Enterprise Security Concerns

EnterpriseSecurityConcerns.pptx

Enterprise Security Concerns Auburn Regional Medical Center

[NAME]

CMGT/430: Enterprise Security

August 8, 2019

OVERVIEW

Access Control

Security Enterprise

Change Management System

Mitigation

Risk Management


Access Control


Information Security has a broad set of responsibilities, ranging from training and awareness to digital forensics. Given this wide range of job roles, there are many ways to organize access control at Auburn Regional Medical Center. We will organize access control in several different ways so that it aligns with both the skills and the primary functions of the team members.

Security team diagram: Non-Technology Function, Technical Operations, Security, Enforcement.


Auburn Regional Medical Center must utilize information systems to accomplish key business goals. These goals can include operational proficiency, customer intimacy, better decision making, and new products and services. Information systems are an integral part of our organization. In reviewing the hospital's structure, it is important to show the significance of securing the organization's structure, organizational units, and business functions. The hospital organizes and manages work through a structured chain of command and through its business processes, which are logically interrelated tasks and behaviors for completing work.

access control: roles

Manage: Functions that encompass overseeing a program or technical aspect of a security program at a high level and ensuring currency with changing risk and threat environments.

Design: Functions that encompass scoping a program or developing procedures, processes, and architectures that guide work execution at the program and/or system level.

Implement: Functions that encompass putting programs, processes, or policies into action within an organization.

Evaluate: Functions that encompass assessing the effectiveness of a program, policy, process, or security service in achieving its objectives.


Auburn Regional Medical Center has four operational departments that span the enterprise. To address the security needs of each department, separating duties will limit any single employee's ability to damage or compromise the confidentiality, integrity, and availability of the organization's systems. Separating duties within a business or organization helps limit any individual's ability to cause harm or commit theft: if someone attempts to manipulate a system without management noticing, it would take multiple persons conspiring to succeed.

access control: role-based access control


Role-based access control (RBAC) is centered on the roles that employees are assigned in a system. A user's identity connects him or her to a role, and in an RBAC model the role describes the user's responsibility and purpose inside the organization. The benefit of this control is that access rights are assigned to roles rather than to individual users. This technique is useful because users are given distinct roles, which can be static or dynamic, based on their tasks. RBAC allows numerous users assigned to the same task to share a minimum set of permissions.

access control: role-based access control


The hospital will also establish different user roles. The following roles will be implemented:

IT Staff: Employees in the IT department. Full system access.

Doctors: Doctors with their case load.

Nurses: Nurses with their case load.

Vendors: Vendor access. Highly controlled and monitored.

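The role assignments above, worked as an added example that is not part of the original presentation: a small Python policy check in which permissions attach to roles rather than users, doctors and nurses see only patients in their own case load, and vendor access is read-only and audited. The read-only rule and the audit log are assumptions filling in what "highly controlled and monitored" means in practice.

```python
from dataclasses import dataclass

# Roles named on the slide. "full" is unrestricted (IT staff), "caseload" is
# limited to the patients assigned to that user (doctors, nurses), and "vendor"
# is the narrow, logged access the slide calls "highly controlled and monitored".
ROLE_SCOPE = {
    "it_staff": "full",
    "doctor": "caseload",
    "nurse": "caseload",
    "vendor": "vendor",
}


@dataclass
class User:
    name: str
    role: str
    caseload: frozenset = frozenset()   # patient ids assigned to this user


# Constructed audit trail; every vendor decision (allowed or denied) is appended.
AUDIT_LOG: list = []


def can_access_record(user: User, patient_id: str, action: str) -> bool:
    """Decide whether `user` may perform `action` ("read"/"write") on a patient's EHR.

    Permissions hang off the role, not the individual, so changing a person's
    duties means changing their role assignment rather than per-user grants.
    """
    scope = ROLE_SCOPE.get(user.role)
    if scope is None:
        return False                                 # unknown role: deny by default
    if scope == "full":
        allowed = True
    elif scope == "caseload":
        allowed = patient_id in user.caseload        # own patients only
    else:
        # Assumed vendor rule: read-only, and only records explicitly opened to them.
        allowed = action == "read" and patient_id in user.caseload
        AUDIT_LOG.append((user.name, patient_id, action, allowed))
    return allowed


if __name__ == "__main__":
    dr = User("Dr. Example", "doctor", frozenset({"P1"}))
    print(can_access_record(dr, "P1", "write"), can_access_record(dr, "P2", "read"))
```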

Security Enterprise


Security is a need when dealing with privileged information, and more so when that information is people's confidential medical records. In particular, the adoption of electronically formatted medical records, so-called Electronic Health Records (EHRs), has become the primary concern for a broad range of health information technology applications and practitioners.


Auburn Regional Medical Center must take security seriously. There can be serious legal issues to face if a patient's EHR is released without the patient's authorization. The next slide shows how the team will secure the IT systems.

security enterprise


Diagram: an overview of how data will flow from the EHR to the end user and how it will be secured in between.

Change Management System


Changes to the hospital's systems are necessary. Whenever new operating system or EHR application updates or patches are released, or new equipment is deployed, changes will need to be made to the configuration of the hospital's IT network.

To monitor configuration changes, Auburn Regional Medical Center will implement a Change Management team to analyze, approve, develop, implement, and review any planned or unplanned change within the IT infrastructure.

Changes to the IT system will be necessary. To monitor and implement these changes, the hospital will establish a Change Management team.

change management system

The process begins with the submission of a Change Request. The Change Management team will see the Change Request all the way through until the change has been satisfactorily implemented and the result of that change has been communicated to all interested parties. Once a Change Request has been submitted, the team will:

1. Review the Change Request and approve or deny it.

2. Implement the changes in a planned and controlled environment.

3. Prepare user test cases to test the changes once the Change Request is complete.

4. Prepare a rollback plan in the event the changes fail.

5. Inform internal and external customers of any planned maintenance so they are aware of possible downtime.

6. Review the changes to determine if they negatively impact the hospital in any way.

7. Document all changes for record and historical purposes, so that future requests can be compared with historical changes and lessons learned from them.

Mitigation


Mitigation is the risk-control strategy that attempts to lessen the impact of a loss caused by the exploitation of vulnerabilities, through planning and preparation. This method consists of:

incident response

disaster recovery

business continuity

mitigation: incident response

The IT team will proactively monitor the hospital's IT systems and networks. In the event the team discovers an issue within a system and/or the network, the team will open an incident record in their reporting application.

The IT team will work with the necessary staff and/or vendors to resolve the incident. The IT staff will notify the Change Management team if changes need to be made to resolve the incident.

The IT team will also keep upper management informed of the incident so they can engage when needed.

In summary: the IT team will monitor the systems and networks; in the event of an incident the team will record it in their reporting application, resolve it, and inform management of the incident with status updates.

mitigation: disaster recovery

Backing up the IT systems securely is also a priority for the hospital's IT staff. The goal of having a backup of data is to make sure that, in the event of a disaster such as flooding, hurricane, tornado, fire, or malicious activity, this data will be available and can be easily accessed during the recovery phase.

The security of the backup data is also important, because backup data is of no use if it gets corrupted or damaged. Certain guidelines must be followed to accomplish these tasks.

For disaster recovery, the hospital's IT staff will implement a backup policy.

mitigation: disaster recovery

Various options are available for backups.

Full System: all data on the systems is backed up once the backup is initiated, but it requires a lot of space (Smith, 2016).

Incremental: once a full system backup is complete, only the files that have changed since the previous backup are backed up; this type of backup does not use a lot of space and takes less time to create (Smith, 2016).

mitigation: disaster recovery

Differential: like incremental, but a differential backup includes all files changed since the last full backup (Smith, 2016). Organizations can back up their data in-house, where the servers are in the on-site data center, or to cloud services such as Google Drive, Dropbox, or Microsoft OneDrive (Smith, 2016).
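The three backup types above, worked as an added example that is not part of the original presentation: a small Python model that computes which files a full, incremental, or differential backup copies from a constructed three-day file history, and which backup sets a restore must replay for each strategy. File names and modification ticks are constructed sample data.

```python
def changed_since(now: dict, base: dict) -> set:
    """Files in `now` that were added, or modified after `base` was taken.

    A snapshot is a constructed dict of path -> last-modified tick.
    """
    return {p for p, m in now.items() if p not in base or m > base[p]}


def full_backup(now: dict) -> set:
    """Full: copies every file. Needs the most space; restores on its own."""
    return set(now)


def incremental_backup(now: dict, last_any: dict) -> set:
    """Incremental: only what changed since the previous backup of *any* type."""
    return changed_since(now, last_any)


def differential_backup(now: dict, last_full: dict) -> set:
    """Differential: only what changed since the last *full* backup. Each set
    grows through the week, but a restore needs just the full plus the latest."""
    return changed_since(now, last_full)


def restore_sets(kind: str, history: list) -> list:
    """Labels of the backup sets to replay, in order, to restore from `history`.

    history: (label, file_set) pairs in the order taken; history[0] is the full.
    Incremental restores need the full plus every incremental after it, so one
    damaged set breaks the chain. Differential restores need only two sets.
    """
    if kind == "incremental":
        return [label for label, _ in history]
    if kind == "differential":
        return [history[0][0], history[-1][0]]
    raise ValueError(f"unknown backup type: {kind}")


# Constructed three-day history: Monday full, then edits on Tuesday and Wednesday.
MON = {"ehr.db": 0, "config.ini": 0, "notes.txt": 0}
TUE = {"ehr.db": 1, "config.ini": 0, "notes.txt": 0}
WED = {"ehr.db": 1, "config.ini": 0, "notes.txt": 2, "new.pdf": 2}

if __name__ == "__main__":
    print("incremental Wed:", incremental_backup(WED, TUE))    # changed since Tue
    print("differential Wed:", differential_backup(WED, MON))  # changed since Mon
```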


mitigation: business continuity

Hospitals must stay open 24x7x365. To do so, all IT data will reside in two geographically separate data centers.

Data backups will occur using 3 types of backups: full, incremental and differential.

In the event of a disaster, some employees can work from home or a remote location to ensure the hospital continues to serve the community.


Risk Management


There are six steps to the Risk Management Framework (Soto, 2013).

1. First, data that is stored, handled, and communicated on the hospital's information technology network must be categorized, which means determining what impact there would be if one of the elements of the CIA triad were compromised (Soto, 2013).

2. Second, the hospital will establish an initial set of policies for the IT systems; this is where the controls that will form the baseline for the information system are selected (Soto, 2013).

3. Third, implement the controls and determine how to use them, while being able to explain the reasoning behind selecting these security controls (Soto, 2013).

4. Fourth, assess the controls: the IT staff must assess the controls that have been implemented to see whether they meet the security requirements (Soto, 2013). Regular audits will be performed to ensure the hospital is compliant with the requirements of The Joint Commission, HIPAA, and the Medical College of Georgia.

5. Fifth, authorize the IT operation: the data custodian must evaluate the security controls and provide a risk-based decision on whether the controls mitigate risk sufficiently to allow the systems to process, store, and transfer information (Soto, 2013).

6. Last, monitor the controls on a regular basis against the mission and update the documentation pertaining to those security controls (Soto, 2013).


REFERENCES


Soto, D. (2019). Intro to the Six Step Risk Management Framework for ICD 503. Retrieved from http://icd503training.org/introduction-to-the-six-step-risk-management-framework-for-icd-503/.

Smith, R. (2016). Module10: Data Backup and Disaster Recovery. Retrieved from UOP.

Whitman, M., & Mattord, H. (2019). Management of information security (6th ed.). Boston, MA: Cengage.