Principles of Information Security - Essay Example

Summary
This paper “Principles of information security” analyzes the state of an information system in a company before proposing various issue-specific policies capable of enhancing the efficiency and effectiveness of the system. Information policies influence the nature of the information systems in a company…
Extract of sample "Principles of Information Security"

Principles of Information Security

Introduction

Information is one of the most important assets in most organizations. Companies invest billions of dollars in safeguarding their data and developing functional information systems to enable ease of access to the databases and the information they contain. Improvements in technology provide appropriate ways of developing and maintaining functional information systems (Gibson, 2011). However, the same improvements further increase the risks that databases and the entire information system face. An organization must develop appropriate policies capable of safeguarding and maintaining a reliable information system, thus ensuring that employees access the information in real time. Information policies influence the nature of the information systems in a company and the use of the information within the organization. This report analyzes the state of an information system in a company before proposing various issue-specific policies capable of enhancing the efficiency and effectiveness of the system. The report is a product of teamwork, with the group members collaborating in the development of the various sections of the report, including the selection of the issue-specific policies.

The group selected New York Presbyterian Hospital as the organization of choice for the study. Information is a vital resource in the management of health facilities and the dispensation of services in the facilities. Health facilities strive to develop efficient and reliable information systems capable of providing real-time access to vital information that may mean life or death for a patient. The health facility provides an effective environment for assessing the importance of information systems and thus for formulating policies that would enhance service delivery in the facility.
The members of the group carried out research on the health facility and interviewed some of its employees and managers, who offered reliable information on the nature and importance of the information system. The research included studying and testing the various features of the facility's information system, including the functionality of its website. The report has various sections that provide in-depth analysis of the information system in the facility, the proposed policies and their anticipated effects. The overview of the company is a key section of the report that provides adequate information about the existing information system of the hospital, its information needs and the need for functional information policies to guide the utilization of the system. Subsequent sections of the report address related topical issues, including the existing information policy in the facility and the issue-specific policies proposed after the study.

Overview of the chosen company

New York Presbyterian Hospital, just as the name suggests, is a health facility and a university hospital. The hospital has affiliations with Weill Cornell Medical College and Columbia University's College of Physicians and Surgeons. The hospital has a bed capacity of 2,478. The hospital has numerous departments that offer both inpatient and outpatient services, a feature that compounds its need for information systems. The health facility offers various services including cancer treatments, neuroscience, orthopedic, rehabilitation medicine and children's health care services, among many others. As a teaching and referral hospital, New York Presbyterian Hospital has numerous departments that make the maintenance of a reliable and functional information system a difficult process. The hospital has more than two hundred doctors and about a thousand nurses.
The management of information is a major function of the management, with the hospital having a Chief Information Officer who heads the department mandated with the management of information in the hospital. The hospital has seven main facilities spread throughout the city of New York. The seven include Columbia University Medical Center, Allen Hospital, Queens, Lower Manhattan Hospital, Westchester Division, Morgan Stanley Children's Hospital and the Weill Cornell Medical Center. The facilities operate semi-autonomously but share the hospital's database. Some patients seek help from more than one department, a feature that makes sharing of information among the seven facilities vital.

New York Presbyterian Hospital has hundreds of computers connected to its information systems. Each of the seven facilities has various departments, each of which has installed computers, telephones, printers, a filing system and shredders, among many other facilities contained in an information system. The various computers in each department constitute functional workstations with information officers who coordinate the movement of patients and the operations of the doctors and patients to ensure that each obtains appropriate information to enhance service delivery. The doctors at the hospital have their personal laptops, among other handheld devices, on which they keep their personal information and which they may also use for their official duties at the hospital. They connect their laptops to the wireless Local Area Network belonging to the hospital and access specific data that relates to their duties at the hospital. The hospital has seven data centers, one in each of its seven facilities. The data centers host the hospital's databases and run on an efficient network that shares the information both locally in the seven facilities and with the other facilities in the various parts of the city.
The data centers occupy strategic floors in the administrative buildings of the seven facilities. The buildings enjoy adequate security from the private security firm the hospital hires to guard its premises throughout the city. Additionally, the hospital has a team of information technology specialists mandated with the management of the security and integrity of the databases. The team employs various technologies to ensure the safety of the databases and that the information system runs efficiently, thus enabling real-time access to patient records among other vital records in the facility. Besides the doctors and nurses, the hospital has numerous other employees, including subordinate staff mandated with the cleanliness and security of the facilities. The management of the hospital requires an effective database and an equally efficient information system to manage the vital records for the various employees. In addition to the electronic information system, the hospital has an archiving department that consists of a functional library containing various records, including patient and employee records.

The Enterprise Information Security Policy

With such a reliable information system, the New York Presbyterian Hospital has various security policies that control the accessibility of the information from the databases through the system. The policies are sets of rules that influence the behaviors of the expected users, security personnel, system administrators and the management of the organization, among other users. The policies at the hospital permit particular individuals to access particular parts of the databases. The hospital's database contains various types of data including patient records, inventories of the hospital's pharmacy among other departments, employee history and records, among many others. The policies ensure that each user of the network accesses the appropriate data.
The information policy at the hospital encourages categorization of the database to enable orderly and effective access to information with a view to enhancing service delivery while increasing profitability. Doctors and nurses access patient records and data relating to medical research. Managers access data relating to the history of the employees of the hospital, including the doctors, nurses and subordinates. They access records relating to their payments, promotions and issues affecting their productivity. The security policy permits security personnel to monitor and investigate the use of the information system. They strive to ensure that the system functions efficiently. In the case of breaches, they investigate and monitor personnel to ensure that they resolve the breaches and safeguard the security and functionality of the system.

The security policies at the hospital strive to maintain orderliness, reliability and the integrity of the data they contain. The hospital maintains a strong security position through stringent data ownership, security controls and maintenance of the security infrastructure. The hospital owns its data. It ensures this by placing unique watermarks on its files and ensuring that it reserves the right to use the information in its database. The security policies encourage the various users to guard the information and discourage sharing (Dhillon, 2007). The policies outline several behaviors the management considers unethical and illegal. The security personnel carry out dedicated surveillance of the information network to ensure that users do not share the information with unauthorized personnel. The policies mandate the information technology department with the management and the security of the information system. They maintain the infrastructure, thus improving its efficiency and the security of the databases. The security policy of the information system in the hospital is functional and efficient, at least on paper.
Users of the system continue to record failures and hurdles, most of which point to the need for cohesive and holistic policies that will address the issues, thereby providing a functional, safe and efficient system. The harmonization of patients' records is a problem, as doctors and nurses face difficulties accessing patient records.

Five different issue-specific policies

Email Security Policy

1. Every user of the network should have a unique email address developed for them by the information technology department as part of the information system.

The new policy restricts communication through the network to particular email addresses designed specifically for the network. The information technology team is to develop such email addresses as evelyn@health.NYPH.org for every doctor, nurse and manager, among other users of the network. The security team has the official mandate of monitoring and probing how the employees of the hospital use the network. By designing such unique email addresses, the policy restricts the use of the email addresses to official communication within the hospital, thereby providing the users of the network with the liberty of retaining their private email addresses, which the policy prohibits from accessing the system (ICISS 2008, Sekar & Pujari, 2008). With such a security policy, the security personnel will easily monitor the activities of the various users, thereby minimizing instances of security breaches since the users would not use such email addresses for personal affairs.

Laptop Security Policy

2. The hospital will have workstations in every department accessible to every employee of the department with a unique username and password. The hospital outlaws linking personal laptops to the network.

The use of personal laptops poses great security risks to the information system.
Among such risks is the threat of viruses, which would easily jeopardize the integrity and functionality of the information system by corrupting the information contained in the databases. By outlawing the use of personal laptops on the network, the policy strives to safeguard the integrity and safety of the database. The policy ensures that the management monitors the utilization of the network, thus finding effective ways of addressing the problems that arise naturally from the network. The policy limits the accessibility of the network, thus minimizing the security risks the network is likely to encounter.

Wireless LAN Security Policy

3. The wireless LAN is a preserve of the information system and the inherent computers among other devices only.

Unknown devices cannot access the network, with the security team ensuring that they place several security features including passwords and firewalls to discourage external devices from accessing the network. The policy seeks to enhance accountability for the use of the network. It ensures that specific computers, among other devices that constitute the information system, access the network while preventing foreign devices, thus minimizing external threats the network may face (Saeed & Pejas, 2005). The policy improves accountability since the security personnel will retain protocols to ensure that only computers that constitute the system access the network.

Backup Security Policy

4. The security personnel will install a system that backs up the database automatically to cyberspace.

Backup is a fundamental aspect of information systems. Backup plays an important role in ensuring that the hospital accesses its database even after the network faces such threats as virus attack and theft of the equipment. Backing up databases in cyberspace provides ease of access. The security team will regulate the accessibility of the backed-up database using passwords among other security features.
Cyberspace provides an element of limitlessness that makes it reliable in backing up large amounts of data. The universal accessibility of the database makes the backed-up copy useful for the various facilities of the hospital, since they would access it remotely.

Physical Security Policy

5. The data center, among other sensitive locations including the respective workstations throughout the hospital, will remain out of bounds for non-concerned individuals.

The physical security policy strives to minimize the risks of vandalism, theft and unauthorized access to the information system. The policy will ensure that security guards assess every individual seeking to access the data center with a view to ensuring that unauthorized personnel do not access the center. By limiting accessibility of the data center, the policy will save the database from vandals and thieves, among other individuals with malicious motives (Hawker, 2000). Additionally, the policy will ensure that doctors and nurses use passes to access the workstations and use their passwords to access the network as guards. Such basic security features will minimize the threats of vandalism and theft, among others.

Conclusion

New York Presbyterian Hospital has a functional information system. However, the system faces numerous challenges, including the lack of a comprehensive and consistent medium of communication. Furthermore, some departments use physical record keeping techniques, a feature that slows the functionality of the system. The system faces serious security threats arising from the structure of the network. Such threats include accidents, thefts, vandalism, fires and natural calamities that may cause the hospital to lose its vital records. The policy propositions above cover the various security threats to the network, thus enhancing its safety, integrity and functionality.
Successful implementation of the policies will create a reliable and safe system since the policies minimize the risks the network currently faces.

References

Dhillon, G. (2007). Principles of information systems security: Text and cases. Hoboken, NJ: Wiley.

Gibson, D. (2011). Managing risk in information systems. Sudbury, MA: Jones & Bartlett Learning.

Hawker, A. (2000). Security and control in information systems: A guide for business and accounting. New York: Psychology Press.

ICISS 2008, Sekar, R., & Pujari, A. K. (2008). Information systems security: 4th international conference, ICISS 2008, Hyderabad, India, December 16-20, 2008: Proceedings. Berlin: Springer.

Saeed, K., & Pejas, J. (2005). Information processing and security systems. Boston, MA: Springer Science+Business Media, Inc.