To make improvements of medical grants utilizing research that is federally funded.
2. Distribute a variety of medical grants to mostly small hospitals.

The HBWC will be implementing an ISMS plan to facilitate these business objectives in a more secure manner. Incorporating an ISMS plan will give executive-level employees the ability to determine problem areas in the organization's infrastructure that could be preventing the Healthy Body Wellness Center from providing as much support for small hospitals as possible.
The ISMS plan will also ensure that the financial information passed between hospitals is kept secure and that outside organizations do not have access to the financial data of competing hospitals. To help coordinate the grants to various hospitals, the Healthy Body Wellness Center is implementing a Small Hospital Grant Tracking System (SHGTS). The SHGTS will be used to track the small grants to a hospital for one month. Utilizing this tool, the Healthy Body Wellness Center will be able to effectively rotate funds to multiple hospitals without allocating excess funds to certain hospitals.
The Healthy Body Wellness Center will need to have an ISMS plan set in place to help support the security principles that the organization is currently lacking. Some of those gaps are:
1. The accounts of SHGTS users who no longer require access may not be deleted immediately from the system.
2. A system security plan (SSP) has not been developed for the SHGTS.
3. A disaster recovery plan (DRP) has not been developed for the SHGTS.
4. There are no sign-in logs for visitors accessing the computer room.
5. Passwords on the grants server are not required to be changed at least every ninety days.
6. There is no limit to the number of invalid access attempts that may occur for a given user.
7. Null session login may be possible.

Currently, the guiding security principles of the organization are extremely lacking. The Healthy Body Wellness Center does not have a strong security posture in place. There are multiple security holes present that need to be addressed in order to deploy the new SHGTS system.
The Healthy Body Wellness Center should immediately consider how it will meet the standards of the traditional view of the information security industry, which includes the three cornerstones of information security: confidentiality, integrity, and availability, also known as the CIA of information security (Arnason and Willett 2007). The HBWC will need to establish some processes immediately that will help control the information and limit the amount of access that people have to it. The first thing that the HBWC will need to remember is that security is a process, not the end goal (Arnason and Willett 2007).
When an efficient ISMS is in place, management will be able to monitor protocols and control security while reducing business risks. Probably the main issue that the HBWC will need to address is access control. Currently there are no sign-in logs for visitors to the computer room at the center. There needs to be some form of access control that admits only visitors who have provided verified contact information (who they are, phone number, address, etc.) so that the organization can get hold of the visitor should an event occur. This will also allow for proper logging of user activity.
Secondly, administrative passwords should not only be changed periodically; they should also include special characters and have a minimum length so that the password is complex enough to withstand password-cracking software. Accounts on the system should be deleted once a person no longer requires access, and invalid login attempts should be limited to a maximum number (five) before access to the system is blocked entirely and an engineer is needed to unlock the account. Most importantly, a disaster recovery plan needs to be implemented in the event that a system does go down.
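As an added illustration of the account controls discussed above (the stale-account, ninety-day rotation and invalid-attempt gaps in the list, and the remediation in this paragraph), not code from the HBWC plan: a small Python model of the policy. The page fixes only the five-attempt limit and the ninety-day rotation; the 12-character minimum, the salted-hash storage and the integer day-number clock are assumptions made here.

```python
import hashlib
import hmac
import os
import re

MAX_ATTEMPTS = 5            # page: five invalid attempts, then the account is blocked
MAX_PASSWORD_AGE_DAYS = 90  # page: change at least every ninety days
MIN_LENGTH = 12             # assumed minimum length; the page gives no number

def hash_password(password, salt):
    # Salted PBKDF2 so the stored value is never the plaintext password (assumed choice)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_is_complex(password):
    """Page requirements: a minimum length and at least one special character."""
    return len(password) >= MIN_LENGTH and re.search(r"[^A-Za-z0-9]", password) is not None

class Account:
    def __init__(self, username, password, set_on_day):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.set_on_day = set_on_day   # day number on which the password was last set
        self.failed_attempts = 0
        self.locked = False

def attempt_login(acct, supplied, today):
    """Return 'ok', 'denied', 'locked' or 'password_expired'.
    A locked account stays locked even when the correct password is supplied."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(acct.digest, hash_password(supplied, acct.salt)):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True         # only unlock_by_engineer() clears this
            return "locked"
        return "denied"
    acct.failed_attempts = 0           # a successful login resets the counter
    if today - acct.set_on_day >= MAX_PASSWORD_AGE_DAYS:
        return "password_expired"      # correct password, but a change is overdue
    return "ok"

def unlock_by_engineer(acct):
    """The manual unlock step the page requires after the fifth invalid attempt."""
    acct.locked = False
    acct.failed_attempts = 0
```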
The organization needs to be able to recover from a system failure and continue normal business operations as quickly as possible. Network logging will also be important to trace the events that lead to a network outage or security event. Since the HBWC will be implementing a computer-based tool to secure communications between hospitals, it should implement the following types of information systems within its IT infrastructure:
1. Firewall
2. Switch
3. Database
4. IDS
5. Servers

The organization needs those systems in place because they will help enable the information to be collected securely and backed up properly.
A database should be used to back up all of the information that is collected by the organization. Should a system fail, the database will be able to restore all of the information. The firewalls and IDS will help keep a user from placing malicious software on a system or network, and in the event that a system is infected with a virus, its beaconing to other systems on the network, or to other systems across the internet, can be blocked with a firewall and IDS in place. The firewalls will also provide logging of network events. Servers will allow the organization to separate multiple computer systems to perform specific tasks.
The IT infrastructure will consist of an internal LAN that is all wired locally, with a separate server allowing remote authentication. The data will flow into the network as follows:
1. The data will go to the firewall.
   a. The firewall: all requests and responses will be recorded for reference. The firewall will also be useful in web behavior monitoring and filtering. The firewall can block accidental connections established to networks with Trojans.
2. If the traffic is allowed, it will be passed to the IDS.
   a. The IDS will inspect every HTTP request in the traffic. It will monitor the outbound traffic to the internet as well, which will enable the organization to inspect internal web browsing activities. All data that is not dropped by the IDS will be sent to the database for backup in the event of a system outage, as well as routed to the intended host.
3. The data will be passed from the intended host back to the IDS and then through the firewall, if it passes all of the required checks.

Additional steps should be taken to fully complete the ISMS. Two additional steps the organization should take are:
1. The organization will also need to implement network subnetting.
Subnetting is a way to separate traffic from different areas of the network (http://www.rfc-editor.org). If the organization wants to allow visitors to use the network for internet access or other reasons, it should place those computers on a separate VLAN in order to keep unauthorized users from gaining access to critical systems. A subnetting example would be to place all hosts that serve visitor web traffic within their own subnet. This network may have more restrictions on the amount of privilege users have on its systems. The backup systems could be on a different subnet that allows only one-way traffic to the backup servers.
2. The organization should also restrict traffic to only approved sites. In order to accomplish this, the organization will have to compile a whitelist of websites that it will allow a user to visit, or a blacklist of websites to which it will block all traffic. For example, the organization may allow all traffic to domains that end in .edu or .org, or block all activity to domains that end in foreign country codes, such as .cc or .cn. This will help improve the security of the network, and prevent a user from going to a personal site that may host malicious code that could penetrate the network.