Health Body Wellness Center
- Pages: 3
- Word count: 717
- Category: Assessment Body Health Risk
A limited time offer! Get a custom sample essay written according to your requirements urgent 3h delivery guaranteed
Order NowHealth Body Wellness Center (HBWC) promotes medical research, evaluation, and sharing of information between health care professionals. The HBWC’s Office of Grants Giveaway (OGG) provides for the distribution of federally supported medical grants. OGG uses a Microsoft Access database program called Small Hospital Tracking System (SHGTS) to manage the medical grant distribution process. A risk assessment of SHGTS was conducted to evaluate vulnerabilities and establish a baseline of potential threats. HBWC has not provided a written Information Security (IS) policy that can be reviewed at this time. Additional As-Is questions (2) are provided as a guide to assess the companies security posture. A. As-Is Question Set
Question
If yes, page number
If no, justification
Policy
Does a policy that addresses the need for risk management exist? Not Provided
No policies were provided for organization
Is the acceptable risk posture for the organization included in the policy? Not Provided
No policies were provided for organization
Does the policy include details about a risk assessment?
Not Provided
No policies were provided for organization
Is there a section in the policy that includes multi-perspectives on risk including the following:
• Threat
• Asset
• Vulnerability space
• Business impact assessment
Not Provided
No policies were provided for organization
Is there a section in the policy that includes reporting results of risk assessments? Not Provided
No policies were provided for organization
Is there a section in the policy that includes a remediation analysis report based on risk assessments (i.e., how to reduce risk or increase security posture)? Not Provided
No policies were provided for organization
Procedures
Is there a procedure in existence that describes how to implement and enforce risk management policies? Not Provided
No policies were provided for organization
Does the procedure include a breadth of scope? Does the breadth of scope include the following:
• Threat
• Asset
• Vulnerability space
Not Provided
No policies were provided for organization
Health Body Wellness Center
As-Is Question Set
File:FYT2_Task 3
By Thomas A. Groshong Sr
Page 2 of 3
• Business impact assessment
Does the procedure include depth of scope? Does the depth of scope include the following:
• Interviews (asking)
• Verification (seeing)
• Validation (hands-on)
Not Provided
No policies were provided for organization
Practice
Does the organization practice the procedures described above? Not Provided
No policies were provided for organization
B. Develop two additional question categories for the “As-Is Question Set”
1. Security Management (SM):
2. Prevention:
B1. Justification
The two additional categories that have been selected above should be included in the “As-Is Question Set”. These categories cover important topics that should be covered during any assessment or audit process. Security Management and Prevention are both ISO 27001 categories and are established industrial best practices for Information Security (IS). The creation and maintenance of an Information Security Management System (ISMS) are covered in ISO 27002. (Arnason, S, & Willett, K.D. 2008) A discussion of each category is covered below.
• Security Management: This category covers executive backing and management support for the companies IS policy. Articulation of security objectives, and having a formal IS process are essential to the ISMS process. The establishment of clear security roles, responsibility delineation, and review of security awareness policies are must be established and reviewed. Resources allocation, and risk assessments must be managed as part of the SM program. (Arnason, S, & Willett, K.D. 2008)
• Prevention: Policies to prevent compromise and the review of mean time between failure (MTBF) requirements are covered under the prevention category. The review of qualified personnel, serviced information technologies, and maintenance tasks are established and reviewed. Prevention covers the tracking, trending, and reporting of IT systems performance. (Arnason, S, & Willett, K.D. 2008) Both Security Management and Prevention are categories that should be included in any review or audit process of IT systems. SM reviews how security is managed from the top down. The how and if management supports the ISMS program is identified. The overall management of the company and how services are provided are essential. Prevention looks at the performance and maintenance of IT systems and the reporting of these processes. It is extremely important to have these categories as part of the ISMS process and any review of these processes.
Reference Page
Arnason, S, & Willett, K.D. (2008). How to achieve 27001 certification an example of applied compliance. New Auerbach Publications. Tipton, H, & Henry, K. (2007). Official (ISC)2 guide to the CISSP CBK. Boca Raton, FL: Auerbach Publications. Tipton, H, & Krause, M. (2007). Information security management handbook, Sixth Edition. Boca Raton, FL: Auerbach Publications.