Wednesday, July 17, 2019
Heart Healthy Information Security Policy Essay
Due to personnel, policy and system changes, and audits, Heart-Healthy has voluntarily updated their information security policy to be in line with the legally required information security laws and regulations. Presently Heart-Healthy Insurance, a large insurance company, plans to review and make recommendations for an updated information security policy in the areas of:

1. Current New Users Policy

The current new user section of the policy states: "New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager's approval is required to grant administrator access." (Heart-Healthy Insurance Information Security Policy)

2. Current Password Requirements

The current password requirements section of the policy states: "Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset." (Heart-Healthy Insurance Information Security Policy)

Heart Healthy Insurance Information Security Policy and Update

Proposed User Access Policy

The purpose of the User Access Policy is to provide access to Heart-Healthy's network infrastructure and to ensure appropriate access to all of Heart-Healthy's information resources. The purpose of Heart-Healthy's Network Access Policy is to establish the appropriate level of user access to Heart-Healthy's network infrastructure. Heart-Healthy's network access rules are necessary in order to preserve the Confidentiality, Integrity and Availability of Heart-Healthy's proprietary information. Heart-Healthy's Information Security Office will be responsible for the management and administration of Heart-Healthy's information security function(s). Heart-Healthy's Information Security Office will be the central point of contact for any and all security-related functions.

User Access Policy

* Heart-Healthy users will be permitted access based on the principle of least privilege.
* Remote access or dial-in services will be requested by Manager-level positions and up, and approved by the Information Security Department.
* End users are not allowed to re-transmit or extend any of Heart-Healthy's network services, e.g. users will not attach hubs, switches, firewalls or access points to Heart-Healthy's network without prior written authorization.
* Users are not allowed to install any additional hardware or software without the express written consent of the Heart-Healthy information technology department.
* All Heart-Healthy computer systems will conform to corporate standards.
* End users are not allowed to download, install or run any programs that could potentially reveal or undermine Heart-Healthy's in-place security system; e.g. packet sniffers, password crackers or network scanning tools are strictly forbidden.

All Heart-Healthy employees and third-party contractors are responsible for managing their information resources and will be held accountable for any information security violations or infractions.

Current Password Policies and Requirements

Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset (Heart-Healthy Insurance Group Information Security Policy).

NIST Special Publication 800-63

The stronger the password, the more likely that password guessing and cracking will be deterred. The combination of the password's length and its complexity directly relates to its unpredictability. With 8-character complex passwords, with current GPU processing power a password can be broken in less than 26 days by exhausting all possible combinations.

Proposed Password Guidelines

* Passwords should be a minimum of 14 characters.
* Passwords based on dictionary words are prohibited.
* Passwords based on pet names, biographical information, children's names, or names of relatives are prohibited.
* Passwords must consist of a mixture of uppercase, lowercase, and a special character.
* The system will remember the last 12 passwords.
* If passwords are written down, they must be kept in a safe place, e.g. a wallet or a safe. Passwords are not to be written down and taped to the bottom of the keyboard, stuck to the computer monitor with a sticky note, or put in an unlocked desk drawer.
* All passwords will be changed every 90 days.

Proposed Password Policy

The Heart-Healthy password policy guideline is a recommendation for creating a new user password. This policy is a road map to help end users in:

* Choosing and creating a strong password
* Ensuring that passwords are highly resistant to brute-force attacks and password guessing
* Recommendations on how users should maintain and store their passwords safely
* Recommendations on lost or stolen passwords

Password expiration

Password expiration will serve two specific purposes:

* Password expiration will limit the time crackers have to either guess or brute-force a password.
* If a password has been compromised, the password expiration will help to limit the time the cracker / hacker has access to Heart-Healthy's internal networking system.

Heart-Healthy has embarked on a path to bring their information security posture regarding Password Requirements and New Users up to date. Heart-Healthy has used NIST (National Institute of Standards) and HIPAA (Health Insurance Portability and Accountability Act) regulations in order to achieve their goal of providing the CIA (Confidentiality, Integrity, Availability) triad for information security. The federal government has implemented a number of laws and regulations that pertain to the handling, reviewing and access control of private or confidential data. With respect to NIST and HIPAA, although they do not specifically outline the methods in these documents, Heart-Healthy is obligated to make an attempt to implement reasonable standards in order to meet the current legal obligations outlined by these laws and regulations.

Heart-Healthy will focus on three main categories for their security posture: Physical, Technical, and Administrative.

* Physical Security: Heart-Healthy has designed their physical security around protecting computer systems that store confidential data.
* Technical Security: Heart-Healthy has implemented software and security safeguards designed specifically to ensure access is controlled, and that the integrity and the authentication of the stored data remain intact.
* Administrative Security: Heart-Healthy's administrative security ensures that Heart-Healthy procedures, standards, security measures, and organizational policies are implemented by qualified personnel.

The HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (HHS.gov). NIST ensures that the CIA (Confidentiality, Integrity, and Availability) of any electronic personal health information (ePHI) that is maintained, received or transmitted is protected from potential threats and hazards that could potentially affect the integrity of the ePHI. NIST also provides safeguards against the accidental or intentional exposure of private information.

Heart-Healthy understands that information security means protecting their information from unauthorized disclosure, access and any disruptions. Heart-Healthy understands that the difference in protecting their sensitive data lies largely in their approach. Heart-Healthy has taken precautions to prevent accidental or intentional exposure of electronic private health information. Heart-Healthy feels confident that the policies put forth will help eliminate unauthorized access to Heart-Healthy's information systems. Heart-Healthy's technical security policies will help ensure that end users are responsible for their information.
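The password rules stated above are concrete enough to be enforced mechanically: the current policy (eight characters with mixed case, no reuse of the last six passwords, lockout for 15 minutes after more than three failed attempts) and the proposed guidelines (14 characters, a special character, no dictionary words, a 12-password history, 90-day expiry). The Python below is an added example written for this page; it is not part of the essay and not Heart-Healthy's own tooling. The DICTIONARY wordlist is a constructed stand-in for a real list, the PBKDF2 parameters are my choice, and because the proposed guidelines say nothing about lockout the example assumes they keep the current rule. It also reproduces the essay's 26-day figure: exhausting every 8-character password over the 95 printable ASCII characters at the 3 billion guesses per second cited in the references takes about 25.6 days, while 14 characters over the same alphabet takes many orders of magnitude longer.

```python
import hashlib
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for a real wordlist (assumption; a deployment would load a full dictionary).
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}
SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_special: bool
    history_size: int            # how many previous passwords may not be reused
    max_failures: int            # more failures than this lock the account
    lockout_seconds: int
    max_age_days: Optional[int]  # None: passwords never expire
    forbid_dictionary: bool


# The current rules and the proposed guidelines as the essay states them.  The proposed
# guidelines say nothing about lockout, so they are assumed to keep the 3-failure / 15-minute rule.
CURRENT_POLICY = PasswordPolicy(8, False, 6, 3, 15 * 60, None, False)
PROPOSED_POLICY = PasswordPolicy(14, True, 12, 3, 15 * 60, 90, True)

HashEntry = Tuple[bytes, bytes]  # (salt, digest) as kept in the password history


def hash_password(pw: str, salt: Optional[bytes] = None) -> HashEntry:
    """Salted PBKDF2-HMAC-SHA256; the history stores these entries, never the plaintext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_password(pw: str, policy: PasswordPolicy,
                   history: Sequence[HashEntry] = ()) -> List[str]:
    """Return the policy rules a candidate password violates (an empty list means accepted).

    `history` is ordered oldest to newest; only the last `policy.history_size` entries count.
    """
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if policy.require_special and not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if policy.forbid_dictionary and any(word in pw.lower() for word in DICTIONARY):
        problems.append("based on a dictionary word")
    # Re-hash the candidate with each stored salt so the comparison never needs old plaintexts.
    for salt, digest in history[-policy.history_size:]:
        if hash_password(pw, salt)[1] == digest:
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def record_login_attempt(state: AccountState, correct: bool,
                         policy: PasswordPolicy, now: float) -> bool:
    """Apply the lockout rule to one login attempt; True if the login is accepted."""
    if now < state.locked_until:
        return False  # still locked out: reject even a correct password
    if correct:
        state.consecutive_failures = 0
        return True
    state.consecutive_failures += 1
    if state.consecutive_failures > policy.max_failures:
        state.locked_until = now + policy.lockout_seconds
        state.consecutive_failures = 0  # a fresh count starts once the lock expires
    return False


def password_expired(set_at: float, policy: PasswordPolicy, now: float) -> bool:
    """Expiry check for the proposed 90-day rotation (the current policy has none)."""
    return policy.max_age_days is not None and now - set_at >= policy.max_age_days * 86400


def exhaustive_search_days(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case days needed to try every password of this length at the given guess rate."""
    return alphabet_size ** length / guesses_per_second / 86400


if __name__ == "__main__":
    for candidate in ("Passw0rd", "Welcome2Summer!!", "Tr4in-Pelican-Zebra!"):
        print(candidate, "current:", check_password(candidate, CURRENT_POLICY) or "ok",
              "| proposed:", check_password(candidate, PROPOSED_POLICY) or "ok")
    print(f"8 chars over 95 symbols at 3e9/s: {exhaustive_search_days(8, 95, 3e9):.1f} days")
    print(f"14 chars over 95 symbols at 3e9/s: {exhaustive_search_days(14, 95, 3e9):.3g} days")
```

Two design points worth noting: the history check stores only salted PBKDF2 digests and re-hashes the candidate under each stored salt, so enforcing "no reuse of the last N passwords" never requires keeping old passwords in clear; and the lockout counter is reset when the lock is applied, so a user who waits out the 15 minutes starts with a clean count rather than being locked again on the next single mistake.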
Technical policies will also serve to protect end users from accidental exposure by providing adequate protection to end users' passwords and confidential data.

Heart-Healthy will provide annual training on their new policies, in order to ensure end users are aware of security risks and that end users will ultimately be accountable for their personal security awareness. Heart-Healthy personnel will ultimately be responsible for the management of their information resources and will be held accountable for their actions in relation to their information security. All access to Heart-Healthy information resources is for authorized business purposes only. Heart-Healthy will not provide access to or guarantee access to email or web browsing. Heart-Healthy will monitor all electronic communications that might be needed in order to fulfill a complaint or any investigatory requirements. Heart-Healthy understands that if any confidential information is breached or falls into the hands of a competitor or a hacker, the consequences could be devastating.

References

mailchimp.com. (2012). 3 Billion Passwords Per Second. Are Complex Passwords Enough Anymore? Retrieved from http://blog.mailchimp.com/3-billion-passwords-per-second-are-complex-passwords-enough-anymore/
nist.gov. (2011). NIST Policy on Information Technology Resources Access and Use. Retrieved from http://www.nist.gov/director/oism/itsd/policy_accnuse.cfm
hhs.gov. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/index.html
hhs.gov. (n.d.). Health Information Privacy: The Security Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
nist.gov. (n.d.). Guide to Enterprise Password Management (Draft SP 800-118). Retrieved from http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf