
Tft2 Task1

Submitted By NightStalker
Security Policy
Cyberlaw, Regulations, and Compliance – TFT2 Task 1

Introduction:

Heart-Healthy Insurance is currently evaluating its security policy and has requested changes to the sections concerning adding new users and the password requirements for users. The end goal of the requested changes is to satisfy several compliance regulations that are required by law for its business. The regulations that need to be considered are:

1. PCI-DSS (Payment Card Industry Data Security Standard)
2. HIPAA (Health Insurance Privacy and Portability Act)
3. GLBA (Gramm-Leach-Bliley Act)
4. HITECH (Health Information Technology for Economic and Clinical Health Act)
5. HHS (U.S. Department of Health and Human Services)

New Users:

The current directive for new users from the standing security policy states:
“New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
In evaluating the current policy, this standard creates a lot of overhead and administrative work for both users and admins. New users who are not yet familiar with the systems must provide a list of the machines they require access to; being so new, they may not know all of the systems they will need on a day-to-day basis. The burden also falls on the admins, who have to grant access one machine at a time for every new user and again whenever changes are needed. Keeping track of what access was already granted and what is still needed would become too cumbersome to maintain day to day. In addition, this approach may grant access that some users do not need, which would violate HIPAA Standard 164.312(a)(1): “Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.” Based on this requirement, there should be a clear process for determining the permissions needed for each role a new user may be assigned to, so that compliance is maintained. Instead of adding permissions one by one, a directory service should grant access based on groups and roles. These groups and roles should be defined by the departments the new user will work under, and each department can be further broken down into sub-units based on job tasks. For example, a new user hired into the marketing department would be added to the marketing group and receive that group's base permissions.
If one or two of those users then need additional access, say to the webservers, they can also be added to the webserver admin role to receive that access without all of marketing having it. This also helps when a user changes roles: permissions for the old role can be removed and those for the new role added more seamlessly. In addition to setting the new permissions, training should be delivered during onboarding that defines the user's responsibilities. These responsibilities include not sharing their accounts with any other person, keeping their workstations locked when they are away, a clear-desk policy of locking away documents, and password complexity requirements to ensure they use strong passwords. These requirements are set forth by NIST and HIPAA to ensure that PHI and ePHI are not leaked by new employees by accident.
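The group-and-role model described above, as an added example that is not part of the original essay: a small in-memory directory where each user's effective permissions are the union of their department group's base permissions and any extra roles, administrator-level roles require a manager's approval (as the quoted policy demands), and a department change drops the old group and its roles so nothing is carried over. The department names, role names and permission strings are constructed for illustration.

```python
"""Group/role-based access assignment (added example, not the essay's code)."""

# Constructed sample data: base permissions per department group.
GROUP_PERMISSIONS = {
    "marketing": {"read:campaigns", "edit:campaigns"},
    "claims": {"read:claims", "read:phi"},
}

# Constructed sample data: additional task-based roles; the admin ones need
# manager approval before they can be granted.
ROLE_PERMISSIONS = {
    "webserver-admin": {"ssh:webservers", "restart:webservers"},
    "report-viewer": {"read:reports"},
}
ADMIN_ROLES = {"webserver-admin"}


class Directory:
    """Tracks which group and roles each user holds; no per-machine grants."""

    def __init__(self):
        self.group = {}   # user -> department group
        self.roles = {}   # user -> set of extra roles

    def onboard(self, user, department):
        # Least privilege: an unknown department is an error, not an empty
        # grant that someone later "fixes" by adding ad-hoc permissions.
        if department not in GROUP_PERMISSIONS:
            raise KeyError(f"unknown department {department!r}")
        self.group[user] = department
        self.roles[user] = set()

    def grant_role(self, user, role, manager_approved=False):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        if role in ADMIN_ROLES and not manager_approved:
            raise PermissionError(f"{role} requires manager approval")
        self.roles[user].add(role)

    def change_department(self, user, new_department):
        # Re-onboard: old group permissions and old roles are removed together,
        # so a transfer cannot accumulate access from previous positions.
        self.onboard(user, new_department)

    def effective_permissions(self, user):
        perms = set(GROUP_PERMISSIONS[self.group[user]])
        for role in self.roles[user]:
            perms |= ROLE_PERMISSIONS[role]
        return perms


if __name__ == "__main__":
    d = Directory()
    d.onboard("alice", "marketing")
    d.grant_role("alice", "webserver-admin", manager_approved=True)
    print(sorted(d.effective_permissions("alice")))
```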

Password Requirements:

The second policy that Heart-Healthy Insurance requires to be evaluated and updated is the password requirements for the users and administrators. Per the policy:
“Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.”
While the current requirements provide some complexity direction for creating better passwords, additional controls are needed to truly ensure security per the compliance requirements. The current requirement states a minimum of eight characters of upper- and lowercase letters; passwords built from that combination alone are more likely to be brute forced or guessed from captured password hashes. NIST Special Publication 800-118 provides guidance on how to enforce password requirements and mitigate risks against character-based passwords. This publication advises using special characters in place of some letters and creating mnemonics so that passwords stay complex but remain memorable. To ensure that strong passwords are used in the environment, the following requirements are recommended to satisfy compliance:

1. Passwords must be at least eight characters long.
2. Passwords must contain a combination of three of the four character types: uppercase letters, lowercase letters, numbers and special characters.
3. Passwords should be phrases that are complex but easy for the user to remember and understand. An example would be to use the first letter of each word of a phrase and then mix up the letters, replacing some with numbers and special characters, such as C!h@ic2P. This would be the password for the phrase “Can I have an ice cream too please”.
4. Passwords should expire every 90 days at most (shorter is better), and the last six passwords should not be reusable. This prevents users from recycling passwords so quickly that cracking becomes easier.
5. Passwords should be tested with a password cracking application to ensure that weak passwords which can be broken by dictionary attacks are not in use. Examples are common passwords such as P@ssword1, Trustno1, etc.
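The recommended password rules above (length, three of four character classes, no reuse of the last six, rejection of common passwords) plus the quoted lockout rule (more than three failures locks the account for 15 minutes), as an added example in Python that is not part of the original essay. The common-password list is a constructed stub standing in for a real breached-password list, and the leetspeak normalisation, history fingerprint and lockout tracker are my own simple illustrations of how such a policy is enforced, not code from NIST or Heart-Healthy Insurance.

```python
"""Password-policy checks and lockout tracking (added example, not the essay's code)."""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed stub; a real deployment loads a large common/breached list.
COMMON_PASSWORDS = {"password", "password1", "trustno1", "letmein", "qwerty123"}

# Undo common symbol substitutions so "P@ssword1" is still caught.
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "3": "e"})

MIN_LENGTH = 8
MIN_CLASSES = 3
HISTORY_DEPTH = 6
MAX_FAILURES = 3
LOCKOUT = timedelta(minutes=15)


def fingerprint(password: str) -> str:
    """Value stored in the reuse history. Illustrative only: production
    systems keep a salted, slow hash (bcrypt/PBKDF2/Argon2), not bare SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def is_common_password(password: str) -> bool:
    """Dictionary check after lowercasing, de-leeting and stripping digits."""
    normalised = password.lower().translate(_LEET)
    letters_only = re.sub(r"[^a-z]", "", normalised)
    return normalised in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS


def check_password(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    `history` holds fingerprints of earlier passwords, oldest first."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if character_classes(candidate) < MIN_CLASSES:
        violations.append("fewer than 3 of 4 character classes")
    if fingerprint(candidate) in history[-HISTORY_DEPTH:]:
        violations.append("reused one of the last 6 passwords")
    if is_common_password(candidate):
        violations.append("matches a common/dictionary password")
    return violations


class LockoutTracker:
    """More than MAX_FAILURES wrong attempts locks the user for LOCKOUT.
    The clock is passed in so the behaviour can be tested deterministically."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a bad attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("C!h@ic2P", []))   # the essay's example passes
    print(check_password("P@ssword1", []))  # caught by the dictionary check
```

The reuse check compares fingerprints rather than plaintext so the history never stores old passwords in the clear; the lockout starts only on the fourth consecutive failure, matching the quoted "more than three times" wording.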

By following these policy recommendations, Heart-Healthy Insurance can strengthen its security posture and maintain compliance with the regulations required by law, including HIPAA, PCI-DSS, HHS and others, keeping it safer from attackers.

References:

* NIST Guide to Enterprise Password Management (Draft SP 800-118). http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
* HIPAA Security Series: Technical Safeguards. U.S. Department of Health and Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
* HIPAA ‘Protected Health Information’: What Does PHI Include? http://www.hipaa.com/2009/09/hipaa-protected-health-information-what-does-phi-include
