As an information security officer for a small pharmacy, there are a few things that need to be addressed. As with any company, the top priority is to make sure that the data entered into the machines stays safe and that the people using the computers know that this is their responsibility as well. As the security officer, I have been asked by my supervisor to identify any inherent risks associated with the pharmacy and to establish physical and logical access control methods that will mitigate the risks identified.
When it comes to physical and logical controls, the two have to be kept separate, but both still fall under IT security, because both provide a way to reach the data and therefore both need security in place. With physical controls, the key point is that this is a computer accessed right there on site; since this is a pharmacy, it will be one of the three computers available at any of the three windows for anyone to use.
There needs to be a username to log in with, and a password that has its own requirements attached to it. Also, because the computer is on site and physically reachable, it needs to lock itself automatically within 10-15 minutes when no one is using it. With logical access, the key point is that this is what some companies would call a "privilege": the ability to do the job you are required to do from home or on vacation, for example, without having to be physically at work.
In some cases a token may be put in place, so that a username, password and PIN plus token are needed in order to access the network and the data that may be shared on a local share drive. However, sometimes certain access is restricted to make sure that no data can be transmitted into the wrong hands or get lost. In both cases it is important that a firewall and internet security software are in place and monitored, to make sure that the firewall is running properly. We must also look at the physical risks that come from the physical layout of the pharmacy.
Since the front of the store faces the mall, the person delivering the drugs or medications comes in through the back door. This puts the server room at risk, because the only personnel who should be in the server room are those with access to the server room itself. If someone other than IT needs access to this room for any reason, they should get approval at a corporate level. Also, any time the server room door is open for any reason without approval, it should definitely be monitored to make sure that nothing ends up "walking".
Because computer hardware and cabling are stored here, this area is an easy target for something to come up missing. There should also be a PIN-code lock on the door, so that no one outside the authorized group knows the code. If someone leaves the company for any reason, this code should be changed in order to maintain full security and compliance with company policies. In any networked organization you want to make sure that you keep on top of the vulnerabilities of anything that reaches out to the internet.
Computers and servers that touch the internet are the ones that must be scanned. As a company you have to make sure that you configure the security settings for the operating system, internet browser and security software. As a company you also want to set personal security policies for online behavior. There also needs to be an antivirus installed on the network, such as Norton or Symantec, which blocks threats targeting the vulnerabilities. This is classified as risk mitigation because it reduces the risk of computer infection.
An antivirus needs to be installed on each and every machine as well, since an unprotected machine could also create a vulnerability for a hacker to get into the network. To help with mitigation there is also software that can disable all USB ports, or encrypt them. If a user plugs in a USB thumb drive, the system would automatically encrypt it, which means that the user will not be able to get to the data on that particular thumb drive. (Unless of course they are in the computer industry, in which case I guess technically you can sometimes get it back.)
This of course is a good example of a logical vulnerability, because all humans can be a risk to a network, mostly unintentionally but on occasion intentionally. Personal devices like iPods, iPads, Kindles, etc., are the worst culprits, because these devices can bring in malicious code, giving hackers access to or a way of breaking into the network, because they are a "weak link". I think that administrative controls are definitely important: "With the firewalls you want to configure them in the reputable internet security program to block unsolicited request communication." (Source 2) Firewalls need to be installed on each computer, configured properly, and running every day like they are supposed to.
With the organization running Windows 2008 domain controllers with an integrated Active Directory and an Exchange server for email functions, "there are risks associated specifically to those types of operating systems." (Source 2) If you do not keep on top of the systems and do the necessary patches regularly, there could be potential security risks. (Be sure that you are not just installing any patch, because implementing an untested patch could potentially bring down the servers.) Patches should also be applied at least once a month, if not more often, to be sure that there are no "open gaps" or vulnerabilities that a potential hacker could use to compromise the network. In this example, pharmacy personnel have to be aware of their surroundings and environment at all times to make sure that no physical vulnerabilities arise. A pharmacy is required, and held to high standards, to make sure that customers' confidential information and data do not get out. If the network gets hacked, the pharmacy would no longer be able to function.
This would slow production 2-fold and the business itself would suffer, causing people to go elsewhere. As with any vulnerability, loss of information is always crucial. It could violate both the business's and the customers' privacy, and legal liabilities would come into play and cost more money. If the pharmacy lost data, or got hacked into, customers would probably not be likely to return. People have a lot of faith and trust in their pharmacist and pharmacy, and if something happened that compromised the network, the customers they originally had probably wouldn't return.
I would also make sure that the pharmacy had a good backup of its data. In most cases, and for most businesses, the main backup has to be in a remote location, whether down the street or in another state: one big full backup of the data, and then incremental backups after that. That way they could at least restore to the day before if absolutely needed. The pharmacy would also have to double-check what the legal liabilities, if any, are before doing a backup, since customer data and confidential information would be stored somewhere else.
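To make the full-plus-incremental scheme above concrete, here is an added example (not from the original essay) that models a backup chain in memory: one full backup, then incrementals that record only files changed or removed since the previous run, and a restore that rebuilds the files as they stood at the latest backup on or before a requested day. The files, paths and day numbers are constructed; it goes slightly beyond the essay by also tracking deletions, so a restore to an earlier day does not resurrect files that had been removed.

```python
import hashlib
from dataclasses import dataclass, field

def _digest(data: bytes) -> str:
    """SHA-256 of file content; used to detect which files changed since the last backup."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class Backup:
    day: int
    kind: str                                    # "full" or "incremental"
    files: dict = field(default_factory=dict)    # path -> bytes (only changed files in an incremental)
    deleted: set = field(default_factory=set)    # paths removed since the previous backup

class BackupSet:
    """One full backup followed by incrementals (constructed, in-memory model)."""
    def __init__(self):
        self.chain = []          # ordered list of Backup objects
        self._last_hashes = {}   # path -> digest as of the previous backup

    def run(self, day: int, live: dict) -> Backup:
        """Take a backup of `live` ({path: bytes}) for the given day."""
        kind = "full" if not self.chain else "incremental"
        changed = {p: d for p, d in live.items()
                   if kind == "full" or self._last_hashes.get(p) != _digest(d)}
        deleted = set(self._last_hashes) - set(live)
        backup = Backup(day, kind, changed, deleted)
        self.chain.append(backup)
        self._last_hashes = {p: _digest(d) for p, d in live.items()}
        return backup

    def restore(self, day: int) -> dict:
        """Rebuild the file set as of the latest backup on or before `day`."""
        applicable = [b for b in self.chain if b.day <= day]
        if not applicable or applicable[0].kind != "full":
            raise ValueError("no full backup precedes the requested day")
        state = {}
        for b in applicable:                 # replay full, then each incremental in order
            state.update(b.files)
            for p in b.deleted:
                state.pop(p, None)
        return state
```

Restoring "to the day before" is simply `restore(today - 1)`; the chain is only as good as the full backup it starts from, so that full copy is the one to keep off site.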