...Presented Problem After examining the incident, there are some key things that stick out as major risks, these include: • Accounts existed before EHR system was deployed. • Accounts were undocumented. • Non Authorized remote users had access to the EHR application. • Undocumented account was created/added to a new system. • Method or Vulnerability to gain privilege escalation outside of change control policy. This led me to propose three policies, each address some of these key issues from separate fronts. The three policies include a Remote Access Policy, Application Deployment, and a Routine Maintenance policy. The Remote Access policy aims to correct the issue that non-authorized users were able to access the EHR system. HIPAA has included provision in the Security Rule that allows for remote access, but with certain limitations. I have included provision that restricts remote access based on Job Role and Job Necessity(ISO 27002:2005, 7.1.1), and restricted to assets that are owned by the hospital which have enhanced security (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1))(ISO 27002:2005, 11.4.2). The Application Deployment policy aims to close security loop holes that appear to have been open for months before the EHR system was even deployed. There were no check on accounts when importing, and no alerts when permissions were escalated. Some of the key standards that I see as aiding in creating this policy is better change management (ISO 27002:2005, 10...
Words: 1416 - Pages: 6
...New Policy Statements for the Heart-Healthy Information Security Policy New User Policy Statement The current New Users section of the policy states: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” There are procedures for creating new user account profiles. HIPPA requires that an Information Security Officer (ISO) must be assigned to the network account profiles. This appointed person(s) is usually the network or system security administrator of the organization. Once this role is assigned, the security administrator can create network profiles and assign the new user to such specified profile. The network profiles are implemented in accordance with least privilege access. This means that data intended for use will only be available to the specified profile. This method protects the privacy of the data during transmission. This process complies with the 4 standard Federal regulatory requirements stated in this policy: FISMA, HIPAA/HITECH, GLBA, and PCI-DSS. Once the network account profiles are created, a new user is created and assigned. To implement a strong access control measure, a unique user identifier must be assigned to the new user account. Before the new user account is activated, the network or security administrator will need to...
Words: 971 - Pages: 4
...t2 Task 4 In: Computers and Technology Tft2 Task 4 TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions my security team, along with the network engineers, performed a thorough investigation of how such attack had occurred. Once we were able to view all logs and audit data it came to our attention that the data did not appear to be stolen from our network. All transactions performed were done so with the appropriate credentials. Once we determined that the data breach did not occur on our network we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund...
Words: 1413 - Pages: 6
...TFT2 Cyberlaw, Regulations, and Compliance Overview Kristi Lockett, Course Mentor Kristi.lockett@wgu.edu https://kristilockett.youcanbook.me Performance Assessment • • • Seven (7) Weeks to complete COS Four (4) Tasks Refer to Rubric (in Taskstream) for task requirement details Tasks – submit via Taskstream 1. Task 1 – Policy Statements • For given scenario, develop/revise two policy statements (new users and password requirements). Justify policies based on current federal information security laws/ regulations (i.e., HIPAA) 2. Task 2 - Policy Statements • For given scenario, develop three policy statements that would have prevented a security breach. Justify policies based on national or international standards (i.e., NIST, ISO) 3. Task 3 – Service Level Agreement • • • For given scenario, recommend/justify changes to service level agreement. Address the protection of the parent company’s physical property rights, intellectual property rights and the non-exclusivity clause Use Microsoft Word tracking to track your additions, deletions, and modifications. Insert your justifications after each SLA section, or write an essay describing your changes and justifications 4. Task 4 – Cybercrime • For the given scenario, write an essay responding to the following question prompts (suggested length of 3–5 pages): • • • • • • • • Discuss how two laws or regulations apply to the case study. Discuss how VL Bank will work within the parameters of appropriate legal jurisdiction...
Words: 369 - Pages: 2
...TFT2 Task 2 Thomas Garner Student ID: 336227 Information Security Modification Recommendations Service Level Agreement Between Finman Account Management, LLC, Datanal Inc., and Minertek, Inc. After careful review of the current Service Level Agreement(SLA) “A Service Level Agreement for Provvision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.” we have determined that standard Information Technology security measures have not been addressed fully. Following are the recommended changes highlighted in the specific sections that need to be addressed. These changes are being recommended to protect Finman’s data and intellectual property. Established standards such as Best Management Practices(BMP), International Organization of Standards(ISO) and the Information Technology Infrastructure Library(ITIL) for the proper handling, storage and protection of IT resources are used as guidelines for these recommendations. Recommended Changes to SLA: Section 3 Background and Rationale Modifications: Finman views this SLA as a groundbreaking venture to harness the diverse array of IT-borne customer demands and opportunities that cannot be met by adhering to traditional paradigms. Finman’s objectives in the SLA are to compete more effectively in a highly competitive industry by offering its customers a unified IT management plan across an entire organization or even, if the customer wishes, across separate departments...
Words: 1333 - Pages: 6
...TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions my security team, along with the network engineers, performed a thorough investigation of how such attack had occurred. Once we were able to view all logs and audit data it came to our attention that the data did not appear to be stolen from our network. All transactions performed were done so with the appropriate credentials. Once we determined that the data breach did not occur on our network we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund Transfer Act (EFTA). This states that as long as the fraudulent...
Words: 328 - Pages: 2
...Security Policy Cyberlaw, Regulations, and Compliance – TFT2 Task 1 Introduction: Heart-Healthy Insurance is currently evaluating their current security policy and have requested some changes to the policy concerning adding new users and the password requirements for the users. The end goal of the requested changes is to satisfy several compliance regulations that are required by law for their business. The regulations that need to be considered are: 1. PCI-DSS (Payment Card Industry Data Security Standard) 2. HIPAA (Health Insurance Privacy and Portability Act) 3. GLBA (Gramm-Leach-Bliley Act) 4. HITECH (Health Information Technology for Economic and Clinical Health Act) 5. HHS (US. Department of Health and Human Services) New Users: The current directive for new users from the standing security policy states: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” In evaluating the current policy this standard creates a lot of overhead and administration works for the users and the admins. The new users who are not already familiar with the systems must provide a list of machines that they require access too. Being so new they may not know all of the systems they would need on a day to day basis. This also rolls over...
Words: 1129 - Pages: 5
...TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions my security team, along with the network engineers, performed a thorough investigation of how such attack had occurred. Once we were able to view all logs and audit data it came to our attention that the data did not appear to be stolen from our network. All transactions performed were done so with the appropriate credentials. Once we determined that the data breach did not occur on our network we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund Transfer Act (EFTA). This states that as long as the...
Words: 1403 - Pages: 6
...TFT2 Cyber Law Task 4 Jordan Dombrowski Western Governors University Situation Report It has come to my attention from the security analysts of VL Bank and victims that commercial customers of VL Bank have been involved in identity theft and fraud. Multiple user accounts were created without authorization claiming the identity of our customers. These fake accounts were used to make twenty-nine transfers of $10,000 each, equaling $290,000. The bank transfers were being sent to several U.S. bank accounts of unknown individuals. The U.S. banks involved in the transfers were Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida. After the funds were transferred to one of these banks, the funds were automatically transferred to several international bank accounts located in Romania, Thailand, Moldavia, and China. After further analysis we discovered that the banks affected customers all used computers infected with a keystroke logger virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. The computers infected did not have an anti-virus or security software of any type installed. Additionally, these customers have reported that they have been frequently experiencing spear phishing attacks, which is most likely the way that the keylogging virus software was installed. Finally we concluded that our banks systems have not been breached and no customer data has been...
Words: 3994 - Pages: 16