QUESTIONNAIRE 7
Health Body Wellness Center Questionnaire
Health Body Wellness Center
HBWC is a center that endorses, evaluates and allocates funds among healthcare professionals. The OGG of the Health Body Wellness Center awards regionally sustained grants. OGG uses a Microsoft database system, referred to as SHGTS; in essence, the program is used to administer the health grant allocation process. The risk evaluation of HBWC was carried out to review the vulnerabilities and potential threats inherent in the system. Currently, HBWC has not provided any IS documentation that can be evaluated. There are two additional as-is question sets. These queries act as a guide in assessing the company's security assessment posture.
A. As-Is Question Collection
Query | Presented/Not Presented | Explanation
--- | --- | ---
Policy | |
Whether there exists a system that tackles the need to handle the risks | Not Presented | The procedures were not provided for the organization. ISO 27002 should be adopted to develop the risk management guidelines.
Whether the conventional risk posture is embraced in the organizational policy | Not Presented | The procedures were not submitted for the organization. The risk assessment defines the impact, likelihood and the risks. ISO guidance drives the evaluation of potential threats, determines risks, develops countermeasure recommendations and compiles BLSR checklists.
Whether the policy includes a risk review | Not Presented | The procedures were not performed. The organization should adopt ISO 27002 to assess risks, apply suitable controls and clarify control objectives. This is applicable as part of official guidance.
Whether there is a part inherent in the system inclusive of a multi-perspective view on risks, covering asset, threat, business impact assessment and vulnerability space | Not Presented | The systems were not provided for the organization. ISO 27002 recommends business impact, threat and asset assessment for IS.
Whether there is a section of the system that is inclusive of reporting results from assessing the risk | Not Presented | The policies were not provided for the organization. ISO guidance is needed to cover risk management. Management should define a policy that states its support for, and the direction of, IS, backed by a clear set of detailed corporate information.
Whether there is a part inherent in the system inclusive of analysis of remediation reported based on the risk assessment (i.e., how to increase security posture or reduce risk) | Not Presented | The policies were not presented. Systematically managed services under ISO 27002 improve the entire security posture, so that security compromises are reduced.
Procedures | |
Whether there is a process that describes the implementation and enforcement administration of risk plans | Not Presented | No policies were provided for the organization. Enforcement and implementation should be selected within the process in a bid to implement IS management.
Whether the system includes the extent of the scope and whether it includes asset, threat, business impact assessment and susceptibility gap | Not Presented | The risk assessment, in this case, is limited to SHGTS, the remote access server and its host's system (GSS). The risk is evaluated based on the managerial, operational and technical security domains. Nevertheless, it fails to define the scope.
Whether the risk assessment method addresses the depth of scope: does the depth include validation (hands-on), verification (seeing) and interview (asking)? | Not Presented | Policies were not presented. Rather, SHGTS information was gathered through interviews, documentation, site visits and review, and use of a network scanning tool. The Information Technology department should concentrate on the resulting management control.
Practice | |
Whether the methods are presented herein | Not Presented | The practices were not described or provided for the organization. Diverse controls should have been put in place to avoid conflicts.
As-Is Question Set
Justifying the Groupings: Categories of Questions
Practice, policy and procedures are the three categories included in any assessment or audit of information systems. Security management (SM) assesses the way security is managed across the hierarchical structure. The “if” and “how” of administration strengthen the recognized ISMS code. It is imperative to consider these groupings as an element of ISMS and process assessment. ISO guidance should be incorporated to provide the management policies, procedures and practices that should be implemented and reviewed from time to time. Security management and prevention are the groups that should be included in the question set above; they are established as the best practices for IS. Performance and management of the information system are observed through prevention and process documentation.
Query | Presented/Not Presented | Explanation
--- | --- | ---
Policy | |
Does the policy comprise in-depth security for asset management? | Not Presented | Security management discusses the executive backing and administration support for the organization of IS policy. Given the prescribed ISO safety and process standards, the objectives are imperative for the IS administrative process. In this grouping, ISO describes brief security tasks, security awareness responsibilities and the demarcation of policies that should be instituted for assessment. Threat resource and evaluation provision is managed as part of the SM plan (Arnason & Willett, 2007).
Does the policy describe prevention details? | Not Presented | The system maintenance and system development objectives ensure the security of the system files and ensure that IS security incidents are reported promptly. ISO covers a diverse range of IS controls and risks. In my opinion, it is not maintainable anymore and thus no longer viable. Based on ISO 27002, information should be protected using various access control measures.
Procedures | |
Whether the risk assessment has been well documented for access control | Not Presented | The procedures were not presented. Rather, SHGTS information was gathered through documentation, site visits and review, and use of a network scanning tool. The Information Technology department should concentrate on the resulting management control. Information security should be documented to enhance a better comprehension of SHGTS. Various assessment documents should be reviewed, including the OGG mission statement, organization chart, user guide, administrator's guide, configuration management plan and the SHGTS document.
Were the procedures to test the security functionality for access control developed? | Not Presented | The procedures were not developed. The company should develop procedures aimed at removing dial-up data access capabilities from personnel who are not authorized to use them. Security procedures discuss the executive backing and administration support for the organization of IS policy. Given the prescribed ISO safety and process standards, the objectives are imperative for the IS administrative process.
Practice | |
Does the practice establish methods to control the system that has been outsourced? | Not Presented | The practices were not described herein for the organization. Diverse controls should have been put in place to avoid conflicts. The relative value of SHGTS is derived from the sensitivity and criticality of the data that SHGTS transmits, stores and processes. Based on ISO 27002, the allocation and reallocation of secret authentication information, such as passwords for access control, should be controlled through the security management process.
Were observation statements and recommendations for IS access control countermeasures presented? | Not Presented | The practice based on recommendations of the countermeasures was not made. Based on ISO 27002, asset management should be protected through access control measures.
References
Arnason, S. T., & Willett, K. D. (2007). How to achieve 27001 certification: An example of applied compliance management. CRC Press.
Tipton, H. F., & Nozaki, M. K. (2012). Information Security Management Handbook (6th ed., Vol. 6). CRC Press.
Hernandez, S. (Ed.). (2009). Official (ISC)2 Guide to the CISSP CBK. CRC Press.