Background Analysis of AVC Care Hospital’s Issues
The AVC Care hospital, which provides one of the most comprehensive ranges of health care services in South Australia, is currently facing security issues and has planned to implement an Information Security Contingency Plan to help the organization save money and minimize disruption. This paper includes a detailed background analysis of the organization and its issues, together with the processes of information security risk management (Hom et al., 2020). It focuses on the OCTAVE Allegro method for assessing the organization's information security risks.
AVC Care hospital, one of the most renowned hospitals in the region, has provided services to different cities in South Australia since 2004 and has gained the trust of its patients by providing the best services. The organization is currently facing security breach issues that have affected the hospital's services. It recently suffered a massive cyber-attack that affected the records of more than 1.4 million patients. The breach was discovered only after some staff began noticing changes in patient records, including many records that were missing from AVC Care's private servers; that the tampering was found by staff rather than by monitoring is itself a finding the assessment should capture. While it was still responding to that incident, the hospital faced a second incident in which the healthcare system was affected, costing the organization more than 90,000 dollars. The attacker used a vulnerability to access official and personal data, affecting every patient. To avoid such incidents in future, the organization has planned to develop an information security contingency plan, of which business impact analysis is an essential element. To assist with the plan, the OCTAVE Allegro method has been chosen; it combines an organizational view of the assets with a technological view to produce a strategic plan for the organization.
OCTAVE Allegro Background:
The chosen method for risk assessment and risk analysis is OCTAVE Allegro. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is a framework that organizations use to identify and manage information security risks (Suroso & Fakhrozi, 2018). The method helps to assess the important assets and the vulnerabilities through which threats can reach them. The main reasons for choosing OCTAVE are that it directs and manages the information needed for the risk assessment, supports the best possible decisions based on the unique risks and threats identified, and communicates the key security information effectively. The method is executed in four phases comprising eight steps.
The OCTAVE Allegro method is designed to be carried out by a small team and does not depend solely on information security staff: it aligns information security with the other business roles by making the assumptions behind each risk explicit to the operational staff. For AVC Care the assessment team therefore also includes the caregivers and doctors, who supply the organizational knowledge of how patient information is used.
The method is performed in a sequence of steps that identify the currently active information assets and the risks associated with them, identify the vulnerabilities of the containers in which those assets are stored, processed and transported, raise awareness of the organization's assets and of the security risks to them so that better decisions can be made (Sardjono & Cholik, 2018), and produce a specific action plan for improving the security posture. The phases of the method can be presented as follows:
OCTAVE Allegro Method: Risk Assessment for AVC Care Hospital
Step 1: Creating the risk management criteria
This step establishes the criteria against which risk will be measured. The organization identifies its impact areas (for a hospital these typically include patient safety and health, reputation and customer confidence, fines and legal penalties, financial loss and productivity), defines what a high, medium and low impact means in each area, and ranks the areas in order of importance, so that the criteria reflect AVC Care's organizational drivers (Laukka & Fransson, 2021). The individuals assigned to inspect the critical assets use these criteria throughout the assessment. Threat profiles are later built on the basis of the assets; this requires identifying the types of risk and the security objectives, so that threat modelling activity can be focused and the effort required of each assigned individual can be determined. The next part of this step is the determination of risk: existing and possible threats are identified, and each scenario is analysed for its likely impact and probability. The step also draws on AVC Care's strategic and operational plans, which identify the business objectives, and on the results of the risk management processes the hospital already uses; information about these processes is provided by the responsible stakeholders. Finally, the evaluation criteria for each impact area are defined on the basis of the impact ratings.
Step 2: Development of information asset profiles
This step evaluates the identified assets and the information infrastructure that supports them. The team members identify and analyse the access paths to each asset and the technological components on which the asset depends. Once the assets are identified they are inspected and tested for vulnerabilities. The activities in this step are the development of the information asset profile and, following it, the identification of the asset containers. An information asset profile records the asset's name, a description and the reason it is critical, its owner, and its security requirements for confidentiality, integrity and availability, with the most important requirement marked; for AVC Care it covers information such as service details, the networks used and individual patient information (Herdianto, Ramli & Suryanto, 2022).
Step 3: Identification of information asset containers
Containers are the places where information is stored, processed and transported. Because containers handle the data, any threat to or problem with a container affects the organization directly, so identifying the containers of each information asset is important. OCTAVE Allegro distinguishes technical containers (servers, networks, applications), physical containers (paper records, removable media) and people, and considers both internal containers and external ones operated by third parties, so that every place an asset is stored, transported or processed can be secured (Wagiu, Siregar & Maulany, 2019). In this step the team members map and inspect all the containers in which each asset is used, and the assessor records the boundaries and any unique circumstances that need to be examined. The incidents AVC Care faced, such as the breach of the healthcare system, point to inadequate security of the containers holding patient records (Alfarisi & Surantha, 2022). The method aims to ensure that every asset is protected in all of its containers, so that attackers are not left with an unexamined path to a vulnerability.
Phases of OCTAVE Allegro Method for AVC Care Hospital
Step 4: Identification of areas of concern
This step begins with a brainstorming process to capture the possible conditions and situations that could threaten the organization's information assets. It identifies the key factors and areas of concern that represent threats, together with the outcomes that would follow if they were handled badly. Choosing the right information boundary helps the team focus on the security issues that matter, and every plausible way of dealing with an issue should be recorded for later analysis (Aditya & Febiola, 2021). The step is concerned with how the areas of concern should be managed rather than with cataloguing every possible type of threat, and it provides real-time value to the organization because a plan for each situation can be created before the analysis team proceeds.
Step 5: Identification of threat scenarios
In this step the areas of concern captured in the previous step are expanded into threat scenarios that describe each threat in detail (actor, means, motive and outcome). A list of areas of concern on its own does not give a full consideration of the possible threats to an information asset; a broad range of threats can be covered by examining short threat scenarios, often with the help of threat trees. This step also allows a probability to be assigned to each scenario, which helps the organization understand which scenarios are most likely to occur in its operational environment (Suroso & Fakhrozi, 2018). Accurate probabilities are difficult to obtain, particularly because OCTAVE Allegro expresses probability qualitatively as high, medium or low.
Step 6: Identification of the risks
The threats identified in step 5 are turned into risks in step 6 by recording the consequences the organization would face if each threat were realized. A single threat can have several different impacts on AVC Care: a brief disruption of the online payment system may affect patients, the organization's reputation and its financial position at the same time (Herdianto, Ramli & Suryanto, 2022). The activities in this step analyse and record the possible consequences of each threat so that the risk can be measured and its value to the organization understood.
Step 7: Risk Analysis
In step 7 the extent to which the organization is affected by each risk is analysed. For each risk an impact value (high, medium or low) is assigned in each of the impact areas defined in step 1, and the impact value is weighted by the area's priority to give a relative risk score; together with the probability from step 5 this determines how serious the risk is. Reputation is an important area for a hospital, and a risk with a high impact there and a high probability will score accordingly (Prajanti & Ramli, 2019). Weighting by the areas the organization values most ensures that the risks that matter most are prioritized and mitigated first. This step is important because the risk score and probability determine the risk's category, and the mitigation approach is approved on that basis.
Step 8: Selection of mitigation approach
The last step of OCTAVE Allegro is risk mitigation: each risk is categorized and a mitigation approach and strategy are chosen on that basis. Risks are sorted by their impact level and probability (which threat affects the organization most, and which affects the assets most) into pools, and for each pool the organization decides whether to mitigate, defer, transfer or accept the risk (Ramadhani, Hartanto & Nugroho, 2018). Risks that must be addressed first because of their value to the organization's assets receive a mitigation strategy that states which container the control will be applied to, what administrative, technical or physical control will be used, and what residual risk the organization still accepts, so that the threat is mitigated as soon as possible.
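The following is an added worked example of the scoring described in steps 1, 7 and 8; it is not part of the original paper and not the SEI method's own tooling. It computes an OCTAVE Allegro relative risk score (impact value 1..3 in each impact area, multiplied by the area's priority rank and summed) and places each risk into a pool that maps to a mitigation approach. The impact area ranks, the three AVC Care risk scenarios with their impact values and probabilities, and the score bands used to build the pool matrix are all constructed assumptions for illustration; a real assessment takes them from the organization's own criteria worksheets.

```python
"""Relative risk scoring and mitigation-pool selection in the style of
OCTAVE Allegro steps 1, 7 and 8.

Added example, not from the paper or from the SEI method documentation.
The ranks, the risk scenarios and the pool thresholds are constructed
assumptions; an organization sets its own in step 1.
"""
from dataclasses import dataclass

# Step 1 (assumed for a hospital): impact areas and priority rank, 5 = most important.
IMPACT_AREA_RANK = {
    "safety_and_health": 5,
    "reputation_and_customer_confidence": 4,
    "fines_and_legal_penalties": 3,
    "financial": 2,
    "productivity": 1,
}

# Qualitative impact value per area, as used on the Allegro risk worksheet.
IMPACT_VALUE = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Risk:
    name: str
    probability: str   # "high" / "medium" / "low", assigned in step 5
    impacts: dict      # impact area -> "high" / "medium" / "low", from step 6


def relative_risk_score(risk: Risk) -> int:
    """Step 7: sum over all impact areas of impact value x area rank.
    With five areas ranked 1..5 the score lies between 15 and 45."""
    missing = set(IMPACT_AREA_RANK) - set(risk.impacts)
    if missing:
        # Every impact area must be rated; an unrated area silently lowers the score.
        raise ValueError(f"{risk.name}: no impact value for {sorted(missing)}")
    return sum(IMPACT_VALUE[risk.impacts[area]] * rank
               for area, rank in IMPACT_AREA_RANK.items())


def risk_pool(score: int, probability: str) -> int:
    """Step 8: place a risk in pool 1 (highest priority) .. 4 (lowest)
    from its probability and its score band. The bands (>=30 high,
    21..29 medium, <=20 low) and the matrix are an assumption for this example."""
    band = "high" if score >= 30 else "medium" if score >= 21 else "low"
    pool_matrix = {
        ("high", "high"): 1, ("high", "medium"): 1, ("high", "low"): 2,
        ("medium", "high"): 1, ("medium", "medium"): 2, ("medium", "low"): 3,
        ("low", "high"): 2, ("low", "medium"): 3, ("low", "low"): 4,
    }
    return pool_matrix[(probability, band)]


# Approach per pool, following the Allegro guidance of mitigate / defer / accept.
APPROACH = {1: "mitigate", 2: "mitigate or defer", 3: "defer or accept", 4: "accept"}


def rank_risks(risks):
    """Return (name, score, pool, approach) rows, most urgent first."""
    rows = []
    for r in risks:
        score = relative_risk_score(r)
        pool = risk_pool(score, r.probability)
        rows.append((r.name, score, pool, APPROACH[pool]))
    rows.sort(key=lambda row: (row[2], -row[1]))  # lowest pool number, then highest score
    return rows


# Constructed scenarios drawn from the paper's narrative (values are assumptions).
AVC_RISKS = [
    Risk("Patient records altered or removed on private servers", "high",
         {"safety_and_health": "high", "reputation_and_customer_confidence": "high",
          "fines_and_legal_penalties": "high", "financial": "medium", "productivity": "high"}),
    Risk("Online payment system disruption", "medium",
         {"safety_and_health": "low", "reputation_and_customer_confidence": "medium",
          "fines_and_legal_penalties": "low", "financial": "high", "productivity": "medium"}),
    Risk("Appointment scheduling outage for a few hours", "low",
         {"safety_and_health": "low", "reputation_and_customer_confidence": "medium",
          "fines_and_legal_penalties": "low", "financial": "low", "productivity": "low"}),
]

if __name__ == "__main__":
    for name, score, pool, approach in rank_risks(AVC_RISKS):
        print(f"pool {pool}  score {score:2d}  {approach:17s} {name}")
```

The record-tampering scenario scores 43 of a possible 45 and lands in pool 1 (mitigate), the payment disruption scores 24 and lands in pool 2, and the scheduling outage scores 19 and is accepted. The check in `relative_risk_score` matters in practice: an impact area that is simply left blank on the worksheet would otherwise pull a risk down into a lower pool unnoticed.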
Figure 1: OCTAVE Allegro Process Roadmap
To perform the OCTAVE Allegro method, some preparations are needed: securing management support, defining the scope of the activities and allocating resources for the process.
Senior management support- Support from the senior management team is essential for executing the method. Budget sponsorship for the assessment and for the mitigation activities that follow is required from senior management. Beyond sponsorship, senior management must support the work by providing organizational information, adequate resources and space (Sardjono & Cholik, 2018).
Organizational resource allocation- The two most important factors for OCTAVE Allegro are the composition of the organization and the size of the assessment team, since the process and its preparation depend heavily on team size. Distinct roles are defined for the assessment team members; after the method is broken down into tasks, roles and responsibilities are assigned to individuals. Executing the process requires assessing the availability of physical resources, the team's strength and capability to perform the assigned tasks, and the complexity of the work, including the complexity of the environment, of performing the tasks and using the resources, and of storing and transporting the assets (Yaacoub et al., 2020). The teams will be divided: the first team performs the initial activities and, once it has gained experience, assists the second team with the information and details it has gathered.
Training- Organizations that have adopted OCTAVE Allegro before tend to find its processes and steps easy to execute. AVC Care is adopting the method for the first time, which makes it more demanding than the methods previously used. To perform the method successfully, the team members need basic training on its key activities (Qi et al., 2019). After the initial process has been planned, proper guidance will be provided to staff and employees.
Conclusion:
Risk assessment and security analysis are among the main responsibilities of managing an organization. AVC Care, one of the most renowned healthcare organizations in Australia, has faced security breaches and has planned to carry out a security analysis and risk assessment to mitigate and avoid further security issues. This paper has discussed OCTAVE Allegro and how it can be used for risk assessment and security analysis. It has also covered the method's four phases: establishing drivers, profiling assets, identifying threats, and identifying and mitigating risks. These phases are used to identify and analyse the factors that could threaten the organization. The OCTAVE Allegro methodology is summarized here to assist the organization's plan.
References:
Aditya, N. M. B., & Febiola, S. (2021). Information System Risk Management Using Octave Allegro Method (No. 6219). EasyChair.
Alfarisi, S., & Surantha, N. (2022). Risk assessment in fleet management system using OCTAVE allegro. Bulletin of Electrical Engineering and Informatics, 11(1).
Herdianto, R. A., Ramli, K., & Suryanto, Y. (2022, March). Risk Assessment of Electronic Archive Services using Octave Allegro Method (Case Study: SIKN JIKN). In IOP Conference Series: Materials Science and Engineering (Vol. 1232, No. 1, p. 012007). IOP Publishing.
Hom, J., Anong, B., Rii, K. B., Choi, L. K., & Zelina, K. (2020). The Octave Allegro Method in Risk Management Assessment of Educational Institutions. Aptisi Transactions on Technopreneurship (ATT), 2(2), 167-179.
Laukka, L., & Fransson, C. (2021). Cloud risk analysis using OCTAVE Allegro: Identifying and analysing risks of a cloud service.
Prajanti, A. D., & Ramli, K. (2019, June). A Proposed Framework for Ranking Critical Information Assets in Information Security Risk Assessment Using the OCTAVE Allegro Method with Decision Support System Methods. In 2019 34th International Technical Conference on Circuits/Systems, Computers and Communications (ITC-CSCC) (pp. 1-4). IEEE.
Qi, R., Sun, Z., Lin, Z., Niu, P., Hao, W., Song, L., … & Long, G. L. (2019). Implementation and security analysis of practical quantum secure direct communication. Light: Science & Applications, 8(1), 1-8.
Ramadhani, S. T. A., Hartanto, R., & Nugroho, E. (2018). RISK-MANAGEMENT BASED GOVERNMENT INFORMATION SYSTEM SECURITY USING OCTAVE ALLEGRO FRAMEWORK. In Proceeding of International Seminar & Conference on Learning Organization.
Sardjono, W., & Cholik, M. I. (2018, September). Information systems risk analysis using octave allegro method based at deutsche bank. In 2018 International Conference on Information Management and Technology (ICIMTech) (pp. 38-42). IEEE.
Sukri, M., & Riadi, I. Risk Management Analysis on Administration System using OCTAVE Allegro Framework. International Journal of Computer Applications, 975, 8887.
Suroso, J. S., & Fakhrozi, M. A. (2018). Assessment of information system risk management with octave allegro at education institution. Procedia Computer Science, 135, 202-213.
Wagiu, E. B., Siregar, R., & Maulany, R. (2019, December). Information System Security Risk Management Analysis in Universitas Advent Indonesia Using Octave Allegro Method. In Abstract Proceedings International Scholars Conference (Vol. 7, No. 1, pp. 1741-1750).
Yaacoub, J. P., Noura, H., Salman, O., & Chehab, A. (2020). Security analysis of drones systems: Attacks, limitations, and recommendations. Internet of Things, 11, 100218.