Developing And Validating A Healthcare Information Security Governance Framework

General medical practices\u27 in Australia are vulnerable to information security threats and insecure practices. It is well accepted in the healthcare environment that information security is both a technical and a human endeavour, and that the human behaviours, particularly around integration with healthcare workflow, are key barriers to good information security practice. The Royal Australian College of General Practitioner\u27s (RACGP) Computer and Information Security Standards (CISS) 2013 are the best practice standards for general practices, against which information security is assessed during practice accreditation. With the release of ISO/IEC 27014:2013 Information technology - Security techniques - Governance of information security in May 2013, it is this governance component of information security that is insufficiently addressed within General Practice at present. This paper documents the development and validation of an information security governance framework for use within general medical practice. The aim of the proposed Information Security Governance Framework is to extend current best practice information security management to include information security governance

Towards a framework to ensure alignment among information security professionals, ICT security auditors and regulatory officials in implementing information security in South Africa

Information security in the form of IT governance is part of corporate governance. Corporate governance requires that structures and processes are in place with appropriate checks and balances to enable directors to discharge their responsibilities. Accordingly, information security must be treated in the same way as all the other components of corporate governance. This includes making information security a core part of executive and board responsibilities. Critically, corporate governance requires proper checks and balances to be established in an organisation; consequently, these must be in place for all information security implementations. In order to achieve this, it is important to have the involvement of three key role players, namely information security professionals, ICT security auditors and regulatory officials (from now on these will be referred to collectively as the ‘role players’). These three role players must ensure that any information security controls implemented are properly checked and evaluated against the organisation’s strategic objectives and regulatory requirements. While maintaining their individual independence, the three role players must work together to achieve their individual goals with a view to, as a collective, contributing positively to the overall information security of an organisation. Working together requires that each role player must clearly understand its individual role, as well the role of the other players at different points in an information security programme. In a nutshell, the role players must be aligned such that their involvement will deliver maximum value to the organisation. This alignment must be based on a common framework which is understood and accepted by all three role players. This study proposes a South African Information Security Alignment (SAISA) framework to ensure the alignment of the role players in the implementation and evaluation of information security controls. The structure of the SAISA framework is based on that of the COBIT 4.1 (Control Objectives for Information and Related Technology). Hence, the SAISA framework comprises four domains, namely, Plan and Organise Information Security (PO-IS), Acquire and Implement Information Security (AI-IS), Deliver and Support Information Security (DS-IS) and Monitor and Evaluate Information Security (ME-IS). The SAISA framework brings together the three role players with a view to assisting them to understand their respective roles, as well as those of the other role players, as they implement and evaluate information security controls. The framework is intended to improve cooperation among the role players by ensuring that they view each other as partners in this process. Through the life cycle structure it adopts, the SAISA framework provides an effective and efficient tool for rolling out an information security programme in an organisationComputer ScienceM. Sc. (Computer Science

Information Security Policy Development Through the Lens of the Institutional Analysis and Development Framework

Organizations worldwide are increasing their information security initiatives to keep pace with the highly complex and dynamically changing operating environments. With mounting regulations, risk mitigation, and critical information protection pressures, they focus on IT governance. Using a case study methodology, this research in progress introduces an interdisciplinary common governance framework to information security policy, an important internal governance control. The Institutional Analysis and Development (IAD) framework is part of Nobel Prize-winning work in economics and is recognized as one of the most comprehensive tools for both design and analysis of policy interventions

An Information Security Governance Framework for Australian Primary Care Health Providers

The competitive nature of business and society means that the protection of information, and governance of the information security function, is increasingly important. This paper introduces the notion of a governance framework for information security for health providers. It refines the idea of an IT Balanced Scorecard into a scorecard process for use in governing information security for primary care health providers, where IT and security skills may be limited. The approach amends and justifies the four main elements of the scorecard process. The existence of a governance framework specifically tailored for the needs of primary care practice is a critical success factor if such organizations are to move to a robust level of information security. The challenge is twofold. Firstly, measures for governance need to be understandable to the target audience using the framework. Secondly, the number of measures needs to be controllable otherwise the process will become unviable and unused. This research synthesizes existing models and industry standards to formulate a new governance process that meets these two important criteria. The contribution of this research is in the refinement of governance metrics to make them useful to healthcare providers, specifically in relation to IT and new information communication technologies

Corporate information risk : an information security governance framework

Information Security is currently viewed from a technical point of view only. Some authors believe that Information Security is a process that involves more than merely Risk Management at the department level, as it is also a strategic and potentially legal issue. Hence, there is a need to elevate the importance of Information Security to a governance level through Information Security Governance and propose a framework to help guide the Board of Directors in their Information Security Governance efforts. IT is a major facilitator of organizational business processes and these processes manipulate and transmit sensitive customer and financial information. IT, which involves major risks, may threaten the security if corporate information assets. Therefore, IT requires attention at board level to ensure that technology-related information risks are within an organization’s accepted risk appetite. However, IT issues are a neglected topic at board level and this could bring about enronesque disasters. Therefore, there is a need for the Board of Directors to direct and control IT-related risks effectively to reduce the potential for Information Security breaches and bring about a stronger system of internal control. The IT Oversight Committee is a proven means of achieving this, and this study further motivates the necessity for such a committee to solidify an organization’s Information Security posture among other IT-related issues

The Applicability of ISO/IEC27014:2013 For Use Within General Medical Practice

General practices are increasingly cognizant of their responsibilities in regards to information security, as is evidenced by professional bodies such as the Royal Australian College of General Practitioners (RACGP) who publish the Computer and Information Security Standards (CISS) for General Practices. Information security governance in general medical practice is an emerging area of importance. As such, the CISS (2013) standard incorporates elements of information security governance. The International Organization for Standardization (ISO) released a new global standard in May 2013 entitled, ISO/IEC 27014:2013 Information technology -- Security techniques -- Governance of information security. The release of this revised ISO standard, which is applicable to organisations of all sizes, offers a framework against which to assess and implement this governance component of information security within general medical practice. This paper reports on an analysis of this standard to determine how it could be applied to Australian general practice. The paper further reports on two qualitative interviews with information security experts relating to the suitability of utilising this standard within general practice. The results confirm that the governance component of information security. which is currently insufficiently addressed within general practice, requires support in the form of standards, however that developing a security culture is crucial to good governance in medical information security

Enhancing the governance of information security in developing countries: the case of Zanzibar

A thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements of the degree of Doctor of PhilosophyOrganisations in the developing countries need to protect their information assets (IA) in an optimal way. This thesis is based upon the argument that in order to achieve fully effective information security management (ISM) strategy, it is essential to look at information security in a socio-technical context, i.e. the cultural, ethical, moral, legal dimensions, tools, devices and techniques. The motivation for this study originated from the concern of social chaos, which results from ineffective information security practices in organisations in the developing nations. The present strategies were developed for organisations in countries where culture is different to culture of the developing world. Culture has been pointed out as an important factor of human behaviour. This research is trying to enhance information security culture in the context of Zanzibar by integrating both social and technical issues. The theoretical foundation for this research is based on cultural theories and the theory of semiotics. In particular, the study utilised the GLOBE Project (House et al, 2004), Competing Values Framework (Quinn and Cameron; 1983) and Semiotic Framework (Liu, 2000). These studies guide the cultural study and the semiotics study. The research seeks to better understand how culture impact the governance of information security and develop a framework that enhances the governance of information security in non-profit organisations. ISO/IEC 27002 best practices in information security management provided technical guidance in this work. The major findings include lack of benchmarking in the governance of information security. Cultural issues impact the governance of information security. Drawing the evidence from the case study a framework for information security culture was proposed. In addition, a novel process model for information security analysis based on semiotics was developed. The process model and the framework integrated both social and technical issues and could be implemented in any non-profit organisation operating within a societal context with similar cultural feature as Zanzibar. The framework was evaluated using this process model developed in this research. The evaluated framework provides opportunities for future research in this area

ISGOP: A model for an information security governance platform

Sound information security governance is an important part of every business. However, the widespread ransomware attacks that occur regularly cast a shadow of doubt on information security governance practices. Countermeasures to prevent and mitigate ransomware attacks are well known, yet knowledge of these countermeasures is not enough to ensure good information security governance. What matters is how the countermeasures are implemented across a business. Therefore, an information security governance structure is needed to oversee the deployment of these countermeasures. This research study proposes an information security governance model called ISGoP, which describes an information security governance platform comprising a data aspect and a functional aspect. ISGoP adopted ideas from existing frameworks. An information security governance framework known as the Direct-Control Cycle was analyzed. This provided ISGoP with conceptual components, such as information security-related documents and the relationships that exist between them. It is important to understand these conceptual components when distributing information security-related documents across all level of management for a holistic implementation. Security related documents and their relationships comprise the data aspect of ISGoP. Another framework that influenced ISGoP is the SABSA framework. The SABSA framework is an enterprise architecture framework that enables interoperability. It ensures collaboration between the people working for a business. Ideas from the SABSA framework were used to identify roles within the information security governance framework. The SABSA life cycle stages were also adopted by ISGoP. Various functions define the functional aspect of ISGoP. These functions are organised according to the life cycle stages and the views defined for the various roles. A case study was used to evaluate the possible utility of ISGoP. The case study explored a prototype implementation of ISGoP in a company. In addition to demonstrating its utility, the case study also allowed the model to be refined. ISGoP as a model must be refined and modified for specific business circumstances but lays a solid foundation to assist businesses in implementing sound information security governance

Electronic security - risk mitigation in financial transactions : public policy issues

This paper builds on a previous series of papers (see Claessens, Glaessner, and Klingebiel, 2001, 2002) that identified electronic security as a key component to the delivery of electronic finance benefits. This paper and its technical annexes (available separately at http://www1.worldbank.org/finance/) identify and discuss seven key pillars necessary to fostering a secure electronic environment. Hence, it is intended for those formulating broad policies in the area of electronic security and those working with financial services providers (for example, executives and management). The detailed annexes of this paper are especially relevant for chief information and security officers responsible for establishing layered security. First, this paper provides definitions of electronic finance and electronic security and explains why these issues deserve attention. Next, it presents a picture of the burgeoning global electronic security industry. Then it develops a risk-management framework for understanding the risks and tradeoffs inherent in the electronic security infrastructure. It also provides examples of tradeoffs that may arise with respect to technological innovation, privacy, quality of service, and security in designing an electronic security policy framework. Finally, it outlines issues in seven interrelated areas that often need attention in building an adequate electronic security infrastructure. These are: 1) The legal framework and enforcement. 2) Electronic security of payment systems. 3) Supervision and prevention challenges. 4) The role of private insurance as an essential monitoring mechanism. 5) Certification, standards, and the role of the public and private sectors. 6) Improving the accuracy of information on electronic security incidents and creating better arrangements for sharing this information. 7) Improving overall education on these issues as a key to enhancing prevention.Knowledge Economy,Labor Policies,International Terrorism&Counterterrorism,Payment Systems&Infrastructure,Banks&Banking Reform,Education for the Knowledge Economy,Knowledge Economy,Banks&Banking Reform,International Terrorism&Counterterrorism,Governance Indicators

Impact of Knowledge Management on Security of Information and its Strategic Outcomes

Security of Information plays an important role in the progress of any organization. This research finds out that Information Security can be achieved through proper Knowledge Management in organizations especially in Telecommunication Sector. Not only the literature supports the theme of the research but it was also proved by the analysis and results of the respondents responses. Knowledge Management was found to have positive and significant influence over Security of Information. A framework was also developed for studying the relationship among Knowledge Management, Security of Information, Information Governance, Information Risk Management and Safety to Organizational Knowledge; which was tested through correlation and regression. Though the research was carried out in Telecommunication Sector organizations, yet it is equally valuable for and implementable in any other sector. Keywords: Knowledge Management (KM), Information Governance (IG), Information Risk Management (IRM), Safety to Organizational Knowledge (SOK)