Universiti Teknologi Malaysia Institutional Repository

Adopting ISO/IEC 27005:2011-based risk treatment plan to prevent patients data theft

Hamit, Laura Cassandra and Md. Sarkan, Haslina and Mohd. Azmi, Nurulhuda Firdaus and Mahrin, Mohd. Naz’ri and Chuprat, Suriayati and Yahya, Yazriwati (2020) Adopting ISO/IEC 27005:2011-based risk treatment plan to prevent patients data theft. International Journal on Advanced Science, Engineering and Information Technology, 10 (3). pp. 914-919. ISSN 2088-5334


Official URL: http://dx.doi.org/10.18517/ijaseit.10.3.10172


The concern raised in late 2017 regarding 46.2 million mobile device subscriber's data breach had the Malaysian police started an investigation looking for the source of the leak. Data security is very important to protect the assets or information by providing its confidentiality, integrity, and availability not only in the telecommunication industry but also in other sectors. This paper attempts to protect the data of a patient-based clinical system by producing a risk treatment plan for its software products. The existing system is vulnerable to information theft, insecure databases, poor audit login, and password management. The information security risk assessment consisting of identifying risks, analyzing, and evaluating them were conducted before a risk assessment report is written down. A risk management framework was applied to the software development unit of the organization to countermeasure these risks. ISO/IEC 27005:2011 standard was used as the basis for the information security risk management framework. The controls from Annex A of ISO/IEC 27001:2013 were used to reduce the risks. Thirty risks have been identified, and seven high-level risks for the product have been recognized. A risk treatment plan focusing on the risks and controls has been developed for the system to reduce these risks to secure the patient's data. This will eventually enhance the information security in the software development unit and, at the same time, increase awareness among the team members concerning risks and the means to handle them.

Item Type:Article
Uncontrolled Keywords:Data security, Risk management
Subjects:T Technology > T Technology (General)
Divisions:Razak School of Engineering and Advanced Technology
ID Code:93635
Deposited By: Widya Wahid
Deposited On:31 Dec 2021 16:45
Last Modified:31 Dec 2021 16:45

Repository Staff Only: item control page