Week 7 - Risk Analysis and Management in IT Industries

For week 7 we are learning the Risk Management life-cycle, I choose to research more on the current trends of risk management in IT Industries. Risk analysis and management are very essential topics in the IT industry as risk determines the implementation approach and timelines.  A risk assessment helps organizations ensure they are compliant with regulatory mandates. With baseline risk management standards, risk analysis helps to determine the implementation of the safeguards contained in the security rule; we can say that risk analysis is one of the important processes of security management process. 

A risk analysis process includes, but is not limited to, the following activities:

1) Calculate the possibilities and impact of the potential risks to important personal health information (Risk Score Calculation).

2) Identify the appropriate security framework to address the risks identified during risk analysis

3) Document the security framework and compliance of the infrastructure

4) Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to systems and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to information.  With the secure system and environment, the organizations can achieve their business goal. All the applications that are used to communicate with the secured information needs to be protected with strong security plan. Following are some of the security rules that organizations can include to safeguard the systems and assets:

•Implement Security Management Process:  Organizations has to perform the risk analysis and implement the security measures that reduce the risks and vulnerability to organization assets and the infrastructure.

•Assign security personnel: security official who is responsible for developing and implementing organizational security policies and procedures has to be assigned.

•Information Access Management: Secured measures have to be implemented in order to safeguard the accessibility of the information. Policies and standards helps in maintaining the access management to the employees, external partners and other sectors. 

•Workforce Training and Management: Organizations must train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

•Evaluation: A periodic assessment of how well security policies and procedures meet the requirements of the Security Rule has to be evaluated and necessary updates have to be documented.

• Facility Access and Control. Authorized access has to be maintained to access the physical facilities.

•Workstation and Device Security: Organization must implement policies and procedures to specify proper use of and access to workstations and electronic media. Enterprise also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.

•Access Control: Organization must implement technical policies and procedures that allow only authorized persons to access electronic protected health information. Access to the software and system has to be the role based access.

•Audit Controls: Organizations must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use personal information. Internal and External audit help to maintain the reliability and compliance of the organization with standard laws.

Works Cited

American Medical Association. (n.d.). Security Standards and Risk Analysis. Retrieved September 24, 2015, from http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/security-standards.page?

Cornell University Law School. (n.d.). 42 U.S. Code § 1320d–5 - General penalty for failure to comply with requirements and standards. Retrieved September 24, 2015, from Legal Information Institute: https://www.law.cornell.edu/uscode/text/42/1320d-5

Health IT.gov. (n.d.). Security Risk Assessment. Retrieved September 24, 2015, from http://www.healthit.gov/providers-professionals/security-risk-assessment-tool

Week 6- Security Risk of Using Personal Devices while travelling in public transportation

Research conducted by PublicTransportation.org concluded, "In the year 2013 Americans took 10.7 billion trips in the public transportation" proving the record high ridership. In the world, of all trips made to and from work  35% use public transportation and underdeveloped countries are at high end of using public transportation, Whether the intent is to commute to work or non work related, most of commuters use mobile devices for communication, browsing, listening music, taking photographs, playing games etc. While using these devices some way or other these devices use the public networks which are unsecured and posses high risk of security. Public transportation commuters are even accessing the company data on the unsecured and unknown networks. Unsecured data can easily be exploited by the elite hackers using the public Wi-Fi networks and use them against the company security data networks. Some travelers even use the public network for the company task while travelling and or talking to the colleague regarding important work related data posses threats in company privacy policy. 

It is equally important to protect the personal information while using these mobile devices because you never know who you are travelling with and using the cellular phones or laptops or tablets openly gives opportunity to the criminals. Openly texting, entering personally identifiable information, entering banking information, displaying work related information while  travelling in the public transportation should strictly be  considered as vulnerable. On the other hand, if  any suspicion is occurred that someone is watching your messages, works then you should confront the individual asking the intent and report the issue to concerned authority if unusual behavior is noticed. If you feel company data is shared then the action should be notified to the security team as soon as possible. 

With increasing Security risk, companies are moving towards "Bring Your Own Device (BOYD)" policies  which will force security team to conquer mobile device management in order to maintain the company data and network security. 

To conclude, using mobile device in public transportation should be strictly be monitored and using company data in public networks should strictly prohibited. If any suspicious activities are noticed, confront them to ask the privacy of the usage and if in any case company data is compromised then notify  to the IT security team as soon as possible. 

References:

http://www.worldmapper.org/posters/worldmapper_map142_ver5.pdf

http://www.publictransportation.org/news/facts/Pages/default.aspx

Week 5 :Business Internet/email use policies- Legal and ethical issues of an employer being able to monitor the computer use/emails of employees-

Since we are deep diving the security policies this week, I would like to discuss the business internet/email policies. Some organizations keep an eye on it's employee, what they are doing during and off work.Monitoring has both benefits and impact to the organization and employee. I am discussing some legan and ethical issues of an employer being able to monitor the computer use or email use of an employee.

As we all know, the Company owns the rights to all data and files in any computer, network, or other information system used in the Company. It also reserves the power of retrieving the data sent or received by the employee using the company internet access or company’s property. The company has always closed monitored in its employees and to all data and files sent or received either personal or professional. Employees must be fully aware of the discipline of the company. They must know that the electronic mail, messages which are sent or received though the company’s internet or web base application can be traced and view by the company officials at any time without any notice. There is no expectation of privacy in any information or activity conducted, sent, performed, or viewed on or with Company equipment or Internet access (www.twc.state.tx.us). It is completely clear that using of the internet at office by the employees during the working hour is totally unacceptable, however I believe that there is always a pros and cons for such kind of cases.

Employers has started to put close monitoring on their employee due to excess increase in cyber loafing and lawsuits through the new inventive technologies. At the same time both parties are clear regarding the ethical implications of constant monitoring. The company does monitoring on its employee’s action to closely monitor the work productivity and the efficacy. At the same time monitoring also helps to track the actual amount of time they spend on the work and or sitting idle.

Computer monitoring also allows the employer to keep records of the employees’ performance, and provides the information required to set the company’s performance standard and helps in the appraisal review process. Not only this it also allows the employer to keep closer look on the employees’ access to information about their own level of performance and also give an access to employees to judge their own level of performance. It also helps to create the flexibility in work location by allowing the employee to telecommute or" flex time".

On the contrary, Employer feels the pressure of working under the hostile environment and feeling of invasion in their territory. Because of the unfriendly environment the productivity of the company might not meet the company’s standard. Monitoring is intrusive and has a high potential risk for abuse in the companies’ employer (Mishra & Crampton, 1998). Since the employees can have direct access to track of each and everything they can use it against the employee. The monitored employees are also likely to have less control over their jobs, monitor work load pressures, more arguable interaction with the customers and less fairness of their work. With the major increase in stress it has also been found employee reporting the psychological and physical health issues.

Works Cited

Department of Health and Human Services. (n.d.). Security Standards: Technical Safeguards. Retrieved October 06, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Mishra, ,. J., & Crampton, S. M. (1998). EMPLOYEE MONITORING: PRIVACY IN THE WORKPLACE? Retrieved from http://faculty.bus.olemiss.edu/breithel/final%20backup%20of%20bus620%20summer%202000%20from%20mba%20server/frankie_gulledge/employee_workplace_monitoring/employee_monitoring_privacy_in_the_workplace.htm

www.twc.state.tx.us. (n.d.). INTERNET, E-MAIL, AND COMPUTER USE POLICY. Retrieved from http://www.twc.state.tx.us/news/efte/internetpolicy.html

Potential health risks related to cellular phone technology on human health - Week 4

In the communication industry use of telephones are significant and warmly welcomed for the human use. World health Organization (WHO) reports an estimate of 6.9 Billion subscriptions of the mobile phone globally (World Health Organization , 2014). Both wired and wireless communication, the signals are transferred and received as the form of radio frequency (RF) (analog) and electromagnetic waves in the case of digital media. The electromagnetic waves are non-ionizing radiation meaning they can move the atoms in the molecule but not enough to ionize (replace or remove the electrons). High energy radiations such as X-ray or Gamma rays are seriously hazardous to the human body. The exposure level of the radio waves to the human body for the longer duration can cause heat leading to the tissue burn, skin diseases but there are no clear indications of damaging the blood cells due to the exposure. The frequencies that are used in the mobile phones ranges from 900 MHZ to 2.1 GHZ and power of 0.1 to 2 watts. These exposures to the human body vary with the wavelengths, distance, handheld vs. hands- free and length of the call (World Health Organization , 2014).

Health effects

As it is certain that the longer use of the cell phones can cause the heat to the body cells and most likely affect the soft cells in the brain as use is closer to the head. According to NIH only biological effect of radiofrequency energy is heating and there has been no factual evidence on the brain tumors or cancers. On the other hand the study from World Health Organization Regional Office for Europe’s Health Evidence Network (HEN) on the impact on developing head and brain tumors (benign and malignant) concluded the evidence did not support the hypothesis but an increase in the risk of acoustic neuroma after 10 years or more of mobile phone use (World Health Organization and Health Evidence Network (HEN), 2006). Exposure to the radiation can cause short-term and long-term effect to the human body.

Short term effect

Brain performs all the electrical activity of the human body and the nerves transfer these signals to different parts including the skin. The radiation generated by the cell phones can cause heat to the human body, most likely to the skin in the ear and head section. This can increase the temperature to the exposed part of the human body affecting the electrical activity of the human body. People tend to keep the cell phones near to the heart and this can cause the heating in the exposed part and affect the neural functions related to the heart. The studies from health organizations does not suggest any evidence of the health effects due to the exposure to the radio frequency but practically increase the temperature of the tissue exposed (World Health Organization , 2014).The other side of the cell phone use hazard is battery explosion which is causing the serious burnt to the human body and sometimes leads to the human death.

Long term effect

The longer exposure to the radio frequency can cause human health effects most possibly to the lowest level of effect of the high radiation waves. Again the length of exposure to the radiation will depict the effect to the human body. The Interphone study report from World Health organization in 2010 concluded a median lifetime cumulative call time was around half an hour each day and this trend is slowly decreasing due to the technology of hands free and texting in use that prevents from bringing the cell phones closer to the brain cells. Most discussion in the world at present day is brain tumors and damage in the blood cells. People using the cell phones closer to the brain for longer time might expose to the radiation and slowly these radiations can damage the blood cells and also cause some damage in the temporal organ of the human body. Effect on the brain cells, stem cells, skins leads to the rupture in the DNA that will stop the cells growth leading to the blood barrier to the human body. People keeping the cell phones close to the reproductive organs can cause the damage in count of sperm cells leading to the infertility. The exploratory study conducted by Weston A. Price Foundation (WAPF) on ten human bodies to cell phone radiation stressor illustrate substantial changes in the blood from short-term cell phone radiation exposure in nine out of ten human subjects (Weston A. Price Foundation , 2015). So several studies have been conducted by various health organizations to verify the possibility of brain cancer due to the exposure to the cell phone radiation for longer time but there has not been any definitive study that proves the theory. The research result depends on the various measuring factors such as duration of use, participant’s health condition, age, frequency of the radiation and many more which is always volatile and results cannot be replicated. In other hand the cell phone use in the children are increasing day by day and radiation might affect the brain cells but still researches conducted by US, Spain, Denmark, Sweden, Norway, and Switzerland does not prove any cases of brain cell damage or proved cancer.

Works Cited

CTIA-THE WIRELESS ASSOCIATION. (2015). Background on CTIA’s Wireless Industry Survey . CTIA-The Wireless Association.

Weston A. Price Foundation . (2015, January 16). Does Short-term Exposure to Cell Phone Radiation Affect the Blood? Retrieved October 28, 2015, from http://www.westonaprice.org/modern-diseases/does-short-term-exposure-to-cell-phone-radiation-affect-the-blood/

World Health Organization . (2014, October). Electromagnetic fields and public health: mobile phones. Retrieved October 28, 2015, from http://www.who.int/mediacentre/factsheets/fs193/en/

World Health Organization and Health Evidence Network (HEN). (2006). What effects do mobile phones have on people’s health? Copenhagen: WHO Regional Office for Europe.

Issue Specific Security Policy (ISSP)

For my CIS-608 class, i need to draft a generic, sample Issue Specific Security Policy (ISSP)  that would be useful to any home computer user. So I have prepared a sample Issue Specific Security Policy (ISSP) for my house hold : "Security Policy Document for use of personal devices in Khadka household". Please review and provide the feed back on my work:

Statement of Policy

PURPOSE

This document establishes a policy for use of personal devices (cell phones, tablets, home computers, etc.) within the Khadka household premises to protect the sensitive information of the family members, relatives, visitors, and security of the Khadka house.

BACKGROUND

This document was developed because the use of personal devices within the Khadka household from the visitors, guest and neighbors increased during the last year which created the threat over the security of household assets. The use of the personal devices in the household network for personal communication, work related connections, gaming, television networks and use of the software created more thereat on the firewalls and injected malware in the network that created lots of downtime for the network repair during the peak hours and slowness in the browsing capacity.

SCOPE

This policy applies to all members of the Khadka family, guests, visitors and others using personal devices (Cell phones, tablets, laptops etc.) within the premise.

Failure to comply with the security requirements and policies will result in disciplinary action, legal issues and also restriction over the access of the network at any time inside the premise. Non- compliance includes willful or negligent violation of the personal devices, use of personal devices for the personal communication at family gathering, use of home network in personal devices at the dining table, use of computer software for gaming and video streaming over 2 hours continuously, negligence of the security policies that endanger the interest of Khadka family members.

Authorized access and usage of the equipment

All the users agree to comply by the household code of conduct to protect the household data. The use of the personal devices and connection to the household network should be authorized and authenticated. Access to the Khadka housed network must be:

• Authenticated and verified for visitors and guests
• Use of computer, laptops, and other devices within the household should be authorized
• Gaming station and use of TV network should be authorized and monitored
• Children under age of 16 should follow the guidelines of time limit (2 hours) for use of gaming devices, use of TV networks, mobile devices, computer usage
• Restricted use of the personal devices and connecting to the network during family gathering and after waking hours.
• Revoked when visitors, guests, outside family members tries to change the password and perform any infringement to the network.
• Visitors, guest and outside members should require use of guest access to connect the network.

Security Policies agreement

All the users and devices are required to comply all the existing security policies developed by Khadka hose hold and the current security policy. Some of the existing policies include:

• Information security policy for Khadka household
• Use of mobile and laptop policy
• Wireless use policy
• Remote access and device use policy
• Network/Malware/Virus policy
• Khadka family Privacy policy
• Copyright Information policy

Guests use of personal device

Personal devices including mobile devices, laptops, tablets, person computers, USB etc. are authorized to bring in the household premise but connection to the network should be authorized and monitored. These devices are prohibited to access the Khadka household’s communication, any personal information, sharing family member’s personal information to public. All guests/visitors should use guest password protected network to complete the use of the devices. Any guests/visitors required to use the personal devices for any emergency should be approved by the authorized house member.

Systems Management

Khadka house member is solely responsible for monitoring the use of external devices in the home network. Khadka household member should safeguard the software, networks and any household devices provided to the guests/visitors in any use. Khadka household is responsible for creating the guidelines of the device use in the Intranet and also publish all the lists of the approved devices, hardware, and password encrypted user accounts.

Prohibited Uses

Guests/visitors/neighbors are prohibited from adding any software, personal passwords, network password and household data in the personal devices. Data includes email communication, house member’s information, financial information, household personal files, any persona bookmarks, passwords, user accounts. Capturing images and videos of the personal data are not authorized within the household premise. Paring the household devices with the personal using the Bluetooth is strictly prohibited and only permitted with authorization. Any form of personal USBs are not allowed to use in the family network, hardware and software to store Khadka family information and data.  

Violations of the policy

Failure to comply with the security requirements and policies will result in disciplinary action, legal issues and also restriction over the access of the network at any time inside the premise.

Policy Review and modification

This policy will be reviewed and modified based on the family member’s agreement at the end of every year.

Limitations of Liability

Khadka household is not responsible for any lost or stolen devices during the unauthorized use within the Khadka home premise. Any devices borrowed from the house has to be reported to the Khadka household if they are stolen or lost.