Policy Drivers
The purpose of this assignment is to practice and demonstrate your ability to interpret detailed policy. We have chosen for you to take a look at two of the most well-known policies; in real life, you will have government policies such as these as well as enterprise-specific policies or regulations. As you build information systems, it is key to identify all relevant policy drivers early in the process and understand them.
In the module, we discussed how an organization's policies and regulations for data governance influence the nature and structure of IT/IS systems. For your assignment, research either HIPAA (for health care) or Sarbanes-Oxley (for financial data). In 1 page, describe at least two of the policies you find and explain how an IT/IS system would need to accommodate.
HIPAA Policies
1) To protect health information:
HIPAA protects the following types of health information.
a) Personal information:
such as name, address, contact number, email, social security number, photograph.
b) Medical information:
such as medical history, medical certificates, medical prescription and so on.
c) Technical information:
IP address, URLs, biometric details such as fingerprints.
2) Administrative safeguard:
Administration is supposed to develop some security policies. Security is a great concern. Security of a patient's medical reports/prescription is the prime concern.
Mandatory access control (MAC) should be used to grant access to the resources. In MAC, access rights are provided according to the level of authority. For example, a peon should not be allowed to access the medical history/medical report of a patient.
Role-based access control (RBAC):
In role-based access control, access rights are given according to the role of the employee. An employee can access information which is required to perform his/her job. An employee cannot access information which is not required to do his/her job.
RBAC makes employees more responsible because only an employee who wants information for his/her job can access the information; some other employee who does not require the information for his/her job cannot access this information.
The above security policies can be implemented with the help of IT infrastructure and the latest technologies.
a) Encryption
b) Proxy server
The job of the proxy server is to hide the internal network from the public network (internet). All the packets coming from the outside world (internet) are first received by the proxy server; the proxy server can then forward the packet to the internal host, hence making it almost impossible for an outsider to know the IP address of the internal host.
c) Firewalls
Every packet coming from the outside world (internet) is inspected/checked by the firewall against the rules defined by the network admin. If an incoming packet follows all the rules (if the packet is authorized), then the firewall allows the packet; otherwise the packet is not allowed to enter.
A combination of proxy server and firewall is used together.
d) Intrusion detection system:
An IDS is used to detect the unauthorized entry of an attacker into a system.
Advantages of IDS (intrusion detection system):
1) A firewall can be configured to show the ports and IP addresses. An IDS can be configured to show the specific content within a packet.
2) An IDS is capable of analyzing the types of security attacks. It can also analyze the amount of security attacks.
3) An IDS maintains logs; these logs can help the security manager to design some new security policies.
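
An added example, not part of the original answer: a deny-by-default check for the role-based rule described above, applied to the three information categories the answer lists, with an audit log of denied requests that a security manager could review. The role names, user names, permission map and denial threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-category grants (assumption, not taken from HIPAA text).
# Categories follow the answer: personal, medical, technical information.
ROLE_PERMISSIONS = {
    "physician": {"personal": {"read"}, "medical": {"read", "write"}},
    "billing": {"personal": {"read"}},
    "it_admin": {"technical": {"read"}},
    "peon": {},  # job needs no health information, so nothing is granted
}

@dataclass
class AccessMonitor:
    """Authorizes each request and records it for later review."""
    deny_threshold: int = 3  # hypothetical alerting threshold
    log: list = field(default_factory=list)

    def authorize(self, user, role, category, action):
        # Deny by default: unknown roles, categories and actions all fail.
        allowed = action in ROLE_PERMISSIONS.get(role, {}).get(category, set())
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "category": category,
            "action": action, "allowed": allowed,
        })
        return allowed

    def flagged_users(self):
        """Users whose denied requests reach the threshold."""
        counts = {}
        for entry in self.log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return sorted(u for u, n in counts.items() if n >= self.deny_threshold)

def demo():
    """Run constructed sample requests; return decisions and flagged users."""
    monitor = AccessMonitor()
    decisions = [
        monitor.authorize("dr_lee", "physician", "medical", "read"),
        monitor.authorize("sam", "billing", "medical", "read"),
        monitor.authorize("ravi", "peon", "medical", "read"),
        monitor.authorize("ravi", "peon", "personal", "read"),
        monitor.authorize("ravi", "peon", "medical", "write"),
        monitor.authorize("eve", "unknown_role", "personal", "read"),
    ]
    return decisions, monitor.flagged_users()

if __name__ == "__main__":
    print(demo())
```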