Thursday, May 23, 2019

Heart Healthy Information Security Policy Essay

Due to personnel, insurance and system changes, and audits, Heart-Healthy has voluntarily updated its information security policy to bring it in line with current information security laws and regulations. Heart-Healthy Insurance, a large insurance company, plans to review and make recommendations for an updated information security policy in the areas of:

1. Current New Users Policy

The current new user section of the policy states: "New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator access." (Heart-Healthy Insurance Information Security Policy)

2. Current Password Requirements

The current password requirements section of the policy states: "Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset." (Heart-Healthy Insurance Information Security Policy)

Heart-Healthy Insurance Information Security Policy and Update

Proposed User Access Policy

The purpose of the User Access Policy is to describe access to Heart-Healthy's network infrastructure and to ensure appropriate access to all of Heart-Healthy's information resources. The purpose of Heart-Healthy's Network Access Policy is to establish the appropriate level of user access to Heart-Healthy's network infrastructure.
Heart-Healthy's network access rules are necessary in order to preserve the confidentiality, integrity and availability of Heart-Healthy's proprietary information. Heart-Healthy's Information Security Office will be responsible for the management and administration of Heart-Healthy's information security function(s). Heart-Healthy's Information Security Office will be the chief point of contact for any and all security-related functions.

User Access Policy

* Heart-Healthy users will be permitted access based on the principle of least privilege.
* Remote access or dial-in services will be requested by Manager-level positions and up, and approved by the Information Security Department.
* End users are not allowed to re-transmit or extend any of Heart-Healthy's network services; e.g. users will not attach hubs, switches, firewalls or access points to Heart-Healthy's network without prior written authorization.
* Users are not allowed to install any additional hardware or software without the express written consent of the Heart-Healthy information technology department.
* All Heart-Healthy computer systems will conform to agency standards.
* End users are not allowed to download, install or run any programs that could potentially reveal or undermine Heart-Healthy's in-place security system; e.g. packet sniffers, password crackers or network mapping tools are strictly forbidden.

All Heart-Healthy employees and 3rd-party contractors are responsible for managing their information resources and will be held accountable for any information security violations or infractions.

Current Password Policies and Requirements

Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used.
Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset (Heart-Healthy Insurance Group Information Security Policy).

NIST Special Publication 800-63

The stronger the password, the more likely that password guessing and cracking will be deterred. The combination of the password's length and its complexity directly determines its unpredictability. With 8-character complex passwords, current GPU processing power can break a password in less than 26 days by exhausting all possible combinations.

Proposed Password Guidelines

* Passwords should be a minimum of 14 characters.
* Passwords based on dictionary words are prohibited.
* Passwords must not be based on pet names, biographical information, children's names or names of relatives.
* Passwords must consist of a mixture of uppercase, lowercase, and a special character.
* The system will remember the last 12 passwords.
* If passwords are written down, they must be kept in a safe place, e.g. a wallet or a safe. Passwords are not to be written down and taped to the bottom of the keyboard, stuck to the computer monitor with a sticky note, or put in an unlocked desk drawer.
* All passwords will be changed every 90 days.

Proposed Password Policy

The Heart-Healthy password policy guideline is a recommendation for creating a new user password.
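The proposed guidelines above (14 characters, character classes, dictionary words, the 12-password history), the three-failure lockout, and the exhaustive-search estimate behind the 26-day figure, as an added Python example that is not part of the original essay. The 3 billion guesses per second rate is the figure the essay's mailchimp reference cites; the 95-symbol alphabet, the tiny word list and the dictionary heuristic are assumptions.

```python
import re

# Assumptions (not from the policy): 3 billion guesses/s, the figure the
# essay's mailchimp reference cites, over the 95 printable ASCII symbols.
GUESS_RATE = 3_000_000_000
ALPHABET = 95
# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "healthy", "insurance", "summer"}


def days_to_exhaust(length, alphabet=ALPHABET, rate=GUESS_RATE):
    """Days needed to try every password of `length` symbols."""
    return alphabet ** length / rate / 86400


def check_password(candidate, history):
    """Return violations of the proposed guideline; `history` holds the
    user's earlier passwords, newest last (the system keeps the last 12)."""
    problems = []
    if len(candidate) < 14:
        problems.append("shorter than 14 characters")
    for pattern, what in ((r"[A-Z]", "uppercase"), (r"[a-z]", "lowercase"),
                          (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, candidate):
            problems.append("missing " + what)
    # "Based on a dictionary word" (assumed heuristic): a listed word forms
    # half or more of the candidate.
    low = candidate.lower()
    if any(w in low and 2 * len(w) >= len(low) for w in DICTIONARY):
        problems.append("based on a dictionary word")
    if candidate in history[-12:]:
        problems.append("reuses one of the last 12 passwords")
    return problems


class LockoutTracker:
    """More than three failed attempts locks the account for 15 minutes.
    Times are plain seconds (e.g. time.time()) to keep the example small."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def record_failure(self, user, now):
        # Called on each wrong password; returns True once the lock engages.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > 3:
            self.locked_until[user] = now + 15 * 60
            self.failures[user] = 0
            return True
        return False
```

At 95 symbols and 3 billion guesses per second, days_to_exhaust(8) gives about 25.6 days, the essay's figure, while a 14-character password takes on the order of 10^13 days.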
This policy is a guideline to assist end users in:

* Choosing and creating a strong password
* Ensuring that passwords are highly resistant to brute-force attacks and password guessing
* Recommendations on how users should handle and store their passwords safely
* Recommendations on lost or stolen passwords

Password Expiration

Password expiration will serve two specific purposes:

* Password expiration will limit the time crackers have to either guess or brute-force a password.
* If a password has been compromised, password expiration will help to limit the time the cracker / hacker has access to Heart-Healthy's internal network.

Heart-Healthy has embarked on a path to bring its information security posture regarding Password Requirements and New Users up to date. Heart-Healthy has used NIST (National Institute of Standards and Technology) and HIPAA (Health Insurance Portability and Accountability Act) regulations in order to achieve its goal of providing the CIA (Confidentiality, Integrity, Availability) triad for information security. The federal government has implemented a number of laws and regulations that relate to the handling, reviewing and compliance assurance of private or confidential data. Although NIST and HIPAA do not specifically outline the methods in these documents, Heart-Healthy is obligated to make an effort to implement reasonable standards in order to meet the current legal obligations outlined by these laws and regulations.

Heart-Healthy will focus on three main categories for its security posture: Physical, Technical and Administrative.

* Physical Security: Heart-Healthy has designed its physical security around protecting computer systems that store confidential data.
* Technical Security: Heart-Healthy has implemented software and security safeguards designed specifically to ensure that access is controlled, and that the integrity and the authentication of the stored data remain intact.
* Administrative Security: Heart-Healthy's administrative security ensures that Heart-Healthy procedures, standards, security measures, and organizational policies are implemented by qualified personnel.

The HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HHS.gov).

NIST ensures that the CIA (Confidentiality, Integrity, and Availability) of any electronic personal health information (ePHI) that is maintained, received or transmitted is protected from potential threats and hazards that could affect the integrity of the ePHI. NIST also provides protection against the accidental or intentional exposure of private information.

Heart-Healthy understands that information security means protecting its information from unauthorized disclosure, access and any disruptions. Heart-Healthy understands that the difference in protecting its sensitive data lies primarily in its approach. Heart-Healthy has taken precautions to prevent accidental or intentional exposure of electronic private health information. Heart-Healthy is confident that the policies put forth will help eliminate unauthorized access to Heart-Healthy's information systems. Heart-Healthy's technical security policies will help ensure that end users are responsible for their information.
Technical policies will also serve to protect end users from accidental exposure by providing adequate protection for end users' passwords and confidential data. Heart-Healthy will provide annual training on its new policies, in order to ensure that end users are aware of security risks and that end users will ultimately be accountable for their personal security awareness. Heart-Healthy personnel will ultimately be responsible for the management of their information resources and will be held accountable for their actions in relation to their information security. All access to Heart-Healthy information resources is for authorized business purposes only. Heart-Healthy will not provide or guarantee access to email or web browsing. Heart-Healthy will monitor all electronic communications that might be needed in order to fulfill a complaint or any investigatory requirements. Heart-Healthy understands that if any confidential information is breached or falls into the hands of a competitor or a hacker, the consequences could be devastating.

References

mailchimp.com. (2012). 3 Billion Passwords Per Second. Are Complex Passwords Enough Anymore? Retrieved from http://blog.mailchimp.com/3-billion-passwords-per-second-are-complex-passwords-enough-anymore/

nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm

hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/index.html

hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

nist.gov. (n.d.). Guide to Enterprise Password Management. Retrieved from http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
