Information Security Policy Framework
For the healthcare industry it is important to have an Information Security Policy Framework within the organization to protect information that staff and patients access across the network. In accordance with ISO/IEC 27799:2008, we begin by defining guidelines that support the interpretation and implementation of healthcare information protection. ISO/IEC 27799:2008 references the basic controls and guidelines of ISO/IEC 27002:2005, which provide the minimum protection necessary to meet organizational needs. Healthcare organizations that implement the security controls of the ISO standard will be able to provide the minimum security level necessary to maintain the confidentiality, integrity, and availability of personal health information.

Different organizations are required to comply with the local laws and federal regulations that apply to them. For example, the healthcare industry is required to comply with the requirements of HIPAA, and the financial industry is responsible for FISMA and the Sarbanes-Oxley Act. To show compliance you must be following all of the requirements of each regulation. The best method for doing that is to develop your policies and procedures against each of those requirements. If you operate to the standards of each regulation and hold people accountable to them, you will not have issues proving compliance during inspections or audits.

Each of the seven domains in an organization poses business challenges that IT management should concentrate on, or at least be aware of, when developing IT policy. First is the User Domain. The first challenge here is employee awareness: if you want someone to follow a policy, they need to know that it exists. If it does exist, employees need to understand its contents and how it aligns
References:

BIS | Department for Business Innovation and Skills. (2010, April 30). The National Archives. Retrieved October 31, 2012, from webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/whatwedo/sectors/infosec/infosecadvice/legislationpolicystandards/securitystandards/isoiec27002/section1/page33371.html

For Consumers. (n.d.). United States Department of Health and Human Services. Retrieved November 2, 2012, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html

ISO 27799 ISMS for healthcare. (n.d.). ISO27k infosec management standards. Retrieved October 30, 2012, from http://www.iso27001security.com/html/27799.html