Introduction
The information system used at HSO has several security flaws that need to be corrected, and there are no information technology security policies in place to guide users and protect them from the resulting damage. This paper focuses on the remedies and steps that HSO should take to correct the situation in the hospital, and on the benefits the hospital will gain from them. From the assessment, security improvements are needed at three levels: authentication and access control, policy development, and infrastructure enhancement (Peltier 17).
Authentication and access control
Authentication management
Another role of the database administrator will be to set reminders that prompt users to change their passwords. This is needed so that a password cannot be learned and compromised by intruders over time: if a password has been compromised and is being used illegally at HSO, the user's regular change will invalidate it after a short period. Periodic changes also ensure proper use of the security credentials assigned to users (Stamp 298).
Access control
Access to the database will be managed through access controls. Only users who are authorized to access the database should be able to do so, and the database administrator will grant access on request and at the level that suits each user's needs. Users will therefore be grouped into levels according to how they use the database, so that each user has the right credentials and accesses the database according to their role. The database administrator will logically divide the database into data used by nurses, data used by doctors, and data used by administrative and clerical staff. Each user should hold only the rights and controls associated with the access level they have been assigned; this also simplifies the administrator's task of assigning roles in the database. Access rights will be based on the role the user has in the database and in the organization generally (Whitman and Mattord 209).
The printing of the names of HIV patients was possible because there were no controls on the printers and no access controls on the database (Whitman and Mattord 952).
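As an added illustration of the role-based division described above (not HSO's own code), the following Python check grants each role only its data categories, denies everything else by default, treats printing of sensitive categories as requiring a section head's approval, and records every decision for audit. The role names, data categories and the approval field are assumptions.

```python
"""Role-based access check for a hospital database divided by staff role.

Added illustration, not HSO's own code. Role names, data categories and the
section-head approval requirement for printing are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed logical division of the database: each role sees only its categories.
ROLE_DATA = {
    "nurse": {"nursing_notes", "vitals", "medication_schedule"},
    "doctor": {"nursing_notes", "vitals", "medication_schedule", "diagnoses", "lab_results"},
    "clerical": {"billing", "appointments"},
}
# Assumed categories whose printing needs a section head's approval.
SENSITIVE = {"diagnoses", "lab_results"}

@dataclass
class Request:
    user: str
    role: str
    category: str
    action: str                      # "read" or "print"
    approved_by: Optional[str] = None  # section head who authorised a print job

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT = []  # one record per decision, allowed or denied

def authorize(req: Request) -> Decision:
    """Deny by default; allow only what the role's data division permits."""
    allowed_cats = ROLE_DATA.get(req.role)
    if allowed_cats is None:
        d = Decision(False, f"unknown role {req.role!r}")
    elif req.action not in ("read", "print"):
        d = Decision(False, f"unsupported action {req.action!r}")
    elif req.category not in allowed_cats:
        d = Decision(False, f"{req.role} may not access {req.category}")
    elif req.action == "print" and req.category in SENSITIVE and not req.approved_by:
        d = Decision(False, "printing sensitive data needs section-head approval")
    else:
        d = Decision(True, "permitted by role")
    AUDIT.append({"ts": datetime.now(timezone.utc).isoformat(), "user": req.user,
                  "role": req.role, "category": req.category, "action": req.action,
                  "allowed": d.allowed, "reason": d.reason})
    return d
```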
Administrative controls
Controls will also apply to the IT staff. The printing of the list of HIV patients could have been an inside job: IT personnel had access to the system's security tools and to its security configuration. These security credentials must be changed so that security is centrally managed in the organization. One corrective step is to have a single security officer hold the credentials required to access the system. In this design, the database administrator will hold the database security details, while the system administrator and the network administrator will hold the systems security details and network security details respectively. This allows the administrators to coordinate and gives the key IT administrators a unified security management.
Infrastructure security control
The infrastructure is another area that must be controlled and secured. One measure is physical security for IT equipment such as printers and computers. The names of HSO's patients were printed because the printers had no physical security. The printers should have locks so that they can be used only when necessary and with the right permission, with the locks controlled by the heads of the various sections of the organization. For example, the nursing section will control the equipment in that section and will authorize the printing of documents there. This will instill a sense of control and of the sensitivity of some data, and will ensure proper management of the data and the security controls in the organization.
Another missing infrastructure control is a secure network. Access to the different systems within HSO is not secured. The network needs controls that give users only the access they require, which is possible by using different subnets within HSO. The subnets will categorize users according to their roles and the departments where they are located, which in turn allows users to be grouped into domains on the server, with privileges based on their roles in the organization. The current infrastructure lacks controls on the network and on the arrangement of local computers. The database server, application server, DNS servers, and storage should have their own subnet, accessible only to the network administrator, systems administrator, and database administrator. This centralizes the administration of security in HSO and allows the network to be managed and enhanced. The infrastructure of a network determines how far it can be controlled for security, so the network must be secured with the necessary controls. The domain control process will integrate well with the use of subnets (Eloff 82).
External controls should also be integrated into the computer network to secure it from external attacks; one such strategy is a firewall that protects the system and the network from attacks coming from outside. Since external attack is not the case in this scenario, the paper does not deal with it further.
Personal devices are another security threat to organizations, and HSO needs a strategy that protects its infrastructure from attacks and unauthorized network access. One way to ensure this is a system that requires authentication on the wireless networks. Users of personal devices will then have to seek permission to use company resources and comply with HSO's rules and regulations on their use (Vacca 198).
There should also be a security control that restricts the use of one account profile on more than one computer at the same time. This eliminates instances where nurses share account information, which must be stopped if the organization's security is to be achieved, and it keeps the protection of the systems in use in order (Bulgurcu, Cavusoglu, and Benbasat 83).
HSO information security policies
Information security policies are also needed to govern the use of information resources in a secure manner. The assessment found no policies governing the use of resources on the network. Policies followed in HSO will address nurses sharing passwords, personnel leaving passwords on top of their desks, and users not changing their passwords for a long time. Solving this makes the effective and secure use of information resources, and the flaws identified, the responsibility of every user in the organization. The use of information resources by all users in the organization will be governed by the following policies:
- Password use policy
The password policy will cover password use within HSO. All users will be provided with usernames and passwords. Passwords will be changed automatically after seven days. The first password in the organization will be generated automatically, and users will be required to change it within the first seven days of receiving it. A reminder will be set to prompt users to change their passwords after a period of seven days. This will ensure that users are able to protect their passwords from compromise.
Users will be responsible for the security credentials they hold, and must protect their passwords and observe the other requirements set out in the security policy.
- Account management policy
Users will be required to protect their accounts so that they are the only ones using them. They will be responsible for everything that happens while their accounts are active and will be held responsible for any illegal or malicious procedures carried out under their accounts. Under this policy it will be an offense to share password information with other people; each user will have one password and will keep the security of the account under their control.
- Policy enforcement
Users found to have contravened the set security policies while using their accounts will lose their accounts for a period of one month. This will be considered a security offense, and the users may face other disciplinary action from senior management. This will ensure that users are responsible for their actions.
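The two checks that the password policy and the one-account-per-computer control (in the infrastructure section) call for can be run over the system's audit trail. The following Python is an added example, not HSO's own code: it flags accounts whose last password change is older than seven days, and logins that arrive while the same account still has an open session on another computer. The log line format and the sample events are constructed for the example, and an account with no recorded change is assumed to still be on its generated password.

```python
"""Account-policy checks over a constructed audit log.

Added illustration, not HSO's own code. The log format
"<ISO time> <event> <user> <host>" and the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=7)   # from the password use policy

# Constructed sample events (not real HSO data).
SAMPLE_LOG = """\
2024-03-01T08:00:00 PWCHANGE nurse_amy ws-nursing-01
2024-03-04T07:55:00 LOGIN nurse_amy ws-nursing-01
2024-03-04T08:10:00 LOGIN nurse_amy ws-nursing-03
2024-03-04T12:00:00 LOGOUT nurse_amy ws-nursing-01
2024-03-04T13:00:00 LOGIN nurse_amy ws-nursing-02
2024-03-05T09:00:00 LOGIN dr_khan ws-clinic-02
2024-03-05T09:30:00 LOGOUT dr_khan ws-clinic-02
"""

def parse(log):
    """Turn log lines into (time, event, user, host) tuples, in order."""
    events = []
    for line in log.splitlines():
        ts, event, user, host = line.split()
        events.append((datetime.fromisoformat(ts), event, user, host))
    return events

def concurrent_logins(events):
    """(user, host already active, new host, time) for every LOGIN that
    arrives while the same account still has an open session elsewhere."""
    active = defaultdict(set)   # user -> hosts with an open session
    findings = []
    for ts, event, user, host in events:
        if event == "LOGIN":
            for other in sorted(active[user]):
                if other != host:
                    findings.append((user, other, host, ts))
            active[user].add(host)
        elif event == "LOGOUT":
            active[user].discard(host)
    return findings

def stale_passwords(events, now):
    """Users whose last PWCHANGE is older than PASSWORD_MAX_AGE, or who
    never changed the generated password at all (assumed to count as stale)."""
    last_change, users = {}, set()
    for ts, event, user, _ in events:
        users.add(user)
        if event == "PWCHANGE" and ts > last_change.get(user, ts - timedelta(seconds=1)):
            last_change[user] = ts
    return sorted(u for u in users
                  if u not in last_change or now - last_change[u] > PASSWORD_MAX_AGE)
```

Run against a real export, the two functions give the account management policy a concrete basis for enforcement: each finding names the account, the computers involved and the time.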
Conclusion
Works Cited
Bulgurcu, Burcu, Hasan Cavusoglu, and Izak Benbasat. "Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness." MIS Quarterly 34.3 (2010).
Eloff, Maria Margaretha. A Multi-Dimensional Model for Information Security Management. Diss. 2011.
Peltier, Thomas R. Information Security Fundamentals. CRC Press, 2013.
Peltier, Thomas R. Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press, 2013.
Stamp, Mark. Information Security: Principles and Practice. John Wiley & Sons, 2011.
Vacca, John R. Computer and Information Security Handbook. Newnes, 2012.
Whitman, Michael, and Herbert Mattord. Management of Information Security. Cengage Learning, 2013.
Whitman, Michael, and Herbert Mattord. Principles of Information Security. Cengage Learning, 2011.