Tft2 Task 1

In: Computers and Technology

Submitted By labanch
Words 627
Pages 3
The current new user security policy for Heart-Healthy Insurance states the following:
“New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
The following changes are based upon PCI-DSS compliance requirements:
1. Usage policies must be developed for critical technologies and defined for proper use of these technologies (PCI DSS 12.3).
With this first policy, the organization will prohibit or allow the use of equipment and/or accounts depending on the access each individual is permitted.

2. Explicit approval by authorized parties (PCI DSS 12.3.1).
This policy requires explicit approval by management, matched to the business need. Granting access only to individually approved personnel keeps critical systems in a secured environment.

3. Authentication for use of the technology (PCI DSS 12.3.2).
Personnel will authenticate with passwords before using the specific technology they have been granted access to. This will hinder any individual who is trying to breach the environment and gain access to critical information.

4. Automatic disconnect of sessions after a specific period of inactivity (PCI-DSS 12.3.7).
Users must log out if they plan to step away from their accounts and/or devices. Automatic log-off will stop any individual who is trying to gain access to the system without authorization.

5. Administer user accounts, including additions, deletions, and modifications (PCI-DSS 12.5.4).
User accounts will be administered by the appropriate personnel. This responsibility will ensure that every person in the organization has the correct information along with the correct level of access.

6. Educate personnel upon hire and at least annually (PCI-DSS 12.6.1).
Security…...
