The Security Plan Development and Implementation for a Medical Records SAN - Report Example

?INFORMATION SECURITY To design a secure, scalable, and responsive database security plan and requirements definition document for a Medical Records SAN (Storage Area Network) Author Author Affiliation Date Table of Contents Table of Contents 2 Part 1: Project Identification and Business Environment 3 Major responsibilities for database security management 3 Operational and incident management procedures 4 Personnel and procedures for daily administration 4 Part 2: Architecture and Operating System Considerations 4 Architecture of System 4 Requirements relate to database security 6 Part 3: User Accounts and Password Administration 6 User administration 6 Password policies 7 Part 4: Privileges and Roles 7 Security model selection 7 8 Roles assignment 9 System privileges 9 Object privileges 9 Part 5: Database Security Operations 10 Requirements and methodology for database logging 10 Requirements and methodology for activity auditing 11 Part 6: Data Isolation Policies 12 Requirements for data isolation 12 Database views 12 Database triggers 12 Database stored procedures 13 Part 7: Physical Environment for Secured Databases 13 Physical Security and control mechanisms systems 13 Part 8: Conclusion 14 Bibliography 15 Abstract It is an admitted fact that information systems and database technology has turned out to be one of the vibrant tools for the effective business and corporate structure. However these corporate structures are presently under a great deal of risks. These risks include critical security and privacy attacks. In this scenario there is a dire need for the application of enhanced security and privacy solutions that ensure a scalable and responsive Medical Records SAN (Storage Area Network). In fact application of such security based solutions demands extensive security management endeavor. With the effective security management we can gain a better business competitive edge in the marketplace. This report is based on the security plan development and implementation for a Medical Records SAN (Storage Area Network). Part 1: Project Identification and Business Environment Major responsibilities for database security management For the development of an information security plan we generally require a comprehensive hierarchy of security management staff. In this scenario the corporate Chief Security Manager will be in-charge of this responsive, secure and scalable database security plan. Then we will hire an Assistant Security Manager who will perform the responsibilities of managing operative measures and complex corporate security issues. Operational and incident management procedures In case of any security violation or threat the corporate security plan will be operational. However we will also maintain the facility of constantly database back-ups. In this way we can easily manage the complex situation through various security based measures to stop or manage such security threats. Personnel and procedures for daily administration In case if we want regular security and operational management for the corporate we will have to establish and maintain a suitable safety handling and managerial arrangement. This may involve a reporting mechanism on daily basis under the supervision of Assistant Security Manager who will compile the weekly security report for Chief Security Manager. Hence the responsible authority can take the necessary action for the overall security management and handling. Part 2: Architecture and Operating System Considerations Architecture of System The corporate information security policy will govern the overall corporate security management operations. Given below is a comprehensive architecture of the new security management arrangement for SAN: Figure 1: Architecture of security policy Source: http://itil.osiatis.es/ITIL_course/it_service_management/security_management/introduction_and_objectives_security_management/introduction_and_objectives_security_management.php The above given diagram shows a complete and clear overview of our desired responsive database security plan. In fact we can implement it in an effective manner. It can be easily managed through the better planning of security management. This overall security arrangement is assessed and evaluated by the corporate officials. In addition, this security management will also involve the comprehensive management of required security assistance. Hence this overall architecture will be governed through absolute reporting arrangement that will offer a great deal of support for the corporate security management. Requirements relate to database security This section covers detailed requirements regarding database security administration for the Medical Records SAN (Storage Area Network). Secure medial data and information Offers security for access of system managers, users, security personnel and management Offers better database access for business workers and security personals to check, search and investigate Reduce danger of security violations Offers international security standards maintained through professionals Ensures minimum risk Easy and flexible in use Part 3: User Accounts and Password Administration User administration We will assign all the users with different usernames and passwords, which will allow them to make changes or define access level to the database. For this purpose we will make use of active directory based user accounts administration method, which is helpful in making complex situation more flexible. Password policies In order to ensure secure user access, we will put into practice efficient password policies. In this scenario we will establish effective procedures for the password allocation and change. In addition, the active directory will manage the password security and handle the overall procedures for the security management. Profile definitions and assignments In order to assign a new profile the corporate Chief Security Manager will approve the user and then Assistant Security Manager will issue the password to that user. With such allocations of passwords and security procedures we will be able to make our system more effective through standard user authentication techniques. In this way Assistant Security Manager will also create the profile of user and allocate rights according to working position of client. Part 4: Privileges and Roles Security model selection For the sake of Medical Records SAN (Storage Area Network) implementation and security handling we will make use of Multi-Level Security (MLS) security management model. In order to protect secret and sensitive corporate data and information (confidential data) we need an improved security management model because valuable security management is the basic need for any business. Moreover when corporate data and information is made public, company can face financial or legal issues and some damaging result. As a result, they will undergo a loss of client trust. In many cases this could create a lot of problems (CentOS, 2012; Black & Varadharajan, 1990). If we implement an effective security policy then in case of any external attack we can easily protect and recover our data from misuse. In this way we can protect and recover sensitive data and information (CentOS, 2012; Black & Varadharajan, 1990). Figure 2 outlines a comprehensive overview of numerous aspects related to multi security levels of business. These multi security arrangements involve a detailed arrangement of the security management and arrangement of the business: Figure 2- MLS Model Image Source: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/images/mlsoview/security-mls-data-flow.png Roles assignment It is a worth mentioning here that roles allocation is one of the chief aspects in establishing such an application. However in case of roles allocation for the database handling, updating and access we will have to make use of the standard technical skills for the information access and handling. Here the Chief Security Manager will assign and allocate the roles to staff and offer a great deal of facility to handle and manage their talent related duties. System privileges In case of new business security arrangement for Medical Records SAN (Storage Area Network) we will have to implement more effective system access privileges. For this purpose we will implement a suitable security management arrangement that can offer more secure access mechanism to business staff. Hence we can get rid of unauthorized access. It will help the security officials to resist illegal members towards their access to the system. The system will be protected through rigid security arrangements offering SSL based log-in support. Object privileges For the sake of management of the object access and privilege handling we will offer different access levels depending upon the situation. For the management of diverse access levels at the business arrangement we will make use of system access management mechanism that ensures safe and reliable security handling of business data and information. Part 5: Database Security Operations Requirements and methodology for database logging In scenario of Medical Records SAN (Storage Area Network) application we can manage related information security policy document; I am about to present the basic security program for this advanced policy application for the sake of requirements and methodology for the system logging. It is assessed in case of this new policy application that information security for Medical Records SAN (Storage Area Network) is critical. The aim is to recognize, review and take steps to keep away from or risks to our organization’s information assets. In this way we can make our organizational access much simpler and efficient (SAS70Checklists, 2012). As we know that governance is essential for the long-term strategy and a significant way for a business with value to the security policies and risk management plan. Governance requires managerial administration endorsement, participation and consistency in support. Hence we can manage our application in better organizational arrangement that offers a suitable place to notify, advice, executive, corporate the assessed security concerns along with satisfactory risk levels (SAS70Checklists, 2012). In order to implement a robust information security role for Medical Records SAN (Storage Area Network) application we will have to be familiar with the significance of recognizing the information security necessities and required policy objectives intended for information security that we have to apply in a quite flexible way. This may minimize the risks during operational controlling and to run information security risks in the circumstance of general corporate issues and security concerns. Given below are some of the basic security needs and requirements for Medical Records SAN (Storage Area Network) application: (SAS70Checklists, 2012) Handling security operations. Managing database access. Disaster recovery mechanism. Taking periodic reports for security assessments. Offering legal access mechanism. Continuous development foundational measurement, assessment as well as transforms that affect risk. Makes sure the entire clients of agency information assets are responsive for their jobs in protecting corporate possessions. Reviewing and Monitoring the efficiency and performance of information security strategy and controls. Requirements and methodology for activity auditing For establishing requirements and methodologies for activity auditing we will make use of periodic security assessment reports. These reports will ensure the effective management of the auditing of information technology based systems. This can be handled through various detection aspects with its implementation. Hence these reports will be complied at weekly basis and will ensure the better detection and management of security aspects. This will lead to a great deal of capable and valuable management and it ensures secure environment. Part 6: Data Isolation Policies Requirements for data isolation In case of Medical Records SAN (Storage Area Network) application we are having a variety of requirements for data isolations. As we know that Medical data may involve secret data and information and personal records of users. In case of illegal access to such data the whole corporate can suffer from a number of legal issues. Here we are having a number of challenges regarding protection of the business data from unauthorized access. It will offer customized access levels to user for security management and handling. Database views For demonstrating management and corporate decision support we will use the database views those will be used to enumerate the concluding picture of ongoing business working and critical operations. These views will also ensure the corporate security and access control. Database triggers Only authorized staff can access the database triggers. However, in case of access and manipulating the business data we need to ensure the suitable security and effective access management to database triggers. Database stored procedures In this application the role of data analyst cannot be neglected. Database stored procedures will be developed and executed by few high level data analysts. These data analysts will be given special rights that will be governed to manage and handle the corporate working and operational arrangements. It will offer an excellent support for security management. Part 7: Physical Environment for Secured Databases Physical Security and control mechanisms systems In order to ensure comprehensive security management for the information system, physical security management is also one of main needs for such arrangement. In this scenario we will make use of some up-to-date physical security arrangements that will ensure the proper handling and management of security for Medical Records SAN (Storage Area Network) application. Here we will have to install secure surveillance cameras those will constantly monitor and assess the possible security. The need for such arrangement is vital in keeping an operational security eye on working and movement of staff. In this way we can reduce and stop and point out any unauthorized person access within the premises. These all aspects will lead to a great deal of better security management of staff. Here we will also need to install some Biometric or Magnetic Card based entry of staff member to working areas. These all aspects will offer a comprehensive and more powerful access management for working staff and their management. Database backup and restore practices If we want to implement some contingency arrangement for the possible risks within the Medical Records SAN (Storage Area Network) application; we need to offer some disaster recovery systems. For this purpose we will have to ensure proper implementation of database backup and restore arrangements. These arrangements will be utilized when we will need. In fact we must make sure that the security of corporate arrangement is ready to avoid any external attack or misuse. In case of any possible event or security attack the whole corporate data is stored into a central backup server and can be restored for the smooth working of corporate. Here these arrangements will be considered as a main backbone plan for the management of disaster recovery plan. Part 8: Conclusion In this technological era we are aware of the significance of the security of business and corporate arrangement. Moreover it has turned out to more imperative for the effective business working. These days almost every business is more dependent on information technology based systems. However there are dangers to such systems regarding security point of view. In this scenario we need to remain more flexible in making security arrangements and applying these standards. Hence we can easily manage secure environment and privacy of such systems. This security policy, development and supervision report can be a helpful aspect in implementing a secure, scalable and responsive database security plan and requirements for protecting and defending Medical Records SAN (Storage Area Network) system. Each organization wants its data in fool-proof security arrangement that is more reliable for improving the performance of overall corporate and also for the business security management. The database security management in network based arrangement is a really complex task. However this can be achieved by applying standard techniques. I hope this comprehensive research and critical report will offer a deep overview of security plan for the corporate arrangement. The above mentioned suitable methods related to standard and suitable security procedures can lead towards more reliable and secure business environment. Bibliography Black, S., & Varadharajan, V. (1990, June). A Multilevel Security Model for a Distributed Object-Oriented System. Retrieved February 09, 2012, from Hewlett-Packard. Company: http://www.hpl.hp.com/techreports/90/HPL-90-74.pdf Bowen, P., Chew, E., & Hash, J. (2011). Information Security Guide for Government Executives. Retrieved February 10, 2012, from http://csrc.nist.gov/publications/nistir/ir7359/CSD_ExecGuide-booklet.pdf CentOS. (2012). 43.6. Multi-Level Security (MLS). Retrieved February 10, 2012, from http://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-mls-ov.html Cert-In. (2011). EMPANELLED OF INFORMATION SECURITY AUDITING ORGANISATIONS. Retrieved February 09, 2012, from http://www.cert-in.org.in/PDF/emprog.pdf Elemental Cyber Security, Inc. (2011). Elemental Security and Information Security Policy. Retrieved February 09, 2012, from http://www.elementalsecurity.com/glossary/information-security-policy.php Fumey-Nassah, G. (2007). The management of economic ramification of information and network security on an organization. InfoSecCD '07 Proceedings of the 4th annual conference on Information security curriculum development. ACM New York, USA. Grimaila, M. R. (2004). A novel scenario-based information security management exercise. InfoSecCD '04 Proceedings of the 1st annual conference on Information security curriculum development (pp. 66-70). ACM New York, USA. JBwGroup. (2009, April). Evolution of an International Information Security Standard. Retrieved February 12, 2012, from http://www.jbwgroup.com/documents/JBWGroup-EU-InfoSecHistoryV2-N2.0.pdf kennesaw State University. (2010). Enterprise Information Security Policy. Retrieved February 11, 2012, from http://its.kennesaw.edu/infosec/docstore/policy/eisp.pdf Mscpaonline. (2010). Sample Written Information Security Plan. Retrieved February 09, 2012, from http://www.mscpaonline.org/pdf/wisp.pdf Ruiu, D. (2006). Learning from Information Security History. IEEE Security and Privacy, Volume 4 Issue 1, 77-79. SAS70Checklists. (2012). Information Security Plan Template. Retrieved February 10, 2012, from http://www.sas70checklists.com/information-security-plan-template SAS70Checklists. (2011). Information Security Plan Template. Retrieved February 09, 2012, from http://www.sas70checklists.com/information-security-plan-template United States Government Accountability Office. (2009, May 05). Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk. Retrieved February 08, 2012, from http://www.gao.gov/new.items/d09661t.pdf University at Albany. (2003, June). Information Security Guideline for NSW Government - Part 2: Examples of Threats and Vulnerabilities. Retrieved September February 09, 2012, from http://www.albany.edu/acc/courses/ia/inf766/nswinfosecriskmanagementpt21997.pdf Washington University. (2011). Information Security Policy. Retrieved February 08, 2012, from http://wustl.edu/policies/infosecurity.html Read More