What is the vital role of security management in an organization or in our community?

Security Management Planning

Tony W. York, Don MacAlister, in Hospital and Healthcare Security (Sixth Edition), 2015

Security Staff Position Descriptions

The security management plan should contain a brief description of the activities performed by each job position of the security department. An option for this section of the plan could be to include the complete position descriptions in an appendix or attachment to the plan, and simply refer the reader to that document. In utilizing this option it may be useful to include an appendix for other areas of the plan, such as defining skill and competency levels of various positions, a listing of general activities/duties, and a listing or table of contents of security policies and procedures.

This section of the plan is also a good place to include the number of authorized full-time equivalent (FTE) staff for each position. In place of the number of staff for each position, an alternative could be the number of weekly hours required to staff and operate the program. Table 4-1 is an example of portraying staff requirements as an FTE count and the number of deployment hours.

Table 4-1. Security Department Authorized Staffing Level

Position                FTE     Hours/Week
Security Manager*       1.0     40
Investigator/Trainer*   1.0     40
Shift Supervisor        4.0     160
Security Officer I      11.4    456
Security Officer II     10.6    424
Totals                  26.0    1040

* Salaried positions (not included in the totals).


URL: https://www.sciencedirect.com/science/article/pii/B9780124200487000040

Knowledge Management

Clifton L. Smith, David J. Brooks, in Security Science, 2013

Introduction

The security management plan is a major constituent of security strategies for organizations and entities. Security managers are responsible for the initiation and development of a security plan, and need to draw appropriate information from many sources to satisfy the security requirements to protect their organization's assets. A security plan will assess the security risks and security threats to an organization so that suitable strategies are applied to potential adversaries. The acquisition of information for risk and threat assessments is achieved through knowledge management, and the attainment and processing of the information is crucial for an effective security management plan.

The organization and dispersal of knowledge can be achieved through knowledge management, which develops knowledge bases, expert systems, knowledge repositories, and group decision support systems. Therefore, knowledge management assists in improved performance, competitive advantage, innovation, and integration of sources of knowledge. As a result, the development of knowledge management systems will be strategic assets that aid the effective distribution of information and knowledge among authorized groups. It is considered that knowledge management systems will enhance the ability of information and knowledge managers to better distribute knowledge to appropriate analysts and experts for production of intelligence.

Intelligence is a fundamental process in the domain of security management, and is a critical element in effective decision making for the protection of assets. Intelligence can support the security risk management and security threat assessment processes. As intelligence is both a product and a process, it determines how data and information are converted into useful knowledge (Clauser, 2008).

A form of data gathering in situations or on people is predictive profiling to identify suspicious behavior in specified environments. Predictive profiling attempts to identify suspicious indicators according to characteristics of particular adversarial methods of operation. That is, by observing the behavior of people in a security-sensitive location, an estimate of the threat level can be produced. Thus, predictive profiling can be applied to determine whether a person, object, or situation represents a major threat to an organization.

The management and processing of information are important processes in the protection of assets of an organization. By producing intelligence from data and information, and managing that knowledge, security outcomes will be enhanced. That is, the security of an organization is dependent on the quality of the knowledge derived from the relevant intelligence.

Knowledge and intelligence are distinct concepts, but both support organizational security. For example, knowledge may be considered an underlying concept that can encompass paper information (the traditional view), electronic information (the contemporary view), and individual and corporate information (explicit and tacit). Whereas, intelligence is a process to better use information to gain value and improve knowledge.


URL: https://www.sciencedirect.com/science/article/pii/B9780123944368000084

A Primer for Healthcare Executives

Tony W. York, Don MacAlister, in Hospital and Healthcare Security (Sixth Edition), 2015

Where Should Security Report?

An expectation of The Joint Commission and the required Security Management Plan is that the plan clearly specifies the position responsible for the security of the organization, together with a clearly defined reporting level for that position. The hierarchical level in the organization to which security reports reflects the importance that the administrative team places on the security function and on the organization’s responsibility to protect persons and property. The important aspect of the security reporting level is that it must provide the organizational authority necessary to carry out the security mission properly. A practical consideration is that security should report to an individual who has both the time and the interest to support the security function. In short, there must be proper administrative support for a security program to be effective and productive. A common reporting level for security is the vice president (or director) of facilities or the risk management administrator, who, as a generality, seems to fit the foundation criteria for a successful program.


URL: https://www.sciencedirect.com/science/article/pii/B978012420048700026X

Detection Systems

Clifton L. Smith, David J. Brooks, in Security Science, 2013

Conclusion

The application of security technology to the protection of assets depends on the requirements and conditions of the security management plan. That is, the function of security technology within a security protection strategy is to support the security management plan. Also, the application of security technology must be congruent with appropriate theories and principles for the protection of assets, and is required to be integrated with design and planning. The security principles of DiD and CPTED both support the application of security technology within the contexts of the principles of the protection of assets. An understanding of critical path analysis and EASI will allow security management to assess the quality of the security strategy in the protection of assets for their organization. The principles of universal element conceptual mapping are an advanced approach to understanding the reliability and validity of a security strategy, and provide security managers with the ability to extend their knowledge of a security system.

The necessity to detect the presence or activity of unauthorized persons in an area of interest requires sensors appropriate to the risk and the environment. Applications of sensors on barriers and in open ground are familiar technologies for the detection of unauthorized persons. However, multibeamed laser intruder detection systems provide a technology that detects the presence of a person and analyzes the beams reflected from the intruder to determine location, movement, and other information about the intruder.

The testing of security technology is an important facet of a security plan and design in asset protection. Testing is necessary to determine the appropriateness of an item of equipment for a particular task in a security function. A testing model has been presented in this chapter to evaluate both the reliability and validity of security technology in the context of its application in a security strategy.


URL: https://www.sciencedirect.com/science/article/pii/B9780123944368000060

Program Documentation and Performance Measures

Tony W. York, Don MacAlister, in Hospital and Healthcare Security (Sixth Edition), 2015

Annual Security Management Plan and Program Effectiveness Evaluation

On an annual basis there should be a formal review of the security program which addresses the objectives, scope, performance, and effectiveness of both the security management plan and the operational implementation of the plan. In short, how did the program measure up to expectations? In addition to the security management plan the periodic reports prepared throughout the year for the multidisciplinary review committee are the basic sources of information for the annual evaluation. The annual evaluation does not need to be on a calendar year basis; however, the calendar year is utilized by most healthcare security administrators. In the U.S., the annual security program effectiveness evaluation continues to be a requirement of TJC. Chapter 4 provides a detailed discussion on performance measurement as part of the security management planning process.


URL: https://www.sciencedirect.com/science/article/pii/B978012420048700012X

Physical Security

Clifton L. Smith, David J. Brooks, in Security Science, 2013

Perimeter Protection

Perimeter protection is effectively the first line of defense in a physical security plan for a facility. However, an examination of the threat assessment of the facility together with the risk management strategy will determine the role of the perimeter in the security management plan. Perimeter security can vary from such items as a white line painted on the ground, to sophisticated high-level perimeter configurations involving multiple barriers with numerous detection systems, permanent surveillance, and continuous patrols. Physical barriers will discourage an undetermined intruder, but will only delay a determined person. Thus, physical barriers must be combined with other security controls for an integrated security solution.

Fences are the usual form of perimeter barrier used to protect the assets of an organization. Fences are relatively cheap and rapid to build, surveillance can be conducted through the barrier, and fences can follow the barrier and be configured into different shapes, and may be enhanced with barbed wire, razor wire, or topped with anti-climbing devices (Figure 5.4).


Figure 5.4. A perimeter fence enhanced with razor wire to resist climbing.

(Copyright: Centre of Applied Science and Technology of the Home Office, United Kingdom. This material is reproduced by permission.)

However, fences are not flawless as physical barriers as they will not usually stop vehicle penetration. They are also susceptible to cutting, the nature of their construction assists scaling, and they can be tunneled under unless additional barriers such as plinths can be provided. Fences require a high level of maintenance and usually have a finite life depending on the environment.

Barbed wire can be installed over a chain-link fence by holding it on extension arms installed over the fence. Single-barbed wire can be installed outwards of the perimeter being protected, whereas double-barbed wire is installed on V-shaped extension arms. Barbed wire is installed to provide added difficulty for anyone attempting to scale a fence. For the same reason as barbed wire, concertina or spiral sharp edge wire is also installed on fence extension arms.

Evaluations of the penetration times of chain-link fencing have been conducted by the U.S. Army Mobility Equipment Research and Development Command. Chain-link fences with extension poles installed have been subjected to climbing attacks by fit young men to estimate the effectiveness of fences as barriers against penetration. The 2.8ft (2.6m) fence with pole was penetrated by a man with one other man assisting, without the use of aids, in 4 seconds, and the 2.8ft (2.6m) fence with a 2.5ft (2.3m) pole was climbed by a man with three men assisting in 2.5 seconds; using carpet as an aid, the fastest time was 7 seconds.

Again, a 2.2ft (2m) fence was climbed unassisted and without the use of aids in a time of 3 seconds, and with one man assisting without the use of aids was 1.5 seconds. Finally, a 2.5ft (2.3m) fence was penetrated by a man with one man assisting without the use of aids in 2 seconds. The fastest penetration time with one man assisting using canvas as an aid was 6 seconds (Knoke, 2004).

Chain-link fences with outriggers and barbed wire, added to increase the level of difficulty for scaling, were penetrated in 4 seconds with one man assisting and without the use of aids for a 2.5ft (2.3m) fence with a barbed wire outrigger, and in 5 seconds with one assistant. Also, 2.5ft (2.3m) chain-link fences with a collapsible and a double outrigger were penetrated with one man assisting in 4 seconds (Knoke, 2004).

A chain-link fence is neither crash rated nor intended to stop forcible entry, for example, entry by vehicle or physical cutting. In most cases, a chain-link fence can be easily penetrated by a normal passenger vehicle. As a consequence, target hardening must be installed for facilities where forcible vehicular entry is an issue. A chain-link fence may be enhanced with the aid of crash-rated tension wires threaded through the fence, or with concrete crash structures, or simply by digging a trench around the perimeter of the fence to stop vehicles from reaching the fence.


URL: https://www.sciencedirect.com/science/article/pii/B9780123944368000059

Security Management

Clifton L. Smith, David J. Brooks, in Security Science, 2013

Conclusion

The security management plan provides a framework that incorporates all other functions of organizational security. The management plan organizes, staffs, leads, and controls corporate security, informing both internal security staff and external stakeholders such as the board, executives, and other managers of the security methodology. Security management plans are not explicit functions or “how-to” instructions; rather, they are an overarching process that integrates the many and diverse functions of security.

Security management takes a systems approach, which provides defined inputs, transformation in various security functions, and measurable outputs or deliverables. Inputs include tactical and strategic direction, leadership, governance, accountability, ethics, culture, and resilience. Transformations are the many functions of security, such as risk management, business continuity, personnel, physical, and technology security. In addition, functions should also include more general business and management functions, such as finance, budgeting, and performance management, to name a few.

Systems theory provides an underlying methodology for the design and application of a security management plan. Systems theory considers an organization as a whole and its interrelated parts, rather than discrete silo-formed departments that have little interaction. There are many benefits of a systems approach, in particular for security, such as promoting the security plan outside of the security department, common lexicon, integration of common business and management practices, flexibility in operations, a strategic approach, and the effective allocation of resources.

Security management plans can be designed, operated, and managed within four discrete types, depending on an organizational type, culture, and expectation. These four types of methodology take a risk-based, quality assurance, governance, or strategic security framework approach. These frameworks are modular in form and should be designed to meet the organization and its operating environment.

Resilience has become a core concept in security management that security can strive toward. Resilience is a common capacity possessed by individuals, groups, or communities that allows them to prevent, minimize, or prevail in the face of adversity. Nevertheless, the application of resilience is still vague and is better considered a philosophy rather than a plan or framework. However, there are clear characteristics that support organizational resilience. These include the need for a top-down culture with strong and aware leadership, as well as bottom-up functions with devolution of responsibilities, reduced silos, robust financial support, and efficacy in risk management and business continuity.

A security manager is first a business manager, and second a security manager. Therefore, beyond the many security functions, there are other functions that a security manager should practice, such as governance, performance management, corporate risk management, succession planning, education and awareness, cost-benefit analysis, and setting budgets.

Important parts of security management include policy and procedures, ethical behavior for themselves and their staff, understanding the principles of security, and being aware of security decay. Ethics has to be high on the list of a security manager, as ethics lead to positive and effective leadership. Finally, security decay is the understanding that all systems will fail if there is not appropriate and directed feedback to maintain the system at its commissioning level or aligned to dynamic threats.


URL: https://www.sciencedirect.com/science/article/pii/B9780123944368000023

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Managing Information Security (Second Edition), 2014

Federal Information Security Management Act

At the U.S. federal level, the National Institute of Standards and Technology (NIST) has specified guidelines for implementing the Federal Information Security Management Act (FISMA). This act aims to provide the following standards shown in Figure 3.1.


Figure 3.1. Specifications in the Federal Information Security Management Act.

The “Federal Information Security Management Framework Recommended by NIST” sidebar describes the risk management framework as specified in FISMA. The activities specified in this framework are paramount in implementing an IT security management plan. Although specified for the federal government, this framework can be used as a guideline by any organization.

Step 1: Categorize

In this step, information systems and internal information should be categorized based on impact.

Step 2: Select

Use the categorization in the first step to select an initial set of security controls for the information system and apply tailoring guidance as appropriate, to obtain a starting point for required controls.

Step 3: Supplement

Assess the risk and local conditions, including the security requirements, specific threat information, and cost/benefit analyses or special circumstances. Supplement the initial set of security controls on the basis of these analyses.

Step 4: Document

The original set of security controls and the supplements should be documented.

Step 5: Implement

The security controls you identified and supplemented should be implemented in the organization’s information systems.

Step 6: Assess

The security controls should be assessed to determine whether the controls are implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements for the system.

Step 7: Authorize

Upon a determination of the risk to organizational operations, organizational assets, or individuals resulting from their operation, authorize the information systems.

Step 8: Monitor

Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166882000039

Information Technology Security Management

Rahul Bhaskar, Bhushan Kapoor, in Computer and Information Security Handbook (Third Edition), 2013

1 Information Security Management Standards

A range of standards are specified by various industry bodies. Although they are specific to an industry, these standards can be used by any organization and adapted to its goals. Here we discuss the main organizations that set standards related to information security management.

Federal Information Security Management Act

At the US federal level, the National Institute of Standards and Technology (NIST) has specified guidelines for implementing the Federal Information Security Management Act (FISMA). This act aims to provide the standards shown in Fig. e27.1.


Figure e27.1. Specifications in the Federal Information Security Management Act.

The “Federal Information Security Management Framework Recommended by the National Institute of Standards and Technology” sidebar describes the risk management framework specified in FISMA. The activities specified in this framework are paramount in implementing an information technology (IT) security management plan. Although specified for the federal government, this framework can be used as a guideline by any organization.

Step 1: Categorize

In this step, information systems and internal information should be categorized based on their impact.

Step 2: Select

Use the categorization in the first step to select an initial set of security controls for the information system and apply tailoring guidance as appropriate to obtain a starting point for required controls.

Step 3: Supplement

Assess the risk and local conditions, including the security requirements, specific threat information, and cost–benefit analyses or special circumstances. Supplement the initial set of security controls on the basis of these analyses.

Step 4: Document

The original set of security controls and the supplements should be documented.

Step 5: Implement

The security controls you identified and supplemented should be implemented in the organization's information systems.

Step 6: Assess

The security controls should be assessed to determine whether the controls are implemented correctly, are operating as intended, and are producing the desired outcome with respect to meeting the security requirements for the system.

Step 7: Authorize

Upon determining the risk to organizational operations, organizational assets, or individuals resulting from their operation, authorize the information systems.

Step 8: Monitor

Monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system.

International Standards Organization

Other influential international bodies, the International Standards Organization (ISO) and International Electrotechnical Commission (IEC), published ISO/IEC 17799:2005. These standards establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. The standards consist of best practices of control objectives and controls in the areas of information security management, shown in Fig. e27.2.


Figure e27.2. International Standards Organization best-practice areas.

These objectives and controls are intended to be implemented to meet the requirements identified by a risk assessment.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000272

Software for Medical Systems

Jeff Geisler, in Mission-Critical and Safety-Critical Systems Handbook, 2010

6.2 Security and Privacy—HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law primarily concerned with the portability of health insurance coverage when people change jobs. It also establishes standards for healthcare transactions. Where it becomes of interest from the point of view of software development is in the intent of HIPAA to protect the privacy of patients and the integrity and privacy of their medical records.

6.2.1 Who Must Comply

Protection of privacy is mostly the responsibility of the healthcare provider [43]; unless you are in the business of providing software that directly handles patient records for reporting or billing, compliance to the provisions of the HIPAA is usually indirect. The healthcare provider will be doing the heavy lifting, but the security provisions may impose requirements on the software that you are creating for their use. (Or it may provide market opportunities for devices useful for protecting medical data or authenticating users.)

The security aspects of the HIPAA are known as the security rule. The Department of Health and Human Services (HHS) under the U.S. government has published a series of introductory papers discussing the security rule on the website, www.cms.hhs.gov/SecurityStandard/. Quoting from the web page, “[the] rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to ensure the confidentiality of electronic protected health information.”

The “covered entities” that the rule applies to are “any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard” [44]. The “transactions for which HHS has adopted a standard” is a reference to the Electronic Data Interchange (EDI) definitions having to do with health care that HHS has enumerated.

In fact, there is some ambiguity about to whom the security rule applies. There is an exemption for researchers, for example, provided they are not actually part of the covered entity's workforce. Insofar as a researcher is a covered entity and deals with Electronic Protected Health Information (EPHI), they would have to comply. Hence, companies researching whether their products are safe and effective in clinical trials would also have to comply if they access EPHI.

This also applies to vendors who have access to EPHI during “testing, development, and repair” [45]. In this circumstance, the vendor is operating as “business associate,” and must implement appropriate security protections. The methods for doing so are flexible, however, so it ought to be possible for the covered entity and the business associate to come up with reasonable methods.

One simple method to achieve compliance with the security rule for vendors or researchers is to “de-identify” the data. “If electronic protected health information [EPHI] is de-identified (as truly anonymous information would be), it is not covered by this rule because it is no longer electronic protected health information” [45]. By making the data anonymous, it is no longer technically electronic protected health information, and thus not subject to the regulations.
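As an added illustration of the de-identification route described above (example code written for this page, not code from the chapter or from HHS), the Python below strips direct identifiers from a constructed patient record, reduces dates to the year and the ZIP code to its first three digits, and replaces the medical record number with a keyed pseudonym so that records can still be linked for research without the MRN itself ever leaving the covered entity. The field names, the sample record, the key and the rule set are assumptions chosen for the example; which fields count as identifiers for a given data set is a determination made against the rule, not by this code.

```python
"""De-identification of a constructed EPHI record (added example, not from the chapter).

Assumptions made for this example: the record is a flat dict; the fields in
DIRECT_IDENTIFIERS are dropped outright; dates are generalized to the year;
the ZIP code is generalized to its first three digits; the MRN is replaced by
an HMAC-based pseudonym keyed with a secret the covered entity keeps.
"""
import hashlib
import hmac

DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "street"}  # removed outright
DATE_FIELDS = {"dob", "admit_date"}   # ISO "YYYY-MM-DD" -> "YYYY"
ZIP_FIELDS = {"zip"}                  # "98105" -> "981" (choice made for this example)
PSEUDONYMIZE = {"mrn"}                # replaced by a keyed one-way pseudonym

# Constructed sample record and key; none of these values are real.
SAMPLE = {
    "name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "123-45-6789",
    "dob": "1968-04-12",
    "admit_date": "2009-11-03",
    "zip": "98105",
    "diagnosis_code": "I10",
    "lab_glucose_mg_dl": 142,
}
KEY = b"constructed-demo-key"  # in practice a secret held only by the covered entity


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way pseudonym: same input and key give the same output,
    but the MRN cannot be recovered from it without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # drop the field entirely
        if field in DATE_FIELDS:
            out[field] = str(value)[:4]   # keep only the year
        elif field in ZIP_FIELDS:
            out[field] = str(value)[:3]   # keep only the leading three digits
        elif field in PSEUDONYMIZE:
            out[field] = pseudonym(str(value), key)
        else:
            out[field] = value            # clinical content is kept as-is
    return out


def contains_identifier(deidentified: dict, original: dict) -> bool:
    """Review check: does any original direct-identifier or MRN value
    survive anywhere in the de-identified output?"""
    dumped = " ".join(str(v) for v in deidentified.values())
    watched = (DIRECT_IDENTIFIERS | PSEUDONYMIZE) & set(original)
    return any(str(original[f]) in dumped for f in watched)


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, KEY)
    print(cleaned)
    print("identifier leaked:", contains_identifier(cleaned, SAMPLE))
```

Running `deidentify` twice with the same key yields the same pseudonym, which is what allows longitudinal linking of a patient's records; destroying the key severs that link, and the `contains_identifier` check is the kind of review a business associate can run before handing a data set to researchers.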

Not everything is EPHI anyway. If the data are not in electronic form, they are not covered by the security rule, which does, after all, only apply to electronic protected health information. “Electronic” in this sense means data stored in a computer that can itself be programmed. The issue is the accessibility of the computer, not so much the physical format of the data. Therefore, personal phone calls or faxes are exempt; whereas a system that returned a fax in response to a phone menu system would be handling EPHI and subject to the rule [45].

Patients themselves are not covered entities and thus are not subject to the rule [45]. It is nice to know that you are allowed to see your own health data, and discuss it with your doctor.

So even though your data may not be subject to the security rule, you would nevertheless want to make reasonable efforts to protect them against loss, damage, or unauthorized access, if only to prevent competitors from seeing them. But you would not be required to maintain a complete security process including security risk assessment and a security management plan.

The provisions of the security rule may not be directly applicable to a medical device manufacturer. Nevertheless, they will be important to your customers. It may be necessary to provide the technical security solutions so that your customer can implement the required administrative policies. On the other hand, if the purpose of your software is to provide EPHI data handling, you will find that your customer is required to obtain satisfactory written assurances from your business that you will safeguard EPHI. You will need to follow the full set of regulations in the security rule including security risk assessment and a security management plan. If your hardware or software has access to EPHI, the healthcare provider will have to assess whether you also need to comply [46].

6.2.2 Recommended Security Practices

We have established some guidelines for determining the extent to which the security rule may impact your business. We next turn to a discussion of the type of issues that might be important.

Malicious Software. One aspect that may affect anyone providing software into the medical environment is the requirement for the “covered entity [to] implement: ‘Procedures for guarding against, detecting, and reporting malicious software.’ Malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses or worms” [46]. The reasoning is that malicious software could damage, destroy, or reveal EPHI data. This means that your customers will require of you assurances that your software is not an open door to malicious code that could harm the provider computer network or other devices. You may be required by the customer to provide assurances that your installation software is protected from viruses.

If your device is connected to the Internet, it may be necessary to provide anti-virus software along with regular updates to prevent just such an occurrence. It is probably insufficient to trust the healthcare provider employees to always engage in appropriate safe computing—you might want to consider using an input device specific to your device, or somehow protected from general use, lest it acquire a virus and infect your system. For example, rather than using a standard USB thumb drive, you could use a device that does the same thing but with a custom connector, so that it could not be plugged into an unknown computer that may be infected with a virus.

Malicious software is a more significant issue for software written to run on general-purpose computers. It is less an issue for many embedded systems whose programs execute from read-only memory and hence are difficult or impossible to infect.

Administrative Support. While monitoring log-ins and managing passwords is generally the responsibility of the healthcare provider, device makers sometimes want to limit access to functionality in the device (i.e., information relevant to engineering or system diagnostics). If the engineering mode provided access to EPHI, a single password to your device that could not be changed would not be an adequate security safeguard.

The administrative policies of covered entities may also require regular reviews of information system activities for internal audits. To do this, they may need your device or software to provide records of log-ins, file accesses, and security accesses [45].
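The two paragraphs above are illustrated by the added Python below (written for this page; it is not code from the chapter or from any device vendor). A fixed, unchangeable engineering-mode password is shown beside a per-device credential that the provider can rotate, stored as a salted PBKDF2 hash and compared in constant time, with every login attempt and credential change appended to an audit trail that the provider can review and count failures in. The device identifier, user names and passwords are constructed values; the class, its method names and the audit-record format are assumptions made for the example.

```python
"""Engineering-mode access control: weak form beside a hardened form
(added example, not from the chapter).

Assumed design for the hardened form: one credential per device, stored as a
salted PBKDF2-HMAC-SHA256 hash, rotatable by the provider, with an in-memory
audit trail of every attempt and every credential change.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Weak pattern: the same password compiled into every unit. It cannot be
# changed by the provider and leaves no record of who tried to use it.
FIXED_ENGINEERING_PASSWORD = "service123"  # constructed example value


def weak_engineering_login(password: str) -> bool:
    return password == FIXED_ENGINEERING_PASSWORD


class EngineeringAccess:
    """Hardened pattern: rotatable per-device credential plus audit trail."""

    ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the example)

    def __init__(self, device_id: str, initial_password: str):
        self.device_id = device_id
        self.audit_log: list[dict] = []
        self._salt = b""
        self._hash = b""
        self.set_password(initial_password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.ITERATIONS)

    def set_password(self, new_password: str) -> None:
        """Provider rotates the credential; a fresh salt is drawn each time."""
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        self._record("credential_set", user="admin", success=True)

    def login(self, user: str, password: str) -> bool:
        """Verify in constant time and record the attempt either way."""
        ok = hmac.compare_digest(self._derive(password), self._hash)
        self._record("engineering_login", user=user, success=ok)
        return ok

    def failed_logins(self, user: str) -> int:
        """Review helper: failed engineering-mode attempts by one user."""
        return sum(1 for e in self.audit_log
                   if e["event"] == "engineering_login"
                   and e["user"] == user and not e["success"])

    def _record(self, event: str, user: str, success: bool) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "device": self.device_id,
            "event": event,
            "user": user,
            "success": success,
        })


if __name__ == "__main__":
    dev = EngineeringAccess("device-0001", "initial-pass")  # constructed values
    dev.login("tech-a", "wrong")
    dev.login("tech-a", "initial-pass")
    dev.set_password("rotated-pass")
    for entry in dev.audit_log:
        print(entry)
```

Because the audit entries carry the device identifier, event, user and outcome, they are the kind of records of log-ins and security accesses the provider's internal audit can review, and rotating the credential invalidates the old password on that one device without affecting any other unit.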

Physical Security. You must have the ability to back up the data or restore it in the event of a disaster, that is, somehow get the data out of the device and into a secure facility if the data are part of health information. For example, if your device contains “electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, [or] electronic test results,” [46] the healthcare provider would need to be able to archive this information. It is also important to provide for obliterating EPHI data from your device at end of use or disposal.

As for physical safeguards, you would want to avoid doing anything that would make it impossible for an organization to impose some standards. For example, you wouldn't want to broadcast EPHI or make it available on a web page or some other method such that restricting it to only the people who need to know it becomes impossible.

This extends to physical media that might be used to store EPHI. The provider has to establish rules about how the media goes into or out of the facility, how it is re-used, and how it is disposed of so that protected data are not revealed to unauthorized personnel. In the case of re-use, “it is important to remove all EPHI previously stored on the media to prevent unauthorized access to the information” [47]. If you are making a storage device, the provider may want to be able to identify each device individually so that they can track them.
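The archive-and-obliterate sequence from the physical security discussion above, getting health information off the device into the provider's secure facility and then removing it from the device or its media, is shown below as an added example. It is not code from the chapter or any device; the "device store" and "secure facility" are temporary directories, the record contents are constructed, and the device identifier is an invented placeholder used to tag the archived copy so the provider can trace which unit it came from.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Added example, not the chapter's code. The "device store" and "secure facility"
# are temporary directories and the record contents are constructed.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def export_for_archive(src: Path, archive_dir: Path, device_id: str) -> Path:
    """Copy a record to the provider's archive, named with the device identifier so the
    provider can trace which unit it came from, and verify the copy by digest."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / f"{device_id}__{src.name}"
    shutil.copy2(src, dest)
    if sha256_file(dest) != sha256_file(src):
        dest.unlink()
        raise IOError(f"archive copy of {src.name} failed verification")
    return dest

def sanitize_file(path: Path, passes: int = 2) -> bool:
    """Overwrite a file in place (random passes, then zeros), read back to confirm the
    original bytes are gone, then unlink. Returns True only if the read-back verified.

    Caveat: overwriting through the file system is only meaningful where the medium
    rewrites in place. Flash with wear-levelling keeps stale copies, so end-of-life
    sanitisation there relies on the device's secure-erase or cryptographic erase."""
    size = path.stat().st_size
    with path.open("r+b") as f:
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 16)
                f.write(os.urandom(chunk) if n < passes - 1 else bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        verified = all(not any(blk) for blk in iter(lambda: f.read(1 << 16), b""))
    path.unlink()
    return verified and not path.exists()

def demo() -> dict:
    """Archive a constructed record off the device, then obliterate the on-device copy."""
    sample = b"CONSTRUCTED EPHI SAMPLE RECORD\n" * 64            # constructed, not real data
    with tempfile.TemporaryDirectory() as tmp:
        device_store = Path(tmp) / "device"
        device_store.mkdir()
        record = device_store / "patient_results.dat"
        record.write_bytes(sample)
        archived = export_for_archive(record, Path(tmp) / "secure_facility", "DEV-0001-CONSTRUCTED")
        wiped = sanitize_file(record)
        return {
            "archived_name": archived.name,
            "archive_intact": sha256_file(archived) == hashlib.sha256(sample).hexdigest(),
            "device_copy_removed": wiped,
        }
```

The order matters: the archive copy is verified by digest before the on-device copy is touched, so a failed export never leaves the provider with neither copy. The caveat in the docstring is the one a practitioner checks first when the device stores data on flash rather than a rotating disk.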

Risk Analysis. As is the case with risk analysis for the safety of the software or the device, depending on how close you are to the EPHI data, you may need to carry out a formal risk assessment, wherein you evaluate the potential threats and vulnerabilities to those threats and develop a risk management plan in response [48].

The threat is twofold: unauthorized access or loss of data. Both must be guarded against. CMS has a good discussion and example of risk analysis as applied to security concerns. Interestingly enough, many of the same issues and analytical practices are relevant to device risk analysis, and the example has good hints for both. The document HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information, available at www.cms.hhs.gov/SecurityStandard/, is a useful specific discussion of remote vulnerabilities and possible risk management strategies.

The security rule is enforced by the Office for Civil Rights; a violation may bring civil monetary penalties, not to mention possible tort awards. Moreover, there is something of an ethical obligation for healthcare providers and others in the medical industry to exercise due care with private information.

While security is often not a direct concern to the manufacturers of medical devices, as information technology evolves and the desire to share information from individual diagnostic devices increases, it will become increasingly important. In addition, there are best practices for protecting data—such as guarding against viruses, unauthorized access, or data corruption—that are the sorts of things we should be doing anyway. We want our medical devices to be of the highest quality and serve customer needs; some measure of data integrity ought to be a given.


URL: https://www.sciencedirect.com/science/article/pii/B9780750685672000044

What is the importance of security management in organization?

Purpose of Security Management

The goal of security management procedures is to provide a foundation for an organization's cybersecurity strategy. The information and procedures developed as part of security management processes will be used for data classification, risk management, and threat detection and response.

How do you explain security management in organizations?

What Is Security Management?

Corporate security managers identify and mitigate potential threats to a company. For example, they assess safety and security policies to ensure that an organization's employees, products, buildings and data are safeguarded.

What is the purpose of information security management?

Information security management is the process of protecting an organization's data and assets against potential threats. One of the primary goals of these processes is to protect data confidentiality, integrity, and availability.