Wednesday, March 6, 2019
Heart Healthy Information Security Policy Essay
Due to personnel, policy and administration changes, and audits, Heart-Healthy has voluntarily updated their information security policy to be in line with the up-to-date information security laws and regulations. Currently Heart-Healthy Insurance, a large insurance company, plans to review and provide recommendations for an updated information security policy in the areas of:

1. Current New Users Policy

The current new user section of the policy states:

New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator access. (Heart-Healthy Insurance Information Security Policy)

2. Current Password Requirements

The current password requirements section of the policy states:

Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset. (Heart-Healthy Insurance Information Security Policy)

Heart Healthy Insurance Information Security Policy and Update

Proposed User Access Policy

The purpose of the User Access Policy is to provide access to Heart-Healthy's network infrastructure and to ensure appropriate access to all of Heart-Healthy's information resources. The purpose of Heart-Healthy's Network Access Policy is to establish the appropriate level of user access to Heart-Healthy's network infrastructure.
Heart-Healthy's network access rules are necessary in order to preserve the confidentiality, integrity and availability of Heart-Healthy's proprietary information. Heart-Healthy's Information Security Office will be responsible for management and administration of Heart-Healthy's information security function(s). Heart-Healthy's Information Security Office will be the chief point of contact for any and all security related functions.

User Access Policy

* Heart-Healthy users will be permitted access based on the principle of least privilege.
* Remote access or dial-in services will be requested by Manager level positions and up, and approved by the Information Security Department.
* End users are not allowed to re-transmit or extend any of Heart-Healthy's network services. E.g. users will not attach hubs, switches, firewalls, or access points to Heart-Healthy's network without prior written authorization.
* Users are not allowed to install any additional hardware or software without the express written consent of the Heart-Healthy information technology department.
* All Heart-Healthy computer systems will conform to agency standards.
* End users are not allowed to download, install or run any programs that could potentially reveal or undermine Heart-Healthy's in-place security system, e.g. packet sniffers, password crackers or network mapping tools are strictly forbidden.

All Heart-Healthy employees and 3rd party contractors are responsible for managing their information resources and will be held accountable for any information security violations or infractions.

Current Password Policies and Requirements

Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used.
Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset (Heart-Healthy Insurance Group Information Security Policy).

NIST Special Publication 800-63

The stronger the password, the more likely that password guessing and cracking will be deterred. The length of the password and its complexity directly contribute to its unpredictability. With 8-character complex passwords, with current GPU processing power a password can be broken in less than 26 days by exhausting all possible combinations.

Proposed Password Guidelines

* Passwords should be a minimum of 14 characters.
* Passwords based on dictionary words are prohibited.
* Passwords must not be based on pet names, biographical information, children's names, or names of relatives.
* Passwords must consist of a mixture of uppercase, lowercase, and a special character.
* The system will remember the last 12 passwords.
* If passwords are written down, they must be kept in a safe place, e.g. a wallet or a safe. Passwords are not to be written down and taped to the bottom of the keyboard, stuck to the computer monitor with a sticky note, or put in an unlocked desk drawer.
* All passwords will be changed every 90 days.

Proposed Password Policy

Heart-Healthy's password policy guideline is a recommendation for creating a new user password.
This policy is a guideline to assist end users in:

* Choosing and creating a strong password
* Ensuring that passwords are highly resistant to brute force attacks and password guessing
* Recommendations on how users should manage and store their passwords safely
* Recommendations on lost or stolen passwords

Password Expiration

Password expiration will serve two specific purposes:

* Password expiration will limit the time crackers have to either guess or brute force a password.
* If a password has been compromised, the password expiration will help to limit the time the cracker / hacker has access to Heart-Healthy's internal network.

Heart-Healthy has embarked on a path to bring their information security posture regarding Password Requirements and New Users up to date. Heart-Healthy has used NIST (National Institute of Standards and Technology) and HIPAA (Health Insurance Portability and Accountability Act) regulations in order to achieve their goal of providing the CIA (Confidentiality, Integrity, Availability) triad for information security. The federal government has implemented a number of laws and regulations that pertain to the handling, reviewing and compliance assurance of private or confidential data. With respect to NIST and HIPAA, although they do not specifically outline the methods in these documents, Heart-Healthy is obligated to make an attempt to implement reasonable standards in order to meet the current legal obligations outlined by these laws and regulations.

Heart-Healthy will focus on three main categories for their security posture: Physical, Technical, and Administrative.

* Physical Security: Heart-Healthy has designed their physical security around protecting computer systems that store confidential data.
* Technical Security: Heart-Healthy has implemented software and security safeguards designed specifically to ensure access is controlled, and that the integrity and the authentication of the stored data remain intact.
* Administrative Security: Heart-Healthy's administrative security ensures that Heart-Healthy procedures, standards, security measures, and organisational policies are implemented by qualified personnel.

The HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HHS.gov).

NIST ensures that the CIA (Confidentiality, Integrity, and Availability) of any electronic personal health information (ePHI) that is maintained, received or transmitted is protected from potential threats and hazards that could affect the integrity of the ePHI. NIST also provides protection against the accidental or intentional exposure of private information.

Heart-Healthy understands that information security means protecting their information from unauthorized disclosure, access and any disruptions. Heart-Healthy understands that the difference in protecting their sensitive data lies primarily in their approach. Heart-Healthy has taken precautions to prevent accidental or intentional exposure of electronic private health information. Heart-Healthy feels confident that the policies put forth here will help eliminate unauthorized access to Heart-Healthy's information systems. Heart-Healthy's technical security policies will help ensure that end users are responsible for their information.
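The proposed password guidelines, the lockout rule from the current policy and the 26-day exhaustive-search figure above, worked through as an added Python example (this is not code from the essay or from Heart-Healthy; the 95-symbol alphabet, the four-word stand-in dictionary and the plain-seconds clock are assumptions):

```python
# Figures from the essay: 3 billion guesses/s (its MailChimp reference) over a
# 95-symbol printable-ASCII alphabet (an assumption for "complex" passwords).
GUESSES_PER_SECOND, ALPHABET_SIZE = 3_000_000_000, 95
# Constructed stand-in for a real dictionary/blocklist; load a full wordlist in practice.
DICTIONARY = {"password", "welcome", "insurance", "hearthealthy"}
HISTORY_DEPTH = 12        # "System will remember last 12 passwords"
LOCKOUT_AFTER = 3         # locked out after more than three wrong attempts
LOCKOUT_SECONDS = 15 * 60 # "locked out for at least 15 minutes"; clock is plain seconds (assumption)

def exhaustive_search_days(length, alphabet=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Days needed to try every password of this length at the given guess rate."""
    return alphabet ** length / rate / 86400

def check_password(candidate, history, personal_terms=()):
    """Return the proposed-guideline rules a candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < 14:
        problems.append("shorter than 14 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
            and any(not c.isalnum() for c in candidate)):
        problems.append("needs uppercase, lowercase and a special character")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("based on a dictionary word")
    if any(term.lower() in lowered for term in personal_terms if len(term) >= 3):
        problems.append("based on personal information (names, pets, biography)")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last 12 passwords")
    return problems

class LockoutTracker:
    """Counts consecutive failed logins per user and applies the 15-minute lockout."""
    def __init__(self):
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> time (seconds) the current lockout ends

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, now)

    def record_attempt(self, user, succeeded, now):
        """Record one login attempt; returns True when the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = 0 if succeeded else self.failures.get(user, 0) + 1
        if self.failures[user] > LOCKOUT_AFTER:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0   # the count restarts once the lockout expires
            return True
        return False
```

At 3 billion guesses per second the 8-character keyspace falls in roughly 25.6 days, matching the essay's figure, while 14 characters pushes the same calculation past ten trillion days.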
Technical policies will also serve to protect end users from accidental exposure by providing adequate protection to end users' passwords and confidential data. Heart-Healthy will provide annual training on their new policies, in order to ensure end users are informed of security risks and that end users will ultimately be accountable for their personal security awareness. Heart-Healthy personnel will ultimately be responsible for the management of their information resources and will be held accountable for their actions in relation to their information security. All access to Heart-Healthy information resources is for authorized business purposes only. Heart-Healthy will not provide access to or guarantee access to email or web browsing. Heart-Healthy will monitor all electronic communications that might be needed in order to fulfill a complaint or any investigatory requirements. Heart-Healthy understands that if any confidential information is breached or falls into the hands of a competitor or a hacker, the consequences could be devastating.

References

mailchimp.com. (2012). 3 Billion Passwords Per Second. Are Complex Passwords Enough Anymore? Retrieved from http://blog.mailchimp.com/3-billion-passwords-per-second-are-complex-passwords-enough-anymore/
nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm
hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/index.html
hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
nist.gov. (n.d.). Guide to Enterprise Password Management. Retrieved from http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf