New Policy Statements for the
Heart-Healthy Information Security Policy
New User Policy Statement
The current New Users section of the policy states:
“New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
There are procedures for creating new user account profiles. HIPAA requires that an Information Security Officer (ISO) be assigned responsibility for the network account profiles. The appointed person is usually the organization's network or system security administrator. Once this role is assigned, the security administrator can create network profiles and assign each new user to the appropriate profile. The network profiles are implemented in accordance with least privilege: data is available only to the profile that needs it for its intended use. This method protects the privacy of the data during transmission. This process complies with the four standard Federal regulatory requirements stated in this policy: FISMA, HIPAA/HITECH, GLBA, and PCI-DSS.
Once the network account profiles are created, a new user account is created and assigned to a profile. To implement a strong access control measure, a unique user identifier must be assigned to each new user account. Before the new user account is activated, the network or security administrator must validate the identity of the person receiving it. Individuals must not allow anyone else to use their account. This process complies with the PCI-DSS standard.
Proper training must be provided to the individual receiving the new user account. This ensures awareness of the CIA triad (confidentiality, integrity, and availability) and of potential security risks. Training associated with the user account should be repeated annually. This process complies with the PCI-DSS standard.
Login time for the new user account should be restricted to the working hours of the individual who holds the account. This limits the time available to an attacker to compromise or infect the system or its resources if the account is compromised.
Documentation should be maintained showing the latest activity on each user account. User accounts that have been inactive for ninety days must be removed. This ensures that unauthorized individuals who are no longer with the company cannot access any system within the organization. This process complies with PCI-DSS standards.
Lastly, the final component of new user account creation is monitoring and logging of all activity associated with the user account. In the case of a security audit, the auditor can verify and examine the history of activity on the company's network. This component also ensures that the logged data is retained in the necessary areas of the company. This process complies with HIPAA and FISMA standards.
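As an added illustration (not part of the original policy), the following Python sketch enforces the working-hours restriction, records every attempt for later audit review, and flags accounts that have passed the ninety-day inactivity limit. The account records, timestamps and working-hour windows are constructed sample data.

```python
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)    # policy: remove accounts idle for ninety days

# Constructed sample account records (not from the original policy): each carries
# the last recorded login and the working-hours window in which logins are allowed.
ACCOUNTS = {
    "u1001": {"last_login": "2014-01-15T09:30", "hours": ("08:00", "17:00")},
    "u1002": {"last_login": "2013-10-01T14:00", "hours": ("08:00", "17:00")},
    "u1003": {"last_login": "2014-02-03T22:10", "hours": ("22:00", "06:00")},  # night shift
}
AUDIT_LOG = []   # every attempt is recorded so an auditor can review the history

def _within_hours(window, when):
    """True if 'when' falls inside the window; windows crossing midnight are handled."""
    start, end = (datetime.strptime(h, "%H:%M").time() for h in window)
    t = when.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def attempt_login(accounts, user, when_iso, log=None):
    """Allow the login only inside the user's working hours, and log the outcome."""
    log = AUDIT_LOG if log is None else log
    when = datetime.fromisoformat(when_iso)
    acct = accounts.get(user)
    allowed = acct is not None and _within_hours(acct["hours"], when)
    log.append({"user": user, "time": when_iso, "result": "allow" if allowed else "deny"})
    if allowed:
        acct["last_login"] = when_iso     # keep the latest-activity record current
    return allowed

def stale_accounts(accounts, now_iso):
    """Accounts whose last login is more than ninety days before 'now' (candidates for removal)."""
    now = datetime.fromisoformat(now_iso)
    return sorted(u for u, a in accounts.items()
                  if now - datetime.fromisoformat(a["last_login"]) > INACTIVITY_LIMIT)
```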
New Password Policy Statement
The current Password Requirements section of the policy states:
“Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.”
Additional procedures are added to this policy to strengthen the password requirements so that they comply with the PCI-DSS standard. The network security administrator will assign the initial password to every new account user. Passwords will not be shared with any other user. The account user will create a new password at the initial login. All passwords will require a minimum length of seven characters and must contain both alphabetic and numeric characters. To increase password complexity, the user can also include upper-case letters and symbols.
Passwords will be required to change every ninety days. They also cannot match any of the four previous passwords, which are stored in the user's log file. All passwords must be stored in a security database that uses strong cryptography.
The user account will be locked after six incorrect attempts. This prevents a hacker from executing a brute-force attack against the network. Unless the system security administrator unlocks the user account, the minimum lockout time will be thirty minutes.
If the user has been idle on the network for fifteen minutes, the user will be logged out. This method mitigates a replay attack against the network. The user may simply log back into the network with the correct password credentials upon return.
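The revised password rules above (seven-character minimum with letters and digits, no reuse of the last four passwords, lockout for thirty minutes after six failures) can be expressed directly in code. This Python example is added here and is not part of the policy; it uses salted PBKDF2-SHA256 as a stand-in for the "strong cryptography" the policy calls for, and the timestamps passed to login are plain seconds (constructed values).

```python
import hashlib
import secrets

MIN_LENGTH = 7              # revised policy: seven-character minimum
HISTORY_DEPTH = 4           # cannot reuse any of the last four passwords
MAX_FAILURES = 6            # lock after six incorrect attempts
LOCKOUT_SECONDS = 30 * 60   # minimum lockout unless an administrator unlocks

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)   # salted PBKDF2 stands in for "strong cryptography"
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def meets_complexity(password):
    """At least seven characters, containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class Account:
    def __init__(self, username, initial_password):
        self.username = username
        self.history = []       # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked_until = None
        if not self.set_password(initial_password):
            raise ValueError("initial password does not meet policy")

    def set_password(self, new_password):
        """Reject weak passwords and any match against the last four stored hashes."""
        if not meets_complexity(new_password):
            return False
        if any(secrets.compare_digest(hash_password(new_password, salt)[1], digest)
               for salt, digest in self.history[-HISTORY_DEPTH:]):
            return False
        self.history.append(hash_password(new_password))
        return True

    def login(self, password, now):
        """Return 'locked', 'ok' or 'denied'; six failures lock for thirty minutes."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "denied"
```

Only the most recent four hashes are checked, so the fifth password back becomes reusable, which is exactly the window the policy specifies.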
In conclusion, the recommended revisions to the new user and password requirements in the Heart-Healthy Information Security Policy add a layer of security for this company. Adhering to these regulations as guidelines will reduce network issues and attacks and bring the policy in line with national standards for information security.
Sources
PCI Security Standards Council. (November 2013). Payment Card Industry (PCI): Data Security Standard. Requirements and Security Assessment Procedures Version 3.0. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
U.S. Department of Health & Human Services. (n.d.). Health Information Privacy. Summary of the HIPAA Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
U.S. Department of Homeland Security. (October 2013). Federal Information Security Management Act (FISMA). Retrieved from http://www.dhs.gov/federal-information-security-management-act-fisma
University of Georgia. (n.d.). Customer Information Security Program Policy and GLBA Policy. Retrieved from http://eits.uga.edu/access_and_security/infosec/pols_regs/policies/cisp