Published by Nigel Blankenship. Modified over 9 years ago.
Information Security Compliance
System Owner Training
Module 3 Supplement: Analysis of Policy Compliance Checklist Issues
Richard Gadsden
Information Security Office
Office of the CIO – Information Services
+1-843-792-8307
gadsden@musc.edu
Compliance Checklist Issues
➲ Assume you have a score < 3 for a given compliance requirement.
➲ The fact that you're not meeting that requirement is a compliance issue.
➲ Document each compliance issue, and your recommended approach to its remediation, in the Risk Analysis Worksheet:
  ● Compliance issue => Security Issue
  ● Remediation approach => Recommended Controls
Issue #1 (Risk Management)
➲ Issue: Risk assessments have not been performed (or documented) at appropriate points in the System's life cycle.
➲ Ideas for Recommended Controls:
  ● Assemble a qualified risk assessment team.
  ● Conduct a risk assessment for the system in its current life cycle stage.
  ● Document the risk analysis and the recommended security controls in the Risk Analysis Worksheet.
Issue #2 (Risk Management)
➲ Issue: Significant risks to the System have not been identified, and/or are not being managed.
➲ Ideas for Recommended Controls:
  ● From the Risk Analysis Worksheet, develop a Security Plan, and get it approved.
  ● Execute the Security Plan.
  ● Develop and implement evaluation procedures (see Issue #3).
Issue #3 (Evaluation)
➲ Issue: The effectiveness of the System's security measures is not being monitored and evaluated.
➲ Ideas for Recommended Controls:
  ● For each documented and implemented security procedure or other control, make sure someone is designated as being responsible for monitoring and evaluating its effectiveness.
  ● Require each responsible person to develop an evaluation plan, and provide periodic reports.
Issue #4 (Workforce Security)
➲ Issue: The System lacks procedures for ensuring that no workforce member is granted access to protected information without authorization.
➲ Control Ideas:
  ● Develop, document, and implement procedures for establishing user accounts and access levels.
  ● Define who has authority for granting access, and who has responsibility for provisioning access. There should be a separation of duties between the two.
Issue #5 (Workforce Security)
➲ Issue: The System lacks procedures for ensuring that workforce members' access is terminated when their authorization is revoked.
➲ Recommended Control Ideas:
  ● Develop, document, and implement procedures for terminating user accounts in a timely manner when their access is no longer authorized.
  ● Communication of changes in users' role / authorization status to system administrators is a key issue here.
Issue #6 (Awareness and Training)
➲ Issue: Users do not have access to appropriate System-specific training resources and materials.
➲ Recommended Control Ideas:
  ● Develop training and/or documentation that explains users' security responsibilities.
  ● Ensure that all users are trained / aware.
Issue #7 (Incident Response)
➲ Issue: Emergency contacts have not been identified, or are not known by the CSIRT.
➲ Control Ideas:
  ● Identify the key people who should be contacted if a security incident occurs. Depending on the System's criticality and sensitivity, set up on-call duty / rotation.
  ● Register emergency contact information in the MUSC System Registry.
Issue #8 (Contingency Plan)
➲ Issue: A contingency plan for the System is not being maintained.
➲ Control Ideas:
  ● If a contingency plan has never been developed, then assign someone with the responsibility for overseeing the development and maintenance of a plan.
  ● Note: The depth and breadth of the plan should be determined by the System's criticality.
Issue #9 (Contingency Plan)
➲ Issue: The System's contingency plan is not being periodically tested.
➲ Control Ideas:
  ● Assign responsibility for developing and maintaining an appropriate test plan.
  ● Establish a means of verifying that the test plan is being executed, and that test results are being used to improve the contingency plan itself.
Issue #10 (Contingency Plan)
➲ Issue: The System's contingency plan is not being revised as needed.
➲ Control Ideas:
  ● Establish responsibility for monitoring the conditions (environmental, operational, policy or regulatory changes) that should trigger a review of the contingency plan, and its modification if appropriate.
Issue #11 (Workstation Security)
➲ Issue: The list of authorized applications is not evident to prospective users of the workstations within the System's boundaries.
➲ Control Ideas:
  ● Include this information in the documentation / training that is provided to the System's users (see Issue #6).
  ● Restrict user privileges on the System's workstations to the minimum set of privileges required to run the authorized applications.
  ● Note: If there are no workstations within your System's boundaries, then the Workstation Security policy, and Issues #11-14, do not apply to your System.
Issue #12 (Workstation Security)
➲ Issue: The users of the System's workstations do not have, or do not follow, appropriate procedures for initiating, terminating, and suspending their sessions.
➲ Control Ideas:
  ● Define and document these procedures (see Issue #6).
  ● Discipline workforce members who disregard procedures.
  ● Implement workstation session time-outs, as a last line of defense against user carelessness.
Issue #13 (Workstation Security)
➲ Issue: Physical access to the System's workstations is not restricted to authorized users.
➲ Control Ideas:
  ● To the extent possible, use physical security measures (e.g. locked doors) to restrict access.
  ● Address the need to protect the physical security of workstations in user documentation / training. E.g., users should be trained to recognize and report suspected unauthorized access.
Issue #14 (Workstation Security)
➲ Issue: Visual access to workstation displays is not being restricted to authorized users.
➲ Control Ideas:
  ● Orient workstations in a way that minimizes opportunities for "shoulder surfing" by unauthorized users.
  ● Use directional display filters where appropriate, e.g. if workstations must be used in high traffic areas.
Issue #15 (Device and Media Controls)
➲ Issue: Protected information is not being erased from the System's media prior to disposal or re-use.
➲ Control Ideas:
  ● Document appropriate procedures, and assign responsibilities clearly.
  ● Note: Procedures should address all electronic or digital media used or produced by the system: disks, tapes, CD-ROMs, etc. Examples:
    ● Surplus disks: Use a secure disk wiping procedure, or otherwise render any stored data unrecoverable.
    ● Tapes: Use a degausser (OCIO-IS Operations).
Issue #16 (Device and Media Controls)
➲ Issue: The physical security of the System's devices and media is not being maintained during movement and storage.
➲ Control Ideas:
  ● Develop, document, and implement procedures for maintaining physical security of all devices and media.
  ● Notes:
    ● Mobile devices and media, such as laptops, PDAs, and portable disks/memory devices, require special attention. Consider encryption (see Issue #23).
    ● Backup tapes rotated off-site require appropriate tracking and control of all tapes in inventory.
Issue #17 (Device and Media Controls)
➲ Issue: Hardware maintenance contracts do not address confidentiality requirements.
➲ Control Ideas:
  ● Review all hardware maintenance contracts to see if confidentiality of device/media contents is protected.
  ● At contract renewal time, negotiate protections for confidentiality of device/media contents.
  ● Note: For new systems, address this requirement up front (before any contracts are signed or P.O.'s issued).
Issue #18 (Access Control)
➲ Issue: The System lacks adequate access control procedures.
➲ Control Ideas:
  ● Develop, document, and implement access control procedures to protect against all reasonably anticipated threats.
  ● Note: Access control is a very broad protection category. Most systems are exposed to a wide range of threats. Make sure that both the threats and the vulnerabilities that could create opportunities for unauthorized access to your System are understood by your risk assessment team, and that the access controls that are selected and implemented are reasonable and appropriate.
Issue #19 (Access Control)
➲ Issue: Users of the System are not assigned unique identifiers to enable tracking of access.
➲ Control Ideas:
  ● Develop, document, and implement procedures for assigning unique identifiers and access credentials (e.g. passwords) to each authorized user.
  ● Note: Audit Controls (Issues #25-28) are a necessary, complementary control to enable tracking of access.
Issue #20 (Access Control)
➲ Issue: Users are capable of managing their passwords or other access credentials.
➲ Control Ideas:
  ● Document procedures for user management of passwords or other credentials.
  ● Ensure that all users are trained / aware of their responsibilities, including maintaining the confidentiality of their passwords, and reporting any apparent discrepancies in the use of their accounts.
Good Password Practices (Issues #19-20)
➲ Passwords should be conveyed to new users in a controlled manner. Positive identification should be required.
➲ Procedures for resetting forgotten passwords must provide for positive identification of the person requesting the password reset.
➲ No user should ever be required to reveal his password in order to obtain technical support. Users should be trained to recognize any such request as a possible social engineering attack.
More Good Password Practices (Issues #19-20)
➲ Users should be required to choose a password that cannot be easily guessed by an attacker.
➲ Users should be instructed not to choose a password that they have ever been assigned previously.
➲ Users should be instructed not to choose a password that they have ever used or been assigned on any non-MUSC system.
➲ Users should be required to change their assigned password upon their first login.
➲ Users should be required to change their passwords at reasonable intervals.
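As an added example (not part of the original slides), the following Python sketch shows how an application could enforce the practices on the two password slides above: it rejects easily guessed values, rejects reuse of any password the account has previously used or been assigned (by keeping salted hashes of the history), forces a change at first login with an assigned password, and requires a change once the password is older than the allowed interval. The 12-character minimum, the 90-day interval, the "contains the user identifier" heuristic and the small guessable-password list are assumptions for illustration, not MUSC values.

```python
import hashlib
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed blocklist of easily guessed values; a real deployment would use a
# much larger list. The policy parameters below are assumptions, not MUSC values.
GUESSABLE = {"password", "welcome1", "letmein", "qwerty", "changeme"}
MIN_LENGTH = 12
MAX_AGE_SECONDS = 90 * 24 * 3600   # "reasonable interval" assumed to be 90 days


def _hash(password: str, salt: bytes) -> bytes:
    # Slow salted hash so stored history entries do not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str                       # unique identifier per user (Issue #19)
    must_change: bool = True           # true while an assigned password is in force
    changed_at: float = 0.0            # time of the last accepted password change
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)


def set_password(acct: Account, password: str, assigned: bool = False) -> str:
    """Apply the slide's rules to a proposed password. Returns 'ok' or a reason."""
    if len(password) < MIN_LENGTH or password.lower() in GUESSABLE:
        return "rejected: easily guessed"
    if acct.user_id.lower() in password.lower():
        return "rejected: contains user identifier"
    # Never accept a password the account has used or been assigned before.
    if any(_hash(password, salt) == digest for salt, digest in acct.history):
        return "rejected: previously used or assigned"
    salt = os.urandom(16)
    acct.history.append((salt, _hash(password, salt)))
    acct.changed_at = time.time()
    acct.must_change = assigned        # admin-assigned passwords must be replaced at first login
    return "ok"


def login_status(acct: Account, now: Optional[float] = None) -> str:
    """What the application should demand at login: nothing, or a password change."""
    now = time.time() if now is None else now
    if acct.must_change:
        return "change required: first login with assigned password"
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return "change required: password older than the allowed interval"
    return "ok"
```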
Issue #21 (Access Control)
➲ Issue: User sessions that provide access to protected information do not time out.
➲ Control Ideas:
  ● Implement application session time-outs if feasible.
  ● If infeasible, document why, and implement and document appropriate workarounds (e.g., workstation time-outs, user training, reminders, monitoring, enforcement...).
Issue #22 (Access Control)
➲ Issue: There is no (documented) procedure to allow users to obtain access to the System in an emergency.
➲ Control Ideas:
  ● In the System's contingency plan (see Issue #8), document any emergency scenarios in which users would need to be able to obtain access.
  ● Develop, document, and implement emergency access procedures, if and as appropriate.
Issue #23 (Access Control)
➲ Issue: Encryption of the System's data is not being used when reasonable and appropriate.
➲ Control Ideas:
  ● Through the risk analysis process, identify any critical points, either within the System or in interfaces between the System and other systems, where data that is being stored or transmitted should be encrypted to protect it from unauthorized access.
  ● If and as needed, develop, document and implement appropriate encryption and key management procedures (see Issues #31-32).
When to Encrypt? Assess the Risks (Issue #23)
➲ Examples (often considered "high risk"):
  ● Sensitive data stored on a device that is at a non-negligible risk of loss or theft. Examples include portable devices such as laptops, PDAs, thumb drives, etc.
  ● Data transmitted over any network where there is a non-negligible risk of interception or eavesdropping. Examples include wireless transmission, and transmission over the Internet.
  ● Any stored and/or transmitted data that is especially sensitive, such as passwords and encryption keys.
Issue #24 (Network Access)
➲ Issue: One or more of the System's networked components is not being kept hardened in accordance with MUSC standards.
➲ Control Ideas:
  ● Develop and maintain an inventory of all networked system components.
  ● Identify who is responsible for configuring and maintaining each device in accordance with MUSC's security and networking standards.
Issue #25 (Audit Controls)
➲ Issue: There are no (documented) procedures for collecting and maintaining appropriate records of System activity.
➲ Control Ideas:
  ● Guided by the risk analysis process, identify what types of System event records should be collected.
  ● Document any gaps in the System's capability to collect the event records of interest.
  ● Develop, document and implement procedures for collecting and maintaining the event records of interest, to the extent possible and feasible.
Issue #26 (Audit Controls)
➲ Issue: An appropriate retention schedule for System activity records has not been established, has not been documented, or is not being followed.
➲ Control Ideas:
  ● Guided by the risk analysis process, determine an appropriate retention schedule for the System's event records, and document it.
  ● Implement the documented retention schedule.
  ● Re-visit / revise as needed, and during the System's normal risk management cycle.
Issue #27 (Audit Controls)
➲ Issue: System activity records are not being regularly reviewed and analyzed.
➲ Control Ideas:
  ● Assign responsibility for regular review and analysis of the System's event logs.
  ● If and as warranted by assessed risks, implement procedures for automated analysis of event records, and timely generation of security alerts, routed to the appropriate personnel.
Issue #28 (Audit Controls)
➲ Issue: Procedures have not been established for making System activity records available for external review.
➲ Control Ideas:
  ● Determine who will be responsible for making logs and other event records available to authorized personnel during incident response and compliance investigations.
  ● If any special procedures need to be observed in these situations, document them.
Issue #29 (Person or Entity Authentication)
➲ Issue: Appropriate procedures and other controls are not being used to authenticate each person or entity seeking access to the System's protected information.
➲ Control Ideas:
  ● Develop, document and implement appropriate procedures for authenticating users, recipients, etc.
  ● Develop, document and implement appropriate procedures for authenticating other entities (e.g., interfaces with other systems).
Issue #30 (Data Integrity)
➲ Issue: The System's data is not being appropriately protected against improper alteration or loss during storage, processing or transmission.
➲ Control Ideas:
  ● Guided by the risk analysis process, determine any critical points in processing, storage and/or transmission where data requires special integrity protection.
  ● Develop, document and implement appropriate procedures and controls to protect data integrity at each of these critical points.
Issue #31 (Encryption)
➲ Issue: Appropriate encryption procedures are not being used.
➲ Control Ideas:
  ● For each critical point where encryption is needed (see Issue #23), develop, document and implement appropriate encryption procedures.
  ● Notes: Good encryption = good algorithms + good implementation + good configuration. It is easy to do encryption badly. Done badly, it can do more harm than good, so it's important to get it right.
Issue #32 (Encryption)
➲ Issue: Appropriate (documented) procedures are not being used to manage encryption keys.
➲ Control Ideas:
  ● Address key management during the development, documentation and implementation of the System's encryption procedures.
  ● Notes: The processing power of computers makes encryption (relatively) easy, but key management remains a fundamentally hard problem. It takes work to do it right.
Issue #33 (Documentation)
➲ Issue: The System's processes for security management and operations are not being documented.
➲ Control Ideas:
  ● Assign clear responsibility for documenting each of the System's security management processes (including risk assessment, security planning, and monitoring and evaluation of the effectiveness of operational procedures).
  ● Assign clear responsibility for documenting each of the System's operational security procedures.
Issue #34 (Documentation)
➲ Issue: The System's security documentation is not available, reviewed, updated, or retained as required.
➲ Control Ideas:
  ● Assign clear responsibilities for:
    ● Making operational documentation available to all authorized personnel who need access to it.
    ● Reviewing and updating all documentation as needed.
  ● Use the red binder for tracking changes, and for ensuring that all retention requirements are met.