Security management of a general hospital information system handling sensitive personal data

Keywords: Assets; Confidentiality; Integrity; Availability; Threats; Impact; Vulnerability; Risk analysis; Risk management; Safeguards; Security plan; Security policies; MAGERIT; EAR/PILAR; OCTAVE; EBIOS; CallioSecura; CCS Risk Manager; Cloud assurance; CRAMM; COBRA; ISO31000
Threats to contemporary information systems have increased the dangers they face and, furthermore, the need for their security. The scope of this master's thesis is information risk analysis and management, and specifically the comparison of eight contemporary methods and tools. Through this procedure the advantages and disadvantages of the methodologies are revealed, and the need for their use was evaluated. Consequently, a security study of risk analysis and management of a Greek hospital's information system was performed. The study used the quantitative risk analysis methodology MAGERIT and the Environment for the Analysis of Risk EAR/Pilar. To begin with, in this security study the critical elements of the specific information system were defined and valued via interviews. Next, threats to the specific assets were defined and valued. After that, the dependencies were valued so that the residual risk could be calculated. Consequently, the residual risk was calculated for every threat and every asset. Finally, priorities for safeguards were defined and the management decisions for the protection of the assets were taken. Consequently, we present a summary of the security plan for the hospital, which includes the security procedures suitable for these threats. In the last chapter, we present the suitability of the MAGERIT method for the specific system and the advantage it offers for the risk management of the specific information system. Finally, there are some thoughts for improving the specific implementation of risk management for the information system of the Greek hospital.
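The abstract describes the MAGERIT procedure in outline: value the assets, value the threats, propagate value along dependencies, compute risk per threat per asset, then rank safeguards by the residual risk they leave. The following is an added illustration of that chain of calculations, not code or data from the thesis or from the EAR/PILAR tool. It assumes a simplified MAGERIT-style model (value per C/I/A dimension on a 0-10 scale, impact = accumulated value x degradation, risk = impact x annual frequency, safeguards scaling frequency or degradation); the asset names, threats, frequencies and safeguard factors are constructed sample values.

```python
"""Simplified MAGERIT-style risk calculation (added example, constructed data).

Assumed model, not the thesis's own figures:
  - each asset has an own value per security dimension (C, I, A), 0..10
  - value propagates along dependencies: an asset that others rely on inherits
    the highest value of its dependents (its "accumulated" value)
  - impact        = accumulated value x degradation caused by the threat
  - risk          = impact x expected annual frequency of the threat
  - residual risk = the same calculation after safeguards scale the threat's
    frequency and/or degradation
"""
from dataclasses import dataclass, field
from typing import Dict, List

DIMENSIONS = ("C", "I", "A")


@dataclass
class Asset:
    name: str
    value: Dict[str, float]                      # own value per dimension
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Threat:
    name: str
    asset: str                                   # asset the threat acts on
    frequency: float                             # expected occurrences / year
    degradation: Dict[str, float]                # fraction of value lost


@dataclass
class Safeguard:
    name: str
    threat: str                                  # threat it mitigates
    frequency_factor: float = 1.0                # 0.1 = frequency cut to 10 %
    degradation_factor: Dict[str, float] = field(default_factory=dict)


def accumulated_values(assets: Dict[str, Asset]) -> Dict[str, Dict[str, float]]:
    """Propagate value from dependent assets to the assets they rely on."""
    dependents = {name: [] for name in assets}
    for a in assets.values():
        for dep in a.depends_on:
            dependents[dep].append(a.name)
    cache: Dict[str, Dict[str, float]] = {}

    def acc(name: str) -> Dict[str, float]:
        if name not in cache:
            val = {d: assets[name].value.get(d, 0.0) for d in DIMENSIONS}
            for child in dependents[name]:            # inherit dependents' value
                for d, v in acc(child).items():
                    val[d] = max(val[d], v)
            cache[name] = val
        return cache[name]

    return {name: acc(name) for name in assets}


def risk_per_threat(assets, threats, safeguards=()):
    """Risk per dimension for every threat; pass safeguards for residual risk."""
    values = accumulated_values(assets)
    result = {}
    for t in threats:
        applicable = [s for s in safeguards if s.threat == t.name]
        freq = t.frequency
        for s in applicable:
            freq *= s.frequency_factor
        risks = {}
        for d, deg in t.degradation.items():
            for s in applicable:
                deg *= s.degradation_factor.get(d, 1.0)
            impact = values[t.asset][d] * deg
            risks[d] = impact * freq
        result[t.name] = risks
    return result


# Constructed sample inventory: a records service running on one server.
ASSETS = {
    "patient_records": Asset("patient_records", {"C": 10, "I": 9, "A": 8},
                             depends_on=["his_server"]),
    "his_server": Asset("his_server", {"C": 3, "I": 3, "A": 6}),
}
THREATS = [
    Threat("ransomware", "his_server", frequency=0.5,
           degradation={"I": 0.5, "A": 0.9}),
    Threat("unauthorized_access", "patient_records", frequency=2.0,
           degradation={"C": 0.8}),
]
SAFEGUARDS = [
    Safeguard("offline_backups", "ransomware", degradation_factor={"A": 0.2}),
    Safeguard("mfa_access_control", "unauthorized_access", frequency_factor=0.1),
]

if __name__ == "__main__":
    intrinsic = risk_per_threat(ASSETS, THREATS)
    residual = risk_per_threat(ASSETS, THREATS, SAFEGUARDS)
    for name in intrinsic:
        print(name, "intrinsic:", intrinsic[name], "residual:", residual[name])
```

Because the server inherits the records service's value through the dependency, the ransomware threat on the server is scored against the value of the patient data, not the hardware; this is the effect the abstract refers to when it says dependencies were valued before the residual risk could be calculated. Comparing `intrinsic` with `residual` per threat is what lets the safeguards be prioritised.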