This is a sample New Zealand information systems essay titled “Information Security Issues Faced by Healthcare in New Zealand”. The report identifies and interprets the security issues and threats in the New Zealand healthcare industry, proposes possible security solutions and recommends related policies to overcome the identified issues. The literature review covers information security, information security issues, information security policies and information security awareness. The recommendations proposed are aligned with the literature review.
I. Abstract
This report will identify and interpret the security issues and threats of the healthcare industry in New Zealand, suggest possible security solutions and recommend related policies to overcome the identified issues. The literature review covers information security, information security issues, information security policies and information security awareness. The recommendations are aligned with the literature review.
II. Introduction
Modern healthcare has changed dramatically with the help of technology. Data sharing and collaboration between physicians and their patients through the widespread use of electronic systems has reduced medical errors and supported medical research. The delivery of healthcare has driven the digitalisation of health information, which has made healthcare data highly vulnerable to attack (Dunlap & Pliakos 2017). Ahead of all other industries, healthcare remains the most cyberattacked industry (‘Cybersecurity in healthcare is improving, but not fast enough’ 2017). Therefore organisations must deploy a wide range of tools and mechanisms for the security of their information, and mainly a portfolio of managerial, organisational and technical defences under an information security policy. Even after much research and many practical initiatives, security breaches remain the main area of concern for all organisations, and in particular for the healthcare sector (Stahl, Doherty & Shaw 2012).
The nature of information security threats has changed significantly during the past years, yet the incidence of information security breaches remains very high. Information technology and network connections are core components of every organisation. End users are often unaware of the security concerns caused by certain actions; for employees, information technology is just a tool for performing their work as fast and as efficiently as possible. One of the most vital parts of ensuring the security of information technology systems and information processes is therefore the employees themselves (Hansche 2001).
Most information technology incidents have occurred as a result of employee actions originating either from inattention or from unawareness of security policies and procedures. Trained employees therefore play a crucial role in the effective functioning and protection of information systems.
III. Literature Review
a) Information Security
The high priority of the information security problem affects not only information security experts but also large communities such as company managers and university staff. Cyber threats have no boundaries and their landscape is expanding fast. Technology on its own cannot provide information security, even though present IT solutions offer means to protect users’ information and security. The global 2013 survey performed by PwC emphasises that most risks are neither properly understood nor properly addressed (PWC 2013). For security to be effective, a proactive rather than a reactive approach to IT risks has to be adopted in information security (EY 2014). Information security specialists have recognised both a higher rate of attacks and their growing sophistication (Stanciu & Tinca 2016).
Given the increase in attacks that exploit weaknesses or vulnerabilities, special emphasis should be given to information security. A survey held in the UK in 2014 states that 31% of the worst security breaches happened due to inadvertent human error, and a further 20% were caused by deliberate misuse of systems by employees (PWC 2014). Companies can enforce a security policy and take the most adequate information security actions, but if employees are not trained in this regard, real awareness can never be achieved, and the companies will remain less protected with respect to information security policies and IT risks. The ultimate success of security measures depends on the actions of end users, as stated by Rastogi and von Solms in 2012 (Stanciu & Tinca 2016).
b) Information Security Issues
Considering the different organisations of today, the majority of them depend on information security for survival (Knapp et al. 2006). The higher number of threats and the ferocity of attacks have made data protection a challenge. To avoid the biggest risks, business organisations should ensure that their information systems are running well. In this context, information security means the safe storage of data: a careful balance between user access and safeguarding information. Attacks can come from either external or internal sources, and can take the form of denial of service or damage to the entire framework. Threats to information can take many forms, such as natural and man-made disasters, errors of employees, acts of competitors, hackers and viruses. Viruses, worms, hackers, and employee abuse and misuse have created the need to understand and implement better-quality information security. If an organisation fails to address and diligently reduce its information security issues, it will encounter problems. Information security issues are ignored by top managers, middle managers and employees alike, and many organisations lose trust because of failures in information security. The fundamental building blocks for the development of information security, as identified by Fitzgerald, are: an information security policy document; allocation of security responsibilities; information security education and training; reporting of security incidents; virus control; a business continuity planning process; control of proprietary copying; safeguarding of company records; and compliance with data protection legislation. To handle the problem of information security breaches effectively, more importance should be given to human, organisational and training factors (‘IT Security Consultancy in Malaysia: Hindrances and Impacts’ n.d.).
The table below lists the top five information security and risk management issues that organisations dealt with during this period (‘Information security issues, strategies and spending in 2010’ n.d.).
The table below lists the information security issues which must be addressed in order of priority:
c) Information Security Policy
Information security policy development is a critical activity. A well-drafted information security policy underpins the credibility of an organisation’s complete information security programme (Kadam 2007). An information security policy gives the organisation a clear, high-level and comprehensive strategy for addressing security problems in relation to business objectives. By adopting the best policy framework, the organisation can assess, improve and develop its information security policy. A better framework brings better communication among information security teams, management executives and information owners, and provides a better understanding of the basics required for effective information security. Because of the nature of open computing environments, the risks are many. Policies remain relevant and applicable for a period of time, and require revision when fundamental changes occur or the operational objectives of the organisation differ (‘Information Security Policy Framework: Best Practices for Security Policy i…’ n.d.).
d) Information Security Awareness
Every organisation has its own state-of-the-art hardware and network security protection, but it takes just a second for an uneducated person to download a virus that compromises the organisation’s systems and, in turn, accidentally exposes confidential information. Security incidents caused by employees may be intentional or unintentional errors, which underlines the importance of a security awareness programme. The National Institute of Standards and Technology (NIST) describes information security awareness as follows: “Awareness is not training. The purposes of awareness presentations are simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly”. Implementing a security awareness programme is a must for the overall information security infrastructure (Wilson & Hash 2003).
One of the best practices followed in organisations is to communicate security policies, tips and best practices to everyone in the organisation. Information security awareness is not training; it is designed to change employees’ behaviour. A security awareness programme must run in conjunction with information technology, hardware and software to avoid threats to the organisation. A successful security awareness programme should give users all the details about the use of information technology systems and data assets. The information security policy and procedures must be uniformly followed by everyone in the organisation, and everyone should be properly educated and informed about information security policies and expectations (‘Developing an Information Security Awareness Program for a Non-Profit Organ…’ n.d.).
IV. Identify and interpret the security issues/threats/vulnerabilities of the given scenario:
The higher the number of data breaches, the greater the volume of compromised records. This indicates that in the years to come, much more expensive attacks can happen to any organisation. Some of the traditional areas that incur these costs are network clean-up and customer notification, but additional costs will arise from newer areas, including litigation involving a growing number of parties. There are also predictions that angry customers will pressure governments to introduce much tighter data protection rules (Olavsrud 2017). The higher number of failures is caused by capacity issues and operational failures. In a study of the top security threats perceived by organisations with over 500 employees, the top five threats were (1) deliberate software attacks; (2) technical software failures or errors; (3) acts of human error or failure; (4) deliberate acts of espionage or trespass; and (5) deliberate acts of sabotage or vandalism (‘Information Security Threats: A Comparative Analysis of Impact, Probability…’ n.d.).
A threat depends on the attacker’s degree of skill, knowledge, resources, authority and motives. Apparently, the same holds for the information security professionals who are supposed to protect against threats: no one can expect appropriate protection where skills, knowledge, resources, authority and motives are lacking. In recent years threats have come to have a huge impact on all organisations. Computer security and information security are both paramount in running an organisation. To ensure that an organisation’s information assets retain their accuracy, confidentiality and availability, it is highly significant to prioritise the security of its computer systems. The major source of system security risk is the users, who are considered internal threats (Chekwa et al. 2013).
Basic security responsibilities must be followed by all employees. A number of factors contribute to cyber vulnerabilities in the healthcare sector, including real-life urgent situations, tension between departmental priorities, and budget considerations. When dealing with critical conditions, healthcare staff have no choice but to leave their workstations unlocked, which permits others to access important data and creates potential patient safety issues. The urgent need for information can conflict with best practices in relation to privacy and security. There are reports indicating that cybersecurity at organisational level is often viewed as an information technology problem rather than as a high-level priority. Information security professionals have trouble convincing healthcare organisations that these types of attack pose risks to patient care. To protect the organisation against lasting reputational damage, proactive measures should be taken. Healthcare organisations of all sizes are targeted, in part because of the black market for medical records and the valuable nature of healthcare data.
V. Suggest possible security solutions for the identified issues of the given scenario:
The existing business plan should be designed so as to protect information security, which is a valuable business strategy. The preparedness plan must be divided into physical security, information security, emergency response, crisis management and business continuity planning. As soon as a risk is realised, the business continuity plan will describe the steps to take; systems and processes should be in place before anything can happen (‘Information Security Threats: A Comparative Analysis of Impact, Probability…’ n.d.).
Periodic review and evaluation of all management programmes and of the security awareness programme must be done. A survey questionnaire should be circulated among employees seeking input. A brief awareness briefing should be conducted during new employee orientation, with follow-up every three to six months asking how the briefing was received (i.e. what they can remember, what information needs to be added, etc.). Others should also be asked about the awareness programme. The security incidents that occurred before and after the programme should be tracked; a higher number of reported incidents is a positive sign. Users should be well aware of whom to contact in case of any suspected security breach or incident. Spot checks should be done in a user-friendly manner.
These must include walking through the office to check whether unattended workstations are logged in and whether sensitive media are adequately protected. Awareness materials should be distributed via computer-based delivery, including the intranet. A basic check should be made of who has reviewed the material, and a targeted questionnaire must be given to those employees who have completed the online material. A system manager must run a password cracking programme against each employee’s password. In many cases the focus of evaluations deviates and ends up on the wrong item. Employees and management support are the key components of an information security programme for ensuring the goals of the awareness programme (Hansche 2001).
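The password audit described above can be moved earlier, to the moment a password is set, so that the weak choices a dictionary-based cracker would find are rejected before they ever reach the password store. The following Python check is an added example, not code from the report or from any of the cited authors; the common-password list, the leet-speak mapping and the account names it is tested with are constructed for illustration, and a real deployment would load a published list of breached passwords instead.

```python
"""
Weak-password policy check applied when a user sets a password.

Added example: rejects at set-time the same passwords a dictionary-based
cracking run against stored credentials would later find.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of frequently used passwords (illustrative only;
# load a published breach list in a real deployment).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "admin", "hospital", "healthcare", "summer2017",
}

# Map leet-speak characters back to letters so "P@ssw0rd" is caught as "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/symbols (e.g. "2017!"), undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(_LEET)


def check_password(password: str, username: str) -> List[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare both the raw lower-cased value and the normalised form, so that
    # all-digit entries like "123456" and disguised ones like "P@ssw0rd2017!" are caught.
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")

    # Reject passwords that embed the account name.
    if username and username.lower() in password.lower():
        problems.append("contains the username")

    # Require at least three of: lower-case, upper-case, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")

    # Reject runs of one character (four or more) and simple keyboard/counting sequences.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a repeated character run")
    if any(seq in password.lower() for seq in ("1234", "abcd", "qwer")):
        problems.append("contains a keyboard or counting sequence")
    return problems


def audit_attempts(attempts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run the check over a batch of (username, password) set attempts."""
    return {user: check_password(pw, user) for user, pw in attempts}


if __name__ == "__main__":
    # Constructed sample attempts from hypothetical staff accounts.
    SAMPLE = [
        ("jsmith", "P@ssw0rd2017!"),
        ("jsmith", "jsmith1234"),
        ("nurse01", "Correct-Horse-Battery-Staple"),
    ]
    for user, violations in audit_attempts(SAMPLE).items():
        print(user, "->", violations or "accepted")
```

The check reports every violation rather than stopping at the first, which is what an awareness programme needs: the list tells the user which habit to change, and counting the violations across a batch gives the programme one of the before-and-after metrics the paragraph calls for.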
The table below displays the summary means of preparedness for information security threats.
The table below shows the organisations’ responses to a survey conducted on information security protection mechanisms:
VI. Recommend related policies to overcome the identified issues of the given scenario:
An organisation’s information security plan must include the security awareness programme as a line item. Apart from the operational and technical countermeasures that are a must for protecting the system, awareness and training are also an essential part of it. First priority should be given to the goals of the programme and what must be achieved; then the programme plan must be developed. It should be professionally presented at management meetings (Hansche 2001).
In order to protect resources and secure a firm’s important information from threats, the starting point must be the development of information security policy documents (Moody, Siponen & Pahnila 2018). Further support is needed for the importance of security in computing and information systems (IS). There is no complete definition that covers all aspects of security; its important role in social and organisational dimensions is recognised. There has been a significant change in the nature of information security threats, yet the incidence of information security breaches remains high. An information security policy is a significant business document covering a wide area of security concerns. It sets out the approach to managing the organisation’s information security. The policy is a working document that offers rules on the means of information security management as well as the desired ends. The role of the policy is to stress management’s obligation to and support for information security (Stahl, Doherty & Shaw 2012). The organisation can use technologies such as e-mail encryption and spam filtering, together with on-the-job user training and patching (Victor 2017).
VII. Conclusions
The aim of this study was to review the literature on information security, information security issues, information security policy and information security awareness; to identify and interpret security issues, threats and vulnerabilities; and to suggest possible security solutions and recommend related policies to overcome the identified issues.
The advancement of technology plays a crucial role in organisations’ profitability. The main aim of information security is to secure the organisation from threats and to help the business attain the anticipated level of consistency and efficiency by ensuring integrity, availability and confidentiality. The requirement of a security specification is to recognise the organisation’s requirements in relation to security (Istikoma et al. 2015).