Saturday, December 7, 2019

Medical Imaging and Technology Alliance

Question: Discuss the Medical Imaging and Technology Alliance.

Answer:

Introduction

Information security involves the protection of information systems against security threats. Threats either deliberately or accidentally cause harm to information systems. Deliberate actions affecting security are usually aimed at attacking information assets; other security implications are not intended but arise accidentally from human actions or other events. This research paper explores the various types of accidental and deliberate threats that the Victorian government is likely to face. The government has developed the Victorian Protective Data Security Framework (VPDSF) for the protection of data security; it defines security standards, an assurance model, security guides and supporting resources. The objectives of the framework include identification of information and determination of its owner, assessment of the value of that information, identification and management of data risks, application of security measures, creation of a security culture, and maturing of data security capabilities. Risks can be business-specific, legal, technology-related or technical. For any type of risk, the question to ask is whether the risk can be fixed with the technology already acquired; where it cannot, appropriate steps have to be taken to enhance protection.

Comparative analysis of threats

Threats can be either accidental or deliberate. Accidental threats are caused by users or situations that unintentionally put information systems at risk. Some examples of accidental threats include:

- Natural disasters such as earthquakes, hurricanes, tornadoes and cyclones, which damage infrastructure and thus cause loss of data
- Technical failures caused by the breakdown of hardware
- Errors or mistakes made by humans, such as loss of devices, opening of emails from unknown sources, lowering of security levels, and downloading of unsafe files
Some people may end up using social engineering to trick others into providing confidential information. This may not be a deliberate attempt to cause harm, but it does pose a risk to the person whose data is revealed (AlKalbani, Deng & Kam, 2015). Certain ways these accidental threats can be avoided, or their impacts mitigated, include:

- Any changes made to the critical data of an organization must be monitored, and permission to access or modify the data should rest only with specific designated people. User manuals can be developed for controlling access.
- All printouts obtained for management must be shredded after use.
- People with different job functions should have different levels of access to information. For example, a programmer need not be given access to the storage systems.
- Data exchanged online can be encrypted (S, 2016).
- IT auditors may be hired to check whether the company's systems are secure, so that their guidance can help improve the company's security.
- Transaction logs of usage can be stored to check who has used or seen which programs in the system (Anderson, 1994).

Deliberate threats are those intended to cause security harm to a system. They take various forms, such as espionage, extortion, sabotage, data theft, and software attacks such as Trojans, viruses, worms, denial of service, phishing, key loggers, spyware, malware and spam.

The risk rating model is based on the likelihood of a risk occurring and its impact on an organization. Determining the factors that produce these ratings can be broken down into steps: risk identification, likelihood estimation, impact estimation, determination of the severity of the risk, deciding what to fix, and customizing the risk model accordingly (Brey, 2007).

Risk identification: The first step in risk ranking is risk identification.
In the case of the Victorian government, the risks that can occur include:

- Power failure
- Network failure or errors
- Technology obsolescence
- Hardware failure or errors
- Operational issues
- Communication interception
- Repudiation
- Espionage
- Infiltration
- Social engineering
- Technical failures
- Data theft
- Misuse of resources (CGI, 2013)
- Staff shortage
- Unauthorized communication
- User errors
- Sabotage
- Quality deviations
- Environmental threats
- Intellectual property compromise (ESET, 2016)
- Incomplete or missing data
- Faulty planning
- Financial fraud
- Equipment theft
- Terrorism
- Natural disasters (Shahri & Ismail, 2012)

In the next step, likelihood is estimated: the probability that a vulnerability in the information system would be exploited by an attacker. A set of threat-agent factors and vulnerability factors is used for this calculation, each factor being given a rating between 0 and 9. Threat-agent factors include the skill level of the threat agents, the motive for the attack, the resources and opportunity required, and the size of the threat group. Vulnerability factors include the ease of discovering the vulnerability, the ease of exploiting it, the agent's awareness of the vulnerability, and the likelihood of an exploit being detected (CenturyLink Solutions Consulting, 2014).

After estimating likelihood, the impact factors are also rated on a scale of 0 to 9. These include technical impacts (loss of confidentiality, integrity, availability and accountability) and business impacts (financial damage, reputation damage, non-compliance and privacy violation) (Engine Yard, Inc., 2014). The likelihood of occurrence and the impact factors are put together to assess the severity of the risk, which can be low, medium, high or critical. Based on this severity, risks are categorized and prioritized for resolution (Chen & Zhao, 2012). Risk severity can be:

- Low: when likelihood is medium and impact is low, or when likelihood is low and impact is medium.
- Medium: when likelihood is low and impact is high, when both are medium, or when likelihood is high and impact is low.
- High: when likelihood is medium and impact is high, or when likelihood is high and impact is medium.
- Critical: when both likelihood and impact are high (Gopinath, 2011).

Risks are fixed in the order of this categorization: critical first, then high, medium and lastly low. Based on these factors, the risk model of the Victorian Government can be modified by adding certain factors, tuning the model to the risks, and customizing testing options. The table below presents the calculation of all the risk factors and the overall risk ranking for each identified risk in the case of Victoria.

As the table above shows, the risks can be categorized into critical, high, medium and low. Terrorism is found to be a critical risk, while sabotage is a high risk. Most other risks showed a medium level of severity, except a few that were low, including operational issues, user errors, environmental threats and natural disasters. Operational issues may not directly affect the security posture of the company if security management is outsourced (TrustSphere, 2012). User errors could be minor errors made by customers of the company; these can be handled by exceptions or easily mitigated. Environmental threats and natural calamities may not have a direct impact on the company's information system unless physical damage happens to the data, in which case a backup can be obtained from the disaster recovery system, thereby resolving the risk impact on the company and leaving the security posture of the Victorian government unaffected (Shahri & Ismail, 2012).
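As an added illustration of the rating model described above (this is example code written for this page, not code from the essay or from the VPDSF), the following Python scores risks from 0-9 factor ratings and applies the likelihood/impact severity matrix exactly as stated. The band thresholds for a 0-9 average (below 3 low, below 6 medium, otherwise high), the (low, low) cell and the sample ratings are assumptions, since the text gives none of them.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Tuple


def level(score: float) -> str:
    """Bucket a 0-9 average rating; thresholds are assumed (OWASP-style)."""
    return "low" if score < 3 else "medium" if score < 6 else "high"


# (likelihood, impact) -> severity, exactly as the essay states it.
# The (low, low) cell is not listed in the text and is assumed to be low.
SEVERITY = {
    ("low", "low"): "low", ("medium", "low"): "low", ("low", "medium"): "low",
    ("low", "high"): "medium", ("medium", "medium"): "medium",
    ("high", "low"): "medium",
    ("medium", "high"): "high", ("high", "medium"): "high",
    ("high", "high"): "critical",
}
PRIORITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # order of fixing


def check(label: str, ratings: List[int], n: int) -> None:
    """Every factor must be present and rated on the 0-9 scale."""
    if len(ratings) != n or any(not 0 <= r <= 9 for r in ratings):
        raise ValueError(f"{label}: need {n} ratings in 0..9, got {ratings}")


@dataclass
class Risk:
    name: str
    agent: List[int]      # threat agent: skill, motive, opportunity, size
    vuln: List[int]       # ease of discovery, ease of exploit, awareness, detection
    technical: List[int]  # loss of confidentiality, integrity, availability, accountability
    business: List[int]   # financial, reputation, non-compliance, privacy

    def __post_init__(self) -> None:
        for label, vals in (("agent", self.agent), ("vuln", self.vuln),
                            ("technical", self.technical), ("business", self.business)):
            check(f"{self.name}/{label}", vals, 4)

    def likelihood(self) -> float:
        return mean(self.agent + self.vuln)

    def impact(self) -> float:
        return mean(self.technical + self.business)

    def severity(self) -> str:
        return SEVERITY[(level(self.likelihood()), level(self.impact()))]


def rank(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Order risks for resolution: critical first, then high, medium, low."""
    return sorted(((r.name, r.severity()) for r in risks),
                  key=lambda item: PRIORITY[item[1]])


# Constructed sample ratings (not from the essay's table) for four of its risks.
SAMPLE = [
    Risk("Terrorism", [8, 9, 7, 6], [6, 7, 6, 7], [9, 9, 9, 7], [9, 9, 8, 8]),
    Risk("Sabotage", [6, 7, 5, 4], [5, 5, 4, 5], [7, 8, 8, 6], [7, 7, 6, 6]),
    Risk("Natural disasters", [1, 0, 2, 1], [2, 1, 1, 2], [2, 3, 5, 3], [4, 3, 2, 2]),
    Risk("Operational issues", [4, 3, 4, 5], [5, 4, 3, 4], [2, 2, 3, 1], [2, 2, 1, 1]),
]
```

Calling `rank(SAMPLE)` yields terrorism as critical and sabotage as high, with the two low-severity risks last, matching the ordering the essay describes.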
Challenges of the security/risk management approach

Risk management or security management can be established internally, by developing and using internal governance procedures and security policies, or it can be outsourced to a third-party security service provider. Initially, organizations used to establish their own security systems, but over the past decade many have been outsourcing security management to third-party contractors. There are two key reasons behind this change (MYOB, 2016):

- With increasing competition, it becomes imperative for an organization's employees to focus on their core work. Security management is a non-core support function and can thus be outsourced to security experts, while the company's internal employees focus only on the core systems (Hu, Hart & Cooke, 2007).
- Because threats are increasing and growing more sophisticated day by day, the costs of establishing and updating security systems have risen drastically. Moreover, many areas of work carry hidden costs for protecting personnel and information resources from security threats (Chen, Longstaff & Carley, 2004).

However, some concerns create challenges when deciding whether to outsource security operations. Security directors of organizations are highly concerned about outsourcing because the organization would then have less control over its security program. Organizations would have to do an extensive background check on the security service provider before putting the system under its control. Nevertheless, organizations are looking at outsourcing as an option, as it can help a company improve its security posture (HP Enterprise, 2015).

There are certain advantages of using a contract arrangement for security management, such as:

- Reduced overheads on office, administrative and operational costs
- Increased efficiency and productivity of the security systems, with the contractor focusing on security as a core function
- Access to the benefits a supplier of security services may have, such as experience with best practices, professional training, screening of professionals, payroll management, operations, and so on
- More flexibility to change the security posture as business conditions require (MYOB, 2016)
- Sharing of risks and liability, as multiple companies may be using the same systems, so that finding solutions attracts a combined effort
- The ability to leverage the expertise, resources and experience of the service provider
- Reduction of the cost that would otherwise be incurred in establishing the organization's own security infrastructure (MYOB, 2016)

Risk and uncertainty

Uncertainty is a potential outcome that is unpredictable and uncontrollable, while risk occurs when actions are taken despite the uncertainty of their outcome. Risk is a situation in which there is a possibility of a loss as an outcome, while uncertainty is a situation in which the outcome is not clear. The comparison between the two can be made clear using the table below:

Table B: Uncertainty vs Risk (NIST, 2014)

Basis of comparison | Uncertainty | Risk
Meaning | Situation where the outcome cannot be predicted | Probability that the outcome would be a loss or a victory
Outcome | Unknown | Known
Probabilities | Assigned | Not assigned
Ascertainment | Cannot measure | Can measure
Minimization | No | Yes
Control | Cannot be controlled | Can be controlled (Xero, 2016)

A risk can be systematic, such as market and inflation risks, or unsystematic, such as business or financial risk (NIST, 2014).
Risk control and mitigation

For controlling and mitigating risks, the security data framework of VIC can be used. For controlling risks, preventive measures can be taken using the guidelines in the security protocols defined in the framework. This includes:

- Study of evolving security risks in information systems and updating the security framework accordingly
- Recording of identified risks in the risk register
- Monitoring and reviewing of all the risks recorded in the register
- Implementation of the security requirements in the organization's policies and procedures, access management system, business continuity management, contract services, service agreements, sharing practices, personnel management, ICT management, and physical management (Cisco, 2013)
- Embedding security functions in the routine functions and activities of the organization
- Identification and enforcement of the security obligations of all the people in the company
- Monitoring and review of all security requirements to identify possibilities for improvement or updating (OECD, 2008)
- Creating an awareness program and providing security training to personnel
- Implementation, monitoring and review of an incident management system
- Conducting an annual assessment of security compliance for review (DHS, 2009)

The response to and mitigation of the risks would be decided based on the severity of each risk. Risks that are critical or high impact must be avoided, but in case they still occur, immediate action has to be taken on priority. In the case of VIC, terrorism and sabotage fall in the critical and high risk categories; they have to be avoided, which may not be possible, so if such a situation occurs, immediate action would be warranted. For risks of medium severity, a mitigation plan for reducing the impact of the risk on the organization's security posture can be adopted. Low severity risks can be avoided without any advance action, but if they occur, a decision can be taken on whether to accept them or mitigate their impacts, depending on the actual severity rating of the risk identified (Security Awareness Program Special Interest Group, 2014).

Recommendations

Based on the study of the risks and uncertainties that the VIC organization is likely to face while managing its security framework, certain recommendations can be made for enhancing its security posture:

- The company can outsource its security and risk management to a third party, which would save on the cost of security personnel and management as well as provide access to the expertise of a security consultancy.
- The company can provide staff training on the security framework and on unintentional risks, so that the probability of such risks is reduced through increased awareness among the staff.
- The company should keep its security systems updated with the latest developments so that the latest threats can be tackled; a security audit can be conducted yearly to identify loopholes for updating.
- Regular monitoring of the security systems and the risk register must be done to ensure that the security systems are working as expected and that any problems can be resolved fast.
- A number of different factors can be used to assess each type of risk so that its severity is known and a plan for managing it, including mitigation and control strategies, can be made.
- Risks of medium severity must be avoided by implementing appropriate control procedures, but if they are still not prevented, mitigation actions can be taken based on the level of severity, with high severity risks tackled on priority.
- The company should create a culture of security by embedding security considerations in all its operations, so that security risks are prevented rather than mitigated, leaving the company with a lower probability of facing any major problems.

Conclusion

This paper was written to explore the current security posture of VIC by studying the security framework implemented in the organization. The paper explored the ideas of unintended risks, deliberate risks, and uncertainties. It also identified the various types of security risk the company can face and ranked them based on the severity of each risk. It was found that a number of likelihood-forming factors contribute to the severity of a risk: threat-agent factors such as the skill, motivation, opportunity and size of the threat agent, and vulnerability factors such as ease of discovery or exploitation, user awareness, and intrusion detection capabilities. Some impact factors were also identified, including technical impact factors such as loss of confidentiality, integrity, availability or accountability and business impact factors such as financial damage, reputation damage, non-compliance and privacy violation. Based on the insights obtained in the study, certain recommendations were made for VIC, such as embedding security considerations in all business processes and outsourcing security and risk management to a third-party service provider.

References

AlKalbani, A., Deng, H., & Kam, B. (2015). Organizational Security Culture and Information Security Compliance for E-government Development: The Moderating Effect of Social Pressure. RMIT University.
Anderson, R. J. (1994). Liability and Computer Security: Nine Principles. CL.
Brey, P. (2007). Ethical Aspects of Information Security and Privacy. Springer Berlin Heidelberg.
CenturyLink Solutions Consulting. (2014). CenturyLink Assessments: Security, Infrastructure and Disaster Recovery. CenturyLink Technology Solutions.
CGI. (2013). Developing a Framework to Improve Critical Infrastructure Cybersecurity. CGI.
Chen, D., & Zhao, H. (2012). Data Security and Privacy Protection Issues in Cloud Computing. Shenyang, China: International Conference on Computer Science and Electronics Engineering.
Chen, L.-C., Longstaff, T. A., & Carley, K. M. (2004). The Economic Incentives of Providing Network Security Services on the Internet Infrastructure. Carnegie Mellon University.
Cisco. (2013). Australian Government Cyber Security Review. Cisco.
DHS. (2009). A Roadmap for Cybersecurity Research. DHS.
Engine Yard, Inc. (2014). Security, Risk, and Compliance. Engine Yard.
ESET. (2016). Trends 2016: (In)Security Everywhere. ESET.
Gopinath, S. (2011). Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds. Mumbai: Reserve Bank of India.
HP Enterprise. (2015). Cybersecurity Challenges, Risks, Trends, and Impacts: Survey Findings. MIT.
Hu, Q., Hart, P., & Cooke, D. (2007). The role of external and internal influences on information systems security: a neo-institutional perspective. Journal of Strategic Information Systems, 16, 153-172.
IBM Global Technology Services. (2011). Security and high availability in cloud computing environments. IBM Corporation.
ISC. (2010). The Pursuit of Integrity, Honor and Trust in Information Security. ISC.
James, C. (2016). Cyber Security Threats, Challenges and Opportunities. ACS.
JIRA Security and Privacy Committee (SPC). (2007). Information Security Risk Management for Healthcare Systems. MITA (Medical Imaging Technology Alliance).
Jurimae, T. (2010). Risk management in the procurement of innovation: Concepts and empirical evidence in the European Union. European Commission.
Khan, R., & Wanner, R. (2010). Practical Approaches to Organizational Information Security Management. SANS Institute.
MYOB. (2016, September 13). Company file security. Retrieved from MYOB:
MYOB. (2016, September 13). Protecting your confidential information. Retrieved from MYOB:
NIST. (2014). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
OECD. (2008). Malicious Software (Malware): A Security Threat to Internet Economy. OECD.
S, S. (2016). Difference Between Risk and Uncertainty. Keydifferences.
Security Awareness Program Special Interest Group. (2014). Best Practices for Implementing a Security Awareness Program. PCI.
Shahri, A. B., & Ismail, Z. (2012). A Tree Model for Identification of Threats as the First Stage of Risk Assessment in HIS. Journal of Information Security, 3, 169-176.
TrustSphere. (2012). Advanced Security Methods for eFraud and Messaging. TrustSphere.
Xero. (2016, September 13). Your data is safe with multiple layers of security. Retrieved from Xero:
