Wednesday, May 22, 2019
Information Security Classification Essay
Information security is simply the process of keeping information secure by protecting its availability, integrity, and privacy (Demopoulos). With the advent of computers, information has increasingly become computer stored. Marketing, sales, finance, production, materials, etc. are various examples of assets which are computer-stored information. A large hospital is an institution which provides health care to patients. It is staffed by doctors, nurses, and attendants. Like any large organization, a hospital too has huge amounts of data and information to store.

Hospitals have increasingly become automated, with computerized systems designed to meet their information needs. According to the Washtenaw Community College website, the following types of information are stored in a hospital:

- Patient information
- Clinical laboratory, radiology, and patient monitoring
- Patient census and billing
- Staffing and scheduling
- Outcomes assessment and quality control
- Pharmacy ordering, prescription handling, and pharmacopoeia information
- Decision support
- Finance and accounting
- Supplies, inventory, maintenance, and orders management

Viruses, worms and malware are the most common threats to information security. In computers, a virus is a program or programming code that replicates by being copied or by initiating its copying to another program, computer boot sector or document (Harris, 2006). Floppy disks, USB drives, the Internet and email are the most common ways a virus spreads from one computer to another. Computer viruses have the potential to damage data, delete files or crash the hard disk. Many viruses contain bugs which can cause system and operating system crashes. Computer worms are malicious software applications designed to spread via computer networks (Mitchell). They also represent a real threat to information security. Email attachments, or files opened from emails that have executable files attached, are the way worms spread.
A Trojan is a network software application designed to remain hidden on an installed computer. Software designed to monitor a person's computer activity surreptitiously and which transmits that information over the Internet is known as spyware (Healan, 2005). Spyware monitors information using the machine on which it is installed. The information is sent to the company for advertising purposes or sold to third-party clients.

Identity theft and data breaches are two of the biggest problems facing information security managers. Hackers steal Social Security numbers, credit card data, bank account numbers and other data to fund their operations. There are other potential threats to the hospital's information, like power outages, incompetent employees, equipment failure, saboteurs, natural disasters, etc.

A large hospital requires an information classification policy to ensure that information is used in an appropriate and proper manner. The use of the information should be consistent with the hospital's policies, guidelines and procedures. It should be in harmony with any state or federal laws. The hospital's information should be classified as follows:

1. Restricted
2. Confidential
3. Public

Restricted information is that which can adversely affect the hospital, doctors, nurses, staff members and patients. Its use is restricted to the employees of the hospital only. Finance and accounting, supplies, inventory, maintenance, and orders management are restricted information which comes in this category. Confidential information includes data on patients which must be protected at a high level. Patient information, clinical laboratory, radiology, and patient monitoring are some of the information which comes in this category. It can also include information whose disclosure can cause embarrassment or loss of reputation (Taylor, 2004).
Public information includes data which provides general information about the hospital, its services, facilities and expertise to the public. Security at this level is minimal. This type of information requires no special protection or rules for use and may be freely disseminated without potential harm (University of Newcastle, 2007).

| Information | Classification | Threat | Justification |
|---|---|---|---|
| Patient information | Confidential | Disclosure or removal | Any disclosure or removal can cause serious consequences to the patient |
| Clinical laboratory, radiology, and patient monitoring | Confidential | Disclosure or removal | Any disclosure or removal can cause serious consequences to the patient |
| Finance and accounting, supplies, inventory, maintenance, and orders management | Restricted | Loss or destruction | Any loss or destruction of this information could be very dangerous for the organization |
| General information about the hospital, its services, facilities and expertise | Public | Low threat | Low threat since the information is public. It would affect public relations, however. |
| Research information | Confidential | Disclosure or removal | This is confidential material since its exposure would cause serious consequences for the hospital |

Summary: classification table.

Information is an asset for the hospital. The above information classification policy defines acceptable use of information. The classifications are based on the sensitivity of the information. According to the Government of Alberta information security guideline, four criteria are the basis for deciding the security and access requirements for information assets.
These criteria are:

- Integrity: information is current, complete, and only authorized and accurate changes are made to information;
- Availability: authorized users have access to and can use the information when needed;
- Confidentiality: information is only accessed by authorized individuals, entities or processes; and
- Value: intellectual property is protected, as needed.

Information security must adequately offer protection throughout the life span of the information. Depending on the security classification, information assets will need different types of storage procedures to ensure that the confidentiality, integrity, accessibility, and value of the information are protected. The hospital director must be responsible for the classification, reclassification and declassification of the hospital's information. The information security policy must be updated on a regular basis and published as appropriate. Appropriate training must be provided to data owners, data custodians, network and system administrators, and users.

The information security policy must also include a virus prevention policy, an intrusion detection policy and an access control policy. A virus prevention policy would include the installation of licensed anti-virus software on workstations and servers. The headers of emails would also be scanned by the anti-virus software to prevent the spread of malicious programs like viruses. Intrusion detection systems must be installed on workstations and servers with critical, restricted and confidential data. There must be a weekly review of logs to monitor the number of login attempts made by users. Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected. Access to the network, servers and systems should be achieved by individual and unique logins, and should require authentication.
Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication. This policy is the access control policy. It prevents unauthorized access to critical data.

A large hospital, like any organization today, uses computers to store its information. The classification of its data is a very important goal to protect it from threats like viruses, Trojans, worms, spyware, adware and hackers. Natural disasters and incompetent employees are another type of threat to the hospital's data. A proper information security policy can protect the organization's critical data from any external or internal threat.
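The intrusion detection policy above calls for a weekly review of logs that monitors the number of login attempts per user, with automated review and alerts to the administrator where possible. The following is an added example of what that automated review can look like; it is not code from the essay or from any hospital system. The log format, the user and source-address values, and the thresholds (five failures per review period, three consecutive failures followed by a success) are all constructed assumptions for the illustration; a real deployment would adapt the parser to its own authentication log (for example the Windows Security log or a Linux auth.log) and set thresholds from its own policy.

```python
"""Weekly login-log review: count login attempts per user and raise alerts.

Added example (not part of the original essay). The log format below is an
assumed, constructed one; real systems each have their own format and the
parser would need to be adapted to it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one review period of authentication events
# in an assumed "timestamp LOGIN <OK|FAIL> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2019-05-13 08:01:12 LOGIN OK user=nurse_a src=10.1.2.10
2019-05-13 08:02:40 LOGIN FAIL user=dr_b src=10.1.2.11
2019-05-13 08:02:55 LOGIN OK user=dr_b src=10.1.2.11
2019-05-14 02:14:01 LOGIN FAIL user=admin src=203.0.113.7
2019-05-14 02:14:03 LOGIN FAIL user=admin src=203.0.113.7
2019-05-14 02:14:05 LOGIN FAIL user=admin src=203.0.113.7
2019-05-14 02:14:08 LOGIN FAIL user=admin src=203.0.113.7
2019-05-14 02:14:11 LOGIN FAIL user=admin src=203.0.113.7
2019-05-14 02:14:15 LOGIN OK user=admin src=203.0.113.7
2019-05-15 09:30:00 LOGIN OK user=billing_c src=10.1.3.5
2019-05-15 09:31:00 LOGIN FAIL user=billing_c src=10.1.3.5
this line is not an authentication record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Policy thresholds (assumed values; a real policy would set its own).
FAIL_THRESHOLD = 5      # failed attempts per user per review period
FAILS_BEFORE_OK = 3     # consecutive failures then a success: guessing that worked?


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def summarize_attempts(records):
    """Per-user counts of OK / FAIL attempts and the set of source addresses seen."""
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "sources": set()})
    for rec in records:
        entry = summary[rec["user"]]
        entry["ok" if rec["result"] == "OK" else "fail"] += 1
        entry["sources"].add(rec["src"])
    return dict(summary)


def find_alerts(records, fail_threshold=FAIL_THRESHOLD, fails_before_ok=FAILS_BEFORE_OK):
    """Return the alert strings the administrator should receive.

    Two rules, applied per user in time order:
      1. total failures in the period >= fail_threshold
      2. a run of >= fails_before_ok consecutive failures ending in a success
    """
    alerts = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    for user, recs in sorted(by_user.items()):
        fails = sum(1 for r in recs if r["result"] == "FAIL")
        if fails >= fail_threshold:
            alerts.append(f"{user}: {fails} failed logins in review period")
        run = 0
        for r in recs:
            if r["result"] == "FAIL":
                run += 1
            else:
                if run >= fails_before_ok:
                    alerts.append(
                        f"{user}: successful login after {run} consecutive failures "
                        f"from {r['src']} at {r['ts']:%Y-%m-%d %H:%M:%S}"
                    )
                run = 0
    return alerts


def weekly_review(text):
    """Run both steps of the review over raw log text."""
    records = list(parse_log(text))
    return summarize_attempts(records), find_alerts(records)


if __name__ == "__main__":
    summary, alerts = weekly_review(SAMPLE_LOG)
    for user, entry in sorted(summary.items()):
        print(f"{user:10} ok={entry['ok']} fail={entry['fail']} sources={sorted(entry['sources'])}")
    for alert in alerts:
        print("ALERT:", alert)
```

On the constructed sample the per-user summary shows the `admin` account with five failures from a single external address followed by a success, and both rules fire for it, while the single failures by `dr_b` and `billing_c` stay below threshold and produce no alert. The second rule matters because a count alone misses the case the policy is really worried about: a burst of failures that ends in a successful login.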