Information Security Classification Essay Example for Free

Information Security Classification Essay Information Security is simply the process of keeping information secure: protecting its availability, integrity, and privacy (Demopoulos). With the advent of computers, information has increasingly become computer stored. Marketing, sales, finance, production, materials, etc are various types of assets which are computer stored information. A large hospital is an institution which provides health care to patients. They are staffed by doctors, nurses, and attendants. Like any large organization, a hospital also has huge amounts of data and information to store. Hospitals have increasingly become automated with computerized systems designed to meet its information needs. According to the Washtenaw Community College website, the following types of information are stored in a Hospital: †¢ Patient information †¢ Clinical laboratory, radiology, and patient monitoring †¢ Patient census and billing †¢ Staffing and scheduling †¢ Outcomes assessment and quality control †¢ Pharmacy ordering, prescription handling, and pharmacopoeia information †¢ Decision support †¢ Finance and accounting †¢ Supplies, inventory, maintenance, and orders management Viruses, worms and malware are the most common threats to information security. In computers, a virus is a program or programming code that replicates by being copied or initiating it’s copying to another program, computer boot sector or document (Harris, 2006). Floppy disks, USB drives, Internet, email are the most common ways a virus spreads from one computer to another. Computer viruses have the potential to damage data, delete files or crash the hard disk. Many viruses contain bugs which can cause system and operating system crashes. Computer worms are malicious software applications designed to spread via computer networks (Mitchell). They also represent a serious threat to information security. Email attachments or files opened from emails that have executable files attached are the way worms spread. A Trojan is a network software application designed to remain hidden on an installed computer. Software designed to monitor a persons computer activity surreptitiously and which transmits that information over the internet is known as spy ware (Healan, 2005). Spy ware monitors information using the machine on which it is installed. The information is transmitted to the company for advertising purposes or sold to third party clients. Identity theft and data breaches are two of the biggest problems facing Information security managers. Hackers steal Social Security numbers, credit card data, bank account numbers and other data to fund their operations. There are other potential threats to the hospital information like power outages, incompetent employees, equipment failure, saboteurs, natural disasters, etc. A large hospital requires an information classification policy to ensure that information is used in appropriate and proper manner. The use of the information should be consistent with the hospital’s policies, guidelines and procedures. It should be in harmony with any state or federal laws. The hospital’s information should be classified as follows: 1. Restricted 2. Confidential 3. Public Restricted information is that which can adversely affect the hospital, doctors, nurses, staff members and patients. Its use is restricted to the employees of the hospital only. Finance and accounting, supplies, inventory, maintenance, and orders management are restricted information which comes in this category. Confidential information includes data on patients which must be protected at a high level. Patient information, clinical laboratory, radiology, and patient monitoring are some of the information which comes in this category. It can also include information whose disclosure can cause embarrassment or loss of reputation (Taylor, 2004). Public information includes data which provides general information about the hospital, its services, facilities and expertise to the public. Security at this level is minimal. This type of information requires no special protection or rules for use and may be freely disseminated without potential harm (University of Newcastle, 2007). Information Classification Threat Justification Patient information Confidential Disclosure or removal Any disclosure or removal can cause serious consequences to the patient Clinical laboratory, radiology, and patient monitoring Confidential Disclosure or removal Any disclosure or removal can cause serious consequences to the patient Finance and accounting, supplies, inventory, maintenance, and orders management Restricted Loss or destruction Any loss or destruction of this information could be very dangerous for the organization General information about the hospital, its services, facilities and expertise Public Low threat Low threat since the information is public. It would affect public relations however. Research Information Confidential Disclosure or removal This is confidential material since its exposure would cause serious consequences for the hospital Figure: Classification table Information is an asset for the hospital. The above information classification policy defines acceptable use of information. They are based according to the sensitivity of the information. According to the government of Alberta information security guideline, there are four criteria are the basis for deciding the security and access requirements for information assets. These criteria are: Integrity: information is current, complete and only authorized and accurate changes are made to information; Availability: authorized users have access to and can use the information when required; Confidentiality: information is only accessed by authorized individuals, entities or processes; and Value: intellectual property is protected, as needed. Information security must adequately offer protection through out the life span of the information. Depending on the security classification, information assets will need different types of storage procedures to ensure that the confidentiality, integrity, accessibility, and value of the information are protected. The hospital director must be responsible for the classification, reclassification and declassification of the hospital’s information. The information security policy must be updated on a regular basis and published as appropriate. Appropriate training must be provided to data owners, data custodians, network and system administrators, and users. The information security policy must also include a virus prevention policy, intrusion detection policy and access control policy. A virus prevention policy would include the installation of a licensed anti virus software on workstations and servers. The headers of emails would also be scanned by the anti virus software to prevent the spread of malicious programs like viruses. Intrusion detection systems must be installed on workstations and servers with critical, restricted and confidential data. There must be a weekly review of logs to monitor the number of login attempts made by users. Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected. Access to the network and servers and systems should be achieved by individual and unique logins, and should require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication. This policy is the access control policy. It prevents unauthorized access to critical data. A large hospital like any organization today uses computers to store its information. The classification of its data is a very important goal to protect it from threats like viruses, Trojans, worms, spy ware, ad ware and hackers. Natural disasters and incompetent employees are another type of threats to the hospital’s data. A proper information security policy can protect the organization’s critical data from any external or internal threat. Bibliography Allen, Julia H. (2001). The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley. 0-201-73723-X. Krutz, Ronald L. ; Russell Dean Vines (2003). The CISSP Prep Guide, Gold Edition, Indianapolis, IN: Wiley. 0-471-26802-X. Layton, Timothy P. (2007). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: Auerbach publications. 978-0-8493-7087-8. McNab, Chris (2004). Network Security Assessment. Sebastopol, CA: OReilly. 0-596-00611-X. Peltier, Thomas R. (2001). Information Security Risk Analysis. Boca Raton, FL: Auerbach publications. 0-8493-0880-1.