The Use of BS7799 Information Security Standard to Construct Mechanisms for the Management of Medical Organization Information Security

  • Shu-Fan Liu
  • Hao-En Chueh
  • Kuo-Hsiung Liao
Part of the Communications in Computer and Information Science book series (CCIS, volume 135)

Abstract

According to surveys, 80 % of security-related events threatening information in medical organizations are due to improper management. Most research on information security has focused on information and security technology, such as network security and access control, and has rarely addressed management issues. The main purpose of this study is to construct a BS7799-based mechanism for managing information security in medical organizations. This study analyzes and identifies the most common information-security events in medical organizations and categorizes them as high-risk, transferable-risk, or controlled-risk to facilitate the management of such risk.

Keywords

BS7799; Medical organizations; Information security; Risk management; Access control

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Shu-Fan Liu (1)
  • Hao-En Chueh (1)
  • Kuo-Hsiung Liao (1)
  1. Department of Information Management, Yuanpei University, Hsinchu, Taiwan