FROM: Akshat Sangal DATE: May 03, 2016
SUBJECT: Analyze various concerns about the third party assessment.
MWJ Healthcare is a US-based, locally incorporated, integrated healthcare system with a large number of hospitals and clinics. Because of changes in the US health care system, the organization has become both cautious and hungry for new customers. Recently, Lunel Manufacturing, a major maker of automotive and aerospace subassemblies, has been identified as a high-value prospective insurance client, but because of security concerns Lunel Manufacturing requires that a third party complete a thorough security evaluation of the health insurance provider. This evaluation includes an on-site audit and a penetration test of all systems on the network, including the applications that hold Lunel employee records.
• The major concern is compliance with the HIPAA Privacy and Security Rules. The HIPAA Security Rule sets minimum security standards that must be followed in order to maintain a secure environment and protect the organization's sensitive health information from compromise.
• Another important concern is that the third party will be granted access to all of the organization's systems. This is risky, because these systems contain all of the organization's important information; if data access rights are somehow given to the wrong person, that person could misuse the information and cause serious damage to the organization.
1) Assess risk and identify the level of risk
One of the most important inputs from the legal or compliance departments is a risk assessment that identifies the level of risk. These are the risks that come with granting access to the organization's vital information. Legal and compliance can help the organization identify the consequences and the level of risk involved, which in turn helps the organization prepare proper mitigation strategies.
Example:- In the case of Lunel Manufacturing, if a third party is given access to all of the organization's systems, that access can itself have bad consequences, including a security breach.
2) Guide with Law and Regulations
Another important input expected from the legal or compliance departments is their complete knowledge of the laws and regulations that apply to information security. They can help the organization follow those laws and regulations so as to create a secure environment within the organization.
3) Educate on security policies and create awareness
Legal or compliance departments can also educate the organization's people on its security policies and on the consequences of failing to follow them. They can help the organization write security policies and produce proper documentation for them. They should also be able to create awareness among the organization's people of the importance of information security.
Lunel Manufacturing has asked for a third-party evaluation of all of the applications and servers that hold information about the organization. Consequently, before proceeding with the third-party assessment, the whole procedure must be evaluated thoroughly to prevent any loss or damage.
First, there should be a detailed security assessment within the organization to make sure that everything is in order. This internal audit assesses each category separately. The following categories need to be assessed to make sure that the environment the third party will work in is secure:-
a) Network Security Assessment
This assessment will help us understand whether adding new devices to the existing network is secure. There should be proper protection in the form of firewalls, intrusion detection systems and similar controls.
b) System Security Assessment
It is also important to identify who has access to each system and how login IDs and passwords are managed, including whether passwords are changed regularly to make sure they have not been compromised. Operating systems should be installed according to the company's security policies, and every system must have anti-virus software installed.
c) Application Security Assessment
Everything related to the application has to be assessed properly. It should be clearly identified who manages the application, what information the application consumes and what information it produces. If the application is integrated with another application, how secure is that integration? This is another important question that needs to be answered.
d) Data Security Assessment
The data used by the application, and the source of that data, should be available to the security team. It is important to make sure that data transferred between systems is protected by proper encryption.
Once the internal audit is completed and the organization is sure that it has no outstanding security issues, the company should prepare a complete list of policies that any third party accessing its systems must comply with.
It should also be made sure that the third party doing the assessment is an experienced and trustworthy vendor. The vendor's history of previous projects should be reviewed so that the work is done properly. It is better if a highly trustworthy, certified party is hired for this job.
As the case makes clear, MWJ Healthcare uses several Software as a Service (SaaS) providers in the cloud to store much of its enterprise data, so it is important to test the cloud services as well. Testing cloud services involves many steps to make sure that everything is covered properly. The following are some of the major steps required to evaluate and manage the security of an organization's use of cloud services. They help identify ways to mitigate risk and deliver an appropriate level of support.
a) Existence of effective risk and compliance process
Organizations using cloud services should ensure that their applications and data hosted in those services are secured according to their own security and compliance policies. This builds trust between the client and the service provider.
b) Assurance of protection of data and other important information
Data is always the most important security concern for an organization. Cloud services are no exception; rather, they need extra attention, as the cloud is a distributed network and resource sharing is one of its defining features. One way to assure data protection is to prepare a data catalog that classifies the different data assets by their criticality to the business. Sensitive data should be encrypted so that the key security principles of confidentiality, integrity and availability are applied to its handling.
c) Assurance of the security of cloud networks and connections
A cloud service provider must permit legitimate network traffic and block unwanted traffic, just as any other Internet-connected organization does, but there is certain traffic that is never legitimate regardless of the situation.
Example:- Traffic to known malware ports is one such case. If the cloud service does not already have a safeguard for this, it should put one in place.
d) Authorized users to access applications and data
Applications and data in the cloud should be accessible only to properly authorized users. Everything should be password protected, and there should be proper tracking of all authorized users and their activities.
The USA PATRIOT Improvement and Reauthorization Act amended the earlier USA PATRIOT Act. Together, these acts help define computer security crimes and the appropriate punishment for them. They contain different sections, each with important provisions on information security crime. Some of the most important are as follows:-
• Under the USA PATRIOT Act and the PATRIOT Improvement and Reauthorization Act, certain computer fraud and abuse offenses were added to the list of violations that may constitute a federal crime of terrorism. This applies to anyone who knowingly accesses a computer without authorization and obtains classified information. The provision also applies to anyone who knowingly causes the transmission of a program, information, code or command and thereby causes damage to a protected computer.
• The act also increased the penalties for these offenses. The penalty for a first offense of causing the transmission of a program, information, code or command that intentionally causes damage to a protected computer increased from 5 years to 10 years. The penalty for a second such offense of intentionally gaining unauthorized access to a protected computer and, as a result, recklessly causing damage increased from 10 years to 20 years. It is also now an offense to attempt to commit these offenses.
All of these factors increase the value of the Secret Service's role in investigating fraud and other illegal activities related to computers, as the Secret Service holds the relevant information and can develop mitigation strategies to counter such activity.
a) Pahri, M., & Idris, N. A. (n.d.). 3rd Party Information Security Assessment Guideline. Retrieved from
b) Smith, M. S., & Seifert, J. W. (n.d.). CRS Report for Congress.
c) Baudoin, C. (n.d.). Security for Cloud Computing.