Standards and Legal Issues Essay
During a recent audit of the electronic health record (EHR) system, it was discovered that the system was vulnerable to threats, misuse, and theft because no security controls had been put in place before accounts were created. To help meet legal and industry standards, the company can implement ISO/IEC 27002, published by the International Organization for Standardization (ISO). The ISO/IEC 27002 security standard is an international standard created by the ISO to protect information in all its forms: data, documents, communications, conversations, messages, recordings, and photographs. ISO is the world’s largest developer of voluntary International Standards (ISO, 2012). The ISO has members from 164 countries and 3,335 technical bodies involved in the development of ISO standards. The ISO/IEC 27002 standard defines control policies that are critical to protecting information in the health, public, financial and IT sectors. Implementing the three policies below can help prevent future breaches and will help the company meet industry standards and legal requirements.
Users Account Policy:
All managers or department heads must submit a user account request form for each employee, contractor, and vendor to the IT Department. Each user will be issued a uniquely assigned user ID for authentication and accountability. Managers are to ensure that the level of access granted is based on the need to access that information to perform one’s job responsibilities. Managers must also notify the IT Department of any rotation of an employee’s job duties or of termination. The access rights of all employees, contractors and vendors to information systems will be removed upon termination of their employment.
Remote Access Policy:
All remote access will be accomplished via a secure method, i.e., strong authentication and encryption. Remote access sessions will time out after 30 minutes of inactivity, and will terminate after 8 hours of continuous connection. All computers and networks that are accessible by end users from external networks must maintain system logs that record the user’s identity and the activity performed. These logs must indicate the user, the time of day, the date, and other details associated with every connection. The logs will be retained for 30 days and will be reviewed by the network administrator on a weekly basis. An automated intrusion detection system will be in place to immediately inform the network administrator of any suspicious activity.
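The weekly log review this policy calls for can be partly automated. The following script is an added example and not part of the essay or of any ISO document: it reads a constructed, hypothetical remote access log (the line format, user names and session ids are invented for this illustration), groups entries by session, and flags sessions whose idle gaps exceed 30 minutes or whose total length exceeds 8 hours, lines that lack the required user, time, date and event fields, and sessions whose entries are older than the 30-day retention window and so should already have been purged. The thresholds are the policy's own values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy parameters taken from the remote access policy above.
IDLE_TIMEOUT = timedelta(minutes=30)
MAX_SESSION = timedelta(hours=8)
LOG_RETENTION = timedelta(days=30)

# Constructed sample log (hypothetical format, not from the essay):
# "<ISO-8601 timestamp> <user> <session-id> <event> [key=value ...]"
# Session s1 has a 50-minute idle gap, s2 lasts 9 hours, s3 is older
# than 30 days, and one line for s2 is missing its event field.
SAMPLE_LOG = """\
2012-06-01T08:00:00 alice s1 connect src=203.0.113.10
2012-06-01T08:10:00 alice s1 activity cmd=open-record
2012-06-01T09:00:00 alice s1 activity cmd=open-record
2012-06-01T09:05:00 alice s1 disconnect reason=user
2012-06-02T07:00:00 bob s2 connect src=198.51.100.7
2012-06-02T07:05:00 bob s2 activity cmd=open-record
2012-06-02T07:06:00 bob s2
2012-06-02T16:00:00 bob s2 disconnect reason=user
2012-05-01T10:00:00 carol s3 connect src=203.0.113.99
2012-05-01T10:20:00 carol s3 disconnect reason=user
"""


def parse_log(text):
    """Split the log into entries; lines missing any required field are reported as malformed."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:  # need timestamp, user, session id and event
            malformed.append(line)
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            malformed.append(line)
            continue
        entries.append({"time": when, "user": parts[1], "session": parts[2],
                        "event": parts[3], "details": parts[4:]})
    return entries, malformed


def check_sessions(entries):
    """Flag sessions whose idle gaps or total duration exceed the policy limits."""
    by_session = defaultdict(list)
    for entry in entries:
        by_session[(entry["user"], entry["session"])].append(entry)
    findings = []
    for (user, sid), events in sorted(by_session.items()):
        events.sort(key=lambda e: e["time"])
        gaps = [later["time"] - earlier["time"]
                for earlier, later in zip(events, events[1:])]
        if any(gap > IDLE_TIMEOUT for gap in gaps):
            findings.append((user, sid, "idle-gap-exceeded"))
        if events[-1]["time"] - events[0]["time"] > MAX_SESSION:
            findings.append((user, sid, "max-duration-exceeded"))
    return findings


def sessions_past_retention(entries, now):
    """Session ids whose newest entry is older than the retention window."""
    newest = {}
    for entry in entries:
        sid = entry["session"]
        newest[sid] = max(newest.get(sid, entry["time"]), entry["time"])
    cutoff = now - LOG_RETENTION
    return sorted(sid for sid, when in newest.items() if when < cutoff)


def review(text, now):
    """Produce the weekly review report for one log file."""
    entries, malformed = parse_log(text)
    return {
        "session_findings": check_sessions(entries),
        "past_retention": sessions_past_retention(entries, now),
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, datetime(2012, 6, 23))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each finding is a tuple rather than a printed line so the review can feed a ticket or an alert; a real deployment would read the log from the remote access gateway and pass the current time rather than a fixed date.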
Network System Changes Policy:
Changes to company networks include loading new software, changing network addresses, reconfiguring routers, adding dial-up lines, and the like, but exclude desktop changes. With the exception of emergency situations, all changes to the company networks must be documented in a work order request and must be approved in advance by the agency network administrator and/or the IT Department. Emergency changes to the company networks must only be made by persons who are authorized by the IT Department.
Organizational policies are created to ensure that organizations comply with laws and regulations. When an organization is compliant with these laws and regulations it is more likely to be successful. To be compliant, the organization must create documentation defining the procedures to be followed and the requirements to be met. Creating the user access policy will guarantee that the objective listed in ISO/IEC 17799:2005, to ensure authorized user access and to prevent unauthorized access to information systems (ISO/IEC, 2005), is met. This policy will allow users to be monitored and will prevent them from gaining unauthorized access to sensitive information. These steps are required to meet section 11.2.2 of the ISO/IEC 17799:2005 implementation guidance recommendations. The remote access policy set in place will protect the company from security breaches by ensuring that the Network access control section of ISO/IEC 17799:2005 is followed.
The objective of this section is to prevent unauthorized access to networked services (ISO/IEC, 2005). Following section 10.6 of ISO/IEC 17799:2005 ensures the protection of the organization’s information by controlling the access time of end users. Adding authentication and encryption helps safeguard the confidentiality and integrity of data passing over public networks or over wireless networks (ISO/IEC, 2005). Increasing the retention of system logs will give network administrators a greater ability to detect attempted use by any unauthorized user, which will also prevent a breach of the company’s security.
Finally, enforcing the network system changes policy in accordance with the ISO/IEC 17799:2005 section 11.5 objective to prevent unauthorized access to operating systems (ISO/IEC, 2005) will help protect the organization from security breaches. Following this policy will introduce monitoring of all network changes, which will protect the organization’s network infrastructure. This policy prevents the unauthorized installation of packet sniffers and malicious bots from harming the network. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other similar problems. Initiating these policies will eliminate security breach risks to the organization, while bringing it into compliance with the laws and regulations that apply.
ISO/IEC 17799:2005. Code of practice for information security management. Retrieved June 23, 2012, from https://www.iso.org
International Organization for Standardization. (2012). Retrieved June 23, 2012, from http://www.iso.org/iso/home/about.htm