
Wednesday, January 9, 2019

Information Systems Security Survey Essay

The University of Nebraska Medical Center (UNMC) is an institution that was established back in the 19th century. UNMC's mission is to improve the health of Nebraska through premier educational programs, innovative research, the highest quality patient care, and outreach to underserved populations (UNMC, 2004). As an institution with a distinct interest in the privacy of its students, staff and support staff, UNMC has adopted various policy guidelines to ensure information security management. The Information Security Management Program (ISMP) describes its safeguards to protect confidential information. These safeguards are meant, among other reasons, to:

- ensure the confidentiality of information;
- ensure the integrity of data;
- ensure the availability of data;
- protect against anticipated threats or hazards to the security or integrity of the information.

UNMC has adopted information security industry best practices to implement its information security system (UNMC, 2014). They have proven so effective that during 2011 a HITRUST gap assessment was performed and no significant gaps were found within its security program. The worksheet below outlines how these programs have been rolled out by different offices in the university.

Worksheet: Information Security Program Survey

Each entry lists the security area, the responsible party / office of primary responsibility, the known vulnerabilities / risks, and the countermeasures / risk mitigation strategy.

Acquisition (systems/services)
Responsible party: Information Security Office
Known vulnerabilities / risks: Breach of the confidentiality clause
Countermeasures: All service providers must undergo an evaluation process to verify that they are qualified. Contracts have a confidentiality clause whose breach terminates the contract.

Asset management
Responsible party: System administrator
Known vulnerabilities / risks: Inadequate asset management
Countermeasures: Proper policies and procedures are in place to ensure effective asset management. Evaluation is carried out to ascertain the qualifications of asset managers.
Audit and accountability
Responsible party: Information Security Office
Known vulnerabilities / risks: Dishonest employees disclosing confidential information to third parties
Countermeasures: Every application keeps a log that must be maintained to meet regulatory requirements. There is an Information Security Incident Response Plan to handle any notable unusual events.

Authentication and authorization
Responsible party: System administrator
Known vulnerabilities / risks: Covered data may be transferred to third parties without authorization
Countermeasures: Employees are provided with a user name and password to access the data. Employees are trained on developing a secure password. There are access policies in place governing access to this information.

Business continuity
Responsible party: Information Security Office
Known vulnerabilities / risks: Lack of coordination and miscommunication between employees
Countermeasures: All employees are expected to keep the contact information of co-workers and supervisors so they can seek help in case of any emergency.

Compliance management
Responsible party: Compliance Officer and the Information Security Officer
Known vulnerabilities / risks: Employees' failure to comply with the set guidelines, policies and procedures
Countermeasures: A compliance form is filled in before a major project is undertaken by the enterprise. The form is meant to ensure that no new risk is introduced to the enterprise.

Configuration control
Responsible party: System administrator
Known vulnerabilities / risks: Compromised system security
Countermeasures: Every configuration must have a password. Each password must have at least ten characters. The password must be encrypted at all times.

Data
Responsible party: System administrator
Known vulnerabilities / risks: Data may be intercepted during transmission
Countermeasures: The database holding security keys is available to authorized employees only. Access to classified data is allowed to a limited set of employees. The Information Security Plan ensures the security of covered data.

Hardware
Responsible party: System administrator
Known vulnerabilities / risks: Accidental destruction of computer hardware
Countermeasures: Only employees with the technical know-how to operate the hardware are allowed to use it. The hardware is encrypted for security purposes. A hardware backup system is in place.
Identity management
Responsible party: Information Security Office
Known vulnerabilities / risks: Unauthorized transfer of covered data and information through third parties
Countermeasures: The Identity Management Program (IDM) outlines the procedure for issuing credentials based on NIST guidance. Checks are done on employees prior to their employment.

Incident management
Responsible party: Command Centre / Incident Response Team
Known vulnerabilities / risks: Physical loss of data in a disaster
Countermeasures: An Incident Reporting and Response Plan is in place to report and respond to any identified risk. A well-trained incident response team is available. A Command Centre is established to manage emergencies.

Maintenance procedures
Responsible party: Change Advisory Board (CAB)
Known vulnerabilities / risks: Existing patches within the security system
Countermeasures: A release process is in place to ensure that changes do not affect non-primary systems. Patch policies for workstations ensure security.

Media protection and destruction
Responsible party: Information Security Office
Known vulnerabilities / risks: Unauthorized access to covered data as well as information
Countermeasures: Data storage policies define how data stored on media is to be protected. Data is only stored in a secured data centre or on encrypted media.

Network
Responsible party: System administrator
Known vulnerabilities / risks: Unauthorized access to the network
Countermeasures: Network traffic is controlled by a Cisco enterprise-class firewall where inbound connections are only allowed to the DMZ. Access to the internal trusted network is provided via an encrypted VPN tunnel. A secure perimeter is established to block direct access from the internet to the Internal Trusted Area.

Planning
Responsible party: Information Security Office
Known vulnerabilities / risks: Poor planning that compromises management of the security system
Countermeasures: A contingency plan is in place to handle any eventuality. Employees are encouraged to store data on network file servers for backup. All backups are securely stored and labelled for easy identification during emergencies.

Personnel
Responsible party: System administrator
Known vulnerabilities / risks: Loss of data integrity
Countermeasures: Employees are only employed after meeting minimum security requirements. Information Security Agreements are to be signed for confidentiality purposes.
Outsiders accessing information must be accompanied by an insider who ensures that all legal requirements are followed before access is granted.

Physical environment
Responsible party: System administrator
Known vulnerabilities / risks: Physical safety of the environment may be compromised through attacks and burglary
Countermeasures: No unauthorized person is allowed within the data centre premises. The data centres are controlled by keycard access.

Policy
Responsible party: Information Security Plan Coordinator
Known vulnerabilities / risks: Policies may be misinterpreted by employees
Countermeasures: The University's security policy is enshrined in the Privacy, Confidentiality and Security of Patient Proprietary Information Policy and the Computer Use and Electronic Information Security Policy. The two policies require that only authorized people can access this information. The policies are reviewed every two years to keep them in line with prevailing circumstances.

Operations
Responsible party: The Information Security Officer and the Infrastructure Team
Known vulnerabilities / risks: Failure of operations to comply with the system security policy
Countermeasures: An operation must fill in a Compliance Checklist or a Security Risk Assessment form for review to verify that no new risk is introduced to the enterprise.

Outsourcing
Responsible party: System administrator
Known vulnerabilities / risks: Unauthorized disclosure of security information by third parties
Countermeasures: Outsourced vendors must comply with UNMC Policy No. 8009, Contract Policy. Vendors accessing classified student information must sign the GLB Act contract addendum.

Risk assessments
Responsible party: Information Custodian
Known vulnerabilities / risks: A poor method of risk assessment that may downplay the actual impact of a risk
Countermeasures: A security assessment is conducted every year. All applications must meet the organization's security policies and procedures.

Software
Responsible party: System administrator
Known vulnerabilities / risks: Software may be infected with a virus
Countermeasures: Software should not be installed unless the user trusts it. Vendor updates and patches must be installed unless directed otherwise. Software licenses must be retained to obtain technical assistance.
Training
Responsible party: System administrators and Information Custodians
Known vulnerabilities / risks: Misuse of the security system; loss of data integrity
Countermeasures: Employees are trained on the information security system before they are employed. System administrators and information custodians are trained annually on the specific information security policies and procedures.

References

UNMC. (March 2014). Strategic Plan 2010-2013. Retrieved from http://www.unmc.edu/wwwdocs/strategic-plan_06-10_v3-brochure1.pdf

United States Government Accountability Office. (February 2010). Electronic Personal Health Information Exchange: Health Care Entities' Reported Disclosure Practices and Effects on Quality of Care. Retrieved from http://www.gao.gov/new.items/d10361.pdf

UNMC. (February 9, 2004). Information Security Plan. Retrieved from http://www.unmc.edu/its/docs/UNMCInformationSecurityPlan-Sept2010.pdf
