Research Proposal, Undergraduate, 1,088 words

Enterprise Security Plan Proposal


Enterprise Security Plan Proposal

The objective of this study is to develop an enterprise security plan proposal which covers the ten domains of the Information Security Common Body of Knowledge and includes the elements of widely accepted categories of information security; information security and the principles of success; planning procedures towards those goals; a security policy and standards taxonomy; and policies complying with the HIPAA Security Rule Standards as well as other policies relevant to information security and privacy currently defined by local, state or other regulatory bodies.

Information security traditionally meant the protection of company-specific information such as trade secrets. However, in today's business environment data protection means much more, as medical service and health care providers store huge amounts of patient data, making information security concerns more important than ever before.

I. Ten Domains of Information Security Common Body of Knowledge

The ten domains of the information security common body of knowledge are stated as follows:
(1) Security management practices;
(2) Access control systems and methodology;
(3) Telecommunications and networking security;
(4) Cryptography;
(5) Security architecture and models;
(6) Operations security;
(7) Application and systems development security;
(8) Physical security;
(9) Business continuity and disaster recovery planning;
(10) Laws, investigation, and ethics.
(American Health Information Management Association, 2011)

II. Confidentiality, Integrity and Availability

Confidentiality, integrity and availability, the tenets that form what is known as the CIA Triad, are reported as the measures by which security practices are tested. Primary security issues are reported to include those stated as follows:
(1) Feasibility of system: identification of the requirement for security, policies and standards;
(2) Requirements for software plans: identification of vulnerabilities, threats and risks; planning adequate protection and completion of a cost-benefit analysis;
(3) Design of product: planning of security specifications in the design of the product, including access, encryption and so forth;
(4) Design detail: the security controls and relationships for users, linked to the needs of the business and the legal liabilities set out;
(5) Coding: development of security-related software code and documentation;
(6) Implementation: security measures implemented and the software tested prior to roll-out of the system;
(7) Product integration: testing of the security measures written in the system software, and refinements;
(8) Operations and maintenance: monitoring of the security software for any threats and changes, and testing of changes when needed.

(American Health Information Management Association, 2011, paraphrased)

III. Information Security Architecture and Models

Three types of security models exist, stated as follows:
(1) Access control -- common in the health field; this model enables organizations to identify users and to classify data so that access can be granted or restricted;
(2) Integrity -- this model protects confidentiality and data integrity, meaning that unauthorized users cannot make changes to or modify data;
(3) Information flow -- this model classifies information, which then flows in a specific manner guided by security policies and rules.
(American Health Information Management Association, 2011, paraphrased)

IV. Operation Security Domains

The following operation security domains are reported in the work of the American Health Information Management Association -- HIM Body of Knowledge:
(1) Controls to prevent and decrease the risk of unintentional errors and unauthorized users;
(2) Monitoring to identify errors;
(3) A system that provides for duties being assigned to various personnel so that no one person has total control of the security measures;
(4) Tracking of changes, with approval required for changes or reconfiguration;
(5) Background checking and screening of employees;
(6) Retention policies formed on the basis of the organization's policies and standards as well as legal and business rules;
(7) Appropriate documentation, including security policy and procedures, contingency, and disaster recovery; and
(8) Protections for hardware, software, and data resources.
(American Health Information Management Association, 2011, paraphrased)

V. Legal and Ethical Issues

Security professionals are held responsible for understanding the legal and ethical aspects of information security, including crimes and the investigation of computer crimes, and specifically it is stated that certified security professionals "...are morally and legally held to a higher standard of ethical conduct." (U.S. Department of Health and Human Services, 2011)

There are four primary canons established in the (ISC)2 code of ethics for credentialed security professionals, stated as follows:
(1) Protect society, the commonwealth, and the infrastructure;
(2) Act honorably, honestly, justly, responsibly, and legally;
(3) Provide diligent and competent service to principals;
(4) Advance and protect the profession.
(U.S. Department of Health and Human Services, 2011)

Three credentials held by information security professionals include the following:
(1) CISSP -- Certified Information Systems Security Professional, credentialed through the International Information Systems Security Certification Consortium;
(2) CHS -- Certified in Healthcare Security, credentialed through
(3) CHPS -- Certified in Healthcare Privacy and Security, credentialed through AHIMA or HIMSS.
(U.S. Department of Health and Human Services, 2011)

VI. HIPAA Security Rule Standards

The HIPAA Privacy Rule protects the individual's "identifiable health information" (protected health information). (U.S. Department of Health and Human Services, 2011) A risk analysis is stated to include:
(1) Evaluate the likelihood and impact of potential risks to e-PHI;
(2) Implement appropriate security measures to address the risks identified in the risk analysis;
(3) Document the chosen security measures and, where required, the rationale for adopting those measures; and
(4) Maintain continuous, reasonable, and appropriate security protections.
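The three security models listed under Information Security Architecture and Models above (access control, integrity and information flow), shown as one small reference monitor; this is an added example, not code from the paper or from AHIMA. The classification levels (PUBLIC, INTERNAL, PHI), the users and the records are constructed assumptions: reads are granted by clearance, modification only to users explicitly authorized for a record's classification, and a copy is refused when it would move data into a less restricted record.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Classification lattice, least to most sensitive (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    PHI = 2  # protected health information

@dataclass
class User:
    name: str
    clearance: Level
    writable: frozenset = frozenset()  # classifications this user may modify

@dataclass
class Record:
    name: str
    level: Level
    content: str

def can_read(user: User, rec: Record) -> bool:
    """Access control model: read only records at or below the user's clearance."""
    return user.clearance >= rec.level

def can_modify(user: User, rec: Record) -> bool:
    """Integrity model: only users explicitly authorized for that classification may change it."""
    return can_read(user, rec) and rec.level in user.writable

def can_flow(src: Record, dst: Record) -> bool:
    """Information flow model: data may move only into a record classified at least as high."""
    return src.level <= dst.level

def copy_record(user: User, src: Record, dst: Record) -> str:
    """Mediate a copy through the three checks in order; write only if all pass."""
    if not can_read(user, src):
        return "denied: access control"
    if not can_modify(user, dst):
        return "denied: integrity"
    if not can_flow(src, dst):
        return "denied: information flow"
    dst.content = src.content
    return "allowed"

# Constructed sample users and records (not from the paper).
NURSE = User("nurse", Level.PHI, frozenset({Level.PHI, Level.INTERNAL}))
CLERK = User("billing clerk", Level.INTERNAL, frozenset({Level.INTERNAL}))
CHART = Record("patient chart", Level.PHI, "dx: hypertension")
MEMO = Record("staff memo", Level.INTERNAL, "shift schedule")
NEWSLETTER = Record("public newsletter", Level.PUBLIC, "flu clinic hours")
```

The denial reason names the model that blocked the request, which is what an audit log of a real monitor would need to record.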

Cite This Paper
"Enterprise Security Plan Proposal" (2013, May 10). Retrieved April 24, 2026, from https://www.paperdue.com/essay/enterprise-security-plan-proposal-the-99788
