
Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft

BibTeX

@article{IJASEIT10172,
   author = {Laura Cassandra Hamit and Haslina Md. Sarkan and Nurulhuda Firdaus Mohd Azmi and Mohd Naz’ri Mahrin and Suriayati Chuprat and Yazriwati Yahya},
   title = {Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft},
   journal = {International Journal on Advanced Science, Engineering and Information Technology},
   volume = {10},
   number = {3},
   year = {2020},
   pages = {914--919},
   keywords = {data security; risk management; information security; ISO/IEC 27005; risk assessment plan.},
   abstract = {The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police start an investigation looking for the source of the leak. Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, needy audit login and password management. The information security risk assessment, consisting of identifying risks, analyzing and evaluating them, was conducted before a risk assessment report was written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified and 7 high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data. This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.},
   issn = {2088-5334},
   publisher = {INSIGHT - Indonesian Society for Knowledge and Human Development},
   url = {http://ijaseit.insightsociety.org/index.php?option=com_content&view=article&id=9&Itemid=1&article_id=10172},
   doi = {10.18517/ijaseit.10.3.10172}
}

EndNote

%A Hamit, Laura Cassandra
%A Md. Sarkan, Haslina
%A Mohd Azmi, Nurulhuda Firdaus
%A Mahrin, Mohd Naz’ri
%A Chuprat, Suriayati
%A Yahya, Yazriwati
%D 2020
%T Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft
%B 2020
%9 data security; risk management; information security; ISO/IEC 27005; risk assessment plan.
%! Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft
%K data security; risk management; information security; ISO/IEC 27005; risk assessment plan.
%X The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police start an investigation looking for the source of the leak. Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, needy audit login and password management. The information security risk assessment, consisting of identifying risks, analyzing and evaluating them, was conducted before a risk assessment report was written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified and 7 high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data. This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.
%U http://ijaseit.insightsociety.org/index.php?option=com_content&view=article&id=9&Itemid=1&article_id=10172
%R doi:10.18517/ijaseit.10.3.10172
%J International Journal on Advanced Science, Engineering and Information Technology
%V 10
%N 3
%@ 2088-5334

IEEE

Laura Cassandra Hamit, Haslina Md. Sarkan, Nurulhuda Firdaus Mohd Azmi, Mohd Naz’ri Mahrin, Suriayati Chuprat and Yazriwati Yahya, "Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft," International Journal on Advanced Science, Engineering and Information Technology, vol. 10, no. 3, pp. 914-919, 2020. [Online]. Available: http://dx.doi.org/10.18517/ijaseit.10.3.10172.

RefMan/ProCite (RIS)

TY  - JOUR
AU  - Hamit, Laura Cassandra
AU  - Md. Sarkan, Haslina
AU  - Mohd Azmi, Nurulhuda Firdaus
AU  - Mahrin, Mohd Naz’ri
AU  - Chuprat, Suriayati
AU  - Yahya, Yazriwati
PY  - 2020
TI  - Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft
JF  - International Journal on Advanced Science, Engineering and Information Technology
VL  - 10
IS  - 3
Y2  - 2020
SP  - 914
EP  - 919
SN  - 2088-5334
PB  - INSIGHT - Indonesian Society for Knowledge and Human Development
KW  - data security; risk management; information security; ISO/IEC 27005; risk assessment plan.
N2  - The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police start an investigation looking for the source of the leak. Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, needy audit login and password management. The information security risk assessment, consisting of identifying risks, analyzing and evaluating them, was conducted before a risk assessment report was written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified and 7 high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data. This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.
UR  - http://ijaseit.insightsociety.org/index.php?option=com_content&view=article&id=9&Itemid=1&article_id=10172
DO  - 10.18517/ijaseit.10.3.10172
ER  - 

RefWorks

RT Journal Article
ID 10172
A1 Hamit, Laura Cassandra
A1 Md. Sarkan, Haslina
A1 Mohd Azmi, Nurulhuda Firdaus
A1 Mahrin, Mohd Naz’ri
A1 Chuprat, Suriayati
A1 Yahya, Yazriwati
T1 Adopting ISO/IEC 27005:2011-based Risk Treatment Plan to Prevent Patients Data Theft
JF International Journal on Advanced Science, Engineering and Information Technology
VO 10
IS 3
YR 2020
SP 914
OP 919
SN 2088-5334
PB INSIGHT - Indonesian Society for Knowledge and Human Development
K1 data security; risk management; information security; ISO/IEC 27005; risk assessment plan.
AB The concern raised in late 2017 regarding 46.2 million mobile device subscribers’ data breach had the Malaysian police start an investigation looking for the source of the leak. Data security is fundamental to protect the assets or information by providing its confidentiality, integrity and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, needy audit login and password management. The information security risk assessment, consisting of identifying risks, analyzing and evaluating them, was conducted before a risk assessment report was written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified and 7 high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks in order to secure the patients’ data. This will eventually enhance the information security in the software development unit and at the same time, increase awareness among the team members concerning risks and the means to handle them.
LK http://ijaseit.insightsociety.org/index.php?option=com_content&view=article&id=9&Itemid=1&article_id=10172
DO 10.18517/ijaseit.10.3.10172