Scenario
An information security team’s designated role is to implement an information security policy, standards, baselines, procedures, and guidelines. The Chief Information Security Officer (CISO) decided that your team must develop a security policy catalog to cover all the hospital policies and procedures to keep the networks secure, maintain secure data transmission, and protect patients’ confidential records. Take into consideration the following information about the hospital infrastructure:

The hospital headquarters is home to 750 staff members, with offices in Washington, DC; San Antonio, Texas; and New York City, New York. The hospital in Washington, DC, will also maintain networking to its local satellite office.
The headquarters stores the primary data and the main internet backbone, including LAN services, wireless LAN, wide area network (WAN), and virtual private network (VPN) tunnels.
The San Antonio hospital and the New York hospital host about 200 staff at each facility, and half of these employees are traveling more than 80% of the time. The New York office focuses on Computed Axial Tomography (CAT) scans and maintains media and web servers.
The satellite office has approximately 100 staff and is connected to the main WAN through a wireless point-to-point bridge to the Washington, DC headquarters data center.
The hospital allows doctors to conduct telehealth telecommunications. Remote and mobile staff are provided access to the hospital VPN client. The VPN client requires staff to have reliable internet service in order to communicate effectively across teams and with patients. The Information Technology team manages all hospital-owned laptops.
As the lead for your IT Security Team, prepare a security catalog related to protecting personal hospital devices, securing confidential data, managing passwords, data transfer policy, managing remote access, email policy, backup policy, VPN policy, acceptable use policy, incident response policy, physical security, periodical review of security standards, and disciplinary actions against employees for breaching security standards. As part of the catalog, you will include a policy statement. You will also select a security policy testing methodology to facilitate the assessment for technical errors.

Note: You may create or make all the necessary assumptions needed for the completion of this assignment.

Submission Requirements
Write a paper in Word in which you:

Create a security policy catalog comprising a set of security policies for a hospital organization.
Explain each security policy in detail with supporting justification for the policy.
Explain the proposed cybersecurity policy statement and reasons why the policy statement may be controversial.
Provide a justification for the determined security testing methodology you would use to facilitate the assessment of technical errors.

 

Sample solution

Dante Alighieri played a critical role in the literary world through his poem the Divine Comedy, which was written in the 14th century. The poem comprises the Inferno, Purgatorio, and Paradiso. The Inferno is a description of the nine circles of torment that are found on the earth. It depicts the realms of the people who have gone against spiritual values and who, instead, have chosen bestial appetite, violence, or fraud and malice. The nine circles of hell are limbo, lust, gluttony, greed, and wrath. Others are heresy, violence, fraud, and treachery. The purpose of this paper is to examine Dante’s Inferno from the perspective of its portrayal of God’s image and the justification of hell.

In this epic poem, God is portrayed as a supreme being guilty of multiple weaknesses, including being egotistic, unjust, and hypocritical. Dante, in this poem, depicts God as being more human than divine by challenging God’s omnipotence. Additionally, the manner in which Dante describes Hell is in full contradiction to the morals of God as written in the Bible. When God arranges Hell to flatter Himself, He commits egotism, a sin that is common among human beings (Cheney, 2016). The weakness is depicted in Limbo and at the Gate of Hell where, for instance, God sends those who do not worship Him to Hell. This implies that failure to worship Him is a sin.

God is also depicted as lacking justice in His actions, thus removing the godly image. The injustice is portrayed by the manner in which the sodomites and opportunists are treated. The opportunists are subjected to banner chasing in their lives after death, followed by being stung by insects and maggots. They are known to have done neither good nor bad during their lifetimes and, therefore, justice could have demanded that they be granted a neutral punishment for having lived a neutral life. The sodomites are also punished unfairly by God when Brunetto Latini is condemned to hell despite being a good leader (Babor, McGovern, & Robaina, 2017). While he committed sodomy, God chooses to ignore all the other good deeds that Brunetto did.

Finally, God is also portrayed as being hypocritical in His actions, a sin that further diminishes His godliness and makes Him more human. A case in point is when God condemns the sin of egotism and then goes ahead to commit it repeatedly. Proverbs 29:23 states that “arrogance will bring your downfall, but if you are humble, you will be respected.” When Slattery condemns Dante’s human state as being weak, doubtful, and limited, he is proving God’s hypocrisy because He is also human (Verdicchio, 2015). The actions of God in Hell as portrayed by Dante are inconsistent with the Biblical literature. Both Dante and God are prone to making mistakes, something common among human beings, thus making God more human.

To wrap it up, Dante portrays God as more human since He commits the same sins that humans commit: egotism, hypocrisy, and injustice. Hell is justified as being a destination for victims of the mistakes committed by God. Hell is presented as a totally different place compared to what is written about it in the Bible. As a result, reading through the text gives an image of a God who is prone to the very mistakes common to humans, thus stripping Him of His lofty divine status and, instead, making Him a mere human. Whether or not Dante did it intentionally is subject to debate, but one thing is clear in the poem: the misconstrued notion of God is revealed to future generations.

 

References

Babor, T. F., McGovern, T., & Robaina, K. (2017). Dante’s Inferno: Seven deadly sins in scientific publishing and how to avoid them. Addiction Science: A Guide for the Perplexed, 267.

Cheney, L. D. G. (2016). Illustrations for Dante’s Inferno: A comparative study of Sandro Botticelli, Giovanni Stradano, and Federico Zuccaro. Cultural and Religious Studies, 4(8), 487.

Verdicchio, M. (2015). Irony and desire in Dante’s “Inferno” 27. Italica, 285-297.

Hospital Security Policy Catalog

I. Policy Statement

“The [Hospital Name] is committed to safeguarding the confidentiality, integrity, and availability of all information assets, including patient data, employee records, and operational systems. We will maintain a robust security posture through adherence to established policies, continuous monitoring, and proactive risk management. All employees, contractors, and affiliates are responsible for upholding these standards.”

  • Controversy: This statement might be perceived as controversial due to its broad scope and the potential for increased oversight. Some employees may view it as an intrusion on their privacy or a hindrance to their workflow. However, it’s essential for ensuring patient data protection and regulatory compliance (e.g., HIPAA).

II. Security Policies

  1. Personal Hospital Device Policy
    • Description: Defines acceptable use of hospital-owned devices (laptops, tablets, mobile phones).
    • Justification: Prevents unauthorized access, malware infections, and data breaches.
    • Content:
      • Mandatory encryption.
      • Regular software updates.
      • Prohibition of unauthorized software installation.
      • Guidelines for device security in public places.
      • Policy for reporting lost or stolen devices.
  2. Confidential Data Security Policy
    • Description: Outlines procedures for handling and protecting patient health information (PHI) and other sensitive data.
    • Justification: Comply with HIPAA regulations and protect patient privacy.
    • Content:
      • Data classification and labeling.
      • Access control measures.
      • Secure data transmission protocols.
      • Data retention and disposal procedures.
      • Policy regarding portable data storage devices.
  3. Password Management Policy
    • Description: Establishes requirements for creating, storing, and changing passwords.
    • Justification: Prevents unauthorized access to systems and data.
    • Content:
      • Minimum password length and complexity.
      • Regular password changes.
      • Prohibition of password sharing.
      • Guidelines for secure password storage.
      • Multi-factor authentication enforcement.
  4. Data Transfer Policy
    • Description: Defines acceptable methods for transferring data internally and externally.
    • Justification: Prevents unauthorized data disclosure and ensures secure data exchange.
    • Content:
      • Approved data transfer methods (e.g., secure file transfer protocol, encrypted email).
      • Restrictions on transferring sensitive data via unencrypted channels.
      • Guidelines for data transfer to external parties.
  5. Remote Access Policy
    • Description: Governs remote access to hospital networks and systems.
    • Justification: Ensures secure remote access for telehealth and mobile staff.
    • Content:
      • VPN requirements.
      • Multi-factor authentication.
      • Device security requirements for remote access.
      • Monitoring and logging of remote access activity.
  6. Email Policy
    • Description: Defines acceptable use of hospital email systems.
    • Justification: Prevents phishing attacks, malware distribution, and data leaks.
    • Content:
      • Guidelines for email content and attachments.
      • Restrictions on sending sensitive information via email.
      • Procedures for reporting suspicious emails.
      • Policy on personal email usage on work devices.
  7. Backup Policy
    • Description: Outlines procedures for backing up critical data and systems.
    • Justification: Ensures data recovery in the event of a disaster or system failure.
    • Content:
      • Backup frequency and retention policies.
      • Off-site backup storage.
      • Regular backup testing.
      • Disaster recovery plan.
  8. VPN Policy
    • Description: Standards for VPN usage by remote and mobile staff.
    • Justification: Protects hospital data transmitted over public networks.
    • Content:
      • Mandatory use of the hospital-provided VPN client.
      • Restrictions on split tunneling.
      • Policy on personal device usage of the VPN.
  9. Acceptable Use Policy (AUP)
    • Description: Defines acceptable use of hospital IT resources.
    • Justification: Prevents misuse of IT resources and ensures network security.
    • Content:
      • Restrictions on unauthorized access and use.
      • Guidelines for internet and email usage.
      • Prohibition of illegal or unethical activities.
  10. Incident Response Policy
    • Description: Outlines procedures for responding to security incidents.
    • Justification: Minimizes the impact of security incidents and ensures timely recovery.
    • Content:
      • Incident reporting procedures.
      • Incident response team roles and responsibilities.
      • Incident containment and eradication procedures.
      • Post-incident review and analysis.
  11. Physical Security Policy
    • Description: Measures to protect physical access to hospital facilities and IT infrastructure.
    • Justification: Prevents unauthorized physical access to sensitive areas.
    • Content:
      • Access control systems (e.g., key cards, biometric scanners).
      • Surveillance systems.
      • Visitor management procedures.
      • Server room security.
  12. Periodical Review of Security Standards
    • Description: Process for periodic review of all security standards.
    • Justification: Ensures security standards remain up to date with new threats.
    • Content:
      • Set schedule for review.
      • Process for updating standards.
      • Communication plan for updated standards.
  13. Disciplinary Actions Policy
    • Description: Consequences for violating security policies.
    • Justification: Deterrence and enforcement of security standards.
    • Content:
      • Range of disciplinary actions (e.g., warnings, suspension, termination).
      • Procedures for investigating and documenting policy violations.
      • Process for appealing disciplinary actions.
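The device, password, remote-access and VPN policies above each state checks that can be automated against an endpoint inventory. The following is an added example (not part of the assignment or the sample solution) that audits a constructed inventory against those four policies; the record fields, site names and the 30-day patch threshold are assumptions standing in for values the catalog leaves to the hospital.

```python
"""Audit a constructed endpoint inventory against the hospital device,
password, remote-access and VPN policies. Example code added here; the
inventory fields and thresholds are assumptions, not hospital data."""
from dataclasses import dataclass

# Assumed threshold for "regular software updates" in the device policy.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Endpoint:
    hostname: str
    site: str             # "HQ-DC", "SanAntonio", "NYC", "Satellite" or "Remote"
    disk_encrypted: bool  # device policy: mandatory encryption
    days_since_patch: int
    vpn_client: str       # "hospital" for the managed client, else vendor or ""
    split_tunnel: bool    # VPN policy: split tunneling restricted
    mfa_enrolled: bool    # password policy: MFA enforcement
    hospital_owned: bool  # remote-access policy: device security requirements


def check_endpoint(ep: Endpoint) -> list:
    """Return the policy violations for one endpoint (empty list if compliant)."""
    findings = []
    if not ep.disk_encrypted:
        findings.append("device-policy: disk not encrypted")
    if ep.days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(f"device-policy: last patch {ep.days_since_patch}d ago")
    if not ep.mfa_enrolled:
        findings.append("password-policy: multi-factor authentication not enrolled")
    # VPN and remote-access rules only apply to endpoints connecting from outside.
    if ep.site == "Remote":
        if ep.vpn_client != "hospital":
            findings.append("vpn-policy: not using the hospital-provided VPN client")
        if ep.split_tunnel:
            findings.append("vpn-policy: split tunneling enabled")
        if not ep.hospital_owned:
            findings.append("remote-access-policy: personal device used for remote access")
    return findings


def audit(inventory: list) -> dict:
    """Map each non-compliant hostname to its findings; compliant hosts are omitted."""
    report = {}
    for ep in inventory:
        findings = check_endpoint(ep)
        if findings:
            report[ep.hostname] = findings
    return report


# Constructed sample inventory (fictitious hosts, not real hospital systems).
SAMPLE_INVENTORY = [
    Endpoint("hq-ws-01", "HQ-DC", True, 5, "", False, True, True),
    Endpoint("ny-lap-17", "Remote", True, 12, "hospital", True, True, True),
    Endpoint("sa-lap-04", "Remote", False, 45, "other", False, False, True),
    Endpoint("dr-byod-02", "Remote", True, 3, "hospital", False, True, False),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_INVENTORY).items():
        print(host, findings)
```

Feeding the report into the disciplinary and incident-response procedures (policies 10 and 13) is left to the hospital's own workflow.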

III. Security Policy Testing Methodology

  • Vulnerability Scanning and Penetration Testing:
    • Justification: This methodology provides a comprehensive assessment of the hospital’s security posture by identifying vulnerabilities in systems and networks and simulating real-world attacks.
    • Process:
      • Vulnerability scanners are used to identify known vulnerabilities in software and hardware.
      • Penetration testers simulate attacks to identify weaknesses in security controls and assess the effectiveness of incident response procedures.
      • The results of the testing are used to prioritize remediation efforts and improve security controls.
      • This methodology also allows for testing of employee security awareness via phishing simulations.
      • This methodology also allows for testing of physical security controls.
