Tft2 Task 2

In: Computers and Technology

Submitted by: fjrpilot
Words: 1416 - Pages: 6
Presented Problem

After examining the incident, several things stand out as major risks:

• Accounts existed before the EHR system was deployed.
• Those accounts were undocumented.
• Non-authorized remote users had access to the EHR application.
• An undocumented account was created on, or added to, a new system.
• A method or vulnerability allowed privilege escalation outside of the change control policy.

This led me to propose three policies, each addressing some of these key issues from a separate front. The three policies are a Remote Access Policy, an Application Deployment Policy, and a Routine Maintenance Policy. The Remote Access Policy aims to correct the issue that non-authorized users were able to access the EHR system. HIPAA has included a provision in the Security Rule that allows for remote access, but with certain limitations. I have included provisions that restrict remote access based on job role and job necessity (ISO 27002:2005, 7.1.1), and restrict it to assets owned by the hospital which have enhanced security (ISO 27002:2005, 7.1.1) (NIST, 164.312(a)(1)) (ISO 27002:2005, 11.4.2). The Application Deployment Policy aims to close security loopholes that appear to have been open for months before the EHR system was even deployed. There were no checks on accounts when importing them, and no alerts when permissions were escalated. Some of the key standards that I see as aiding in creating this policy are better change management (ISO 27002:2005, 10.1.2) (NIST, 164.308(a)(5)(ii)), operating system auditing after patching (ISO 27002:2005, 12.5.2), a better separation of development systems (ISO 27002:2005, 10.1.4) (ISO 27002:2005, 11.4.5) (ISO 27002:2005, 12.4.2), and better security on the production system (NIST, 164.312(a)(1)) (NIST, 164.308(a)(5)(ii)(D)). The Routine Maintenance Policy aims to take care of the loose ends that may have…...

Similar Documents

Tft2 Task 4

...TFT2 Task 4

As the chief information security officer for VL Bank, we were notified by several of our commercial customers of unauthorized wire transfers in an amount greater than $290,000. This is very concerning, since we take pride in our information security. As soon as we were notified of the fraudulent transactions, my security team, along with the network engineers, performed a thorough investigation of how such an attack had occurred. Once we were able to view all logs and audit data, it came to our attention that the data did not appear to have been stolen from our network. All transactions were performed with the appropriate credentials. Once we determined that the data breach did not occur on our network, we worked with the customers to check their personal computers. We discovered that all the information was gathered from the customers with a key-logging virus that collected the usernames, account numbers, passwords, personal identification numbers, URL addresses, and digital certificates used to access the VL Bank online banking site. Further investigation showed that there was not adequate virus protection on these PCs. The key-logging virus originated from a phishing email impersonating VL Bank and asking the customer to load the latest security software to protect against identity theft. The customers reported the fund transfers immediately (within 48 hours) and they are protected under the Electronic Fund Transfer Act (EFTA). This states that as long as...

Words: 1403 - Pages: 6

Tft2 Task 2

..., 10.1.2) (NIST, 164.308(a)(5)(ii)), operating system auditing after patching (ISO 27002:2005, 12.5.2), a better separation of development systems (ISO 27002:2005, 10.1.4) (ISO 27002:2005, 11.4.5) (ISO 27002:2005, 12.4.2), and better security on the production system (NIST, 164.312(a)(1)) (NIST, 164.308(a)(5)(ii)(D)). The Routine Maintenance Policy aims to take care of the loose ends that may have been missed in implementing the above two policies. Policies are typically created from situations that arise, or to document procedures. This policy is more of a procedural standard that sets the frequency for auditing the systems that are in place. These audits can help in uncovering employee malice (NIST, 164.312(a)(1)) (ISO 27002:2005, 11.3.2) and improper implementation of other standards (NIST, 164.312(b)), and can aid in proving compliance during controls audits.

Electronic Patient Health Information Remote Access Policy

1. Purpose

This policy defines standards for accessing electronic patient information systems while away from the facility. These standards are designed to minimize the exposure of patient data and the damage that may result from misuse.

2. Scope

This policy applies to all employees who utilize the electronic health record (EHR) system, and to all devices used to connect to the hospital data network. This policy applies to remote access connections used to modify and view patient information on behalf of the hospital, including but not limited to the EHR......

Words: 1416 - Pages: 6

Task 2

... receives AUTHOR DETAILS and MANUSCRIPT to process book publishing, and generates a BOOK RECORD which displays the production progress to PRODUCTION WORKER. Receiving BOOK STATUS from PRODUCTION WORKER, Process 2 gives a list to SHEPHERD and transforms TASK ASSIGNMENT into ASSIGNMENT, which is sent to TECHNICIAN. (Black lines)
Web checking - The process CHECK BOOK STATUS extracts UPDATED BOOK STATUS from BOOK (DATA STORE) with an UPDATE OPERATION from TECHNICIAN to the self-service website, and allows AUTHOR to check their BOOK STATUS. (Brown lines)
Promotion services - When the manuscript is well edited, Process 1 will receive a BOOK PROMOTION LIST (derived from PRESS INFORMATION, including promotion approaches, ISBN and relevant information) from Process 2, and assign it to different AUTHORs. (Red lines)
Book selling and reporting - As Process 2 works out the PUBLISHED BOOK for selling, E-COMMERCE SITE hands in sales information to the ACCOUNT SALES process for calculating report data and generating the sales REPORT. (Green lines)

5. Data Flow Diagram - Level 1

Below is the Level 1 DFD of the ‘MAKE SALES’ process, which is in the Level 0 DFD. The whole ‘MAKE SALES’ process is divided into six sub-processes, including ‘UPDATE CALL INFOR’, ’CREATE RECALL LISTS’, ‘GENERATE SALES PERFORMANCE REPORT’, ‘ADD AUTHORS’, ‘PRODUCE MAILING LABELS’ and ‘SELL PROMOTION OPTIONS’. A detailed explanation of each process is recorded in the data dictionary in section 6. Relevant entities including ‘SALSES...

Words: 3520 - Pages: 15

Tft2 Task 1

... their email.
2. New users are assigned a temporary password that must be changed within 48 hours.
3. Users are not allowed to share login information.
4. Users must log out of their workstation before leaving the computer.
5. Teleworking (working from home) is not allowed.
6. Accounts of users who are on vacation or medical leave will be disabled.
7. Accounts of users who have been terminated or are no longer with the company are disabled or removed immediately (ISO, 2013).

8. PASSWORD REQUIREMENTS

In order to maintain the required security, passwords must:
1. Be a minimum of eight characters long,
2. Have upper and lower case letters,
3. Have a number,
4. Have a special symbol,
5. Not have repetitive numbers or letters.

Passwords are changed every 30 days and password reuse is not allowed for the previous six passwords used. Password sharing is not allowed on computers that can access or have patient information on them. Three login attempts are allowed; if the login has failed after three attempts, the user account is locked for fifteen minutes before the password can be reset.

REFERENCES

International Standard (ISO) (2013). Information technology — Security techniques — Code of practice for information security controls (ISO/IEC 27002). ISO.
Gramm-Leach-Bliley Act: Subchapter I: Disclosure of Nonpublic Personal Information. (n.d.). Retrieved from http://www.ftc.gov/privacy/glbact/glbsub1.htm
PCI Security......

Words: 496 - Pages: 2

Tft2 Task 1

... based on dictionary words are prohibited
* Passwords based on pet names, biographical information, children’s names, or names of relatives are prohibited
* Passwords must consist of a mixture of uppercase, lowercase, and a special character
* The system will remember the last 12 passwords
* If passwords are written down, they must be kept in a safe place, e.g. a wallet or a safe. Passwords are not to be written down and taped to the bottom of the keyboard, stuck to the computer monitor with a sticky note, or put in an unlocked desk drawer.
* All passwords will be changed every 90 days

Proposed Password Policy

The Heart-Healthy password policy guideline is a recommendation for creating a new user password. This policy is a guideline to help end users in:
* Choosing and creating a strong password
* Ensuring that passwords are highly resistant to brute force attacks and password guessing
* Recommendations on how users should handle and store their passwords safely
* Recommendations on lost or stolen passwords

Password expiration

Password expiration will serve 2 specific purposes:
* Password expiration will limit the time crackers have to either guess or brute force a password.
* If a password has been compromised, the password expiration will help to limit the time the cracker / hacker has access to Heart-Healthy’s internal networking system.

Heart-Healthy has embarked on a path to bring their information security posture regarding “Password...

Words: 1532 - Pages: 7

Task 2

...Leadership is important in managing and organizing the structure of the organization while trying to maintain a profitable company that takes into consideration employees, shareholders, customers, the board of directors, etc. Another attribute of a great leader is managing diversity in the workplace. However, diversity includes many different issues and needs to be managed, and if done properly it can lead to competitive advantages for the company. Thomas A. Kochan, professor at MIT, stated, “Diversity can enhance business performance only if the proper training is provided and the organizational culture supports diversity” (Dubrin, 2010). Managing Cultural Diversity: Managing cultural diversity is not an easy task; however, when incorporated into the organization's core values, it makes it easier to incorporate (Dubrin, 2010). Below is a diagram that provides a breakdown of areas or issues that may need to be looked at to evaluate the possibility of creating and leading a culturally diverse organization. These areas may help to identify where a competitive advantage may be available in the organization. In such a culturally diverse world, and as the organization makes decisions that will impact it globally, these discussions are vital for the success of the company. Whether or not decisions are made to implement measures based on diversity within the organization, these ideas may identify some of the organization's strengths and weaknesses...

Words: 1249 - Pages: 5

Tft2 Task 4

... the network access. The organization can avail itself of and use all the available resources by using the software Datanal. The purpose of the risk management is to give the organization strategies which can be useful in protecting data and information. The organization can even use a Host Based Intrusion Detection System, which can give better safety to the data and information that is available on the network. The implementation of the firewall can protect the entire network from the various kinds of threats which can easily destroy the network, so there is a need to implement the router and firewall on the network, which can give encryption to both LAN and WLAN, and various protocols can be used in this regard. The idea of implementing the vendor manufacturing agents or partners is to protect the company from any misuse or theft of the data by assailants. These mechanisms also serve to protect from external threats by engaging the organization to identify its used resources.

2. Justify how your recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.

There are three basic ISM concepts, which are called Availability, Confidentiality and Integrity. More work is to be completed when the ACLs, GPs and TPV are implemented. For Finman’s organization, various approaches can be used for granting permissions to use the network, where the user is included in particular groups in Active Directory. Even......

Words: 758 - Pages: 4

Tft2

... June 4, 2014
ABC Company
Proposed revision of Information Security Policy
Anthony Ronning: Information Security Manager

OBJECTIVE: Due to the recent breach of our electronic health record (EHR) systems, it is necessary that policies pertaining to access and control mechanisms of health records be reviewed and/or modified to mitigate future incidents.

SPECIFIC GOALS:
1.) Implement a standard based on Attribute Based Access Control (ABAC) to ensure that electronic health records (EHR) are protected from unauthorized entities
2.) Implement a standard for the use of remote access methods to information systems
3.) Implement a standard that ensures that access to electronic health records (EHR) is audited and backed up without changes or overwriting

INFORMATION SECURITY POLICY GOALS:
* Confidentiality = data or information is not made available or disclosed to unauthorized persons or processes
* Unauthorized access = the INABILITY of unauthorized persons to read, write, modify, or communicate data/information or otherwise use any system resource
* Integrity = data or information has not been altered or destroyed in an unauthorized manner
* Availability = data or information is made accessible and usable upon demand by authorized users
* Legislative and Regulatory Requirements = policies comply with Federal and HIPAA regulatory standards
* Business continuity plan integration = policy revisions fall within the business...

Words: 2279 - Pages: 10

Task 2

...Task 2

Compare and contrast the life span and the diseases and illnesses profile for an infant born today in the developed world and in the developing world.

                     Sierra Leone (developing country)      United States of America (developed country)
Life expectancy      47.5 years                             78.7 years
Population           5.4 million                            313.9 million
Fertility rate       6.3 births per woman                   1.8 births per woman
Affecting factors    • pervasive poverty                    • obesity
                     • high level of illiteracy,            • lack of a healthy lifestyle
                       significantly among females          • eating and workout habits
                     • limited access to safe               • smoking
                       drinking water                       • drinking
                     • proper sanitation
                     • malnutrition
                     • overcrowded housing
                     • access to quality health services
Diseases             • Malaria                              • Heart disease
                     • Acute Respiratory Illnesses          • Cancer
                     • STI                                  • Chronic lower respiratory disease
                     • Diarrhoea                            • Stroke
                                                            • Accidents
                                                            • Diabetes

If a baby girl was born in a developing country such as Sierra Leone, her chances of survival are minimal. The factors affecting her life expectancy are primarily the lack of resources her country has to ensure her survival. Factors such as "limited access to safe drinking water" are a non-problem for a child born in a developed country. In regard to diseases, many individuals in developing countries do not live long enough to contract any chronic illness. Developing countries are plagued with acute diseases, like Malaria and STIs, that demolish their population because they lack efficient health care...

Words: 385 - Pages: 2

Tft2 Task 1

... | * | * | | * |
Customer Service officer | * | * | | * |
Cashiers/Agents | * | * | | * |
Marketing | * | * | * | |

1. Access control policy: Who has access to authorized systems for business applications? Users will be authorized to use only the systems that pertain to their roles.
2. User access: Employees are granted information access through passwords and RSA tokens. Users with appropriate authorization, through authentication, will be able to access position-related materials. Users will be given unique IDs to access HHI’s computer systems.
3. User responsibilities: Through training, users are educated and made aware of access responsibilities. Users will not share sensitive information from HHI.
4. Network access: Access to the network will be set on the roles and responsibilities of the position that is acquired. No access is granted unless authorized.
5. Remote access: Will be encrypted and have limited access to sensitive information. This access will be granted by role-based positions and will monitor inbound and outbound data.
6. Application access: Users with authorized access to programs for financial transactions will be trained for compliance with PCI DSS standards.

Compliance requirements for PCI DSS
* A secure network must be built and maintained by installing a firewall with the configuration that is necessary to protect cardholder data and customer personal......

Words: 932 - Pages: 4

Task 2

...Task Stream 2

Microbiology can be broken down into categorizations based upon the environmental conditions necessary for organisms to grow. Two large categories of microorganisms are those requiring oxygen to live (obligate aerobes) and those which can grow with oxygen but have the ability to also grow without it (facultative aerobes). The obligate aerobes produce more energy from nutrients than anaerobes by using oxygen as the “final electron acceptor in the electron transport chain, which produces most of the ATP in these organisms” (Betsy & Keogh, 2005, p.104). The facultative microorganisms are able to use oxygen but can also go without it by using fermentation or anaerobic respiration when it is not available (Betsy & Keogh, 2005). The microorganisms being cultured in our first task (Lactobacillus acidophilus and Staphylococcus epidermidis) are obligate aerobes. Microorganisms can grow in a variety of conditions, with temperature being one of those variables, but the types we frequently encounter in our environment thrive in fairly warm temperatures. Both Lactobacillus acidophilus and Staphylococcus epidermidis are examples of these, which are referred to as mesophiles. Extreme temperatures (as in deep freezing or autoclaves, for example) are effective in destroying microorganisms due to their inability to thrive outside of more moderate temperatures. Growth of these two organisms would be optimized by remaining between 25 and 40 degrees Celsius...

Words: 1281 - Pages: 6

Task 2

...Task 2, Community Health (C228)
Edward Croston
Western Governors University

Task 2, Community Health (C228)

MEASLES

Measles was, at one time in the not too distant past, a killer of those that became infected. Measles has been around for centuries. The first published, written account of the disease was in the ninth century by a Persian doctor. According to the Centers for Disease Control and Prevention (CDC) website on measles, it was not until 1757 that a Scottish physician, named Francis Home, proved that something infectious in the blood was causing the disease. By the early 1900s, the United States began requiring every healthcare provider and laboratory to report all identified cases, with approximately 6,000 deaths being related to measles each year. Almost all children contracted the disease by the time they were the age of 15, with an estimated yearly infection rate of three to four million United States citizens. Each year, it is estimated, 400 to 500 people died from measles, 48,000 were hospitalized, and 4,000 developed encephalitis as a side effect of the disease. The measles, mumps, and rubella (MMR) vaccine was made available to the public in 1963. The MMR has significantly reduced the reported cases of measles. In the year 2000 measles was declared eradicated in the United States. But since then, the disease has returned from time to time. ("Measles History," 2014, p. 2) Measles is a virus that has an incubation period of approximately 14 days. It is...

Words: 1240 - Pages: 5

Tft2 Task 4

...TFT2 Cyber Law Task 4
Jordan Dombrowski
Western Governors University

Situation Report

It has come to my attention from the security analysts of VL Bank and victims that commercial customers of VL Bank have been involved in identity theft and fraud. Multiple user accounts were created without authorization claiming the identity of our customers. These fake accounts were used to make twenty-nine transfers of $10,000 each, equaling $290,000. The bank transfers were being sent to several U.S. bank accounts of unknown individuals. The U.S. banks involved in the transfers were Bank A in California, Bank B in New York, Bank C in Texas, and Bank D in Florida. After the funds were transferred to one of these banks, the funds were automatically transferred to several international bank accounts located in Romania, Thailand, Moldavia, and China. After further analysis we discovered that the bank's affected customers all used computers infected with a keystroke logger virus that collected usernames, passwords, account numbers, personal identification numbers, URL addresses, and digital certificates. The infected computers did not have anti-virus or security software of any type installed. Additionally, these customers have reported that they have been frequently experiencing spear phishing attacks, which is most likely the way that the keylogging virus software was installed. Finally, we concluded that our bank's systems have not been breached and no customer data has...

Words: 3994 - Pages: 16

Tft2 Task 2

... Introduction

The major healthcare provider in question has experienced a potential security breach within their records. They are now investigating how this happened and what information was accessed by the unauthorized individual. However, the company is now interested in establishing a baseline framework to avoid future information breaches. This document will outline three major IT frameworks and how each could have mitigated the recent information breach.

ISO Policy

The ISO 27001 recommendation is a high-level discussion. A precise policy was not located. The discussion did contain a preventive feature to deny access after hours; however, how the after-hours check relates to a policy is not clear. The COBIT5 recommendation is a discussion and needs to be developed into a policy. The discussion includes auditing in general; however, details about the auditing need to be developed once a precise policy is developed. The NIST framework discussion includes review of log files. Details about the review need to be developed once a policy is developed. The three major security frameworks in the discussion are excellent overall recommendations. Precise policy statements that will prevent the identified security flaw in the scenario need to be developed. The first policy presented is ISO 27001 (International Standards Organization Security Standards). According to the ISO website, “The ISO 27000 family of standards helps organizations keep information assets...

Words: 3049 - Pages: 13

Task 2

...Linksys WRT54G Running DD-WRT v24-sp2 firmware

The Linksys WRT54G series router was released in 2002. This is an older router capable of utilizing the 802.11b/g standards; however, by flashing the WRT54G with DD-WRT firmware you now have a SOHO router that is on par with most business-class wireless routers in capabilities and features.

Contents:
1. Configure Linksys WRT54G/DD-WRT to perform NAT
2. Enable packet filter on Linksys WRT54G/DD-WRT
3. Set up the default gateway to share internet and network services among hosts

Enabling NAT
1. After powering on the Linksys WRT54G, connect the data cable from the computer or laptop to Ethernet port 1 on the back of the Linksys.
2. Open a web browser and enter the IP address 192.168.1.1 into the address bar. The browser will open the DD-WRT browser interface at the System Information page.
3. Click on the Setup tab in the upper left corner of the page.
4. You will be prompted for a username and password. The default username and password are root & admin.
5. From the setup page you will configure the WAN connection (the connection to the ISP). In almost all cases ISPs use DHCP to configure the connection. In the rare case that the ISP uses a static IP, you will need to know the IP address, subnet mask, default gateway and DNS servers; all this info should be provided by the ISP.
6. Once the WAN connection is configured, you will configure DHCP so the hosts on the client’s network...

Words: 594 - Pages: 3