Sunday, December 8, 2019
Information Security Management Report for Analyzing
Question: Describe the report on Information Security Management.

Answer:

Introduction

The report focuses on analyzing information security threats in a large organization dependent on IT. The organization chosen here is Healthscope, a leading enterprise health care provider in Australia. Healthscope has 46 hospitals and 52 medical centers across Australia and employs 17000 people. Its operations are fully enabled by IT, and the hospitals and medical centers are connected as one large enterprise IT network. The organization generates huge volumes of information, stored as millions of records in its databases. Most employees use this data from different locations, and access is provided based on their position and role in the organization. The pathology services in its system are available to external users located globally.

Aims of the report

The focus of this report is to provide a brief analysis of the use of Identity and Access Management (IAM), its benefits and its importance in Healthscope. The recent developments in the field of IAM are explored for their implementation in the organization.

Overview

The IT operations and management in Healthscope are looked after by a department named IT Security and Information Assurance (ISIA). ISIA is fully aware that securing its IT systems and data is a top priority and crucial for its unique business services to run effectively. In the IT security landscape, threats and risks are increasing each day as new and advanced threats such as malware, phishing attacks and botnets are on the rise (Amigorena, 2015). Therefore, in order to have appropriate security measures and data protection systems, the organization has implemented security measures such as firewalls, perimeter defense, and anti-virus software.
However, ISIA recognized these measures as inadequate because its systems are used over the internet and a number of employees are mobile and access the systems from mobile devices, which increases the level of threat. ISIA is headed by a Chief Information Security Officer (CISO) and four managers responsible for security in key areas, namely information and physical security, data and user privacy, business continuity, managing attacks from malware and botnets, and identifying vulnerabilities and applying appropriate remedial measures to ensure the systems are secured from all types of attacks. In order to protect all its information assets, data and people, the organization is exploring the idea of IAM for protecting its IT systems and people.

Analysis

Description and importance of IAM

Identity and Access Management (IAM) is a security and governance solution that offers provisioning, compliance and enforcement capabilities for organizations in securing their IT systems. IAM also strengthens access control, user management, and compliance so that businesses can overcome their security risks. IAM solutions support good IT practice by answering questions (Bruhn et al, 2003) such as:

Is the user authorized to use IT services and data?
Is the user authentic, and is he/she involved in Healthscope services?
Is the user permitted to access the information?
Is user privacy ensured in the organization?

IAM systems help organizations to streamline and automate IT activities along with delivering business value. IAM is responsible for the entire user/device lifecycle in the organization: creating a new user, provisioning access to resources, modifying or providing appropriate access rights according to the user's position/role in the organization, and finally terminating access at the end of the user's association with the organization.
IAM solutions offer security and risk-related management by enforcing access policies, administering users and providing users with access to portals based on a set of associated approvals (EMC, 2015). The importance of an IAM solution in organizations can be understood from its functions and scope, which include:

Data collection for identity: This function holds user account details, roles and entitlements, and unifies them centrally as an identity store.
Identity analytics: This function provides visibility across the identity store for all identities and groups in Healthscope. The CISO can generate reports and dashboards and analyze identity-related status and trends.
Access review: In this function, the supervisors of different departments in Healthscope review IT access for their team members and ratify their access levels if found to be correct. Different users in the organization have different access levels, and the information or data available to them depends on their role and responsibility in a particular function.
Policy management: IAM solutions provide features to define policies (segregation of duties for users), identify violations and initiate remedial measures.
Management of roles: The role of each user for access to the system is maintained to consolidate his/her entitlements.
Access request management: Users can also request changed access to the system due to a functional change. For example, a user can request a password reset. Similarly, a recently promoted user can request a different access level (Faraji et al. 2014). Access requests are always subject to approval by the user's supervisor.

From the above scope, it can be understood that IAM solutions are essential in Healthscope because they give better control over users in remote locations. The trends and developments in IAM are explored next.
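An added example, not part of the original report: a small sketch of the identity store, role consolidation, segregation-of-duties policy check and supervisor access review listed above. The user names, roles, entitlement names and conflicting pairs are all constructed for illustration and do not describe Healthscope's systems.

```python
from collections import defaultdict

# Constructed sample data: role -> entitlements (management of roles).
ROLES = {
    "pathology_clerk": {"lab_order.create"},
    "pathology_lead": {"lab_order.create", "lab_result.approve"},
    "billing_officer": {"invoice.create"},
    "finance_approver": {"invoice.approve"},
}

# Constructed identity store: one centrally unified record per user.
IDENTITY_STORE = [
    {"user": "asmith", "supervisor": "mjones", "roles": ["pathology_clerk"], "active": True},
    {"user": "bnguyen", "supervisor": "mjones", "roles": ["billing_officer", "finance_approver"], "active": True},
    {"user": "cwong", "supervisor": "rpatel", "roles": ["pathology_lead"], "active": False},
]

# Hypothetical segregation-of-duties policy: pairs no single user may hold.
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),
    ("lab_order.create", "lab_result.approve"),
]

def entitlements(identity):
    """Consolidate a user's entitlements from all assigned roles."""
    granted = set()
    for role in identity["roles"]:
        granted |= ROLES.get(role, set())  # unknown roles grant nothing
    return granted

def sod_violations(store):
    """Return (user, conflicting pair) for every policy violation."""
    found = []
    for identity in store:
        held = entitlements(identity)
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                found.append((identity["user"], (a, b)))
    return found

def access_review(store):
    """Group each user's entitlements by supervisor for ratification,
    flagging leavers whose access should already be terminated."""
    queue = defaultdict(list)
    for identity in store:
        held = sorted(entitlements(identity))
        flag = "ok" if identity["active"] else "terminate"
        queue[identity["supervisor"]].append((identity["user"], held, flag))
    return dict(queue)
```

Note that the check catches both a user who accumulated two conflicting roles and a single role whose own entitlements conflict, which is why the policy is evaluated on consolidated entitlements rather than on role names.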

Developments/Trends of IAM

The recent trends and developments in IAM can be found in the following technology areas:

Mobile computing: As the workforce of Healthscope is mobile, users tend to bring their own devices (BYOD) for accessing applications and data such as product data, email and patient reports (Kunz et al. 2014). Market trends indicate that mobile computing is on the rise and is increasingly allowed by organizations for their users. For instance, if a mobile device with access to important data in the Healthscope system is stolen or lost, there is a big risk if it falls into the wrong hands. IAM can help Healthscope by securing user access in its mobile computing program. This is done by strengthening applications and databases and by securing user and device authentication.
Identity as a Service (IDaaS): IDaaS is a cloud-based solution to support authentication, authorization, and provisioning (Lonea et al. 2013). IAM in the cloud is an extension of an on-premise solution that gives secure integration of internal IT with the cloud infrastructure. Normally IDaaS is provided by the cloud service provider. IAM in the cloud computing area provides a scenario where applications deployed on the cloud are secured. The advantage here is that cloud computing systems already provide robust user authentication and access controls, and hence there is not much need for protecting applications in the cloud, especially if the deployment model is a private cloud. In such environments, federation, role-based access control (RBAC) (Majumdar et al. 2015) and cloud IAM solutions are available to ensure high levels of security.
Data loss prevention (DLP): DLP is another important area for many organizations like Healthscope. The first step in DLP is to protect data and ensure the identity of the user (Shoffner et al. 2015). DLP is another information security discipline which can enhance security in the organization when integrated with IAM capabilities.
Social networks: Social networks are another public domain area where systems are vulnerable to all types of attacks. Since many people post different messages on social media, IAM implementations must protect user accounts from being compromised (Hu et al. 2013). Normally this is done by requiring a second level of authentication, noting failed login attempts and monitoring for geographic regions which are known for gaining control of user accounts. When planning a social media presence as a marketing strategy, Healthscope must look into these aspects to avoid harm to its systems. Users in Healthscope must be trained on the importance of practicing discretion in social media interactions (Andersen et al. 2012).

In addition to the trends indicated, users in Healthscope must be educated on maintaining their privacy and on the importance of following security principles according to the IAM implementation. When IAM is correctly implemented it can mitigate unforeseen threats and ensure protection.

Recommendations, Justification, and Benefits

Based on the scope of IAM and the trends, users in Healthscope are mobile and are allowed access to its systems from a variety of devices. Given the large network infrastructure of Healthscope and the importance of data and information in the organization, all IT components, including information, must be given high levels of protection. Therefore, cloud-based IAM is recommended for the following reasons:

IAM solutions in the cloud offer high protection of user data and information assets.
The cloud-based solution is preferred because security systems and user authentication processes are already available in the cloud.
IDaaS is a cloud service that offers modular identity management for access, provisioning, policies and entitlements.
IDaaS can be integrated easily with IAM in the existing IT infrastructure and applications. This is important for Healthscope because multiple users use a variety of devices to access data from different locations.
IAM with IDaaS provides improved controls and ensures regulatory compliance (Sudha and Viswanathan, 2013).
Cloud-based IDaaS also improves IT agility by automating security processes (Bowen et al. 2014).

Therefore, IAM solutions are highly desired by Healthscope because they offer techniques such as review of user privileges, password management, identity-enabled networking (Torres et al. 2013), authentication and access control, and integration with IDaaS, as well as efficiency.

Conclusion

In this report, the importance of IAM for a large enterprise organization is highlighted. A brief description of IAM and its importance in the chosen organization is provided. It can be seen that IAM is important for most of the recent technological developments such as mobile computing and social networks. Looking into the operations of the chosen organization, a cloud-based solution integrated with IAM is preferred because it offers more robust security for protecting information assets and IT systems in the organization. The report also briefly provides the benefits, advantages, and justification for the recommended IAM solution.

References

Amigorena, F. 2015, Does your C-suite really understand the benefits of IT security?, Computer Fraud & Security, November 2015.
Andersen, K.N., Medaglia, R. and Henriksen, H.Z. 2012, Social media in public health care: Impact domain propositions, Government Information Quarterly, vol. 29, no. 4, pp. 462-469.
Bowen, J.P., Hinchey, M., Janicke, H., Ward, M.P. and Zedan, H. 2014, Formality, Agility, Security, and Evolution in Software Development, IEEE Computer, vol. 47, no. 10, pp. 86-89.
Bruhn, M., Gettes, M. and West, A. 2003, Identity and Access Management and Security in higher education. It's 9.30 am. Do you know who your users are?, Educause Quarterly, November 4, 2003.
EMC 2015, The business value of identity and access management, An RSA Whitepaper, EMC Corporation.
EY 2013, Identity and access management. Beyond compliance, Insights on governance, risk, and compliance, Ernst & Young.
Faraji, M., Kang, J.-M., Bannazadeh, H. and Leon-Garcia, A. 2014, Identity Access Management for Multi-tier cloud infrastructures, IEEE, pp. 1-4.
Hu, H., Ahn, G.J. and Jorgensen, J. 2013, Multiparty access control for online social networks: model and mechanisms, IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 7, pp. 1614-1627.
Kunz, M., Hummer, M., Fuchs, L., Netter, M. and Pernul, G. 2014, Analyzing Recent Trends in Enterprise Identity management, Department of Information Systems, University of Regensburg, Germany, pp. 1-4.
Lonea, A.M., Tianfield, H. and Popescu, D.E. 2013, Identity management for cloud computing, In New concepts and applications in soft computing, pp. 175-199, Springer Berlin Heidelberg.
Majumdar, S., Madi, T., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L. and Debbabi, M. 2015, Security Compliance Auditing of identity and Access Management in the Cloud: Application to OpenStack, In 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), pp. 58-65.
Shoffner, M., Owen, P., Mostafa, J., Lamm, B., Wang, X., Schmitt, C.P. and Ahalt, S.C. 2013, The secure medical research workspace: an IT infrastructure to enable secure research on clinical data, Clinical and translational science, vol. 6, no. 3, pp. 222-225.
Sudha, S. and Viswanathan, V.M. 2013, Addressing security and privacy issues in cloud computing, Journal of Theoretical and Applied Information Technology, vol. 48, no. 2, pp. 708-719.
Torres, J., Nogueira, M. and Pujolle, G. 2013, A survey on identity management for the future network, IEEE Communications Surveys & Tutorials, vol. 1, no. 2, pp. 787-802.