During a routine audit of the electronic health record system, a security breach was discovered. The lack of a log retention, log audit, or remote access policy contributed to the unauthorized access.
* Log retention policy statement: The intent of this policy statement is to provide the organization guidance on information systems security log retention. Log rotation will be conducted on a daily basis with rotated logs stored on a shared network resource. Daily backups of the rotated logs will be conducted. The backups will be retained for 12 months locally with a weekly copy stored offsite.
* Log auditing policy statement: The intent of this policy statement is to provide the organization guidance on information systems security log auditing. The purpose of routine log review is to identify possible security incidents, potential operational problems, or policy violations. Security logs will be reviewed daily. Careful attention will be paid to events pertaining to account creation and account modification.
* Remote access policy statement: The intent of this policy statement is to provide the organization guidance on information systems remote access. Due to the sensitive nature of the information stored on the electronic health record system, remote access needs to be better secured and controlled. Two-factor authentication will be used when accessing network resources remotely. Additionally, role-based access will be used to determine which resources may be accessed remotely.
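The daily review called for in the log auditing statement can be partly automated. The following is an added example (not part of the original assignment or any referenced standard) that scans a constructed day's worth of Linux auth-log lines for account creation and modification events and flags those that occur outside business hours or that grant administrative group membership; the hostnames, user names and log lines are all invented for the illustration.

```python
import re

# Constructed sample of one day's Linux auth log in syslog format (not real data).
SAMPLE_LOG = """\
May 28 02:14:07 ehr-db useradd[2311]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
May 28 02:14:30 ehr-db usermod[2319]: add 'svc_backup' to group 'sudo'
May 28 09:02:11 ehr-app sshd[4410]: Accepted publickey for nurse01 from 10.0.5.21 port 51022 ssh2
May 28 09:15:43 ehr-app passwd[4501]: pam_unix(passwd:chpasswd): password changed for nurse01
May 28 23:48:02 ehr-db userdel[7701]: delete user 'tmp_audit'
"""

# Account lifecycle events the policy singles out for daily review.
ACCOUNT_EVENT_PATTERNS = {
    "create": re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[\w.-]+)"),
    "modify": re.compile(r"usermod\[\d+\]: add '(?P<user>[\w.-]+)' to group '(?P<group>[\w-]+)'"),
    "passwd": re.compile(r"passwd\[\d+\]: .*password changed for (?P<user>[\w.-]+)"),
    "delete": re.compile(r"userdel\[\d+\]: delete user '(?P<user>[\w.-]+)'"),
}
SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
ADMIN_GROUPS = {"sudo", "wheel", "root"}

def review_account_events(log_text, business_hours=(7, 19)):
    """Return the account events found in log_text, each with review flags:
    'off-hours' when outside business_hours, 'privilege-grant' when an
    administrative group membership was added."""
    findings = []
    for line in log_text.splitlines():
        head = SYSLOG_PREFIX.match(line)
        if not head:
            continue
        for kind, pattern in ACCOUNT_EVENT_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            hour = int(head.group("ts").split()[2][:2])  # HH from HH:MM:SS
            flags = []
            if not business_hours[0] <= hour < business_hours[1]:
                flags.append("off-hours")
            if kind == "modify" and m.group("group") in ADMIN_GROUPS:
                flags.append("privilege-grant")
            findings.append({"host": head.group("host"), "time": head.group("ts"),
                             "event": kind, "user": m.group("user"), "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in review_account_events(SAMPLE_LOG):
        print(finding)
```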
1. Justify each organizational policy statement on a nationally or internationally recognized standard.
Log Retention: In this scenario the attacker patiently executed his or her plan to gain access over several months, avoiding detection and exploiting the lack of long-term security log retention. The Guide to Computer Security Log Management,
References:
Kent, K. & Souppaya, M. (2006). Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology. Gaithersburg, MD: National Institute of Standards and Technology. Retrieved May 28, 2012, from http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
HIPAA Security Guidance (2006). Retrieved May 28, 2012, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf