Audit of Information Security
My primary responsibility as chief information security officer going forward is to develop and put in place a strong and efficient security program. To ascertain the level of organizational cyber security, an information security audit will need to be performed prior to developing such a program. The discussion that follows outlines the five primary areas that will be subject to the audit, its specifics, and the desired outcomes.
Asset management, the business environment, risk assessment, governance, and data security are the five main components of the information security program that need to be audited (NIST, 2017). An audit of asset management would seek to identify the systems, personnel, data, facilities, and devices crucial to ensuring that the health organization achieves its purposes and goals. An audit of the business environment is interested in whether the organization has understood and prioritized its vision, mission, and stakeholders.
A governance audit will concentrate on establishing whether the role of policies and procedures in managing cyber security, legal, and environmental risks is understood. The risk assessment audit will seek to uncover the information security and cyber security risks that face the healthcare organization's operations. A data security audit will seek to determine whether the confidentiality, integrity, and availability of information are protected by the effective management of data.
Goals of the audit
The NIST cybersecurity framework (2017) points out that effective asset management contributes to the achievement of organizational objectives and the development of an effective risk strategy. An audit of the asset management framework will aim at establishing whether all the systems and software applications within the ten hospitals are correctly inventoried. As the CISO, it is of great importance to map communication and data flows in order to determine the most effective communication channels. A weakness of many information security programs is that the roles of personnel are not clarified; the audit will therefore determine each worker's role in order to build a culture of accountability.
The various business environment factors, such as infrastructure and the mission, must not be ignored because they affect cybersecurity decision-making. An audit of this area aims to identify the critical functions that must be performed to improve organizational security. These functions reveal the resilience requirements necessary to support the various information security roles, reducing the risk of a security breach. The audit will also seek to clarify the healthcare organization's information security objectives and mission to enhance the risk management process at all ten hospitals (NIST, 2017).
Every healthcare organization must audit its risk assessment environment because doing so enables the identification of all organizational risks (Mohammed & Mariani, 2014). The primary goal is to identify and document the different asset vulnerabilities. The critical assets include policies, the security personnel, and the information systems and devices, and documenting them enhances the security of organizational information. The second goal is to identify and document the internal and external threats and their impact on the organization's information assets (Zarei & Sadoughi, 2016). As the CISO, I will make this process possible by facilitating the sharing of information among all ten hospitals to enable the development of a standard security program.
A governance audit is necessary because it informs management whether the existing policies, procedures, and processes contribute to the mitigation of cybersecurity risk. The audit aims to coordinate and align all stakeholders' roles and responsibilities. A large healthcare organization has many internal and external partners, and the development of an effective information security program requires that all of them share common responsibilities. A shared approach by all stakeholders ensures that all regulatory and legal demands are understood and managed. Most large healthcare organizations fail to strengthen their governance mechanisms, and the result is that conflicts over the management of information assets arise.
Data security is a concern of every chief information security officer irrespective of the industry (Peltier, 2016). The information security program's main aim is to maintain the confidentiality, integrity, and availability of patient information. The goal of the data security audit is to test the effectiveness of the software and databases in securing information and health records. It is also crucial to identify the areas vulnerable to attack and to establish the causes of data leaks. Ensuring the security of organizational information is my primary role, and therefore the audit will also recommend additional methods to enhance the safety of data.
References
Mohammed, D., & Mariani, R. (2014). An evaluation of the cybersecurity policies for the United States Health & Human Services Department: Criteria, regulations, and improvements. International Journal of Business and Social Research, 4(4), 1-7.
NIST. (2017). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for effective information security management. CRC Press.
Zarei, J., & Sadoughi, F. (2016). Information security risk management for computerized health information systems in hospitals: A case study of Iran. Risk Management and Healthcare Policy, 9, 75.