INFORMATION SECURITY MANAGEMENT SYSTEM - A Case Study in a Brazilian Healthcare Organization

Carlos Eduardo Ribas, Eduardo Massad, Jorge Futoshi Yamamoto, Marcelo Nascimento Burattini

2012

Abstract

ISO 27001 is the international standard for an Information Security Management System (ISMS) that helps to address the triad of information security: Confidentiality, Integrity, and Availability (CIA). An ISMS is a systematic approach focused on managing information security within an organization. It encompasses all the information assets, such as: people, processes and IT systems. This paper describes the implementation process of an ISMS in a Brazilian healthcare organization. We use an information system based on ISO standards as an indicator to assess the information security. Using Chi-square with Yates' correction or Fisher's exact test to compare the proportion of adequacy to the requirements of reference standard used, our case study showed positive results in the first ten months of implementation with significant results on multiple items analysed. However, in an environment of limited budgets, better results were not achieved in the following months due to the financial problems to implement specific controls in the organization. The aim of this paper is to present the experience obtained during the implementation of an ISMS in a healthcare organization and to discuss some critical success factors.

References

  1. Boehmer, W., 2008. Systems and Technologies. Appraisal of the Effectiveness and Efficiency of an Information Security Management System Based on ISO 27001. In SECURWARE 7808. Second International Conference on Emerging Security Information. p. 224-31.
  2. Tonga, C. K. S., Fungb, K. H., Huangc, H. Y. H., Chana, KK., 2003. Implementation of ISO17799 and BS7799 in picture archiving and communication system: local experience in implementation of BS7799 standard. In CARS'03. Proceedings of the 17th International Congress and Exhibition Computer Assisted Radiology and Surgery. p. 311-8.
  3. Fenz, S., Goluch, G., Ekelhart, A., Riedl, B., Weippl, E., 2007. Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard. In PRDC'07. 13th Pacific Rim International Symposium on Dependable Computing. p. 381-8.
  4. Humphreys, E., 2008. Information security management standards: Compliance, governance and risk Management. Information Security Technical Report. Volume 13, Issue 4. p. 247-55.
  5. ISO/IEC 27799, 2008. Health informatics - Information security management in health using ISO/IEC 27002.
  6. ISO/IEC 27002, 2005. Information technology - Security techniques - Code of practice for information security management.
  7. Ribas, C. E., Francisco, A. J. F., Yamamoto, J. F., Burattini, M. N., 2011. A New Approach to Information Security Assessment: a case study in a Brazilian healthcare organization. In BMIC 2011. The 5th International Symposium on Bio- and Medical Informatics and Cybernetics, v.II. p.219 - 23.
  8. Jing Feng N., Zhiyu C., Gang L., 2010. PDCA process application in the continuous improvement of software quality. In CMCE 2010. International Conference on Computer, Mechatronics, Control and Electronic Engineering. vol 1. p. 61-5.
Download


Paper Citation


in Harvard Style

Ribas C., Massad E., Nascimento Burattini M. and Futoshi Yamamoto J. (2012). INFORMATION SECURITY MANAGEMENT SYSTEM - A Case Study in a Brazilian Healthcare Organization . In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012) ISBN 978-989-8425-88-1, pages 147-151. DOI: 10.5220/0003728201470151


in Bibtex Style

@conference{healthinf12,
author={Carlos Eduardo Ribas and Eduardo Massad and Marcelo Nascimento Burattini and Jorge Futoshi Yamamoto},
title={INFORMATION SECURITY MANAGEMENT SYSTEM - A Case Study in a Brazilian Healthcare Organization},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012)},
year={2012},
pages={147-151},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003728201470151},
isbn={978-989-8425-88-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2012)
TI - INFORMATION SECURITY MANAGEMENT SYSTEM - A Case Study in a Brazilian Healthcare Organization
SN - 978-989-8425-88-1
AU - Ribas C.
AU - Massad E.
AU - Nascimento Burattini M.
AU - Futoshi Yamamoto J.
PY - 2012
SP - 147
EP - 151
DO - 10.5220/0003728201470151