`

The cloud allows the company flexibility to have access to data from any location no matter the time or place. Cloud storage requires little to no maintenance while increasing the security of all data that will be stored. Depending on which storage plan that is being offered, the cost for the service of using the cloud will be low. The only drawback to the cloud is the assurance of confidentiality and security. Finally, any software that needs to be implemented within the company can be easily deployed from the cloud with a click of a button.

Auburn regional is a small, rural hospital that is part of the College of Georgia (CGA) Medical System. My team and I were asked to review the enterprise security environment at Auburn Regional and make suggestions as to how the hospital system can be better prepared to respond to recent threats that have had an impact on other similar-sized hospitals. Our primary goal is to protect the confidentiality, discretion, reassure, and the integrity and availability of organizational data.

Data loss restriction is an approach for securing that end users don't transfer critical or sensitive information outside the enterprise network.

· Why is this topic important to Auburn Regional? Data loss prevention is an important topic at Auburn regional because patient data is sensitive and needs to be secured. The Patients' rights act and HIPAA both state-specific protections of Patient information and a breach in the hospital's systems will lead to a violation of these rights.

· What is the desired outcome to this effort? We hope to put a plan in place that will protect the hospital's security against intrusion and/or hackers.

· What is the specific strategic objective? Hiring qualified security personnel and conducting thorough background checks on all employees.

· What will be the benefits of this effort? The benefits of data loss prevention are preventing data loss. Simply put!

· What will be done to meet this objective? My team will identify the weak points in our security and implement ways to prevent breaches. Background checks, heightened security, audits, and quarterly security training courses for all employees.

Access controls validate and allow individuals to obtain the information they are permitted to inspect and use. There are 3 sorts of access controls. Mandatory, Discretionary, and Role-based. According to (Martin, 2018), Discretionary Access Control is a kind of access control method that handles the company owner accountable for determining which people are permitted in digitally or physically and special location. Mandatory Access Control is regularly employed in an enterprise that demands a high accent on the classification and confidentiality of data. Role-based AC path is designated by the framework controller and is strictly supported on the subject's part within the organization or household and most possibilities are based on the controls determined by their position obligations.

· Why is this topic important to Auburn Regional? Access controls are important to Auburn regional because it helps dictate the level of access an employee can get. Access controls also help effectively protect the company's data. The controls make sure users are who they say they are and are not given more access than required to do their job

· What is the desired outcome to this effort? With the implementation of access controls. Auburn regional should be able to manage the level of access given to employees and ultimately make the company more secure!

· What is the specific strategic objective? Implementing one of the 3 access control methods where required.

· What will be the benefits of this effort? A more secure infrastructure.

· What will be done to meet this objective? Our team will implement a role-based or team-based access model on a small focus group of employees from various departments. We will then deploy this model to all employees once testing is deemed successful.

Avoidance, mitigation, transfer, and acceptance are among the common types of risk management techniques. According to info-entrepreneurs, Risk control is the method of using techniques, tools, and processes, for handling certain hazards. Risk management is important to Auburn regional is important because it explains strategies of managing risks.

· What is the desired outcome to this effort? Managing risks at Auburn Regional.

· What is the specific strategic objective? Identifying, quantifying, and decreasing any uncertainty that concerns or is integrated into a company's establishment, objectives, and tactics accomplishment.

· What will be the benefits of this effort? Identifying potential issues before they arise

· What will be done to meet this objective? Create a risk management plan, analyzing and identifying risks.

Cloud technology is the distribution of computing databases, co-operation—servers, storehouse, software, networking, analytics, knowledge and further—over the Internet ("the cloud") to offer high-speed variation, economies of range and manageable resources.

What Is Cloud Computing?

Cloud technology is important to Auburn regional. The implementation of cloud computing will increase net income while decreasing the charges. Charges will decrease because equipment and personnel needs will decrease. This will alleviate some of the pressure on the small IT team and allow enable to the opportunity to work on other time-intensive IT related issues like software upgrades.

· What is the desired outcome to this effort? To have all data stored in the cloud with a reputable, economically priced CSP. We also hope to see profit increases within the company.

· What is the specific strategic objective? Scalability is the first strategic objective. The short-term cost benefits are appealing as Auburn regional currently wastes revenue due to lack of efficiency and resources.

· What will be done to meet this objective? Auburn regional will use Azure services as their cloud provider. According to Microsoft Azura, you normally pay only for cloud services you use, maintaining moderate your operating expenses, run your foundation more efficiently, and scale as your enterprise requires change.

Recommendations:

· Install antivirus and keep computer software patched.

· Create a change management Plan.

· Move data to the cloud

· Create a Security Enterprise system

· Require Token and VPN access for all external vendors

· Hire a Security guard to monitor the building and especially around the data center.

· Require badge entry as well a 4 digit pin requirements to enter the data center

· Require key card as well as 4 digit pin to access terminals and utilize the network on the terminals.

In summary, once a security plan has been developed, the key to its effectiveness falls to enforcement and upkeep. Regular training and educating the staff, as well as requiring compliance reviews regularly helps greatly with the overall organization understanding best practices that have been implemented. Regularly reviewing the health of the organization allows for new vulnerabilities to be discovered to prevent issues from arising in the future. Having specific people assigned responsibilities also takes the burden off a single department preventing a single facet from becoming overworked and thus not able to operate at maximum efficiency, as well as be a starting point when investigating any potential incident that needs reviewing.

References:

Information Retrieved from Martin, J. A. (2018). What is access control? A key component of data security. 

What is cloud computing?(n.d.). Retrieved from https://azure.microsoft.com/en-us/overview/what-is-cloud-computing/

3 Strategic Goals for your Cloud Migration(n.d.). Retrieved from https://www.nexustek.com/blog/3-strategic-goals-for-your-cloud-migration/

Swanson, D. (2006, June 06). Auditing Ethics And Compliance Programs. Retrieved from https://www.complianceweek.com/blogs/dan-swanson/auditing-ethics-and-compliance-programs#.W5HUOehKhPY

Srivastava, S. B. (2015). Threat, opportunity, and network interaction in organizations. Social Psychology Quarterly, 78(3), 246-262. doi:10.1177/0190272515596176

Waldo, B. H. (1999). Managing data security: Developing a plan to protect patient data.Nursing Economic, 17(1), 49.

https://continuingprofessionaldevelopment.org/risk-management-steps-in-risk-management-process/

https://www.getkisi.com/access-control

https://www.sas.com/en_us/insights/data-management/data-management.html

Manage risk Information Retrieved from https://www.infoentrepreneurs.org/en/guides/manage-risk/