8.4.2 The customised GST instances
The above acceptance types have been reflected in the revised Generic Security Template, as shown in Figures 8.4, 8.5 and 8.6.
A comparison of the Generic Security Template instances for the VA 2006, VA 2007 and Shenzhen security incidents reveals that the redacted central hospital is more likely to accept recommendations from the Shenzhen security incident: the acceptance types there are limited to implemented, implemented with customisation, and implementable. This might be due to the similarity of the healthcare system settings within the same country.
On the other hand, the VA security incidents have some additional acceptance types, namely reserved for future use and implementation unnecessary. For example, the lesson learned “Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage” is reserved for future use because the organisation currently does not allow any kind of patient data to be stored on removable storage. The lesson learned “Security Policy: Discontinue storing email on unauthorized system” is reserved for future use because the organisation currently does not use an internal email system, which indicates different system settings between the two countries. The lesson learned “Risk Analysis: Develop and issue Government-wide risk analysis criteria” is implementation unnecessary because the organisation believes it is the government’s responsibility to develop and issue government-wide risk analysis criteria.
As we have seen, the development of a specific security incident map from the Generic Security Template helps organisations consider their own practices and to assess whether applicable security standards address the concerns raised in previous breaches. Again, in this process, participants stated the GST provides a platform for discussion and helped them come to the final decision on acceptance of lessons learned.
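The customisation described above can be made checkable: once each lesson learned carries its acceptance type and the standard clause it supports, an organisation can see which parts of the "acceptably secure" argument are actually covered today and which rest on lessons that were deferred. The following is an added example, not code or a formalism from the thesis; its clause/lesson data structures, the status-propagation rule (a goal is only as strong as its weakest sub-goal), and the sample instance (a constructed subset loosely modelled on Figure 8.6, with clause-to-lesson pairings assumed for illustration) are all assumptions of the example.

```python
"""Added example: a small model of a Generic Security Template (GST) instance
customised by acceptance type. The data model, the propagation rule and the
sample data are this example's own assumptions, not the thesis's formalism."""
from dataclasses import dataclass
from typing import Optional

# Acceptance types named in Section 8.4, grouped by what they mean for the
# argument today. The grouping is an assumption of this example.
STATUS_OF = {
    "implemented": "covered",
    "implemented with customisation": "covered",
    "implementable": "planned",
    "implementable with customisation": "planned",
    "reserved for future use": "deferred",
    "implementation unnecessary": "deferred",
}
# Ranking used for propagation: a goal is only as strong as its weakest sub-goal.
RANK = {"unsupported": 0, "deferred": 1, "planned": 2, "covered": 3}


@dataclass(frozen=True)
class Clause:
    cid: str               # clause number in the target standard (GB/T22239 here)
    title: str
    parent: Optional[str]  # None for the root goal


@dataclass(frozen=True)
class Lesson:
    lesson_type: str  # Type I-IV from the thesis's lesson taxonomy
    category: str
    text: str
    supports: str     # clause id this lesson provides evidence for
    acceptance: str   # one of STATUS_OF's keys


def validate(clauses, lessons):
    """Reject instances that reference unknown clauses or acceptance types."""
    ids = {c.cid for c in clauses}
    for c in clauses:
        if c.parent is not None and c.parent not in ids:
            raise ValueError(f"clause {c.cid} has unknown parent {c.parent}")
    for les in lessons:
        if les.supports not in ids:
            raise ValueError(f"lesson '{les.category}' supports unknown clause {les.supports}")
        if les.acceptance not in STATUS_OF:
            raise ValueError(f"unknown acceptance type '{les.acceptance}'")


def coverage(clauses, lessons):
    """Return {clause id: status}. A clause's status is the worst of its
    children's statuses and its own best direct evidence; a clause with
    neither children nor lessons is 'unsupported'."""
    validate(clauses, lessons)
    children = {}
    for c in clauses:
        children.setdefault(c.parent, []).append(c.cid)
    direct = {}  # best status of the lessons attached directly to a clause
    for les in lessons:
        s = STATUS_OF[les.acceptance]
        if les.supports not in direct or RANK[s] > RANK[direct[les.supports]]:
            direct[les.supports] = s
    status = {}

    def visit(cid):
        parts = [visit(ch) for ch in children.get(cid, [])]
        if cid in direct:
            parts.append(direct[cid])
        s = min(parts, key=RANK.__getitem__) if parts else "unsupported"
        status[cid] = s
        return s

    for root in children.get(None, []):
        visit(root)
    return status


def weak_spots(status):
    """Clauses whose argument is not covered today, worst first."""
    return sorted((cid for cid, s in status.items() if s != "covered"),
                  key=lambda cid: (RANK[status[cid]], cid))


def sample_instance():
    """Constructed subset of a VA 2006-style instance; pairings are assumed."""
    clauses = [
        Clause("HS", "Healthcare System is acceptably secure", None),
        Clause("7.1", "Technical requirements are addressed", "HS"),
        Clause("7.2", "Management requirements are addressed", "HS"),
        Clause("7.1.5", "Data security and recovery", "7.1"),
        Clause("7.1.5.2", "Data confidentiality (S4)", "7.1.5"),
        Clause("7.2.2", "Security management structure", "7.2"),
        Clause("7.2.2.1", "Position description (G4)", "7.2.2"),
        Clause("7.2.3", "Human resource security management", "7.2"),
        Clause("7.2.3.4", "Security education and awareness training (G4)", "7.2.3"),
        Clause("7.2.5", "System operation and maintenance management", "7.2"),
        Clause("7.2.5.12", "Security incident handling (G4)", "7.2.5"),
    ]
    lessons = [
        Lesson("Type I", "Sensitive Information", "Encrypt PII on removable storage",
               "7.1.5.2", "reserved for future use"),
        Lesson("Type III", "Position Description", "Define the position sensitivity level",
               "7.2.2.1", "implementable"),
        Lesson("Type III", "Security Training", "Link applicable laws and hospital policy "
               "into awareness training", "7.2.3.4", "implemented with customisation"),
        Lesson("Type I", "Incident Handling", "Enhance incident-response programme",
               "7.2.5.12", "implementable"),
        Lesson("Type III", "Administrative Action", "Act on misconduct under the China "
               "Personal Information Protection Act", "7.2.5.12",
               "implemented with customisation"),
    ]
    return clauses, lessons


if __name__ == "__main__":
    st = coverage(*sample_instance())
    for cid in weak_spots(st):
        print(f"{cid:10s} {st[cid]}")
```

Running the block reports that the deferred removable-storage lesson leaves the whole technical branch (7.1) and hence the top goal only "deferred", while the management branch is merely "planned" because position-description work is implementable but not yet done; this is the kind of gap an organisation would want to see before treating the instance as its own security argument.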
8.5 Other customisation requirements - multi-view
The organisation identified some other customisation requirements of the Generic Security Template, such as the multi-view approach, a requirement raised in Chapter 6. The Generic Security Template is then further customised, and those new features will be considered in the future design of the Generic Security Template. Identifiers that document the target groups are added to the Generic Security Template and the adjusted Generic Security Templates are produced. The target groups were classified into three,
[Figure 8.4: goal-structured argument; only the node text is recoverable from the page.]
Top goal: Healthcare System (HS) is acceptably secure. Context: Healthcare System of XXX Central Hospital. Strategy: argument over GB/T22239 (Chinese Security Standard).
Standard clauses argued as addressed:
  7.1 Technical requirements are addressed.
    7.1.2 Internet security control is addressed.
    7.1.5 Data security and recovery are addressed.
      7.1.5.2 Data confidentiality (S4) is addressed.
  7.2 Management requirements are addressed.
    7.2.1 Security management policy is addressed.
      7.2.1.1 Management policy (G4) is addressed.
    7.2.2 Security management structure is addressed.
      7.2.2.5 Audit and assessment (G4) are addressed.
    7.2.3 Human resource security management is addressed.
      7.2.3.4 Security education and awareness training (G4) is addressed.
Lessons learned attached to the argument:
  (Type II) Security Audit: Establish and conduct a security audit plan according to the security standards.
  (Type II) Security Policy: Establish and enforce a security policy according to the security standards.
  (Type II) Security Training: Establish and execute security training programmes by following the security standard.
  (Type II) Network Security: Ensure network security by following the security standard.
  (Type II) Network Security: Use network physical isolation to ensure network security.
  (Type III) Sensitive Information: Define the information sensitivity level.
Acceptance types shown: Implementable with customisation; Implementable; Implemented; Implementable; Implementable.
Figure 8.4: Instance of the Generic Security Template Shenzhen 2008 - customised by implementation types
[Figure 8.5: goal-structured argument; only the node text is recoverable from the page.]
Top goal: Healthcare System (HS) is acceptably secure. Context: Healthcare System of Shenzhen Hospital. Strategies: argument over GB/T22239 (Security Standard, China); argument over all missing security recommendations (standard non-existent): Government-wide risk analysis criteria.
Standard clauses argued as addressed:
  8.1 Technical requirements are addressed.
    8.1.4 Application security is addressed.
      8.1.4.3 Access control (S4) is addressed.
        8.1.4.3.d Minimum required permissions should be granted to different accounts.
    8.1.5 Data security and recovery are addressed.
      8.1.5.2 Data confidentiality (S4) is addressed.
        8.1.5.2.b Use encryption or other protective measures for system data management, information identification, and the storage of critical business data.
  8.2 Management requirements are addressed.
    8.2.1 Security management policy is addressed.
      8.2.1.1 Management policy (G4) is addressed.
    8.2.2 Security management structure is addressed.
      8.2.2.1 Position description (G4) is addressed.
    8.2.5 System operation and maintenance management are addressed.
      8.2.5.12 Security incident handling (G4) is addressed.
Lessons learned attached to the argument:
  (Type I) Access Control: Avoid the abuse of programmer-level access control.
  (Type I) Access Control: Warn the security engineers of the consequences caused by wrongly granting access control through department meetings.
  (Type I) Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
  (Type III) Position Description: Re-evaluate and correct the position sensitivity level.
  (Type III) Position Description: Define the position sensitivity level.
  (Type III) Management Structure: Establish a functional description and performance plan to clarify the line of authority and reporting relationship.
  (Type III) Administrative Action: Take appropriate administrative action against the people involved in this incident for their inappropriate actions.
  (Type III) Administrative Action: Take appropriate administrative action against the people involved in this incident for their inappropriate actions according to the “China Personal Information Protection Act”.
  (Type III) Security Policy: Discontinue storing email on unauthorized systems.
  (Type III) Security Policy: Ensure that human subjects in research comply with information security requirements.
  (Type III) Security Policy: Ensure that human subjects in research comply with the “China Personal Information Protection Act”.
  (Type III) Security Policy: Ensure that data security plans for research projects comply with information security policies.
  (Type IV) Risk Analysis: Develop and issue Government-wide risk analysis criteria.
Acceptance types shown: Implementation unnecessary; Implemented with customisation; Implementable; Implementable with customisation; Reserved for future use; Implementable with customisation; Implemented; Reserved for future use; Implemented with customisation.
Figure 8.5: Instance of the Generic Security Template VA 2007 - customised by implementation types
[Figure 8.6: goal-structured argument; only the node text is recoverable from the page.]
Top goal: Healthcare System (HS) is acceptably secure. Context: Healthcare System of XXX Central Hospital. Strategy: argument over GB/T22239 (Chinese Security Standard).
Standard clauses argued as addressed:
  7.1 Technical requirements are addressed.
    7.1.5 Data security and recovery are addressed.
      7.1.5.2 Data confidentiality (S4) is addressed.
        7.1.5.2.b Use of encryption or other protective measures for system data management, information identification, and the storage of critical business data is addressed.
  7.2 Management requirements are addressed.
    7.2.2 Security management structure is addressed.
      7.2.2.1 Position description (G4) is addressed.
    7.2.3 Human resource security management is addressed.
      7.2.3.4 Security education and awareness training (G4) is addressed.
    7.2.5 System operation and maintenance management are addressed.
      7.2.5.12 Security incident handling (G4) is addressed.
        7.2.5.12.d Development of security incident reporting and response procedure, scope, extent and treatment method is addressed.
Lessons learned attached to the argument:
  (Type I) Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
  (Type I) Incident Handling: Enhance the incident-response programme on prompt identification and thorough investigation of incidents.
  (Type III) Position Description: Define the position sensitivity level.
  (Type III) Security Training: Provide linkage to all applicable laws and VA policy as part of the security awareness training.
  (Type III) Administrative Action: Take administrative actions against the people involved in this incident for their inappropriate actions.
  (Type III) Administrative Action: Take administrative actions against the people involved in this incident for their inappropriate actions according to the “China Personal Information Protection Act”.
Acceptance types shown: Reserved for future use; Implementable; Implementable; Implementable; Implemented with customisation.
Figure 8.6: Instance of the Generic Security Template VA 2006 - customised by implementation types