Ex: SOD Would Be To Separate The Ability To Set Up A New Vendor Account and

The document discusses creating a security policy framework for a large healthcare organization with 25 sites, 2000 employees, and thousands of patients. The assistant recommends analyzing existing policies and identifying risks such as attacks to steal patient data or violate rules like HIPAA. The assistant proposes a policy framework focused on protection through authentication, detection of unauthorized access attempts, response to attacks by warning administrators and guiding troubleshooting, and recovery to minimize damage and restore normal operations quickly.

Group 4

Members:

- Võ Minh Khánh - SE140781

- Nguyễn Quốc Bửu - SE140936

- Trần Đăng Khoa - SE140934

Discussion 4: Separation of Duties (SOD)

The importance of SOD

- A task is divided so that it requires more than one person → SOD creates the minimum
number of organizational layers needed to achieve a specific business
purpose → prevents fraud and reduces errors.

Ex: SOD would be to separate the ability to set up a new vendor account and
ability to authorize payment to a vendor. The ability both to set up and to
authorize a vendor creates an opportunity for fraud. The SOD controls reduce
the likelihood that a fake vendor is set up and paid.

- SOD sets boundaries between the roles assigned to an employee and avoids the conflicts
of interest that may result from combining responsibilities → reduces the risk
of internal fraud.

Ex: One employee calculates the gross pay and net pay information for a payroll, and
another employee verifies it → prevents the payroll employee from paying
‘fake’ employees.

- SOD for high-risk transactions is a fundamental component of internal control:
no individual should be able to execute a high-risk transaction, conceal
errors, or commit fraud in the normal course of their duties. SOD can be
applied at either a transactional or organizational level.
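As an added example (not part of the group's document), the following Python checker models both levels just described: the organizational check flags a user whose combined roles cover both halves of a conflicting duty pair, and the transactional check refuses the second half of a pair to the person who performed the first half on the same transaction. The duty names, roles and users are constructed for illustration, using the vendor and payroll examples above.

```python
# Added example: a minimal separation-of-duties (SOD) checker.
# All duty names, roles, users and history below are constructed sample data.

# Duty pairs the text treats as incompatible for one person.
CONFLICTS = {
    frozenset({"vendor_setup", "vendor_payment_approval"}),
    frozenset({"payroll_calculation", "payroll_verification"}),
}

# Role -> duties that role grants (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"vendor_setup"},
    "ap_manager": {"vendor_payment_approval"},
    "payroll_clerk": {"payroll_calculation"},
    "payroll_reviewer": {"payroll_verification"},
}

def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for r in roles:
        duties |= role_duties.get(r, set())
    return duties

def sod_violations(user_roles, conflicts=CONFLICTS, role_duties=ROLE_DUTIES):
    """Organizational SOD: {user: [conflicting duty pairs]} for every user whose
    combined roles cover both sides of a conflict (a toxic combination)."""
    found = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= duties)
        if hits:
            found[user] = hits
    return found

def transaction_allowed(actor, duty, history, conflicts=CONFLICTS):
    """Transactional SOD: refuse if this actor already performed the other half
    of a conflicting pair on the same transaction (set up the vendor, now wants
    to approve its payment). history is a list of (duty, actor) tuples."""
    for prior_duty, prior_actor in history:
        if prior_actor == actor and frozenset({prior_duty, duty}) in conflicts:
            return False
    return True

if __name__ == "__main__":
    users = {"alice": ["ap_clerk"], "bob": ["ap_clerk", "ap_manager"]}
    print(sod_violations(users))  # bob holds both halves of the vendor conflict
    history = [("vendor_setup", "alice")]
    print(transaction_allowed("alice", "vendor_payment_approval", history))  # False
    print(transaction_allowed("dave", "vendor_payment_approval", history))   # True
```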

Roles that should always be separated

- Employees: access specific applications in the production environment
- Systems administrators: access systems and databases to support
applications
- Security personnel: protect network, systems, applications, and information
- Contractors: temporary workers needing the same access as a full-time worker
in the same role
- Vendors: access networks, systems, and applications to perform contracted
services
- Guests and general public: access specific application functions
- Control partners: review and assess controls
- Contingent IDs: recover systems and data during an outage
- System accounts: start, stop, and perform automated system services

Assignment 4: Security Policy Creation

Learning Objectives and Outcomes


- You will research information security policy framework approaches. You will
analyze policies for the specified organization.
- You will identify the method for creating a security policy framework.

Assignment Requirements
You are appointed as an information technology (IT) security manager in the XYZ
health care organization. This publicly traded, large health care organization has
25 sites across the region with 2,000 staff members and thousands of patients.
Sean, your manager, has asked you to analyze the available situation of the
corporation and then to identify and finalize the method for creating a security
policy framework. He wants to know how you would approach this endeavor. Write
a report on how you would analyze your organization and how you would go about
identifying and finalizing the method for creating a security policy framework. He will
then compare your findings to his and move forward to make the changes that were
applicable. Be sure to research these steps from the textbook, ITT Tech Virtual
Library, and use these methods to formulate your recommendations. Complete a
report no longer than three pages describing how you would approach the task
above.

Analyze the health care organization's policies:

- 25 sites with 2,000 staff members and thousands of patients.
- Most users will use mobile devices, so the data must be secured.
- Security: employees need the right information and procedures
so they can handle all security-related situations.
- Data privacy and IT security are connected in hospital policies and
procedures. The more technology incorporated into the facilities, the greater
the risk of data leaks or privacy breaches.
- Identify: health care organizations are likely to be attacked to steal or
destroy information, including patients' health information, personal
data, the organization's property information,... or to violate rules such as HIPAA.

Create a policy framework:

- Protect: there must be protections such as authentication when using the
organization's assets.
- Detection: raise a warning when someone tries to access the organization's
data without authorization.
- Response: when attacked, the system must warn the administrator, and there must
be a process to guide troubleshooting when the problem occurs.
- Recovery: there must be a recovery system to reduce the damage from an attack
so the organization can go back to work immediately.
