Health Body Wellness Center Questionnaire essay

Health Body Wellness Center

HBWC is a center that endorses, evaluates, and makes allotments among professionals in healthcare. The OGG of Health Body Wellness Center bestows the allocation of regionally sustained grants. OGG utilizes the Microsoft database system. This plan is referred to as SHGTS. In essence, the program is used to administer health grant allotment procedures. The risk evaluation of HBWC was done to review the susceptibilities and the potential threats inherent in the system. Currently, HBWC has failed to give any IS that can be determined. There are two additional as-is questions. These queries act as a guide in assessing the safety assessment position of the company.

A. As-Is Question Collection

Each entry below records the query, whether it was presented or not presented, and the explanation.

Policy

Query: Whether there exists a system that tackles the need to handle the risks
Presented/Not presented: Not Presented
Explanation: The procedures were not provided for the organization. ISO 27002 should be used to develop the management guidelines.

Query: Whether the conventional risk posture is embraced in the organizational policy
Presented/Not presented: Not Presented
Explanation: The procedures were not submitted for the organization. The risk assessment defines the impact, likelihood and the risks. ISO galvanizes evaluation of potential threats, determines risks, develops countermeasure recommendations and compiles BLSR checklists.

Query: Whether the policy includes a risk review
Presented/Not presented: Not Presented
Explanation: The procedures were not performed. The organization should adopt ISO 27200 to assess the risks, apply suitable controls and clarify control objectives. This is applicable as part of official guidance.

Query: Whether there is a part inherent in the system inclusive of a multi-perspective view on risks. This includes:
  • Asset
  • Threat
  • Business impacts assessment
  • Vulnerability space
Presented/Not presented: Not Presented
Explanation: The systems were not provided for the organization. ISO 27002 recommends business impact assessment, threat and asset analysis for IS.

Query: Whether there is a section of the system that is inclusive of reporting results from assessing the risk
Presented/Not presented: Not Presented
Explanation: The policies were not provided for the organization. ISO is needed to cover risk management. The management should describe a policy that specifies support for, and discretion of, IS. This is supported by an understandable suite of detailed corporate information.

Query: Whether there is a part inherent in the system inclusive of analysis in remediation reported based on risk assessment (i.e., how to increase security posture or reduce risk)
Presented/Not presented: Not Presented
Explanation: The policies were not presented. Systematically managed services under ISO 27002 improve the entire security posture in that security compromise will be reduced.

Procedures

Query: Whether there is a process that describes the implementation and enforcement administration of risk plans
Presented/Not presented: Not Presented
Explanation: No policies were provided for the organization. Enforcement and implementation should be selected within the process in a bid to implement IS management.

Query: Whether the system includes the extent of the scope and whether it includes
  • Asset
  • Threat
  • Business impacts assessment
  • Susceptibility gap
Presented/Not presented: Not Presented
Explanation: The risk assessment, in this case, is limited to SHGTS, the remote access server and its host's system (GSS). The risk is evaluated based on the managerial, operational and technical security domains. Nevertheless, it fails to include the scope.

Query: Whether the risk assessment modus operandi covers the depth of scope: does the depth include
  • Validation (hands-on)
  • Verification (seeing)
  • Interview (asking)
Presented/Not presented: Not Presented
Explanation: Policies were not presented. Rather, SHGTS was gathered through interviews, documentation, site visits and review, and use of a network scanning tool. The Information Technology department should concentrate on the resulting management control.

Practice

Query: Whether the methods are presented herein
Presented/Not presented: Not Presented
Explanation: The policies were not described herein or provided for the organization. Diverse controls should have been put in place to avoid conflicts.

AS-IS Question Set

Justifying the Grouping Categories of Questions

The practice, policy and procedures are the three categories that are inclusive in one assessment or the audit of information systems. SM assesses the way security is managed in a hierarchical structure. The "if" and "how" of the administration enhance the ISMS code which is recognized. It is imperative to consider these groupings as an element of ISMS and process assessment. ISO should be incorporated to provide management policies, procedures and practice that should be implemented from time to time. Security management and prevention are the groups that should be included in the query set above. Security management and prevention are set up as the finest applications for IS. Performance and management of information systems are observed through prevention and process documentation.

Each entry below records the query, whether it was presented or not presented, and the explanation.

Policy

Query: Does the practice comprise in-depth security for asset management?
Presented/Not presented: Not Presented
Explanation: Security management discusses the executive backing and administration support for the organization of IS policy. Having the prescribed ISO safety and process standards, the objectives are imperative for the IS administrative process. In this grouping, ISO describes brief security tasks; security responsiveness responsibilities and policy demarcation should be instituted for assessment. The threat resource and evaluation provision is managed as part of the SM plan (Arnason & Willett, 2007).

Query: Does the policy describe prevention details?
Presented/Not presented: Not Presented
Explanation: The system maintenance objectives and system development ensure security of the system files and ensure that IS security is reported promptly. ISO covers a diverse range of IS controls and risks. In my opinion, it is not maintainable anymore and thus no longer viable. Based on ISO 27200, information should be protected using various access control measures.

Procedures

Query: Whether the risk assessment has been well documented for access control
Presented/Not presented: Not Presented
Explanation: The procedures were not presented. Rather, SHGTS was gathered through documentation, site visits and review, and use of a network scanning tool. The Information Technology department should concentrate on the resulting management control. Information security should be documented to enhance a better comprehension of SHGTS. Various assessment documents should be reviewed. Some of the documents include the OGG mission statement, organization chart, user guide, administrator's guide, configuration management plan and SHGTS document.

Query: Were the procedures to test the security functionality for access control developed?
Presented/Not presented: Not Presented
Explanation: The procedures were not developed. The company should develop procedures aimed at facilitating the removal of capabilities that may arise when personnel are not authorized to dial in to data. Security procedures discuss the executive backing and administration support for the organization of IS policy. Having the prescribed ISO safety and process standards, the objectives are imperative for the IS administrative process.

Practice

Query: Does the practice establish methods to control the system that has been outsourced?
Presented/Not presented: Not Presented
Explanation: The practices were not described herein for the organization. Diverse controls should have been put in place to avoid conflicts. The relative SHGTS value is obtained based on the sensitivity and criticality of the data that SHGTS transmits, stores and processes. Based on ISO 27002, the allocation and reallocation of secret authentication information, such as passwords for access control, should be controlled through a security management process.

Query: Were observation statements and recommendations for IS access control countermeasures presented?
Presented/Not presented: Not Presented
Explanation: The practice based on recommendations of the countermeasures was not made. Based on ISO 27200, asset management should be protected through access control measures.

References

Arnason, S. T., & Willett, K. D. (2007). How to achieve 27001 certification: An example of applied compliance management. CRC Press.

Tipton, H. F., & Nozaki, M. K. (2012). Information security management handbook (6th ed., Vol. 6). CRC Press.

Hernandez, S. (Ed.). (2009). Official (ISC)2 guide to the CISSP CBK. CRC Press.