Premium Essay

Tft2 Task 1

In: Computers and Technology

Submitted By football13
Words 598
Pages 3
Heart-Healthy Insurance is in need of an improved new user and password policy in order to become HIPAA, GLBA, and PCI-DSS compliant. I propose the following changes to the current policies:
New User Policy
Each user of this system will be given a unique username so that we are able to track their use of the system, including the logging of their activities with timestamps, in order to trace any and all activity on our network. Also, new users will be given access based on the rule of least privilege. This rule states that the only rights a user will be granted are the rights and privileges they need to complete their individual work. All requests for the creation of new user accounts or to increase the level of access of an existing user must be submitted in writing by a member of the management team. This document must include which systems and levels of access the new user requires, or the new level of access needed for the existing user account. If an upper level of access is requested, management must include a brief statement as to why this user needs an elevated level of access. In addition to these changes, if a user's status changes (i.e., they are terminated or voluntarily leave the company), they will be immediately removed from the authorized users database.
Password Policy
The new policy that will be put in place for all passwords, including existing passwords, will be as follows:
* Cannot contain username
* Must contain 3 uppercase letters
* Must contain 3 lowercase letters
* Must contain 3 numbers
* Must contain 3 special characters
* Must be changed every 90 days
* May not be repeated until 6 other passwords have been used
* May not be changed more frequently than every 14 days
* After 4 unsuccessful login attempts the user will be locked out for 30 minutes
* After 15 minutes of idle time, the user will be required to
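The rules above are concrete enough to be enforced by code, and the rules that bite in practice (history, minimum age, lockout) are the ones that need state rather than a regex. The following is an added example, not part of the essay, showing one way to implement the whole list as a password-policy engine: the complexity checks, a salted PBKDF2 history of the last six passwords, the 14-day minimum and 90-day maximum age, the four-strikes/30-minute lockout, and the 15-minute idle check. The `Account` class, the function names, the KDF choice and the sample username are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy parameters taken from the proposed Heart-Healthy password policy.
MIN_UPPER = MIN_LOWER = MIN_DIGITS = MIN_SPECIAL = 3
MAX_AGE = timedelta(days=90)        # must be changed every 90 days
MIN_AGE = timedelta(days=14)        # may not be changed more often than every 14 days
HISTORY_DEPTH = 6                   # may not repeat any of the last 6 passwords used
MAX_FAILED_ATTEMPTS = 4             # 4 bad attempts -> lockout
LOCKOUT = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)

SPECIALS = set(string.punctuation)  # assumed definition of "special character"


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores plaintext (assumed KDF; iteration
    # count kept modest for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # most recent hash first
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def complexity_violations(username: str, password: str) -> List[str]:
    """Return the complexity rules the password breaks (empty list if compliant)."""
    problems = []
    if username.lower() in password.lower():
        problems.append("contains username")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    required = (("uppercase", MIN_UPPER), ("lowercase", MIN_LOWER),
                ("digits", MIN_DIGITS), ("special", MIN_SPECIAL))
    for kind, needed in required:
        if counts[kind] < needed:
            problems.append(f"needs at least {needed} {kind} characters")
    return problems


def change_password(acct: Account, new_password: str, now: datetime) -> List[str]:
    """Apply the policy to a change request; on success update the account and return []."""
    problems = complexity_violations(acct.username, new_password)
    if acct.last_changed is not None and now - acct.last_changed < MIN_AGE:
        problems.append("changed less than 14 days ago")
    digest = _hash(new_password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history[:HISTORY_DEPTH]):
        problems.append("matches one of the last 6 passwords")
    if problems:
        return problems
    acct.history.insert(0, digest)
    del acct.history[HISTORY_DEPTH:]   # keep only the last 6, current included
    acct.last_changed = now
    return []


def password_expired(acct: Account, now: datetime) -> bool:
    """True when the 90-day maximum age has been reached (or no password was ever set)."""
    return acct.last_changed is None or now - acct.last_changed >= MAX_AGE


def attempt_login(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'ok' or 'denied', enforcing the 4-strikes / 30-minute lockout."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                 # attempts during lockout are not even checked
    if acct.history and hmac.compare_digest(_hash(password, acct.salt), acct.history[0]):
        acct.failed_attempts = 0
        acct.locked_until = None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT
        acct.failed_attempts = 0
    return "denied"


def session_idle_expired(last_activity: datetime, now: datetime) -> bool:
    """True when a session has been idle for 15 minutes or more and must re-authenticate."""
    return now - last_activity >= IDLE_TIMEOUT


if __name__ == "__main__":
    acct = Account("jsmith")                       # constructed sample account
    t0 = datetime(2024, 1, 1, 9, 0)
    print(complexity_violations("jsmith", "jsmith!!!123ABCdef"))
    print(change_password(acct, "ABCdef123!@#", t0))
    print(change_password(acct, "ABCdef123!@#", t0 + timedelta(days=20)))
```

The lockout counter resets to zero when the lock is applied so that the next four attempts after the 30 minutes are counted afresh; an audit log entry at that point is where the essay's "tracking their use of the system" requirement would hook in.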

Similar Documents

Free Essay

Tft2 Task 1

...The current new user security policy for Heart-Healthy Insurance states the following: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” The following changes are based upon the PCI-DSS Compliance:
1. Usage policies must be developed for critical technologies and defined for proper use of these technologies (PCI DSS 12.3). With this first policy an organization will prohibit or allow the usage of equipment and/or accounts depending on the individual’s permitted access.
2. Explicit approval by authorized parties (PCI DSS 12.3.1). This policy will grant specific approval by management to match the business needs. Proper approval to individual personnel will create a secured environment with critical systems.
3. Authentication for use of the technology (PCI DSS 12.3.2). Personnel will use passwords to authenticate the access they have to specific technology. This will hinder any individual who is trying to breach the environment and gain access to critical information.
4. Automatic disconnect of sessions after a specific period of inactivity (PCI-DSS 12.3.7). Users must log out if they plan to step away from their accounts and/or devices. Automatic log-off will stop any individual who is trying to gain access to the system without authorization...

Words: 627 - Pages: 3

Premium Essay

Tft2 Task 1

...Updated Heart Healthy Information Security Policy. Due to personnel, policy and system changes, and audits, Heart Healthy has voluntarily updated their information security policy to be in line with the current information security laws and regulations. Currently Heart-Healthy Insurance, a large insurance company, plans to review and provide recommendations for an updated information security policy in the areas of:
Current New Users Policy. The current new user section of the policy states: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator access.” (Heart-Healthy Insurance Information Security Policy)
Current Password Requirements. The current password requirements section of the policy states: “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” (Heart-Healthy Insurance Information Security Policy)
Heart Healthy Insurance Information Security Policy and Update. Proposed User Access...

Words: 1532 - Pages: 7

Premium Essay

Tft2 Task 1

...IDs to access the computer systems. This policy pertains to new and existing users.
Dept. Mgr: will oversee all employees and ensure that candidates are properly trained.
Customer Mgr: will oversee operations from customer services and cashiers.
Customer Service officer: will be in charge of cashiers and customer service.
Cashiers/Agents: trained to handle PCI DSS and company policies.
Marketing: with limited remote access to authorized information.

| Role | Network | Application | Remote | Financial |
| Dept. Mgr | * | * | | * |
| Customer Mgr | * | * | | * |
| Customer Service officer | * | * | | * |
| Cashiers/Agents | * | * | | * |
| Marketing | * | * | * | |

1. Access control policy: Who has access to authorized systems for business applications? Users will be authorized to use only the systems that pertain to their roles.
2. User access: Employees are granted information access through passwords and...

Words: 932 - Pages: 4

Free Essay

Tft2 Task 1

...Proposed User Access Policy
* Heart-Healthy users will be granted access based on the least privilege principle.
* Heart-Healthy employees must have a background check in order to have access to the company’s network. This will check for any criminal history and reduce the security risk for the company and user.
* All users must also complete required training before access can be granted to the network. The training covers items such as information assurance, email protection, and identifying social engineering techniques. Training is a must in today’s computing environment.
* Users will need approval from Manager level positions and up for remote access, and the Information Security department will implement the request.
* Users of the Heart-Healthy network will be forbidden from using USB storage devices of any type unless approved by management and the security department.
* Heart-Healthy users are not allowed to install any additional software or hardware on company workstations and/or any other company owned computing device without written approval from the IT department.
* All Heart-Healthy computer systems must be configured by the IT department prior to connecting to the company LAN in order to ensure all security settings are set to company policy.
All Heart-Healthy employees are responsible for the maintenance and safekeeping of their information resources and will be held accountable for any information security violations or mishaps...

Words: 480 - Pages: 2

Premium Essay

Tft2 Task 1

...current security policy to the following for new users: NEW USERS. Heart-Healthy Insurance follows all rules and regulations that comply with federal and state laws. All precautions for patient privacy and the security of information are taken. In order to have access to our systems, please fill out the proper paperwork needed. If administrator access level is needed, the proper paperwork must be filled out and a manager must sign it. The level of access given will depend on your position and department. All computers have disabled USB ports for security reasons. In order to maintain compliance with Heart-Healthy Insurance, the Gramm-Leach-Bliley Act (GLBA), and the PCI-DSS, the following procedures for new users are in effect:
1. New user accounts are set up and login information is sent to their email.
2. New users are assigned a temporary password that must be changed within 48 hours.
3. Users are not allowed to share login information.
4. Users must log out of their workstation before leaving the computer.
5. Teleworking (working from home) is not allowed.
6. Accounts from users who are on vacation or medical leave will be disabled.
7. Accounts from users who...

Words: 496 - Pages: 2

Premium Essay

Tft2 Task 1

...Information Security New Users: New users will be added into Active Directory where access will be granted in accordance with the roles that the new user will be assigned (HIPAA §164.308 Administrative safeguards (4)(i) Standard: Information access management). New user roles will be determined by the position for which the user has been hired. New users will have a unique login and password for accessing computer systems (HIPAA §164.308 Administrative safeguards (3)(ii)(A) Authorization and/or supervision). User access will be on a need-to-know basis only. Any additional access will have to be approved by a senior level manager (HIPAA §164.308 Administrative safeguards (4)(i)(ii)(C) Access establishment and modification).
Password Requirements: All passwords must meet or exceed the following guidelines:
• Contain at least 12 alphanumeric characters.
• Contain both upper and lower case letters.
• Contain at least two numbers.
• Contain two special characters (for example, !$%^&*()_+|~-=`{}[]:";'?,/).
• Passwords cannot be found in a dictionary, including foreign languages.
• Passwords will change every 60 days.
Passwords should never be written down or left out in plain view. All logins and passwords will be maintained by Active Directory. Three incorrect password attempts will lock the user account. The account will only be unlocked by the system administrator after the identity of the user has been verified. Users should never share passwords with anyone...

Words: 293 - Pages: 2

Premium Essay

Tft2 - Cyberlaw

...TFT2 Cyberlaw, Regulations, and Compliance Overview
Kristi Lockett, Course Mentor, Kristi.lockett@wgu.edu, https://kristilockett.youcanbook.me
Performance Assessment
• Seven (7) Weeks to complete COS
• Four (4) Tasks
• Refer to Rubric (in Taskstream) for task requirement details
Tasks – submit via Taskstream
1. Task 1 – Policy Statements
• For given scenario, develop/revise two policy statements (new users and password requirements). Justify policies based on current federal information security laws/regulations (i.e., HIPAA)
2. Task 2 – Policy Statements
• For given scenario, develop three policy statements that would have prevented a security breach. Justify policies based on national or international standards (i.e., NIST, ISO)
3. Task 3 – Service Level Agreement
• For given scenario, recommend/justify changes to service level agreement.
• Address the protection of the parent company’s physical property rights, intellectual property rights and the non-exclusivity clause
• Use Microsoft Word tracking to track your additions, deletions, and modifications. Insert your justifications after each SLA section, or write an essay describing your changes and justifications
4. Task 4 – Cybercrime
• For the given scenario, write an essay responding to the following question prompts (suggested length of 3–5 pages):
• Discuss how two laws or regulations apply to the case study.
• Discuss how VL Bank will work within the parameters of appropriate legal jurisdiction...

Words: 369 - Pages: 2

Premium Essay

Tft2 Task 4

...TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions my security team, along with the network engineers, performed a thorough investigation of how such an attack had occurred. Once we were able to view all logs and audit data it came to our attention that the data did not appear to be stolen from our network. All transactions performed were done so with the appropriate credentials. Once we determined that the data breach did not occur on our network we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund...

Words: 1413 - Pages: 6

Premium Essay

Blah

...http://insights.scorpionsoft.com/bid/329695/The-Most-Recent-Password-Security-Compliance-Guidelines
http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
http://www.securelink.com/wp-content/uploads/2014/09/SL_WhitePaper_Compliance.pdf
http://hitachi-id.com/compliance/regulatory-compliance-using-identity-management.html
http://www.sans.org/security-resources/policies/
http://security.stackexchange.com/questions/10776/regulations-that-specify-password-length
**********************************************************
http://www.onlinetech.com/resources/references/what-is-hipaa-compliance
Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
• Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations. Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.
• Network, or transmission, security is the last technical safeguard required of HIPAA compliant...

Words: 329 - Pages: 2

Premium Essay

Tft2 Task3

...TFT2 Task 2 Thomas Garner Student ID: 336227 Information Security Modification Recommendations Service Level Agreement Between Finman Account Management, LLC, Datanal Inc., and Minertek, Inc. After careful review of the current Service Level Agreement (SLA) “A Service Level Agreement for Provision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.” we have determined that standard Information Technology security measures have not been addressed fully. Following are the recommended changes highlighted in the specific sections that need to be addressed. These changes are being recommended to protect Finman’s data and intellectual property. Established standards such as Best Management Practices (BMP), International Organization of Standards (ISO) and the Information Technology Infrastructure Library (ITIL) for the proper handling, storage and protection of IT resources are used as guidelines for these recommendations. Recommended Changes to SLA: Section 3 Background and Rationale Modifications: Finman views this SLA as a groundbreaking venture to harness the diverse array of IT-borne customer demands and opportunities that cannot be met by adhering to traditional paradigms. Finman’s objectives in the SLA are to compete more effectively in a highly competitive industry by offering its customers a unified IT management plan across an entire organization or even, if the customer wishes, across separate departments...

Words: 1333 - Pages: 6

Free Essay

Tft2 Task1

...Security Policy Cyberlaw, Regulations, and Compliance – TFT2 Task 1. Introduction: Heart-Healthy Insurance is currently evaluating their current security policy and has requested some changes to the policy concerning adding new users and the password requirements for the users. The end goal of the requested changes is to satisfy several compliance regulations that are required by law for their business. The regulations that need to be considered are:
1. PCI-DSS (Payment Card Industry Data Security Standard)
2. HIPAA (Health Insurance Privacy and Portability Act)
3. GLBA (Gramm-Leach-Bliley Act)
4. HITECH (Health Information Technology for Economic and Clinical Health Act)
5. HHS (US Department of Health and Human Services)
New Users: The current directive for new users from the standing security policy states: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” In evaluating the current policy, this standard creates a lot of overhead and administration work for the users and the admins. The new users who are not already familiar with the systems must provide a list of machines that they require access to. Being so new, they may not know all of the systems they would need on a day to day basis. This also rolls over...

Words: 1129 - Pages: 5

Premium Essay

Tft2 Task 4

...TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions my security team, along with the network engineers, performed a thorough investigation of how such an attack had occurred. Once we were able to view all logs and audit data it came to our attention that the data did not appear to be stolen from our network. All transactions performed were done so with the appropriate credentials. Once we determined that the data breach did not occur on our network we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund Transfer Act (EFTA). This states that as long as the...

Words: 1403 - Pages: 6

Premium Essay

Tft2 Task 4

...TFT2 Cyber Law Task 4 Jordan Dombrowski Western Governors University Situation Report It has come to my attention from the security analysts of VL Bank and victims that commercial customers of VL Bank have been involved in identity theft and fraud. Multiple user accounts were created without authorization claiming the identity of our customers. These fake accounts were used to make twenty-nine transfers of $10,000 each, equaling $290,000. The bank transfers were being sent to several U.S. bank accounts of unknown individuals. The U.S. banks involved in the transfers were Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida. After the funds were transferred to one of these banks, the funds were automatically transferred to several international bank accounts located in Romania, Thailand, Moldavia, and China. After further analysis we discovered that the bank’s affected customers all used computers infected with a keystroke logger virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. The computers infected did not have anti-virus or security software of any type installed. Additionally, these customers have reported that they have been frequently experiencing spear phishing attacks, which is most likely the way that the keylogging virus software was installed. Finally, we concluded that our bank’s systems have not been breached and no customer data has been...

Words: 3994 - Pages: 16