During a recent audit of the electronic health record (EHR) system, it was discovered that the system was vulnerable to threats, misuse, and theft because no security controls had been put in place before accounts were created. To help meet legal and industry standards, the company can implement ISO/IEC 27002, published by the International Organization for Standardization (ISO). ISO/IEC 27002 is an international security standard created by the ISO to protect the privacy of all forms of information: data, documents, communications, conversations, messages, recordings, and photographs. ISO is the world's largest developer of voluntary International Standards (ISO, 2012). The ISO has members from 164 countries and 3,335 technical bodies involved in the development of its standards. The ISO/IEC 27002 standard contains control policies that are critical in protecting information in the health, public, financial, and IT sectors. Implementing the three policies below can help prevent future breaches and will help the company meet industry standards and legal requirements.
User Account Policy:
All managers or department heads must submit a user account request form to the IT Department for each employee, contractor, and vendor. Each user will be issued a uniquely assigned user ID for authentication and accountability. Managers are to ensure that the level of access granted is based on the need to access the information in order to perform one's job responsibilities. Managers must also notify the IT Department of an employee's rotation of job duties or termination. The access rights of all employees, contractors, and vendors to information systems will be removed upon termination of their employment.
Remote Access Policy:
All remote access will be accomplished via a secure method, i.e., strong authentication and encryption. Remote access sessions will time out after 30 minutes of inactivity and will terminate after 8 hours of continuous connection. All computers and networks that are accessible by end users from external networks must maintain system logs that record each user's identity and the activity performed. These logs must indicate the user, the time of day, the date, and other details associated with all connections. The logs will be retained for 30 days and will be reviewed by the network administrator on a weekly basis. An automated intrusion detection system will be in place to immediately inform the network administrator of any suspicious activity.
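As an added illustration (not part of the original policy document), the following script shows how the session rules above could be checked against remote-access logs during the weekly review. It assumes a constructed log format of `<ISO-8601 time> user=<id> event=<login|activity|logout>`; the sample log lines are made up for the example.

```python
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)      # policy: time out after 30 min of inactivity
SESSION_LIMIT = timedelta(hours=8)      # policy: terminate after 8 h of continuous connection
REQUIRED = ("user", "event")            # policy: logs must identify the user and the activity

# Constructed sample log (not real data): alice goes idle too long, bob's session runs too long,
# and the last line is missing the required user field.
SAMPLE_LOG = """\
2012-06-23T08:00:00 user=alice event=login
2012-06-23T08:10:00 user=alice event=activity
2012-06-23T09:05:00 user=alice event=activity
2012-06-23T09:10:00 user=alice event=logout
2012-06-23T07:00:00 user=bob event=login
2012-06-23T07:20:00 user=bob event=activity
2012-06-23T15:10:00 user=bob event=logout
2012-06-23T08:00:00 event=login
"""

def parse_line(line):
    """Return (timestamp, fields); raise ValueError if the line is malformed or lacks a required field."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    for key in REQUIRED:
        if key not in fields:
            raise ValueError(f"missing {key}: {line}")
    return datetime.fromisoformat(ts_str), fields

def audit(log_text):
    """Return a list of policy findings as (user, kind, detail) tuples."""
    findings, sessions = [], {}      # sessions: user -> [login_time, last_seen]
    for line in log_text.splitlines():
        try:
            ts, f = parse_line(line)
        except ValueError as exc:
            findings.append(("?", "malformed", str(exc)))   # log line does not meet the logging rule
            continue
        user, event = f["user"], f["event"]
        if event == "login":
            sessions[user] = [ts, ts]
            continue
        start, last = sessions.get(user, (ts, ts))
        if ts - last > IDLE_LIMIT:       # activity after a gap longer than the idle timeout
            findings.append((user, "idle", f"{ts - last} idle before {ts.isoformat()}"))
        if ts - start > SESSION_LIMIT:   # session still open past the continuous-connection limit
            findings.append((user, "duration", f"session open {ts - start}"))
        sessions[user] = [start, ts]
        if event == "logout":
            del sessions[user]
    return findings
```

Running `audit(SAMPLE_LOG)` yields one idle finding for alice, an idle and a duration finding for bob, and one malformed-line finding.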
Network System Changes Policy:
Changes to company networks include loading new software, changing network addresses, reconfiguring routers, adding dial-up lines, and the like, but exclude desktop changes. With the exception of emergency situations, all changes to the company networks must be documented in a work order request and must be approved in advance by the agency network administrator and/or the IT Department. Emergency changes to the company networks must only be made by persons authorized by the IT Department.
Organizational policies are created to ensure that organizations comply with laws and regulations. An organization that is compliant with these laws and regulations is more likely to be successful. To be compliant, the organization must create documentation defining the procedures to be followed and the requirements to be met. Creating the user account policy will guarantee that the objective stated in ISO/IEC 17799:2005, to ensure authorized user access and to prevent unauthorized access to information systems (ISO/IEC, 2005), is met. This policy will allow users to be monitored and will prevent them from gaining unauthorized access to sensitive information. These steps are required to meet section 11.2.2 of the ISO/IEC 17799:2005 implementation guidance recommendations. The remote access policy will protect the company from security breaches by ensuring that the Network access control section of ISO/IEC 17799:2005 is followed.
The objective of this section is to prevent unauthorized access to networked services (ISO/IEC, 2005). Following section 10.6 of ISO/IEC 17799:2005 ensures the protection of the organization's information by controlling the access time of end users. Adding authentication and encryption helps safeguard the confidentiality and integrity of data passing over public networks or over wireless networks (ISO/IEC, 2005). Increasing the retention of system logs will give network administrators a greater ability to detect potential use by unauthorized users, which will also help prevent a breach of the company's security.
Finally, enforcing the network system changes policy in accordance with the ISO/IEC 17799:2005 section 11.5 objective, to prevent unauthorized access to operating systems (ISO/IEC, 2005), will help protect the organization from security breaches. Following this policy will implement monitoring of all network changes, which will protect the organization's network infrastructure. This policy prevents the unauthorized installation of packet sniffers and malicious bots from harming the network. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other similar problems. Initiating these policies will eliminate security breach risks to the organization while making it compliant with the laws and regulations that are required.
ISO/IEC. (2005). ISO/IEC 17799:2005, Code of practice for information security management. Retrieved June 23, 2012, from https://www.iso.org
International Organization for Standardization. (2012). About ISO. Retrieved June 23, 2012, from http://www.iso.org/iso/home/about.htm