Heart Healthy Information Security Policy Essay

Due to personnel, policy and dust of rules changes, and audits, Heart sound has voluntarily updated their schooling warranter policy to be in-line with the current information security laws and regulations. up-to-dately wholesome Insurance, a mountainous insurance comp any(prenominal), plans to review and provide tributes for an updated information security policy in the ara s of 1. Current New Users form _or_ system of government The current in the raw substance abuser section of the policy statesNew users are assigned admission price based on the content of an entrance money entreat. The submitter must sign the request and indicate which systems the new user allow need entrancewayion to and what take aim of access bequeath be needed. A managers acclaim is required to grant administrator access.( wholesome Insurance breeding surety Policy)2. Current war cry Requirements The current word requirements section of the policy states give-and-takes must be at least eight characters long and contain a confederacy of upper- and lowercase letters. Shared paroles are non permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous hexad passwords that were used. Users entree an incorrect password more than three times will be locked out for at least 15 minutes in the beginning the password can be reset.( wholesome Insurance education warrantor Policy)Heart Healthy Insurance reading Security Policy and UpdateProposed User rile PolicyThe purpose of the User Access Policy is to provide access to Heart-Healthys lucre infrastructure and to check appropriate access to all of Heart-Healthys information resources. The purpose of Heart-Healthys Network Access Policy is to establish the appropriate level of user access to Heart-Healthys network infrastructure. Heart-Healthys network access rules are necessary in order to pre assist the confidentiality, lawfulness and availabil ity of Heart-Healthys proprietary information.Heart-Healthys Information Security Office will be responsible for management and brass of Heart-Healthys information security function(s). Heart-Healthys Information Security Office will be the chief point of progress to for any and all security related functions. User Access Policy* Heart-Healthy users will be permitted access based on the ruler of least privileges * Remote access or dial-in-services will be bespeak by Manager level positions and up, and approved by the Information Security Department. * End users are not allowed to re-transmit or extend any of Heart-Healthys network services. E.g. users will not attach hubs, switches, firewalls, access points to Heart-Healthys network without prior indite authorization. * Users are not allowed to come in any additional hardware or software without the express written consent from the Heart-Healthy information technology department.* All Heart-Healthy ready reckoner systems will conform to agency standards * End users are not allowed to download, ensnare or run any programs that could authorityly reveal or debase Heart-Healthys in-place security system, e.g. packet sniffers, password crackers or network mapping tools are strictly forbidden. All Heart-Healthy employees, tertiary party contractors are responsible for managing their information resources and will be held accountable for any information security violations or infractionsCurrent rallying cry Policies and Requirements intelligences must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset(Heart-Healthy Insurance Group Information Security Po licy).NIST Special Publication 800-63The stronger the password, the more likely that password anticipate and cracking will be deterred. The combination of the password and the complexity immediately lead to its unpredictability. With 8 character complex passwords, with current GPU processing advocator a password can be broken in little than 26 days by exhausting all possible combinations.Proposed tidings Guidelines* Passwords should be a minimum of 14 characters* Passwords based on lexicon words are prohibited* Passwords based on pet names, biographical information, childrens names, no names of relatives* Passwords must consist of a compartmentalization of uppercase, lowercase, and a special character* System will remember lead 12 passwords* If passwords are written down, they must be kept in a safe place, e.g. a wallet, or a safe. Passwords are not be be written down and tape to the bottom of the keyboard, stuck to the estimator monitoring device with a sticky note, or p ut in an unsecured desk drawer.* All passwords will be changed every 90 daysProposed Password PolicyHeart-Healthy password policy guideline is a recommendation for creating a new user password. This policy is a guideline to befriend end users in* Choosing and creating a strong password* Ensure that passwords are highly resistant to brute force attacks and password guessing* Recommendations on how users should handle and store their passwords safely* Recommendations on lost or stolen passwordsPassword expiration* Password expiration will serve 2 specialised purposes* Password expiration will limit the time crackers ware to either guess, or brute force a password.* If a password has been compromised, the password expiration will help to limit the time the cracker / hacker has access to Heart-Healthys internal networking system.Heart-Healthy has embarked on a path to bring their information security posture regarding Password Requirements and New Users up-to-date. Heart-Healthy has used NIST (National Institute of Standards) and HIPAA ( Health Insurance Portability and chronicle Act) regulations in order to achieve their goal of providing the CIA (Confidentiality, Integrity, Authorization) triad for information security. The federal official government has implemented a number of laws and regulations that pertain to the handling, reviewing and compliance say-so of private or confidential data. With respect to NIST, and HIPAA although they do not specifically outline the methods in these documents, Heart-Healthy is obligated to make an attempt to implement reasonable standards in order to meet the current legal obligations outlined by these laws and regulations.Heart-Healthy will focus on three chief(prenominal) categories for their security posturePhysical, technological,administrative,* Physical Security Heart-Healthy has designed their material security around protecting computer systems that store confidential data. * Technical Security Heart-Healt hy has implemented software and security safeguards designed specifically to ensure access is controlled, and the integrity and the authentication of the stored data remains intact. * Administrative Security Heart-Healthys administrative security ensures that Heart-Healthy procedures, standards, security measures, and organizational policies are implemented by qualified personnel.The HIPAA Security districtThe HIPAA Security Rule establishes national standards to protect individuals electronic personal wellness information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HSS.gov ).NIST ensures that the CIA (Confidentiality, Integrity, and Availability) of any electronic personal health information (EPHI) information that is maintained, received or transmitted is protect ed from potential threats and hazards that could potentially affect the integrity of the ePHI information. NIST also provides fortress against the accidental or intentional exposure of private information.Heart-Healthy understands that information security core protecting their information from unauthorized disclosure, access and any disruptions. Heart-Healthy understands the oddment in protecting their sensitive data lies primarily in their approach. Heart-Healthy has taken precautions to prevent accidental or intentional exposure to electronic private health information. Heart-Healthy feels confident that these policies put forth will help eliminate unauthorized access to Heart-Healthys information systems. Heart-Healthys technical security policies will help ensure that end users are responsible for their information. Technical policies will also serve to protect end users from accidental exposure by providing adequate protection to end users passwords and confidential data.He art-Healthy will provide annual planning on their new policies, in order to ensure end users are aware of security risks and that end users will ultimately be accountable for their personal security awareness. Heart-Healthy personnel will ultimately be responsible for the management of their information resources and will be held accountable for their actions in relation to their information security. All access to Heart-Healthy information resources are for authorized business purposes only. Heart-Healthy will not provide access to or guarantee access to email, web browsing. Heart-Healthy will monitor all electronic communications that might be needed in order to fulfill a complaint or any investigatory requirements. Heart-Healthy understands that if any confidential information is breached or falls into the men of a competitor or a hacker that the consequences could be devastating.Referencesmailchip.com. (2012). 3 Billion Passwords Per Second. Are Complex PasswordsEnough Anymore ?. Retrieved from http//blog.mailchimp.com/3-billion-passwords-per-second-are-complex-passwords-enough-anymore/ nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http//www.nist.gov/director/oism/itsd/policy_accnuse.cfm hss.gov. (). Health Information Privacy. Retrieved from http//www.hhs.gov/ocr/ silence/index.html hss.gov. (). Health Information Privacy. Retrieved from http//www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html nist.gov. (). Guide to Enterprise Password Management. Retrieved from http//csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf