Premium Essay

Tft2 Task 1

In: Computers and Technology

Submitted By beegood
Words 496
Pages 2
Heart-Healthy Insurance Information Security Policy Recommendations
New User Access and Password Requirements

Under the current policy, new users are informed that access is granted after the proper request forms are submitted with a manager's signature. The access granted corresponds to the employee's level within the company, and users are issued login credentials that give them access to the system with the appropriate permissions.
The current policy does not cover all of the steps and processes for assigning access levels, nor does it specify the disciplinary action to be taken when a user violates regulatory, privacy, or other compliance rules.
It is recommended that the current security policy be updated as follows for new users:
NEW USERS
Heart-Healthy Insurance complies with all applicable federal and state laws and regulations. All precautions are taken to protect patient privacy and the security of information.

To obtain access to our systems, complete the required access request paperwork. If administrator-level access is needed, the request must also be signed by a manager. The level of access granted will depend on your position and department.
USB ports are disabled on all company computers for security reasons.
To maintain compliance with Heart-Healthy Insurance policy, the Gramm-Leach-Bliley Act (GLBA), and PCI-DSS, the following procedures for new users are in effect:
1. New user accounts are set up and login information is sent to the user's email.
2. New users are assigned a temporary password that must be changed within 48 hours.
3. Users are not allowed to share login information.
4. Users must log out of their workstation before leaving the computer.
5. Teleworking (working from home) is not allowed.
6. Accounts of users who are on vacation or medical leave will be disabled.
7. Accounts of users who…

Similar Documents

Premium Essay

Tft2 Task 4

...TFT2 Task 4 As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning since we take pride in our information security. As soon as we were notified of the fraudulent transactions, my security team, along with the network engineers, performed a thorough investigation of how such an attack had occurred. Once we were able to view all logs and audit data, it came to our attention that the data did not appear to be stolen from our network. All transactions were performed with the appropriate credentials. Once we determined that the data breach did not occur on our network, we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect from identity theft. The customers reported the fund transfer immediately (within 48 hours) and they are protected under the Electronic Fund Transfer Act (EFTA). This states that as long as the...

Words: 1403 - Pages: 6

Premium Essay

Tft2 Task 2

...owned by the hospital which have enhanced security (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1)) (ISO 27002:2005, 11.4.2). The Application Deployment policy aims to close security loopholes that appear to have been open for months before the EHR system was even deployed. There were no checks on accounts when importing, and no alerts when permissions were escalated. Some of the key standards that I see as aiding in creating this policy are better change management (ISO 27002:2005, 10.1.2) (NIST, 164.308(a)(5)(ii)), operating system auditing after patching (ISO 27002:2005, 12.5.2), a better separation of development systems (ISO 27002:2005, 10.1.4) (ISO 27002:2005, 11.4.5) (ISO 27002:2005, 12.4.2), and better security on the production system (NIST, 164.312(a)(1)) (NIST, 164.308(a)(5)(ii)(D)). The Routine Maintenance policy aims to take care of the loose ends that may have been missed in implementing the above two policies. Policies are typically created from situations that arise, or to document procedures. This policy is more of a procedural standard that sets the frequency for auditing the systems that are in place. These audits can help in uncovering employee malice (NIST, 164.312(a)(1)) (ISO 27002:2005, 11.3.2), improper implementation of other standards (NIST, 164.312(b)), and can aid in proving compliance during controls audits. Electronic Patient Health Information Remote Access Policy 1. Purpose This policy defines standards for accessing electronic patient......

Words: 1416 - Pages: 6

Premium Essay

Tft2 Task 1

...Updated Heart Healthy Information Security Policy Due to personnel, policy and system changes, and audits, Heart Healthy has voluntarily updated their information security policy to be in line with the current information security laws and regulations. Currently Heart-Healthy Insurance, a large insurance company, plans to review and provide recommendations for an updated information security policy in the areas of: Current New Users Policy The current new user section of the policy states: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator access.” (Heart-Healthy Insurance Information Security Policy) Current Password Requirements The current password requirements section of the policy states: “Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.” (Heart-Healthy Insurance Information Security Policy) Heart Healthy Insurance Information Security Policy and Update Proposed User......

Words: 1532 - Pages: 7

Premium Essay

Task 1

...Business Research Report Title Presented to: Assessment Code: RWT1 Student Name: Student ID: Date: Mentor Name: Table of Contents Executive Summary 3 Introduction 4 Research Findings 4 Finding Number 1 4 Finding Number 2 5 Finding Number 3 5 Recommendations 5 Conclusion 6 References 7 Executive Summary Task instruction: Prepare a business report based on your research findings that includes: 3. Executive summary (suggested length of 1 page) that overviews the purpose of this report. The executive summary should be the last section you write after the remainder of the report is completed. The executive summary is a mini-version of your paper and should not exceed one page. For information about executive summaries, please refer to the study materials. Please note that your executive summary, and your paper, should be written using single spaced text. Introduction Task instruction: Prepare a business report based on your research findings that includes: 4. Introduction (suggested length of 1 page) that will: a. Introduce the subject and purpose of the report; b. Preview the main ideas of the report; c. Establish your relationship to the audience. It is recommended that you use single spaced text as you see here. Regarding item 4c, please keep in mind that your relationship with the audience will come from the scenario you selected from the topic list. In some cases your position is specified. In others you will need to define......

Words: 1226 - Pages: 5

Free Essay

Tft2 Task 1

...Proposed User Access Policy
* Heart-Healthy users will be granted access based on the least privilege principle.
* Heart-Healthy employees must have a background check in order to have access to the company’s network. This will check for any criminal history and reduce the security risk for the company and user.
* All users must also complete required training before access can be granted to the network. The training covers items such as information assurance, email protection, and identifies social engineering techniques. Training is a must in today’s computing environment.
* Users will need approval from Manager level positions and up for remote access, and the Information Security department will implement the request.
* Users of the Heart-Healthy network will be forbidden from using USB storage devices of any type unless approved by management and the security department.
* Heart-Healthy users are not allowed to install any additional software or hardware on company workstations and/or any other company owned computing device without written approval from the IT department.
* All Heart-Healthy computer systems must be configured by the IT department prior to connecting to the company LAN in order to ensure all security settings are set to company policy.
All Heart-Healthy employees are responsible for maintaining and safekeeping their information resources and will be held accountable for any information security violations or......

Words: 480 - Pages: 2

Free Essay

Tft2 Task 4

...several customers have reported that new user accounts have been set up under their names without their authorization and these accounts are initiating several fund transfers for $10,000. The wire transfers are being sent to various other bank accounts across the United States. As of today, the amount of fraudulent transfers has been over $290,000. The bank’s affected customers are calling to get answers and reclaim lost funds. Your supervisor is demanding answers from you as well. The bank’s general counsel is preparing for litigation threats from the affected customers. This could be a business nightmare, especially if you fail to resolve the situation quickly. After further analysis, you learn some additional information about the case: 1. The $10,000 individual transfers are going to several U.S. bank accounts of individuals before being automatically transferred to several international bank accounts located in Romania, Thailand, Moldavia, and China. 2. The bank’s affected customers all used computers infected with a keystroke logger virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. These computers did not have antivirus or security software installed. 3. The bank’s customers are frequently experiencing what is known as spear phishing attacks against them, which are fake e-mails that resemble normal business e-mail messages to customers, but contain the keystroke logging virus. 4. The......

Words: 405 - Pages: 2

Premium Essay

Tft2 Task 1

...Heart-Healthy Insurance is in need of an improved new user and password policy in order to become HIPAA, GLBA, and PCI-DSS compliant. I propose the following changes to the current policies: New User Policy Each user of this system will be given a unique username so we are able to track their use of the system, including the logging of their activities with timestamps in order to trace any and all activity on our network. Also, new users will be given access based on the rule of least privilege. This rule states the only rights a user will be granted are the rights and privileges they need to complete their individual work. All requests for the creation of new user accounts or to increase the level of access of an existing user must be submitted in writing by a member of the management team. This document must include which systems and levels of access the new user requires or the new level of access needed for the existing user account. If an upper level of access is requested, management must include a brief statement as to why this user needs an elevated level of access. In addition to these changes, if a user's status changes, i.e. they are terminated or voluntarily leave the company, they will be immediately removed from the authorized users database. Password Policy The new policy that will be put in place for all passwords, including existing passwords, will be as follows:
* Cannot contain username
* Must contain 3 uppercase letters
* Must contain 3......

Words: 598 - Pages: 3

Premium Essay

Tft2 Task 1

...IDs to access the computer systems. This policy pertains to new and existing users. Dept. Mgr: will oversee all employees and ensure that candidates are properly trained. Customer Mgr: will oversee operations from customer services and cashiers. Customer Service officer: will be in charge of cashiers and customer service. Cashiers/Agents: trained to handle PCI DSS and company policies. Marketing: with limited remote access to authorized information.
| Role | Network | Application | Remote | Financial |
| Dept. Mgr | * | * | | * |
| Customer Mgr | * | * | | * |
| Customer Service officer | * | * | | * |
| Cashiers/Agents | * | * | | * |
| Marketing | * | * | * | |
1. Access control policy: Who has access to authorized systems for business applications? Users will be authorized to use only the systems that pertain to their roles.
2. User access: Employees are granted information access through passwords and RSA tokens. Users with appropriate authorization, through authentication, will be able to access position-related materials. Users will be given unique IDs to access HHI’s computer systems.
3. User responsibilities: Through training, users are educated and made aware of access responsibilities. Users will not share sensitive information from HHI.
4. Network access: Access to the network will be set on the roles and responsibilities of the position that is acquired. No access is......

Words: 932 - Pages: 4

Premium Essay

Tft2 Task 3 V1.Docx

...companies for substantial monetary fees. Finman trademarks and marketing information are only to be used by the Finman Corporation or with the express consent of Finman Account Management. Only defined and expressed marketing information may be used during the course of the SLA and will not be allowed for use after the terms of the SLA have ended. This model creates protection for the Finman brand and reputation. Protecting the brand and reputation of Finman is a key piece of their intellectual property due to the fact that one of the cornerstones of this SLA is Finman’s reputation in the field of intellectual property management. Conclusion Finman’s business interests, including data and intellectual property, will remain secure if: 1. All the appropriate changes are made to the final Service Level Agreement 2. The SLA final draft is prepared by an independent third party law firm 3. All three working groups agree on the finalized documentation 4. All three groups have a notarized signed copy of these agreements Following the methodology laid out above limits the use, sharing, retention and destruction of Finman’s corporate data. Additionally, these recommendations assure Finman’s intellectual property rights are protected....

Words: 2292 - Pages: 10

Free Essay

Tft2 Task 1

...The current new user security policy for Heart-Healthy Insurance states the following: “New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.” The following changes are based upon PCI-DSS compliance:
1. Usage policies must be developed for critical technologies and defined for proper use of these technologies (PCI DSS 12.3). With this first policy an organization will prohibit or allow the usage of equipment and/or accounts depending on the individual’s permitted access.
2. Explicit approval by authorized parties (PCI DSS 12.3.1). This policy will grant specific approval by management to match the business needs. Proper approval to individual personnel will create a secured environment with critical systems.
3. Authentication for use of the technology (PCI DSS 12.3.2). Personnel will use passwords to authenticate the access they have to specific technology. This will hinder any individual who is trying to breach the environment and gain access to critical information.
4. Automatic disconnect of sessions after a specific period of inactivity (PCI-DSS 12.3.7). Users must log out if they plan to step away from their accounts and/or devices. Automatic log-off will stop any individual who is trying to gain access to the system without......

Words: 627 - Pages: 3

Premium Essay

Tft2 Task 4

...TFT2 Cyber Law Task 4 Jordan Dombrowski Western Governors University Situation Report It has come to my attention from the security analysts of VL Bank and victims that commercial customers of VL Bank have been involved in identity theft and fraud. Multiple user accounts were created without authorization claiming the identity of our customers. These fake accounts were used to make twenty-nine transfers of $10,000 each, equaling $290,000. The bank transfers were being sent to several U.S. bank accounts of unknown individuals. The U.S. banks involved in the transfers were Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida. After the funds were transferred to one of these banks, the funds were automatically transferred to several international bank accounts located in Romania, Thailand, Moldavia, and China. After further analysis we discovered that the bank's affected customers all used computers infected with a keystroke logger virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. The computers infected did not have anti-virus or security software of any type installed. Additionally, these customers have reported that they have been frequently experiencing spear phishing attacks, which is most likely the way that the keylogging virus software was installed. Finally, we concluded that our bank's systems have not been breached and no customer data has been...

Words: 3994 - Pages: 16

Premium Essay

Tft2 Task 2

...com/news/two-factor-authentication-what-you-need-to-know-faq/ Rouse, M. (2008, September). TechTarget. Retrieved from privilege bracketing definition: http://whatis.techtarget.com/definition/privilege-bracketing Rouse, M. (2014, June). TechTarget. Retrieved from IT audit (information technology audit): http://searchcompliance.techtarget.com/definition/IT-audit-information-technology-audit Rouse, M. (n.d.). principle of least privilege (POLP). Retrieved from TechTarget: http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP Souppaya, M., & Kent, K. (2006, September). Guide to Computer Security Log Management. Retrieved from NIST.gov: http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf Policy #3 Justification for recommendations in Policy #1 [->0] - http://advisera.com/20000academy/documentation/conflicts-and-exceptions/?icn=paid-document-20000-conflicts-and-exceptions&ici=bottom-monitoring-txt ...

Words: 3049 - Pages: 13

Premium Essay

Tft2 Task 1

...Information Security New Users: New users will be added into Active Directory where access will be granted in accordance with the roles that the new user will be assigned (HIPAA §164.308 Administrative safeguards (4)(i) Standard: Information access management). New user roles will be determined by the position for which the user has been hired. New users will have a unique login and password for accessing computer systems (HIPAA §164.308 Administrative safeguards (3)(ii)(A) Authorization and/or supervision). User access will be on a need-to-know basis only. Any additional access will have to be approved by a senior level manager (HIPAA §164.308 Administrative safeguards (4)(i)(ii)(C) Access establishment and modification). Password Requirements: All passwords must meet or exceed the following guidelines
• Contain at least 12 alphanumeric characters.
• Contain both upper and lower case letters.
• Contain at least two numbers.
• Contain two special characters (for example, !$%^&*()_+|~-=\`{}[]:";'?,/).
• Passwords cannot be found in a dictionary, including foreign languages.
• Passwords will change every 60 days.
Passwords should never be written down or left out in plain view. All logins and passwords will be maintained by Active Directory. Three incorrect password attempts will lock the user account. The account will only be unlocked by the system administrator after the identity of the user has been verified. Users should never share passwords with anyone...

Words: 293 - Pages: 2
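The password rules quoted on this page are easy to state in policy language and easy to get subtly wrong in code, so the following is an added example (not part of the original essay or of any excerpt above) that enforces them: the proposed requirements from the excerpt immediately above (12 characters, upper and lower case, two digits, two special characters, no dictionary words, lockout after three failed attempts), the six-password history and 15-minute lockout duration from the current-policy quotation earlier in the list, and the 48-hour temporary-password window from the main essay. Where the excerpts disagree (lockout after three failures versus after more than three; timed lockout versus administrator unlock) the example follows the three-failure, 15-minute variant. The `Account` class, the user names, the sample passwords and the short word list are all constructed for this example; a real deployment would load a full dictionary.

```python
"""Password-policy enforcement for a Heart-Healthy user account.

Added example: complexity rules, six-password history, a 48-hour temporary
password window and a 15-minute lockout after three failed logins."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Policy parameters taken from the policy text quoted on this page.
MIN_LENGTH = 12                    # at least 12 characters
MIN_DIGITS = 2                     # at least two numbers
MIN_SPECIAL = 2                    # two special characters
HISTORY_DEPTH = 6                  # no reuse of the previous six passwords
MAX_FAILURES = 3                   # three incorrect attempts lock the account
LOCKOUT_SECONDS = 15 * 60          # locked out for at least 15 minutes
TEMP_PASSWORD_SECONDS = 48 * 3600  # temporary password must be changed within 48 hours
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a real dictionary word list (example only).
DICTIONARY = {"password", "welcome", "insurance", "hearthealthy", "summer", "winter"}


def password_violations(password: str) -> list:
    """Return every complexity rule the candidate breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if sum(not c.isalnum() for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    # Compare only the alphabetic core, so "Password12!!" is still caught.
    if re.sub(r"[^a-z]", "", password.lower()) in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; current and previous passwords are kept only in this form."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    failures: int = 0
    locked_until: float = 0.0
    temp_deadline: Optional[float] = None

    def set_password(self, new_password: str) -> list:
        """Enforce complexity and the six-password history; rotate the history on success."""
        problems = password_violations(new_password)
        for salt, digest in self.history:  # re-hash with each old salt to detect reuse
            if hmac.compare_digest(_digest(new_password, salt), digest):
                problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        del self.history[:-HISTORY_DEPTH]  # keep only the newest six
        self.temp_deadline = None          # a user-chosen password has no expiry here
        return []

    def issue_temporary(self, temp_password: str, now: float) -> list:
        """New-user provisioning: the temporary password stops working after 48 hours."""
        problems = self.set_password(temp_password)
        if not problems:
            self.temp_deadline = now + TEMP_PASSWORD_SECONDS
        return problems

    def authenticate(self, attempt: str, now: float) -> str:
        """Return 'ok', 'bad', 'locked' or 'expired'; `now` is a Unix timestamp."""
        if now < self.locked_until:
            return "locked"  # even a correct password is refused during the lockout
        if self.temp_deadline is not None and now > self.temp_deadline:
            return "expired"  # temporary password was never changed
        if self.history:
            salt, digest = self.history[-1]
            if hmac.compare_digest(_digest(attempt, salt), digest):
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad"


if __name__ == "__main__":
    acct = Account("jdoe")
    print(acct.issue_temporary("Welcome2HHI!!24", now=0.0))   # [] -> compliant
    print(acct.set_password("Welcome2HHI!!24"))                # history violation
    print(password_violations("Password12!!"))                 # dictionary violation
```

Two design points worth noting. Old passwords are stored only as salted PBKDF2 digests, so the reuse check has to re-hash the candidate with each stored salt rather than compare plaintext; and the clock is passed in as `now` so the lockout and 48-hour expiry can be exercised deterministically. The 60-day rotation rule from the excerpt is a scheduled job rather than a login-time check and is not modelled here.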

Premium Essay

Tft2 Task 1

...current industry standards. Task: A. Develop new policy statements with two modifications for each of the following sections of the attached “Heart-Healthy Insurance Information Security Policy”: 1. New Users 2. Password Requirements B. Justify each of your modifications in parts A1 and A2 based on specific current industry standards that are applicable to the case study. C. When you use sources, include all in-text citations and references in APA format. A. Develop new policy statements with two modifications for each of the following sections of the attached “Heart-Healthy Insurance Information Security Policy”: 1. New Users: I would change the access from what is requested to what is required for the job and that both a supervisor and the employee sign the access sheet for a check and balance of rights to the system. I would also modify just needing a manager’s approval to grant administrator level access to requiring the manager’s and the IT director's or HIPAA regulator’s approval. There needs to be a very good reason that is properly documented showing the need to allow administrative level access. B. Justification of the modification. Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.(1) This is the......

Words: 662 - Pages: 3