Information Security Management Frameworks - Essay Example

Summary
The paper "Information Security Management Frameworks" states that the KDC searches the client’s master key depending on the client's password. The KDC then develops TGT and a session key to share with the client. The TGT incorporates a copy of S.A., time of expiry, and the client name…

Extract of sample "Information Security Management Frameworks"

Comparisons of two Information Security Management Frameworks

The purpose of this program plan is to outline an efficient framework that will guide the health care industry in enhancing its cyber security and obtaining appropriate but cost-effective insurance cover. It defines the essential elements of an effective information security program without infringing the law and other regulations governing it. It is imperative to have a plan for how the organization can ensure its information is secured. This includes important steps such as assessing the risks, both imminent and long term, having a structure responsible for information security and assigning the responsibilities, setting up personnel policies related to security and, finally, monitoring the security program the company will formulate. Security responsibilities in an organization are all-embracing, which is why it is important to involve the employees in formulating the program.

SQL information system management used in health care

The health care information technology system is in several instances predisposed to various risks and threats, among other vulnerabilities. The situation gets worse when such acts are directed at information systems serving patients with life-threatening conditions. The risks, threats, and vulnerabilities include, but are not limited to, accessing the public internet without authority, hacking that results in penetration of the IT infrastructure, and fire destroying primary data (Rodrigues 56). In most instances, health-care centers have put in place web-based patient and physician portals to enable visibility into the organization's financial and clinical data. The physician portal is normally used for various purposes, including viewing radiology and laboratory results, obtaining electronic medical records and completing charts.

Similarly, the patient portal enables access to the patient's information, including test results, billing information, prescribed medication, scheduled appointments, and medical conditions. However, if secure coding of the web application is not implemented, vulnerabilities such as SQL injection and cross-site scripting are likely to occur. These are exploited by unauthorized users, who may compromise the confidentiality of sensitive information via the internet (Gentile 69). Notable tools employed in the identification of healthcare-related online risks include the WebInspect scanner by Hewlett, the Web Vulnerability Scanner by Acunetix and the Watchfire AppScan by IBM. Applying these tools then supports the selection of authentic databases, passwords, and user identities as far as internet security is concerned.

In order to tackle various threats and risks, sections of clinical systems have adopted wireless networks, which they use to present and obtain information at the point of care. For example, this has been applied at bedsides (Gentile 41). The wireless network policy enables the use of wireless network infrastructure to handle patients' information systems. This kind of system, with proper coding, plays a significant role in ensuring the integrity, confidentiality, and reliable availability of patients' information. If the information is not properly secured under such circumstances, it would greatly affect the organization's internal systems. The wireless network policy ensures that proper regulations and procedures are put in place to handle the patients' information systems. These include performance logs and network security. Training in this field would then enable authorized users, such as permitted staff, to understand the encryption and authentication mechanisms of the wireless network in use.

To identify where unauthorized access points and rogue users are located, system administrators should use wireless scanning tools. On the same note, hospitals offering free wireless network access to the public must always ensure that the person accessing information is authenticated. Regulations on whether the terms of access are acceptable to the organization must form the guidelines for access by members of the public. The health centre should clarify that the entire wireless network access is segregated within the internal network. The wireless network policy, if put in place, will therefore have various advantages over fixed network systems, since wireless access is portable and thus easily applicable within the workstation. If effectively employed, the wireless network system is one of the fastest ways to enable information flow within the organization (Gentile 99).

The use of Kerberos System information management (security) system framework

Kerberos is an authentication protocol developed by the Massachusetts Institute of Technology (MIT) and adopted by most operating systems today. A basic knowledge of Kerberos is required to determine its usefulness in the access control mechanisms provided by the operating system. The Kerberos authentication process depends on formatted data packets referred to as tickets. The tickets are vital in that they, rather than passwords, travel across the network. Conveying tickets rather than passwords makes the process of authentication resistant to threats or attacks that can intercept the network traffic (Brenner 12). In the Kerberos environment, the process of authentication starts at logon. The following steps explain the process of Kerberos authentication.

i. When a client or a user enters the login details (username and password), the computer transmits the username to the KDC, which holds a master database of specific keys for every principal in its realm.
ii. The KDC looks up the client's master key, which depends on the client's password. The KDC then develops a TGT and a session key to share with the client. The TGT incorporates a copy of S.A, the time of expiry and the client name. The KDC then encrypts the tickets that the KDC recognizes.
iii. The user's computer gets the message from the KDC and runs the password through a one-way hash function that converts the password into the client's KA.
iv. If the user needs resources on a certain server in the same domain, the user's computer communicates with the KDC.
v. The KDC develops a pair of tickets, one for the user and another for the server on which the user needs to access resources.
vi. The KDC takes the server's ticket and encrypts it using the master key.
vii. When the server gets the tickets, the client decrypts it using S.A. This reveals the KAB to the user and also exposes the server's tickets. After communication between the KAB and the server, the server decrypts the tickets using its KB. In turn, this gives access to the KAB, which can decrypt the timestamp for the user (Hornstein 10).

References

Brenner. Kerberos: Authentication with some drawbacks. Web. December 2, 2013.
Gentile, Michael. The Ciso Handbook: A Practical Guide to Securing Your Company. New York: Auerbach Publications, 2005. Print.
Hornstein. Kerberos-faq/general. Web. December 2, 2013 from http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#whatis
Rodrigues, James. Health Information Systems: Concepts, Methodologies, Tools and Applications. New York: Idea Group Inc (IGI), 2009. Print.
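The Kerberos logon steps i to vii above can be traced in code. The following is an added example, not part of the original essay: it follows the standard Kerberos exchange using the essay's key names (KA, S.A, KAB, KB), with a toy SHA-256 keystream plus HMAC standing in for a real Kerberos encryption type. The function names, principal names and passwords are constructed for illustration, and the server's KB is read from the KDC object only to keep the sketch in one process.

```python
import hashlib, hmac, json, os, time

def derive_key(password, salt):  # one-way hash: password -> long-term key (K_A, K_B)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def _xor(key, nonce, data):  # toy SHA-256 keystream, NOT a real Kerberos enctype
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt, then prepend an HMAC tag so tampering is detected
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, json.dumps(obj).encode())
    return hmac.new(key, body, "sha256").digest() + body
def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, body[:16], body[16:]))

class KDC:
    def __init__(self, principals):  # name -> password (constructed sample data)
        self.keys = {n: derive_key(p, n) for n, p in principals.items()}
        self.k_kdc = os.urandom(32)  # known only to the KDC; protects TGTs
    def as_request(self, client):  # steps i-ii: only the username is received
        s_a = os.urandom(32).hex()
        tgt = seal(self.k_kdc, {"client": client, "S_A": s_a, "exp": time.time() + 600})
        return seal(self.keys[client], {"S_A": s_a}), tgt
    def tgs_request(self, tgt, server):  # steps iv-vi: one part for user, one for server
        t = unseal(self.k_kdc, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        k_ab = os.urandom(32).hex()
        ticket = seal(self.keys[server], {"client": t["client"], "K_AB": k_ab, "exp": t["exp"]})
        return seal(bytes.fromhex(t["S_A"]), {"K_AB": k_ab}), ticket

def server_accept(k_b, ticket, authenticator, max_skew=300):  # step vii, server side
    t = unseal(k_b, ticket)                                   # K_B reveals K_AB
    a = unseal(bytes.fromhex(t["K_AB"]), authenticator)       # K_AB reveals timestamp
    if t["exp"] < time.time() or abs(time.time() - a["ts"]) > max_skew:
        raise ValueError("expired ticket or stale timestamp")
    return t["client"]

def login_and_access(kdc, user, password, server):
    sealed_sa, tgt = kdc.as_request(user)
    s_a = unseal(derive_key(password, user), sealed_sa)["S_A"]  # step iii, done locally
    sealed_kab, ticket = kdc.tgs_request(tgt, server)
    k_ab = unseal(bytes.fromhex(s_a), sealed_kab)["K_AB"]
    return server_accept(kdc.keys[server], ticket, seal(bytes.fromhex(k_ab), {"ts": time.time()}))
```

The password is used only on the client to derive KA; a wrong password fails at the first `unseal`, and a ticket altered in transit fails the HMAC check on the server.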