Information Security Management
Question:
Discuss the IEEE Communications Surveys and Tutorials.
A company in New Zealand known as Sermelles Limited became the victim of a cyber attack. The company has more than three thousand employees and is one of the largest health insurance providers in New Zealand. Large healthcare organizations in all parts of the world have fallen victim to cyber bullying. Private data of employees was siphoned off. This report studies this scenario and, based on it, provides some insights. A few security management models are discussed, existing security issues in the healthcare industry are analyzed, and based on that analysis a strategy and framework are developed.
Information security is critical in the modern world because there are many threats in cyberspace, including virus attacks, malware and phishing. The set of policies and procedures that an organization adopts to protect sensitive data is termed information security management (Disterer 2013). Its main goal is to establish a framework within which risk is minimized and business continuity is ensured. Information security management addresses processes, data, technology and employee behavior. Such a system is typically targeted at specific kinds of data, such as employee and customer data. Implementation is equally important: a system that is not implemented properly does not serve the purpose for which it was designed. Safeguarding data is critical because data is the most important asset of any company, organization or institution. Data can be protected in many ways; one is data encryption, in which data is transformed into another form, such as a code, so that only people holding the right access key, such as a password or a secret key, can decrypt it. According to statistics, data encryption is the most popular and effective method used by organizations.
The practice of preventing unauthorized access, disclosure, use, inspection, modification, disruption, destruction and recording of information is termed information security, abbreviated as InfoSec. The data may be physical or electronic. Information security focuses on the availability, integrity and confidentiality of data, with increasing emphasis on implementing policy in a way that does not hamper the productivity of the organization (Crossler et al. 2013). Proper implementation is achieved only through risk management, which has multiple steps: a process for identifying vulnerabilities, threat sources and impacts, followed by an assessment of the risk management plan. The discipline must be standardized, and collaboration between professionals and academics should be sought so that the standard can be adopted by organizations of any size. Strong policies and standards must be set for antivirus software, passwords, encryption software and firewalls. Training standards must also exist for information security to be implemented properly.
This portion addresses the threats surrounding information, which is nothing but valuable data. Threats take many forms: sabotage, information extortion, cyber bullying, identity theft, theft of intellectual property, phishing, equipment theft and malware. Trojan horses, worms and viruses are some types of software attack (Jouini, Rabai & Aissa 2014). Each form of threat is explained in turn. Theft of intellectual property means stealing ideas from companies, authors and inventors and profiting from them. In identity theft, an attempt is made to impersonate the person whose identity is stolen and then use that identity to gain access to valuable information about the person. Equipment theft is physical theft in which mobile devices, which hold valuable information, are stolen. For an organization, sabotage refers to the destruction of valuable company information, resulting in damage to its reputation; that damage leads to customer loss, which no company wants. Extortion of information is a threat in which valuable data is taken hostage and cyber criminals demand a ransom in exchange for returning access to the stolen data. This is achieved with ransomware.
Existing Threats to Information Security in the Healthcare Industry
This paragraph gives a brief overview of the types of cyber attack prevalent today. Attacks that affect data include SQL injection, phishing, malware, denial of service, cross-site scripting and man-in-the-middle attacks. Malware is harmful software, or a kind of ransomware, that can take control of a system. Once in control, it can monitor user activity such as keystrokes and silently send private data to a remote server (Divya 2013). Infection mainly occurs when a user clicks on an email attachment that carries the malware. A phishing attack is in a sense a kind of malware attack, but with a catch: the email that is sent appears legitimate and the user is provoked into downloading the attachment linked to it (Jesudoss & Subramaniam 2014). SQL, Structured Query Language, is the programming language used for databases; a server that stores databases uses SQL to manage its data. An SQL injection attack targets such servers and uses malicious code to extract or destroy data (Pawar 2015). Cross-site scripting is similar to SQL injection; however, it targets a specific individual rather than an organization or company. Denial of service, also known as DoS, is a special type of attack. A website is affected when there is a huge load on its server; in this attack, the website is deliberately flooded with traffic to overload the server so that the website fails to serve the content it is intended to serve. When it is carried out from several IP addresses, it is known as distributed denial of service (Zargar, Joshi & Tipper 2013). Man-in-the-middle attacks belong to a different domain: here a hacker captures the session between a private computer and a remote server so that the hacker can log in as the individual and extract valuable data (Conti, Dragoni & Lesyk 2016).
It is evident from this variety of attacks that an effective policy is strongly needed.
Information security policies are nothing but a set of rules implemented by a company, organization or institution so that the users and networks within its information technology domain abide by prescribed rules. In simple words, policies govern the protection of data, the most important asset of any organization. The main goal of an information security policy is to create a general framework that will detect misuse of networks, data and computer systems (Siponen, Mahmood & Pahnila 2014). Once misuse is detected, restrictive measures are put in place. The policy is also framed to safeguard the reputation of the organization in legal and ethical respects.
Awareness, in the general sense, means gaining knowledge about an issue. Awareness is an important part of information security, as it increases consciousness of the potential risks in the information field. Threats evolve constantly, at the same pace as information; there are now more sophisticated ways of attacking systems and identifying loopholes. Because of this, existing infrastructure needs constant upgrading and there is an increased need for awareness (Lebek et al. 2013). People who are unaware may, without realizing it, expose loopholes within an organization and enable a data breach.
Types of Cyber Attacks
A health insurance provider in New Zealand known as Sermelles Limited was hacked. It has more than three thousand employees and spans New Zealand with eighty branches. The net income of the company as of 2015 was about NZ$150 million. Hackers were able to steal 470,000 records. Employees were the victims of a malware attack.
A massive data breach occurred at Sermelles Limited. A few employees received an email that looked like an internal email instructing them to back up their emails. They had no reason to suspect it, and so they clicked on a link. Unauthorized data queries were then made to the company's network server. Two types of attack have been identified in this case: phishing and SQL injection, and the cyber criminals made use of both. Phishing is a special type of attack used to steal data such as personal information, login credentials and debit and credit card details. It happens when cyber criminals impersonate a trusted entity and tactfully extract information from the victim. Often the victim is tricked into clicking a spam link, and on clicking the link malware can be installed on the system without the user's knowledge. Phishing is mainly used to infiltrate large organizations or government sectors as part of a larger plan. SQL injection relates mainly to the server. It uses malicious SQL code to manipulate the database into revealing information that should never be displayed; the information revealed may include sensitive company data and employee data. Attacks of this type can have far-reaching consequences: an attack of this scale can result in deletion of database tables, unauthorized viewing, and gaining administrative rights to make changes within a table, which is highly detrimental to any company, institution or organization. Five security vulnerabilities present in healthcare are discussed next. The first is mobile devices, which are inexpensive and highly portable. Healthcare workers use mobile devices to access the organization's resources, and mobile devices are one of the major contributors to data breaches. The second vulnerability is theft: data breaches can occur through stolen external drives or laptops.
The third vulnerability lies in data dissemination. Breaches have occurred while data was being shared between employees and third parties, and FTP sites with weak controls have serious loopholes. The fourth vulnerability is outsourcing: there are times when vendors or business associates resort to unfair tactics to win contracts. Finally, the fifth vulnerability is the cloud. Healthcare organizations are increasingly moving to the cloud, and that is where the vulnerability exists.
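The following Python script is an added example; it is not part of this report and is not code from Sermelles Limited. It illustrates the SQL injection mechanism described in the attack overview and in the scenario above: the same employee lookup is written once with the caller's input spliced into the query text (the defect the attack exploits) and once with a bound parameter (the standard fix). The employee table, the usernames and the username allowlist pattern are all constructed for this example, and it uses only Python's built-in sqlite3 module.

```python
import re
import sqlite3

# Constructed sample data for this example (not the company's real records):
# an employee table of the kind the scenario says was queried without authorization.
EMPLOYEES = [
    (1, "alice", "alice@example.invalid", "Claims"),
    (2, "bob", "bob@example.invalid", "Underwriting"),
    (3, "carol", "carol@example.invalid", "IT"),
]

# Hypothetical allowlist for usernames; the report prescribes no format.
USERNAME_PATTERN = re.compile(r"^[a-z0-9_.-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER, username TEXT, email TEXT, department TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable lookup: the caller's string is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = f"SELECT username, email FROM employees WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened lookup: the value is bound as a parameter, so the database
    engine treats it strictly as data and never as part of the SQL."""
    sql = "SELECT username, email FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Defence in depth: reject input that does not look like a username at all.
    Validation on its own is not a substitute for parameterized queries."""
    return USERNAME_PATTERN.match(username) is not None


def rows_returned(lookup, username):
    """Run one lookup against a fresh database and report how many rows it returns."""
    return len(lookup(make_db(), username))


if __name__ == "__main__":
    # The textbook tautology probe: a quote closes the literal and the OR clause is always true.
    probe = "nobody' OR '1'='1"
    print("vulnerable lookup, probe     :", rows_returned(lookup_vulnerable, probe), "rows")
    print("parameterized lookup, probe  :", rows_returned(lookup_parameterized, probe), "rows")
    print("probe passes username check  :", is_valid_username(probe))
```

Run against the constructed table, the vulnerable lookup returns every employee for the probe string, while the parameterized lookup returns nothing because no employee has that literal username; the allowlist check rejects the probe before it reaches the database at all. The point for a defender is that the fix is structural (bind parameters everywhere user input meets SQL), with input validation as a second layer rather than the primary control.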
This paragraph provides a few recommendations and solutions for the given scenario. Electronic health records are used extensively in the healthcare industry, so a secure environment for sharing electronic health records must exist to prevent data leaks. An electronic health record reference model can be developed to manage security issues on cloud servers. The organization should create a Cyber Security Body responsible for defining and framing security policies for the entire organization; the body must work independently within the organization. Next, a technical emergency team can be created which, in an emergency, is ready to put its expertise into action. The Cyber Security Body should have complete control of the emergency team, and their strategies must be aligned. Training sessions must be held within the organization so that employees are trained and made aware of existing threats, including what their course of action should be after an attack. Systems must have adequate security, meaning anti-virus, anti-malware and anti-spyware software installed. The network infrastructure within the organization must be upgraded and systems updated regularly; if software is not updated regularly, the system becomes much more vulnerable. Additionally, employees must be told to change their passwords periodically. The organization must perform risk assessments on a regular basis, and its information technology team must be given the authority to find existing vulnerabilities within the organization (Hinduja & Kooi 2013).
Security Management Models
This portion formulates some security policies based on the scenario provided. Information security policies are a set of rules implemented by a company, organization or institution so that the users and networks within its information technology domain abide by prescribed rules. The first security policy should provide for risk assessment. This policy will help identify every possible risk and will also provide accountability. Contingency plans are included with this policy, outlining what needs to be done when a breach happens (Peltier 2016). Information technology is complicated, and therefore specialists need to be assigned to particular tasks. The second security policy should revolve around assigning a specialist; the policy will make it clear that the specialist must learn about government compliance, and the specialist should follow the guidelines in all circumstances. The third security policy should address everyday practices of employees, such as changing passwords. This might seem a trivial issue, but the problem probably exists in nearly every organization. The policy should require that every employee change his or her password frequently and that passwords contain a mix of letters, numbers and special characters. The fourth policy should cover disabling accounts that are no longer required, such as those of ex-employees. The fifth policy should concern data security and must be followed strictly by the organization: customer data should not be stored in unencrypted form, and the information technology team should use a good encryption algorithm to store customer or customer-specific data. The sixth policy should address access issues. Internal servers must be located in a locked room so that only a person with access can enter; biometric access control will achieve this purpose.
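As an added example (not part of this report, and not a tool used by the company in the scenario), the Python script below shows how the third and fourth policies above can be checked mechanically rather than left to good intentions: it validates a candidate password against the letters, numbers and special characters rule, and it audits an account directory for enabled accounts belonging to staff who have left and for passwords that have not been changed within the allowed period. The account records, the 90-day maximum password age and the 12-character minimum length are assumptions made for this example; the report fixes no such numbers.

```python
import re
from datetime import date

# Hypothetical policy parameters chosen for this example; the report fixes no numbers.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 12

# Date on which the audit is run (constructed, so results are reproducible).
AUDIT_DATE = date(2024, 3, 1)

# Constructed account directory (not real data). Each record carries the
# employment status from HR and the date of the last password change.
ACCOUNTS = [
    {"username": "alice", "status": "active", "enabled": True,
     "password_changed": date(2024, 1, 15)},
    {"username": "bob", "status": "left", "enabled": True,
     "password_changed": date(2023, 10, 1)},
    {"username": "carol", "status": "active", "enabled": True,
     "password_changed": date(2023, 11, 20)},
    {"username": "dave", "status": "left", "enabled": False,
     "password_changed": date(2023, 6, 1)},
]


def password_meets_policy(password):
    """Third policy: letters, numbers and special characters must all be present
    (a minimum length is added here as an assumption)."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def audit_accounts(accounts, today):
    """Return (username, finding) pairs for accounts that breach the third or
    fourth policy: enabled accounts of staff who have left, and enabled
    accounts whose password is older than MAX_PASSWORD_AGE_DAYS."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used, so there is nothing to flag
        if acct["status"] == "left":
            findings.append((acct["username"], "account of former employee still enabled"))
        age = (today - acct["password_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["username"], f"password not changed for {age} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {finding}")
    for candidate in ("Tr0ub4dor&3x!", "password1234"):
        print(f"{candidate!r} meets policy: {password_meets_policy(candidate)}")
```

On the constructed directory the audit flags bob twice (still enabled after leaving, and a stale password) and carol once (stale password), while dave, whose account is already disabled, produces no finding. The password check is applied at the moment a password is set; the audit never needs the passwords themselves, only the date of the last change, which is how such a check should be built so that the auditing tool does not become another place where credentials are stored.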
Conclusion:
Based on the discussion in this report, it can be concluded that by developing certain policies and a framework, potential attacks can be averted. Organizations with the means and resources must invest heavily in infrastructure, because once a data breach happens the losses are huge. The Cyber Security Body must be independent and aligned with the organization's security framework. It can also be concluded that awareness is important in this sector: by giving employees proper training, awareness increases, which in turn lowers the risk for the organization. This report has identified various threats in the healthcare industry and provided insights into each. The vulnerabilities present in the company in the scenario have also been discussed, and based on them solutions have been devised, along with appropriate security policies to implement the prescribed solutions.
References:
Conti, M, Dragoni, N & Lesyk, V 2016, ‘A survey of man in the middle attacks’, IEEE Communications Surveys & Tutorials, 18(3), pp.2027-2051.
Crossler, RE, Johnston, AC, Lowry, PB, Hu, Q, Warkentin, M & Baskerville, R 2013, ‘Future directions for behavioral information security research’, Computers & Security, vol. 32, pp.90-101.
Disterer, G 2013, ‘ISO/IEC 27000, 27001 and 27002 for information security management’, Journal of Information Security, 4(02), p.92.
Divya, S 2013, ‘A survey on various security threats and classification of malware attacks, vulnerabilities and detection techniques’, International Journal of Computer Science & Applications (TIJCSA), 2(04).
Hinduja, S & Kooi, B 2013, ‘Curtailing cyber and information security vulnerabilities through situational crime prevention’, Security journal, 26(4), pp.383-402.
Jesudoss, A & Subramaniam, N 2014, ‘A survey on authentication attacks and countermeasures in a distributed environment’, Indian J Comput Sci Eng IJCSE, 5, pp.71-77.
Jouini, M, Rabai, LBA & Aissa, AB 2014, ‘Classification of security threats in information systems’, Procedia Computer Science, vol. 32, pp.489-496.
Lebek, B, Uffen, J, Breitner, MH, Neumann, M & Hohler, B 2013, ‘Employees’ information security awareness and behavior: A literature review’, in System Sciences (HICSS), 2013 46th Hawaii International Conference on, IEEE, pp. 2978-2987.
Pawar, RG 2015, ‘SQL Injection Attacks’, KHOJ: Journal of Indian Management Research and Practices, pp.125-129.
Peltier, TR 2016, ‘Information Security Policies, Procedures, and Standards: guidelines for effective information security management’, CRC Press.
Siponen, M, Mahmood, MA & Pahnila, S 2014, ‘Employees’ adherence to information security policies: An exploratory field study’, Information & Management, 51(2), pp.217-224.
Zargar, ST, Joshi, J & Tipper, D 2013, ‘A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks’, IEEE Communications Surveys & Tutorials, 15(4), pp.2046-2069.