Information Security Domains And Access Control
Access Control objectives
These include the goals set by an organization to achieve data security and privacy. Access control objectives are set by the information department in an organization so that the right people can access the right information when they need it, that is, at the right time. I will be discussing the objective of patient and data privacy in a hospital setting. Most people regard the privacy of their information not as a privilege but as a right. It is therefore fair for health organizations to control access to patient information. Previously, when hospitals were single-entity organizations, privacy was actually less complicated, since medical records were kept on film, paper and microfiche. Because of the large volume of records, however, accessing them was really difficult, so a new access system was in demand for easier accessibility. In 2006 the American Medical Informatics Association designed a Patient Internet Portal. It is a patient site that allows a patient to log in online and access information about their enrollment, radiology and laboratory results, appointment requests, prescription renewals and many other services offered to them at the hospital. Many health organizations have adopted this mechanism of accessibility, and research by the founding organizations noted that patients using it were healthier than the average patient not using the site. This accessibility method ensures that the data is kept private, because accessibility is restricted to patients and clinicians. Data on the site is encrypted and password protected, and access to the system is limited to those holding a confidential password to the site.
Access control policies
Medical health organizations are among the major organizations in which information is accessed almost without limit. It is therefore ironic to try to limit accessibility of information in such an organization, but accessibility has to be limited anyway, and access control policies have to be set by such organizations. Setting them includes a careful evaluation of the system, performed by skilled informaticians. The access policies include: software that secures data transmission over the Internet; authentication, which validates the identities of information senders and receivers; and authorization, which is based on the use of tokens such as a unique user id and password. The management also has to set up audit trails responsible for tracking information flow. These policies are an attempt at ensuring data security and privacy in the complex data security puzzle.
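As an added illustration of the portal access model from the previous section and of the three policy elements just listed (authentication, authorization by user id and password, and an audit trail), the following Python model is example code written for this page; it is not software from PatientSite or from any author cited here, and every user, record and password in it is constructed sample data. Patients may read only their own record, clinicians only the records of patients assigned to them, and every authentication and authorization decision is written to the audit trail.

```python
"""Minimal model of the access controls described above: password-based
authentication, role-based authorization that restricts each medical record
to the patient it belongs to and to the clinicians treating that patient,
and an audit trail that records every access decision.

All users, records and passwords below are constructed sample data for the
example; none of them come from the PatientSite system or any real portal.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    role: str                          # "patient" or "clinician"
    salt: bytes
    pw_hash: bytes
    patients: frozenset = frozenset()  # for clinicians: patients under their care


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value cannot be reused as a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id, role, password, patients=()):
    salt = os.urandom(16)
    return User(user_id, role, salt, hash_password(password, salt), frozenset(patients))


class Portal:
    def __init__(self, users, records):
        self.users = {u.user_id: u for u in users}
        self.records = records   # patient_id -> record text
        self.audit = []          # audit trail: (actor, patient, outcome)

    def authenticate(self, user_id, password):
        """Validate the claimed identity; returns the User or None."""
        user = self.users.get(user_id)
        if user is None:
            self.audit.append((user_id, None, "auth-failed:unknown-user"))
            return None
        # Constant-time comparison of the stored and freshly computed hashes.
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            self.audit.append((user_id, None, "auth-failed:bad-password"))
            return None
        self.audit.append((user_id, None, "auth-ok"))
        return user

    def authorize(self, user, patient_id):
        """Decide whether an authenticated user may read a patient's record."""
        if user.role == "patient":
            return user.user_id == patient_id
        if user.role == "clinician":
            return patient_id in user.patients
        return False  # unknown roles are denied by default

    def read_record(self, user_id, password, patient_id):
        """Authenticate, authorize, log the decision, then release the record."""
        user = self.authenticate(user_id, password)
        if user is None:
            return None
        allowed = self.authorize(user, patient_id)
        self.audit.append((user_id, patient_id, "read-granted" if allowed else "read-denied"))
        return self.records.get(patient_id) if allowed else None


def demo():
    """Build a constructed portal and exercise the main access paths."""
    portal = Portal(
        users=[
            make_user("pat-001", "patient", "correct horse"),
            make_user("pat-002", "patient", "battery staple"),
            make_user("dr-smith", "clinician", "stethoscope", patients=["pat-001"]),
        ],
        records={"pat-001": "Lab results: normal", "pat-002": "Radiology: pending"},
    )
    results = {
        "own": portal.read_record("pat-001", "correct horse", "pat-001"),
        "other_patient": portal.read_record("pat-001", "correct horse", "pat-002"),
        "clinician_assigned": portal.read_record("dr-smith", "stethoscope", "pat-001"),
        "clinician_unassigned": portal.read_record("dr-smith", "stethoscope", "pat-002"),
        "bad_password": portal.read_record("pat-002", "wrong", "pat-002"),
    }
    return portal, results


if __name__ == "__main__":
    portal, results = demo()
    for name, value in results.items():
        print(f"{name}: {value}")
    for entry in portal.audit:
        print("audit:", entry)
```

The audit trail is appended on every path, including failed logins and denied reads, because those are exactly the events a reviewer needs when tracking information flow; a trail that records only successful accesses cannot show who tried to reach a record they were not entitled to.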
Data in organizations is always at risk of attack. The attack could come from within or from outside the organization. An organization has to accept the fact that hackers will always probe its network protocols for weaknesses; information security systems in any organization are therefore vulnerable to attacks from intruders. Penetration testing is a process in which an organization attempts to access its own data the way an intruder would. A successful penetration test is designed to achieve breaches of data availability, data security or confidentiality, and data integrity. Penetration testing serves to protect an organization from data insecurity, because the test reveals the threats facing the organization's information assets and helps the management quantify information risk. Penetration testing also allows the management to discover the holes in its security system before hackers do.
Article: Mark T. Edmead (August/September 2007), The Importance of Performing Vulnerability and Penetration Testing.
Journal: Roy L. Simpson (May 2001), How Can We Keep Private Data Private?, page 12.
Journal: Saul N. Weingart, David Rind, Zachary Tofias, Daniel Z. Sands (American Medical Informatics Association, Jan/Feb 2006), Who Uses the Patient Internet Portal? The PatientSite Experience, page 91.