Class: Electronic Data Security Assignment: Security Policies of a Specific Facility Note: This a paper instead of a work policy and procedure. TIP: For the written assignment Security Policies of a S

Week 10 Assignment, Rubric, and Lesson Content

Class: Electronic Data Security

Assignment: Security Policies of a Specific Facility

Note: This is a paper, not a working policy and procedure document.

TIP: For the written assignment Security Policies of a Specific Facility, you will find these in Chapter 12 of your textbook reading. There is a bulleted list of the 10 major sections of the ISO 17799 standard, followed by 2 more bullet points that bring the total to 12 major sections for ISO/IEC 27002, so look at those to decide which 10 you will pick. The explanations of each of these categories in your text are rather brief, so you will need to do a little more research to expand on them. (This information is also found under Lesson Content below.)

Consider the information security needs of a group physician practice. Not only must HIPAA regulations be met, but the business needs of the practice as a business must be protected.

Requirements:

Prepare in outline form a summary of IT security policies for this practice:

  • Identify at least 10 security policy categories that should be included in a security policy manual for the group physician practice.

  • Write one brief paragraph per category (10 paragraphs in all) explaining the need for that type of policy.

  • Do not write the policy statements themselves. Instead ensure that the scope of policy categories included is comprehensive.

Your paper should:

  • be 1-2 pages in length, double-spaced,

  • be free of spelling, grammar, and punctuation errors, and use APA format with in-text citations.

Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.

Save your assignment as a Microsoft Word document.


Rubric:

Written Assignment: Security Policies of a Specific Facility

Criteria (Points)

  • Identified at least 10 security policies that should be included in a security policy manual for a group physician practice (see the TIP above for help with this). (15)

  • Wrote one brief paragraph per category (10 security policies) explaining the need for this type of policy. (15)

  • Free of spelling, grammar, and punctuation errors, and in APA format with in-text citations. (5)

Total: 35


Lesson Content:

ISO 17799 (Withdrawn)

ISO 17799 is a former international security standard that has been withdrawn. It wasn't withdrawn because anything was wrong with it. In fact, it was so well received and successful that it was completely updated and turned into a new standard with a new name, which you will learn about in the next section. Because ISO 17799's original form was such an important information security standard, it is important to understand it. The standard documents a comprehensive set of controls that represent best practices in information systems. It actually consists of two separate parts:

  • The ISO 17799 code of practice

  • The BS 7799-2 specification for an information security management system (ISMS)

The main purpose of the standard is to identify the security controls needed for information systems in business environments. It originally appeared as the "DTI Code of Practice" in Britain and was later renamed BS 7799. It did not gain wide international popularity at first because of its inflexibility and overly simplistic approach to controls. Version 2 was released in 1999 to address those weaknesses, and the standard was then submitted to ISO for accreditation and publication. ISO published it as ISO 17799 in 2000.

Interest in the standard grew quickly. Several companies began providing tools and services to help implement ISO 17799, and it soon became the predominant information security standard. ISO 17799 gave many organizations a framework on which to build their security policy. Full compliance with the standard quickly became a goal, and also a differentiator among competitors: it enabled potential customers to evaluate organizations on their efforts toward securing data.

The ISO divides the standard into 10 major sections:

  • Security Policy—A statement of management direction.

  • Security Organization—Governance of information security, or how information security should be enforced.

  • Asset Classification and Control—Procedures to classify and manage information assets.

  • Personnel Security—Guidance for security controls that protect and limit personnel.

  • Physical and Environmental Security—Protection of computer facilities.

  • Communications and Operations Management—Managing technical security controls in systems and networks.

  • Access Control—Controls that limit access rights to network resources, applications, functions, and data.

  • System Development and Maintenance—Guidelines for designing and incorporating security into applications.

  • Business Continuity Management—Protecting, maintaining, and recovering business-critical processes and systems.

  • Compliance—Ensuring conformance with information security policies, standards, laws, and regulations.

A newer standard, ISO/IEC 27002, has superseded ISO 17799. It provides a generic information security standard accessible to all organizations, regardless of size, industry, or location. Although ISO/IEC 27002 replaced the withdrawn ISO 17799, you will still see references to ISO 17799 as a leading information security standard.

ISO/IEC 27002

ISO/IEC 27002 appeared in 2005 as an update to the ISO 17799 standard. Originally published as ISO/IEC 17799:2005, it was renumbered ISO/IEC 27002:2005 in 2007 to conform to the naming convention used by the other 27000-series ISO/IEC standards. The ISO/IEC 27000 series is a growing family of general information security standards. The full title of ISO/IEC 27002 is "Information technology. Security techniques. Code of practice for information security management."

Like its predecessor, ISO/IEC 27002 provides organizations with best-practice recommendations on information security management. The standard directs its recommendations to the management and security personnel responsible for information security management systems. The standard frames information security in terms of the CIA triad:

  • Confidentiality—Ensuring only authorized users, and no one else, can access data.

  • Integrity—Ensuring only authorized users, and no one else, can modify data.

  • Availability—Ensuring that authorized users have access to information when it is requested.

ISO/IEC 27002 expands on its predecessor by adding two new sections and reorganizing several others. The ISO divides the new standard into 12 major sections:

  • Risk Assessment—Formal methods of identifying and classifying risks.

  • Security Policy—A statement of management direction.

  • Organization of Information Security—Governance of information security, or how information security should be enforced.

  • Asset Management—Procedures to acquire, classify, and manage information assets.

  • Human Resources Security—Security guidelines for personnel joining, leaving, or moving within an organization.

  • Physical and Environmental Security—Protection of computer facilities.

  • Communications and Operations Management—Managing technical security controls in systems and networks.

  • Access Control—Controls that limit access rights to network resources, applications, functions, and data.

  • Information Systems Acquisition, Development, and Maintenance—Guidelines for designing and incorporating security into applications.

  • Information Security Incident Management—Anticipating and responding appropriately to information security breaches.

  • Business Continuity Management—Protecting, maintaining, and recovering business-critical processes and systems.

  • Compliance—Ensuring conformance with information security policies, standards, laws, and regulations.

The standard specifies and outlines the recommended security controls within each section. These controls are widely regarded as best practices, and each one is a method of achieving the objective of its section. ISO/IEC 27002 also provides implementation guidance for each recommended control.

NOTE: You can find more information about ISO/IEC 27002 at the official ISO website, www.iso.org/iso/catalogue_detail?csnumber=50297.

IT Security Policy in Healthcare

Secure Information Technology Environment

A secure information technology environment is critical to every organization for the following reasons:

  • Security supports availability: the most visible consequence of a security incident is usually that a service becomes unavailable.

  • A secured environment promotes trust among customers and staff alike.

  • Security policies reinforce best practices for communication and managing client data.

  • Information technology resources that are audited and updated to comply with security policies often perform better as a result of those improvements.

In order to achieve these results and comply with HIPAA regulations, each healthcare organization must draft, publish, and regularly update its security policies. The initial motivation may be the mandate to comply with HIPAA, but if security policy authorship becomes a routine business process, the positive outcomes will visibly benefit the organization.


Stakeholders

To make IT security policy authorship a routine, it is first important to identify the staff who will contribute to the initiative. Stakeholders from throughout the organization should be involved, including customers if possible. By including input from the administration, the staff, and the customers alike, it is much more likely that policies will become valuable guides to doing business rather than stale statements of what not to do. Consider a policy committee made up of three administrators, three staff members, and three non-employees.

This committee should meet regularly in order to:

  • Gather information about changes to regulations and compliance standards.

  • Review incidents that relate to current policies.

  • Analyze feedback regarding existing policies.

  • Draft new policies or revisions to current ones.

  • Plan ways to communicate policies, including signage, publication, and training.

Such a committee can be a very effective means of maintaining relevant, well-chosen IT security policies. However, because security policies must be enforced, each organization will have its own process for approving and implementing the policies the committee prepares. In some cases the approving authority may be the Chief Information Officer or the Director of IT, but more often than not it will be the Board of Directors or the CEO.