Information Security Compliance System Owner Training, Module 3 Supplement: Analysis of Policy Compliance Checklist Issues. Richard Gadsden, Information Security Office.


1 Information Security Compliance System Owner Training
Module 3 Supplement: Analysis of Policy Compliance Checklist Issues
Richard Gadsden, Information Security Office, Office of the CIO – Information Services

2 Compliance Checklist Issues
➲ Assume you have a score < 3 for a given compliance requirement.
➲ The fact that you're not meeting that requirement is a compliance issue.
➲ Document each compliance issue, and your recommended approach to its remediation, in the Risk Analysis Worksheet.
● Compliance issue => Security Issue
● Remediation approach => Recommended Controls

3 Issue #1 (Risk Management)
➲ Issue: Risk assessments have not been performed (or documented) at appropriate points in the System's life cycle.
➲ Ideas for Recommended Controls:
● Assemble a qualified risk assessment team.
● Conduct a risk assessment for the system in its current life cycle stage.
● Document the risk analysis and the recommended security controls in the Risk Analysis Worksheet.

4 Issue #2 (Risk Management)
➲ Issue: Significant risks to the System have not been identified, and/or are not being managed.
➲ Ideas for Recommended Controls:
● From the Risk Analysis Worksheet, develop a Security Plan, and get it approved.
● Execute the Security Plan.
● Develop and implement evaluation procedures (see Issue #3).

5 Issue #3 (Evaluation)
➲ Issue: The effectiveness of the System's security measures is not being monitored and evaluated.
➲ Ideas for Recommended Controls:
● For each documented and implemented security procedure or other control, make sure someone is designated as being responsible for monitoring and evaluating its effectiveness.
● Require each responsible person to develop an evaluation plan, and provide periodic reports.

6 Issue #4 (Workforce Security)
➲ Issue: The System lacks procedures for ensuring that no workforce member is granted access to protected information without authorization.
➲ Control Ideas:
● Develop, document, and implement procedures for establishing user accounts and access levels.
● Define who has authority for granting access, and who has responsibility for provisioning access. There should be a separation of duties between the two.

7 Issue #5 (Workforce Security)
➲ Issue: The System lacks procedures for ensuring that workforce members' access is terminated when their authorization is revoked.
➲ Recommended Control Ideas:
● Develop, document, and implement procedures for terminating user accounts in a timely manner when their access is no longer authorized.
● Communication of changes in users' role / authorization status to system administrators is a key issue here.
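One way a system owner can periodically check Issues #4 and #5 together, as an added example that is not part of the training module: reconcile the System's enabled accounts against the workforce authorization roster, flagging accounts with no authorized workforce member, accounts where the same person both granted and provisioned access (no separation of duties), and accounts still enabled after authorization was revoked. The roster, account list, one-day termination deadline and all names are constructed assumptions.

```python
"""Access reconciliation check for Issues #4 and #5 (added example, not the module's own code).

Assumes three constructed inputs: a workforce roster with authorization status,
the granter/provisioner recorded for each account, and the accounts currently
enabled on the System. All names, dates and the deadline are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    granted_by: str       # who authorized the access (Issue #4)
    provisioned_by: str   # who created the account (Issue #4: separation of duties)


# Constructed sample data: who is currently authorized, and when authorization was revoked.
ROSTER = {
    "alice": {"authorized": True,  "revoked_on": None},
    "bob":   {"authorized": False, "revoked_on": date(2024, 1, 3)},   # authorization revoked
    "carol": {"authorized": True,  "revoked_on": None},
}
# Constructed sample data: accounts as they currently exist on the System.
ACCOUNTS = [
    Account("alice", True, granted_by="mgr1",      provisioned_by="sysadmin1"),
    Account("bob",   True, granted_by="mgr1",      provisioned_by="sysadmin1"),  # still enabled
    Account("carol", True, granted_by="sysadmin2", provisioned_by="sysadmin2"),  # same person did both
    Account("dave",  True, granted_by="mgr2",      provisioned_by="sysadmin1"),  # not on the roster
]
# "Timely manner" is not quantified in the module; one day is an assumed deadline.
TERMINATION_DEADLINE = timedelta(days=1)


def find_issues(roster, accounts, today):
    """Return (issue_tag, user, detail) tuples suitable for the Risk Analysis Worksheet."""
    findings = []
    for acct in accounts:
        entry = roster.get(acct.user)
        if entry is None:
            # Issue #4: an account exists for someone who is not an authorized workforce member.
            findings.append(("#4 unauthorized", acct.user, "no workforce authorization on file"))
            continue
        if acct.granted_by == acct.provisioned_by:
            # Issue #4: granting authority and provisioning responsibility must be separated.
            findings.append(("#4 separation-of-duties", acct.user,
                             f"{acct.granted_by} both granted and provisioned access"))
        if not entry["authorized"] and acct.enabled:
            # Issue #5: authorization revoked but the account is still enabled.
            overdue = today - entry["revoked_on"] > TERMINATION_DEADLINE
            findings.append(("#5 stale access", acct.user,
                             "overdue" if overdue else "within deadline"))
    return findings


def run_check(today_iso):
    """Run the reconciliation against the constructed data as of the given ISO date."""
    return find_issues(ROSTER, ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for tag, user, detail in run_check("2024-01-10"):
        print(f"{tag:26} {user:8} {detail}")
```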

8 Issue #6 (Awareness and Training)
➲ Issue: Users do not have access to appropriate System-specific training resources and materials.
➲ Recommended Control Ideas:
● Develop training and/or documentation that explains users' security responsibilities.
● Ensure that all users are trained / aware.

9 Issue #7 (Incident Response)
➲ Issue: Emergency contacts have not been identified, or are not known by the CSIRT.
➲ Control Ideas:
● Identify the key people who should be contacted if a security incident occurs. Depending on the System's criticality and sensitivity, set up on-call duty / rotation.
● Register emergency contact information in the MUSC System Registry.

10 Issue #8 (Contingency Plan)
➲ Issue: A contingency plan for the System is not being maintained.
➲ Control Ideas:
● If a contingency plan has never been developed, then assign someone with the responsibility for overseeing the development and maintenance of a plan.
● Note: The depth and breadth of the plan should be determined by the System's criticality.

11 Issue #9 (Contingency Plan)
➲ Issue: The System's contingency plan is not being periodically tested.
➲ Control Ideas:
● Assign responsibility for developing and maintaining an appropriate test plan.
● Establish a means of verifying that the test plan is being executed, and that test results are being used to improve the contingency plan itself.

12 Issue #10 (Contingency Plan)
➲ Issue: The System's contingency plan is not being revised as needed.
➲ Control Ideas:
● Establish responsibility for monitoring the conditions (environmental, operational, policy or regulatory changes) that should trigger a review of the contingency plan, and its modification if appropriate.

13 Issue #11 (Workstation Security)
➲ Issue: The list of authorized applications is not evident to prospective users of the workstations within the System's boundaries.
➲ Control Ideas:
● Include this information in the documentation / training that is provided to the System's users (see Issue #6).
● Restrict user privileges on the System's workstations to the minimum set of privileges required to run the authorized applications.
● Note: If there are no workstations within your System's boundaries, then the Workstation Security policy, and Issues #11-14, do not apply to your System.

14 Issue #12 (Workstation Security)
➲ Issue: The users of the System's workstations do not have, or do not follow, appropriate procedures for initiating, terminating, and suspending their sessions.
➲ Control Ideas:
● Define and document these procedures (see Issue #6).
● Discipline workforce members who disregard procedures.
● Implement workstation session time-outs, as a last line of defense against user carelessness.

15 Issue #13 (Workstation Security)
➲ Issue: Physical access to the System's workstations is not restricted to authorized users.
➲ Control Ideas:
● To the extent possible, use physical security measures (e.g. locked doors) to restrict access.
● Address the need to protect the physical security of workstations in user documentation / training. E.g., users should be trained to recognize and report suspected unauthorized access.

16 Issue #14 (Workstation Security)
➲ Issue: Visual access to workstation displays is not being restricted to authorized users.
➲ Control Ideas:
● Orient workstations in a way that minimizes opportunities for "shoulder surfing" by unauthorized users.
● Use directional display filters where appropriate, e.g. if workstations must be used in high traffic areas.

17 Issue #15 (Device and Media Controls)
➲ Issue: Protected information is not being erased from the System's media prior to disposal or re-use.
➲ Control Ideas:
● Document appropriate procedures, and assign responsibilities clearly.
● Note: Procedures should address all electronic or digital media used or produced by the system: disks, tapes, CD-ROMs, etc. Examples:
● Surplus disks: Use a secure disk wiping procedure, or otherwise render any stored data unrecoverable.
● Tapes: Use a degausser (OCIO-IS Operations).

18 Issue #16 (Device and Media Controls)
➲ Issue: The physical security of the System's devices and media is not being maintained during movement and storage.
➲ Control Ideas:
● Develop, document, and implement procedures for maintaining physical security of all devices and media.
● Notes:
● Mobile devices and media, such as laptops, PDAs, and portable disks/memory devices, require special attention. Consider encryption (see Issue #23).
● Backup tapes rotated off-site require appropriate tracking and control of all tapes in inventory.

19 Issue #17 (Device and Media Controls)
➲ Issue: Hardware maintenance contracts do not address confidentiality requirements.
➲ Control Ideas:
● Review all hardware maintenance contracts to see if confidentiality of device/media contents is protected.
● At contract renewal time, negotiate protections for confidentiality of device/media contents.
● Note: For new systems, address this requirement up front (before any contracts are signed or P.O.'s issued).

20 Issue #18 (Access Control)
➲ Issue: The System lacks adequate access control procedures.
➲ Control Ideas:
● Develop, document, and implement access control procedures to protect against all reasonably anticipated threats.
● Note: Access control is a very broad protection category. Most systems are exposed to a wide range of threats. Make sure that both the threats and the vulnerabilities that could create opportunities for unauthorized access to your System are understood by your risk assessment team, and that the access controls that are selected and implemented are reasonable and appropriate.

21 Issue #19 (Access Control)
➲ Issue: Users of the System are not assigned unique identifiers to enable tracking of access.
➲ Control Ideas:
● Develop, document, and implement procedures for assigning unique identifiers and access credentials (e.g. passwords) to each authorized user.
● Note: Audit Controls (Issues #25-28) are a necessary, complementary control to enable tracking of access.

22 Issue #20 (Access Control)
➲ Issue: Users are capable of managing their passwords or other access credentials.
➲ Control Ideas:
● Document procedures for user management of passwords or other credentials.
● Ensure that all users are trained / aware of their responsibilities, including maintaining the confidentiality of their passwords, and reporting any apparent discrepancies in the use of their accounts.

23 Good Password Practices (Issues #19-20)
➲ Passwords should be conveyed to new users in a controlled manner. Positive identification should be required.
➲ Procedures for resetting forgotten passwords must provide for positive identification of the person requesting the password reset.
➲ No user should ever be required to reveal his password in order to obtain technical support. Users should be trained to recognize any such request as a possible social engineering attack.

24 More Good Password Practices (Issues #19-20)
➲ Users should be required to choose a password that cannot be easily guessed by an attacker.
➲ Users should be instructed not to choose a password that they have ever been assigned previously.
➲ Users should be instructed not to choose a password that they have ever used or been assigned on any non-MUSC system.
➲ Users should be required to change their assigned password upon their first login.
➲ Users should be required to change their passwords at reasonable intervals.

25 Issue #21 (Access Control)
➲ Issue: User sessions that provide access to protected information do not time out.
➲ Control Ideas:
● Implement application session time-outs if feasible.
● If infeasible, document why, and implement and document appropriate workarounds (e.g., workstation time-outs, user training, reminders, monitoring, enforcement...).

26 Issue #22 (Access Control)
➲ Issue: There is no (documented) procedure to allow users to obtain access to the System in an emergency.
➲ Control Ideas:
● In the System's contingency plan (see Issue #8), document any emergency scenarios in which users would need to be able to obtain access.
● Develop, document, and implement emergency access procedures, if and as appropriate.

27 Issue #23 (Access Control)
➲ Issue: Encryption of the System's data is not being used when reasonable and appropriate.
➲ Control Ideas:
● Through the risk analysis process, identify any critical points, either within the System or in interfaces between the System and other systems, where data that is being stored or transmitted should be encrypted to protect it from unauthorized access.
● If and as needed, develop, document and implement appropriate encryption and key management procedures (see Issues #31-32).

28 When to Encrypt? Assess the Risks (Issue #23)
➲ Examples (often considered "high risk"):
● Sensitive data stored on a device that is at a non-negligible risk of loss or theft. Examples include portable devices such as laptops, PDAs, thumb drives, etc.
● Data transmitted over any network where there is a non-negligible risk of interception or eavesdropping. Examples include wireless transmission, and transmission over the Internet.
● Any stored and/or transmitted data that is especially sensitive, such as passwords and encryption keys.

29 Issue #24 (Network Access)
➲ Issue: One or more of the System's networked components is not being kept hardened in accordance with MUSC standards.
➲ Control Ideas:
● Develop and maintain an inventory of all networked system components.
● Identify who is responsible for configuring and maintaining each device in accordance with MUSC's security and networking standards.

30 Issue #25 (Audit Controls)
➲ Issue: There are no (documented) procedures for collecting and maintaining appropriate records of System activity.
➲ Control Ideas:
● Guided by the risk analysis process, identify what types of System event records should be collected.
● Document any gaps in the System's capability to collect the event records of interest.
● Develop, document and implement procedures for collecting and maintaining the event records of interest, to the extent possible and feasible.

31 Issue #26 (Audit Controls)
➲ Issue: An appropriate retention schedule for System activity records has not been established, has not been documented, or is not being followed.
➲ Control Ideas:
● Guided by the risk analysis process, determine an appropriate retention schedule for the System's event records, and document it.
● Implement the documented retention schedule.
● Re-visit / revise as needed, and during the System's normal risk management cycle.

32 Issue #27 (Audit Controls)
➲ Issue: System activity records are not being regularly reviewed and analyzed.
➲ Control Ideas:
● Assign responsibility for regular review and analysis of the System's event logs.
● If and as warranted by assessed risks, implement procedures for automated analysis of event records, and timely generation of security alerts, routed to the appropriate personnel.

33 Issue #28 (Audit Controls)
➲ Issue: Procedures have not been established for making System activity records available for external review.
➲ Control Ideas:
● Determine who will be responsible for making logs and other event records available to authorized personnel during incident response and compliance investigations.
● If any special procedures need to be observed in these situations, document them.

34 Issue #29 (Person or Entity Authentication)
➲ Issue: Appropriate procedures and other controls are not being used to authenticate each person or entity seeking access to the System's protected information.
➲ Control Ideas:
● Develop, document and implement appropriate procedures for authenticating users, recipients, etc.
● Develop, document and implement appropriate procedures for authenticating other entities (e.g., interfaces with other systems).

35 Issue #30 (Data Integrity)
➲ Issue: The System's data is not being appropriately protected against improper alteration or loss during storage, processing or transmission.
➲ Control Ideas:
● Guided by the risk analysis process, determine any critical points in processing, storage and/or transmission where data requires special integrity protection.
● Develop, document and implement appropriate procedures and controls to protect data integrity at each of these critical points.

36 Issue #31 (Encryption)
➲ Issue: Appropriate encryption procedures are not being used.
➲ Control Ideas:
● For each critical point where encryption is needed (see Issue #23), develop, document and implement appropriate encryption procedures.
● Notes: Good encryption = good algorithms + good implementation + good configuration. It is easy to do encryption badly. Done badly, it can do more harm than good, so it's important to get it right.

37 Issue #32 (Encryption)
➲ Issue: Appropriate (documented) procedures are not being used to manage encryption keys.
➲ Control Ideas:
● Address key management during the development, documentation and implementation of the System's encryption procedures.
● Notes: The processing power of computers makes encryption (relatively) easy, but key management remains a fundamentally hard problem. It takes work to do it right.

38 Issue #33 (Documentation)
➲ Issue: The System's processes for security management and operations are not being documented.
➲ Control Ideas:
● Assign clear responsibility for documenting each of the System's security management processes (including risk assessment, security planning, and monitoring and evaluation of the effectiveness of operational procedures).
● Assign clear responsibility for documenting each of the System's operational security procedures.

39 Issue #34 (Documentation)
➲ Issue: The System's security documentation is not available, reviewed, updated, or retained as required.
➲ Control Ideas:
● Assign clear responsibilities for:
● Making operational documentation available to all authorized personnel who need access to it.
● Reviewing and updating all documentation as needed.
● Using the red binder for tracking changes, and for ensuring that all retention requirements are met.