Information Security Management, Research Paper Example

Pages: 10

Words: 2846

Research Paper

Abstract

Information security management has become extremely prevalent as more and more of individuals' information and vital data is stored, transferred and used in information technology systems. With the ease of access to and use of personal information there is also a rise in the need for laws and regulations governing the use, access and security of that data. Accompanying the laws and regulations are specific techniques and best practices that can be implemented at each level of access to mitigate the risk of a security breach and provide control over the integrity of the information. Each area of information security has specific focal points for ensuring data security and includes risk mitigation as a keystone of data integrity.

Information Systems Security

Despite the increase in network and data center security with the most up-to-date and technologically advanced security modules, there is still the potential for a security breach posing a threat to the network. Criminals and other people with malicious cyber intent are constantly exploring and creating new ways to bypass or supersede security software in order to gain access to classified material such as banking information, personal data, competitors' intellectual property or other information that may provide a potential advantage or gain to the criminal. The potential loss of data integrity or corruption of personal medical information is a direct violation of HIPAA and requires a significantly higher level of security and awareness to ensure protection. Information security requires a high level of rigor regarding safeguarding the information, ensuring it is used appropriately and serves its intended purpose. To keep these key areas in focus, there are rules, policies, regulations and laws that support an environment capable of adequately safeguarding private information. Specific rules and regulations govern specific subject areas such as patient information, employee data, demographics, credit card data, social security numbers, financial information, research and development, intellectual property and disclosure options, to name a few (Cappelli, 2012). Data is a powerful tool and protecting that information is the responsibility of many parties. All the way from the individual making the transaction to the corporation that is utilizing that data to better serve its customers, each level must follow the regulations and comply with the laws governing information security. Attackers gain this information by taking advantage of potential weaknesses in the security systems through physical or opportunistic methods.

These losses could result in the loss of business-critical information or loss of a competitive advantage, both of which could negatively impact the company as a whole. Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminals and many more (Calder, 2008). This paper will highlight the implementation of the proposal for an ISO 27001 compliant information security management system (ISMS) for the pharmacy, in order to implement a standard that ensures confidentiality, availability and integrity of data. The focus is on mitigation by prevention, detection, correction or acceptance of the physical and logical vulnerabilities associated with networks and data.

The scope of an ISMS is defined in ISO 27001 as follows: "An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks" (Calder, 2008). An ISMS is part of a larger management system and can be implemented in one or more than one department. There are identified issues related to mismanagement of network, data, asset and database security. The data is synchronized on a daily basis from each outlet to the file server through the dedicated T1 connection. The pharmacy's data transfer server is the most crucial as far as both clients and the organization are concerned, as it contains all the medical data related to the pharmacy's operations as well as personal health records. The outlets are connected to the head office via a virtual private network. Coordination of each employee, whether internal staff or sales outlet staff, is conducted by emails relayed from the email server located at the head office (Calder, 2009). The ISMS is applicable to the head office servers for ensuring data security. The reason for implementing the ISMS on the servers is that both the organization and its clients are accessing information from these servers. If any threat or security breach is triggered on these servers, both the organization and its clients will suffer. The current scope does not protect the overall network. Moreover, the servers are vulnerable because there is no protection between the workstations and the wireless connectivity. In order to protect these servers from threats and vulnerabilities, deployment of a firewall is required and enforcement of the security policies is needed to ensure accountability.

Business Security Requirements

The business is designing the information security system based on five major elements: a firewall, Windows AD domain controllers, a file server, four desktop computers and a dedicated T1 connection. Below is a diagram of the pharmacy's setup.

Physical Vulnerabilities

The purpose of security is to protect the assets of the organization. Within the information security system there are five elements that could potentially cause risks to the system as a whole. The first line of physical risk includes the three desktop computers that are subject to physical access by anyone in the mall area. These computers are not secured behind any level of physical barrier, and anyone could gain physical access to them and potentially gain access to the file server and the other desktop computer held behind the cage. In order to mitigate this risk, the computers will need to be physically affixed to their docking locations with a locking mechanism, must be password protected to eliminate access risk and should be set up as virtual workstations so that they do not hold business-critical information on their local hard drives. These actions mitigate the risk in light of the potential for grievous damage to information and the probability of occurrence.

The next area of concern is physical access that disables communication over the T1 line. This could occur by physically cutting or damaging the T1 line. Since this is a single point of failure, the required action is to ensure that a backup plan to remedy the situation is in place. This is an inherent risk that will be accepted by the pharmacy. Since the pharmacy must have a dedicated line and cannot use the redundancy built into the other networks in the mall, the risk must be accepted and a backup plan for a return to service must be put in place.

Logical Security

The computers and network both have security risks that stem from weaknesses within the TCP/IP protocol suite, operating system vulnerabilities and network equipment issues. There are risks within HTTP, FTP and ICMP due to their inherent insecurities and vulnerabilities. The operating systems have security issues which hackers or other people with malicious intent could take advantage of to disrupt, destroy or steal vital information of the pharmacy. The network equipment such as the router, firewall and switches has weaknesses that must be protected through password protection, authentication procedures, secured routing protocols and closing gaps in the firewall rules. Within the network configuration there are also security issues: a misconfigured access list or default SNMP community strings could leave large security gaps in the system. Within the pharmacy's system all of these risks pose a threat, and a backdoor into the system opens yet another opportunity for unauthorized access to the information. In order to mitigate these risks, security patches, policies, procedures and access controls must be implemented and adhered to. This is vital for maintaining the integrity of the information. These threats must be mitigated in order to secure the information within the system. The way to do so is to utilize expertise in setting up the configuration, capability and security of the network, as well as to establish the policy for ensuring accountability for information security within the pharmacy.
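The configuration weaknesses named above (default SNMP community strings, an over-permissive access list, unencrypted passwords and cleartext management access) are the kind of thing a defender should be able to audit mechanically before a device goes into service. The following Python script is an added example, not part of the original paper and not the pharmacy's real configuration: it scans a constructed IOS-style configuration text for those weak settings and is shown beside a hardened version of the same configuration that passes every check. The check names, the sample device name and the addresses used are assumptions made for this example.

```python
"""Audit a constructed router configuration for the logical weaknesses the
paper names: default SNMP community strings, an over-permissive access list
and cleartext management access.  Example code only; the configuration text
and the check list below are constructed for demonstration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample configuration (IOS-style syntax), deliberately weak.
SAMPLE_CONFIG = """\
hostname pharmacy-rtr
no service password-encryption
snmp-server community public RO
snmp-server community private RW
access-list 101 permit ip any any
line vty 0 4
 transport input telnet
"""

# The same device with each weakness corrected (also constructed).
HARDENED_CONFIG = """\
hostname pharmacy-rtr
service password-encryption
enable secret 5 $1$placeholder$hash
snmp-server community Xk9wQ2v7 RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
access-list 101 deny ip any any log
line vty 0 4
 transport input ssh
"""

# Vendor default community strings that must never appear in production.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 means "whole file" (a required line is missing)
    check: str
    text: str


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per weak setting found in the configuration text."""
    findings: list[Finding] = []
    lines = config.splitlines()
    has_enable_secret = any(l.strip().startswith("enable secret") for l in lines)
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m:
            community, mode = m.group(1), m.group(2)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding(no, "snmp-default-community", line))
            if mode == "RW":   # write access lets a reader reconfigure the device
                findings.append(Finding(no, "snmp-write-access", line))
        if re.match(r"access-list \d+ permit ip any any$", line):
            findings.append(Finding(no, "acl-permit-any", line))
        if line == "no service password-encryption":
            findings.append(Finding(no, "cleartext-passwords", line))
        if re.match(r"transport input (telnet|all)", line):
            findings.append(Finding(no, "cleartext-management", line))
    if not has_enable_secret:
        findings.append(Finding(0, "missing-enable-secret", "<no 'enable secret' line>"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  line {f.line_no}: {f.check}: {f.text}")
```

Running the script reports seven findings for the weak configuration and none for the hardened one. The checks are string matches on one syntax family; a real audit would also validate the access list semantics, but the point here is that each policy statement in the text maps to a concrete, testable line in the device configuration.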

Physical and Logical Controls

The basic requirements for the business's security have been outlined in the previous section. In order to achieve these objectives it must first be fully understood where the company's current security stands in terms of maturity level. The Capability Maturity Model Integration, or CMMI, utilizes a process improvement method to iteratively increase the maturity of specific functions or systems within an organization. The CMMI follows a stair-step approach with five individual and distinct levels of maturity (CMUSEI 2011). The levels are initial, managed, defined, quantitatively managed and optimized. Each level has distinct goals and objectives to meet prior to reaching the next level, ultimately pushing the system into the optimized position for future process improvement. An organization can be appraised against CMMI, and from that appraisal a maturity rating of 1-5 is awarded. The lowest possible level is the initial phase. In this phase the processes are unpredictable and each section has little if any control over the process. Another key aspect of the initial phase is that all of the precautions and solutions generated by the company are reactive and become "fire drills" to quickly mitigate the issue at hand. While the CMMI appraisal does not guarantee solutions to the issues, it does provide a framework within which solutions can be created. There are specific process areas associated with the type of CMMI appraisal that is being performed (Zimmie 2004). The process areas are the areas that are covered within the organization's processes.

Forming an organizational information security system requires multiple layers of security to create a redundant and secure system. Each layer has its own unique strengths and weaknesses, and each layer complements the other layers' weaknesses with its own strengths and vice versa. This in essence creates a nearly impervious security system that negates risks to the network, information and other information technology systems. This umbrella of cohesive and conjunctive security layers provides the confidentiality of information, the integrity of the data and the ability for users to access the system as needed in a secure environment.

For the pharmacy to achieve the next level of maturity in its security based on the CMMI model, it must possess a specific level of maturity in multiple process areas. Transforming a company from CMMI level 1 to level 2 requires the structure and standard operating procedures of a best-practices framework (Chrissis, Konrad, and Shrum 2011). There are specific and generic goals associated with PMC (Project Monitoring and Control). The generic goals include building the organizational framework and business processes to promote and accept the process changes, while also building an institutionalized vision of what the corporation will look like and how it will behave after the implementation. These actions include defining certain processes, identifying the stakeholders, assigning accountable and responsible parties and implementing evaluation techniques for the process.

To ensure privacy protection, each of the risks can be examined and mitigated through evaluation and planning. Depending on the risk and its probability, different tactics can be implemented. Ensuring the privacy of the individual's data can occur on varying levels, from the individual to the information technology firm utilizing the data. There are two key components to information security. The first is the IT security that protects the data: the computer software and hardware that apply specific security measures to safeguard the personal information and data. The other pillar is information assurance: the measures put in place to ensure the data is not only protected but that the integrity of the information remains in its intended form. IT security and information assurance are coupled together to protect data and contribute to the usability and purpose of that information. Examples of privacy protection in the realm of IT security include anti-spyware, firewalls to prevent hacking into the corporation's information, and security settings using passwords to limit access.

The security policy would enable the pharmacy to follow a set of control policies, which gives a broad idea of how the organization should function on a daily basis. After the rules are implemented, they need to be reviewed periodically in order to keep up with the latest threats and vulnerabilities. The following are the guidelines that make up the security policy of the organization (Commerce, 2007):

  1. All data must be classified as confidential and must be managed using access rights.
  2. Any unauthorized software found on a system will be deleted with immediate effect.
  3. Internet access should be granted to selected authorized personnel only.
  4. Access to certain ports and the proxy must be granted to certain authorized people only, which helps to identify the individual if any damage or illegal activity is detected.
  5. Each employee's password must be 8 to 15 characters long and contain at least one capital letter, one special character and one number.
  6. Passwords expire every 3 months, and previous passwords may not be reused.
  7. It is mandatory that all workstations have an anti-virus and firewall system installed and operational.
  8. Workstations will have write protection enabled and will not allow any executable programs to run except the required software.
  9. A blacklist must be created so that any external IP address found trying to scan, penetrate or exploit the network is logged and blocked.
  10. All installation and maintenance of workstations must be performed by the system administrator only.
  11. If any problem is encountered in the network, a workstation or a server, it must be recorded and the risk treatment plan appropriate for that problem must be started.
  12. All kinds of removable media must be disabled to increase security and to prevent any unwanted software (viruses, spyware) from being installed on the local system and jeopardizing the entire network's security.
  13. The open wireless bridge must be closely monitored in order to stop any malicious activity and prevent any risk to the organization's network security.
  14. Every member of staff must be acquainted with the security policy and must keep in mind that any inappropriate activity will lead to severe penalties.
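Policy items 5 and 6 are the kind of rule that is only enforced if the system refuses a non-compliant password at the moment it is set. The Python module below is an added example, not part of the original paper or the pharmacy's system: it checks the complexity rules from item 5 exactly as stated (8 to 15 characters, at least one capital letter, one special character and one number), and implements item 6 by keeping only salted PBKDF2 hashes of previous passwords, so reuse can be rejected without ever storing a password in the clear. Interpreting "3 months" as 90 days, and the PBKDF2 parameters, are assumptions made for this example.

```python
"""Enforce the paper's password policy items 5 and 6.  Example code only: the
90-day expiry and the hashing parameters are assumptions for this example."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 8, 15          # item 5: "8 to 15 characters"
EXPIRY_DAYS = 90                  # item 6: "3 months", taken as 90 days (assumption)
SPECIALS = set(string.punctuation)  # what counts as a "special character" here
PBKDF2_ROUNDS = 100_000           # assumption; tune to the hardware in use


def complexity_violations(password: str) -> list[str]:
    """Return every item-5 rule the candidate breaks (empty list means compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in password):
        problems.append("needs at least one special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the history never holds a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    """Per-user state: (salt, hash) pairs for current and previous passwords."""
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    set_on: date | None = None

    def matches_previous(self, candidate: str) -> bool:
        # Constant-time comparison against every stored hash (item 6: no reuse).
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.history)

    def is_expired(self, today: date) -> bool:
        # A record with no password yet is treated as expired (must be set).
        return self.set_on is None or today - self.set_on >= timedelta(days=EXPIRY_DAYS)

    def change(self, new_password: str, today: date) -> list[str]:
        """Apply items 5 and 6; store the new hash only if every rule passes."""
        problems = complexity_violations(new_password)
        if self.matches_previous(new_password):
            problems.append("previous passwords may not be reused")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.set_on = today
        return []


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.change("Winter#2024", date(2012, 1, 1)))   # [] -> accepted
    print(rec.change("Winter#2024", date(2012, 4, 1)))   # reuse rejected
    print(rec.is_expired(date(2012, 3, 31)))             # True on day 90
```

The reuse check has to recompute the hash once per stored salt, so the cost grows with the length of the history; capping the history at the last few passwords is a reasonable refinement. Note that the 15-character upper bound comes straight from item 5, and a policy author would want to confirm that cap is intended, since it rules out longer passphrases.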

Security Policy Requirements

In order to create and maintain a security policy, the first step is to ensure that it is in line with current business requirements and processes. That being said, the policy must also be structured so that it can be enforced, with appropriate repercussions for violating it. This establishes the framework on which the policy sits and ensures that what is generated can actually be used for its intended purpose. This security policy will be developed from the requirements gathered from the multiple business units; in essence, gathering and utilizing those requirements creates a bond between the end users, leadership and the project team. The role of the policy is to influence people's actions as well as to guide them so that certain goals and objectives are attained. The influence is derived from management's support as well as end-user buy-in during the creation of the requirements. The business requirements are processed and formed into what can be used as a security policy. The security policy can be derived from the business requirements, but it will also need to work in conjunction with the business operations as a whole. Security of data, segregation of duties, role-based access control, data maintenance and availability, risk mitigation and contingency operations are all vital to the business and thus vital for the security policy.

References

Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002 (best practice). Van Haren Publishing.

Calder, A. (2008). ISO27001/ISO27002: A pocket guide. IT Governance Publishing.

Cappelli, P. (2012). How to get a job? Beat the machines. Time: Business & Money. Retrieved from http://business.time.com/2012/06/11/how-to-get-a-job-beat-the-machines/

Chrissis, M., Konrad, M., & Shrum, S. (2011). CMMI: Guidelines for process integration and product improvement. Addison-Wesley Professional.

Cooper, D. F., Grey, S., Raymond, G., & Walker, P. (2005). Project risk management guidelines: Managing risk in large projects and complex procurements. John Wiley & Sons.

Office of Government Commerce (OGC). (2007). Service design. The Stationery Office.

Start with security policies. (n.d.). Retrieved August 25, 2012, from http://www.altiusit.com/files/blog/StartWithSecurityPolicies.htm

Project Management Institute. (2008). A guide to the project management body of knowledge (4th ed.). Newtown Square, PA: Project Management Institute.

Zimmie, K. (2004). Secure and mature: Combining CMMI SCAMPI with an ISO/IEC 21827 (SSE-CMM) appraisal. Retrieved from http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf
