Information Systems Security
Haseeb Ahmed Khan
Mark O’Connell
CIS 333 Fundamentals of Information Security
March 12, 2012
Abstract
In today’s IT world every organization has a responsibility to protect the information and sensitive data they have. Protecting data is not only responsibility of security and IT staff but every individual is involved in protecting the information. The risks to information security are not digital only, but it involves technology, people and process that an organization may have. These threats may represent the problems that are associated to complex and expensive solution, but doing nothing about these risks is not the solution.
The case we have been assigned today deals with physical and logical vulnerabilities and protection against the risks and threats by implying the best controls to either mitigate, avoid and transfer the risks. Being an Information Security officer at a newly opened location in a busy mall, I have been asked to identify physical and logical risks to the pharmacy operations and also to suggest remedies to avoid any huge loss to the business. The pharmacy operations involve the unique transactions which involves the critical patients’ data, valuable medication and access to cash. The regulation set by the government obligates a pharmacy to meet certain standards to secure logical and physical access to information systems.
The pharmacy is comprised of 4 work stations, there is a drug storage are and an office in the premises which has a file server, domain controller and a firewall. The three of the four work stations are placed at the counter to record and retrieve information of customers’ order. The entry of the store if from the mall and there the drug storage area is securely locked location behind the front counters. The store has a back door entry which is used by the employees and for delivery of new drugs. As an IT officer I have to
References: Kim, D., & Solomon, M. (2012). Fundamentals of information systems security. Sudbury, MA: Jones and Bartlett. Department of Finance and Administration, State of Tennessee. (2008). Enterprise Information Security Policies. (Document Version 1.6) Swanson, M., & Guttman, B. (1996). Technology Administration, NIST. Generally Accepted Principles and Practices for Securing Information Technology System, retrieved March 11, 2012, from http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf Benton, R., (2005). Securing The Enterprise, retrieved March 12, 2012, from http://www.sans.org/reading_room/whitepapers/casestudies/case-study-information-security-securing-enterprise_1628 Ghosh, A., & Cigital, M. An Approach to Defending Against New and Unknown Malicious Software. Retrieved Feb 16, 2012, from http://www.cigital.com/resources/papers/ Farahmand, & F., Navathe, & S., Sharp, G., & Enslow, P., Assessing Damages of Information Security Incidents and Selecting Control Measures, a Case Study Approach, Retrieved March 11, 2012, from http://infosecon.net/workshop/pdf/39.pdf