Assets and Security Requirements
An asset is something of value to an organization. An information-security risk evaluation focuses on a subset of those assets: information-related assets. These assets are grouped into the following categories: information, systems, services, applications, and people. During the data-gathering workshops of Phase 1, participants identified about 55 information-related assets. The analysis team reviewed this list to identify the organization's critical assets.
Critical assets are those information-related assets that would cause a large adverse impact on the organization if
They are disclosed to unauthorized people
They are lost or destroyed
They are modified without authorization
Access to them is interrupted
The analysis team identified the following critical assets for the hospital:
Patient Information Data System (PIDS)PIDS is a database system maintained by the contracting organization. This system contains most of the important patient information at the hospital.
Paper medical recordsThis is the official documentation source for all patient medical information.
Emergency Care Data System (ECDS)This system is used to maintain and update patient records and billing related to emergencies.
Personal computersThe hospital's staff is dependent on personal computers to access systems and information required for completing day-to-day tasks.
The contracting organization that maintains the hospital's computing infrastructureThe hospital is almost completely dependent on the contractor for maintaining PIDS and the network.
This article focuses on one of those assets: the Patient Information Data System (PIDS).
The first step in analyzing a critical asset is determining what about that asset is important. Security requirements outline the qualities of an asset that are important to protect. Typical security requirements include confidentiality, integrity, and availability. The team reviewed data that the consultant elicited during the early workshops, and constructed the following security requirements for PIDS:
Availability. Access to information is required 24/7; it must be available for patient encounters.
Confidentiality. Information on PIDS should be kept confidential (restricted to those with "need to know"). Information is subject to the Privacy Act.
Integrity. Records on PIDS must be kept accurate and complete. Only authorized users should be allowed to modify information on PIDS.
Each of the security requirements was judged to be important for PIDS. However, the team determined that availability was slightly more important than the other two requirements, because ensuring the availability of patients' medical information enables healthcare professionals to treat their patients in a timely manner, which the team viewed as the primary mission of the hospital. Integrity was judged to be second in importance.
After completing the organizational piece of the OCTAVE Method, the team turned its attention to the computing infrastructure.