This paper will focus on the fundamental aspects of information security programs, which aim at the safety of information in most government agencies. In this case, the analysis will be conducted for the U.S. Department of Health and Human Services (HHS), a department that works closely with both local and state government in providing the citizens of the United States with the right health environment and in assisting the needy with basic requirements. Elements of the department will focus greatly on the safety of information, which has been threatened in current times. Typically, the paper will explain the vulnerability of information to insecurity, and the mitigation and control measures to curb information loss.
Implementation of Information Security Programs
Information security programs are growing significantly with the present reforms in United States agencies, due to the insecurity involved in the handling of data in most corporate infrastructure systems. Independent hackers accessing company databases and computerized systems, computer service attacks, malicious software such as viruses that attack operating systems, and many other problems are among the issues experienced in the corporate arena, including government agencies like the U.S. Department of Health and Human Services. These cases have led to the necessity for more implementation of information security programs, which provide countermeasures for information security threats.
The United States Department of Health and Human Services
The Department of Health and Human Services in the United States (HHS) is one of the principal agencies obliged to protect the health conditions of the entire American population and to provide basic human services, especially to needy Americans (HHS.gov, 2012). The department works very closely with local and state government, hence providing most of its services at both the county and state agencies. The HHS department is constituted of eleven different divisions, which are individual operations, eight of which represent agencies of Public Health Services, and the remaining four are agencies of human services (HHS.gov, 2012).
Security Area Responsible Party
The CSIRC, which is under the Chief Information Security Officer, has the primary responsibility of entering data related to the HHS department, including the maintenance of IT security awareness and the overall determination of the IT security position of the HHS. The office shall ensure that the HHS department is always aware of privacy and security vulnerabilities, any happenings that might have a direct negative impact on the security of information, the negative impacts in case of insecurity, and the sharing of information with the relevant authorities. The office will also analyze the risks related to data handling and ensure measures are instituted to mitigate data loss or penetration by unintended persons (HHS.gov, 2012).
Vulnerabilities and risk mitigation strategies
Information in the Department of Health and Human Services is prone to many risks that could lead to the distortion of very important information. In severe situations, the information could be lost permanently, leading to disruptions in normal functioning and department operations. The major risks also include the unintended disclosure of confidential information/data, and unauthorized use of the same data. The information security programs, therefore, aim at the reduction of these risks, which come in different forms. The technical risks involved are malicious distortion of data and tampering with stored information through destruction of storage capacities. Fraud could also be a risk, where the staff and those operating the data systems could decide to use the data in the wrong way, mostly for self-interest. Systems could also be damaged through infection by viruses and worms. For the mitigation of these named risks, the department has to engage in both prevention and management of the risks.
The focus of the information security program is to prevent, detect, verify and then respond to the different risks involved. Prevention entails the effective manipulation of processes, procedures, technology and the department's responsibilities, so as to mitigate any potential threats. Detection in most cases involves the use of both automated and manual mechanisms to identify and differentiate risk and security issues. Currently, the HHS department could apply the detection strategy by passively and actively monitoring the procedures of the security programs. The verification phase ensures that all the necessary measures dealing with security are taken care of. This could include the use of monitoring tools and the conducting of audit functions. The response strategy will only be implemented when the prevention approaches seem to be underperforming. The department will require rapid and efficient capabilities to respond to risks, including direct responses, triage and containment of hazardous security threats (Onsett International Corporation, 2001).
Acquisition of systems and Asset management
The HHS Department has the obligation to acquire and maintain the best systems that will help maintain the department's information. The department has to use specified systems, preferably a descriptive database, that will store records for all the property the department owns and controls. According to the principles governing the department (FRPC principles), there has to be an inventory and a description of all the assets. These records relating to department assets will be significant, especially in the management of real property assets. The asset records will be made with relation to size, location and the other relevant elements of assets. Once the real assets value is recorded, there will be a continuous need to add the most recent information to the database, in accordance with the mandate of the HHS and the Federal Real Property Council (HHS.gov, 2012).
Compliance Management and Configuration Control
HHS has to ensure that all the necessary guidelines, processes, standards and procedures are compliant with the regulations provided by law, statutes and the other policies within the state. This will be done in relation to identification, disposition requirements and classification. This management involves the efforts to implement relations with other organizations that are both business oriented, have human resources and also the legal areas of specialization. In most cases, configuration control assumes a linear path, just like project management, and will concentrate on the production and control of different product versions. Typically, configuration management will entail the infrastructure of business processes, the operations of products and services, and also the end product/services. All these elements are linked to the management of information in HHS (Meyer, 2007).
Data owners and Network Administrators
The data owners at HHS will have to process and gather information, which will later be stored and transmitted to the departmental database to support the mission of the program for security information. In addition, the data owners will ensure that system owners know about the levels of sensitivity of the data so as to enhance the security controls of the data. The network administrators, also known as system administrators, have to make sure the requirements of security measures are appropriately implemented and forwarded to all other networks/departmental systems. The administrators also have the mandate to install proper system backups, and ensure immediate reporting of incidents of security threats. All the information systems will also be secured technically using appropriate implementation tools through the network administrators (HHS, 2004).