Company Security Policy

The most common threat in a networked system is unauthorized access to information and computer resources. This may cause a loss of confidentiality, integrity, and availability of information technology assets. To ensure business endurance and minimize potential damage, companies need to establish a computer-based access control (so-called logical access control) to protect their proprietary information from intentional or accidental disclosure, modification, erasure, or copying, as well as their IT resources from misuse. This control provides an organization with the ability to restrict, monitor, and protect the confidentiality, integrity, and availability of these resources.     

Another most common threat is data leakage and how it can impact an organization. Because more forms of communication are being utilized within organizations, such as Instant Messaging; VOIP; etc, beyond traditional email, more avenues for data leakage have emerged.

This document provides details about security policy and strategy for the identified risks from the Community Health Care system such as data leakage and unauthorized disclosure of information,. The details of real-world security breaches, security policies, recommended implementation plans, and other details are explained in this document.

Introduction

In these days of seemingly daily reports of data breaches, the danger lies in the potential for contentment in those charged with overseeing the design, implementation, and maintenance of cyber-security measures to protect data that healthcare companies collect from their patients. In other words, those responsible for corporate leadership and governance in the area of cybersecurity will become passively resigned to the perceived “inevitability” of a data breach, instead of systematically and systemically reviewing and transforming the company’s cultural approach to cybersecurity and risk management

For example, in this case, if cybersecurity had been deep-rooted as a dominant priority in the development, maintenance, and security teams at Community Heath system, a “test” server would never have been loaded with valuable VPN credentials without the corresponding cyber-security features to prevent unauthorized access if the server was ever connected to the Internet. If this is in fact how the data breaches occurred, this was an utterly foreseeable occurrence that could have been easily anticipated and guarded against.

Unauthorized Disclosure of Information:[1]

Disclosure of confidential, sensitive information can result in loss of trustworthiness, reputation, market share, and economical advantage.

Risk Assessment:[2]

The risk system security breach is the unauthorized disclosure of information through weak access controls and a lack of patch management.

Threat Identification

Hackers gain control through weak access controls & outdated/weak Cryptographic library to inject malicious code to expose the sensitive data.

Vulnerability Identification

Weak access controls and outdated cryptographic libraries were in place.

Likelihood Determination and Impact Analysis

As per Likelihood analysis, it is measured high likelihood because hackers are highly motivated and sufficiently skilled, and there are also weak access controls due to the outdated cryptographic library used. As per Impact analysis, it is measured high impact because vulnerable servers are connected to the Internet without hardening & latest patches and also weak crypto libraries in place. Hence it may lead to unauthorized disclosure of information

Risk Mitigation Strategy[3]

Deliver high-level data security and ensure that there is no unauthorized disclosure of information incident will happen in any organization by achieving the risk mitigation strategies to protect the data against external or internal threats.

To achieve this organizational goal, a management security framework shall be time-honored to initiate and control the implementation of information security across the organization, which will provide clear direction and perceptible support on matters of information security.  The following are the mitigation strategies for “Unauthorized Disclosure of Information” Risk through Internal/External threats.

Security Policy and Controls Strategies[4]

The scope of this policy is appropriate to all Information Technology (IT) resources owned or operated by any Organization. All users (employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy. The intention of this policy to establish an access control capability throughout the organization and its commerce units to help the organization implement security best practices concerning logical security, account management, and remote access.

Access Control

The following subsets outline the Access Control principles that constitute Organization policy.  Each System is then assured to this policy, and must develop or adhere to a program plan which establishes compliance with the policy related the standards documented that all system should follow: 

Identify account types (i.e., individual, group, system, application, guest/anonymous, and temporary).

Least Privilege:  All Systems must employ the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users), which are necessary to accomplish assigned tasks in agreement with organizational missions and business functions

Session Lock:  All Systems must prevent further access to the information asset by initiating a session lock after 60 minutes of inactivity or upon receiving a request from a user.  Besides, Systems must retain the session lock until the user reestablishes access using established identification and authentication procedures. 

Controls Strategies

As follows:

Malicious code and Virus Protection

The following requirements shall be followed to at all times to ensure the protection of the information technology resources:

 Prevention and Detection

 Response and Recovery

Patch Management Control

Workstations and servers owned by organizations must have up-to-date operating system/ software security patches installed to protect the asset from known vulnerabilities.  This includes all laptops, desktops, and servers owned and managed by the organization. 

Risk 2: Data Leakage

Due to the leakage of data in the community health care system, the following implications are identified.

Implications

Risk Mitigation Strategy

To protect the system from the risk of “Data Leakage”, the risk assessment is a continuous process in the system development cycle and continuous discovery of risk and improvement of risk mitigation strategies are vital for a safer environment. We cannot eliminate the risk, but we apply the mitigation strategies to reduce the risk in advance to minimize the risk. The organization‘s security governance, guidelines, policies enable the business to sustain itself in the uncertain business world.

These are the risk mitigation strategies to mitigate the risk of “Data Leakage”.

Control Strategies[5]

Firewall Management

Patch Management:

Change Management:

Software development life cycle

Conclusion

Companies are increasingly dependent on computer/network technology for improving the efficiency and productivity of their business to continue and prosper in today’s competitive world. It is a business essential and occasionally is a legal requirement to protect their trademarked information against the threats of unauthorized disclosure and data leakage. Companies may undergo financial and efficiency losses, as well as the loss of reputation due to extensive internal and/or external security threats. A properly implemented logical access control, patch management, Firewall, OS hardening, version and change management provides for the safeguarding of assets against threats, ensures business continuity, minimizes potential damages, and maximizes the return on investment.

FAQs:

Who can access data?

Where sensitive data is stored & protected?

How can be data protected?

How do you verify that controls and policies are working?

References:

  1. http://arstechnica.com/security/2014/08/hackers-steal-records-on-4-5-million-patients-from-   healthcare-system/
  2. http://www.csoonline.com/article/2466084/data-protection/community-health-systems-blames-china-for-recent-data-breach.html
  3. http://www.giac.org/paper/gsec/3161/unauthorized-access-threats-risk-control/105264
  4. http://heartbleed.com/
  5. https://www.owasp.org
  6. http://www.nist.gov

  • [1] https://ist.mit.edu/security/data_risks
  • [2]https://www.manageengine.com/products/netflow/healthcare_it_risk_mitigation.html
  • [3] Idib.
  • [4]http://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Information_Security_and_Risk_Management
  • [5]http://arstechnica.com/security/2014/08/hackers-steal-records-on-4-5-million-patients-from-healthcare-system/

Leave a Reply

Your email address will not be published. Required fields are marked *