Information security policy – white paper

Katix Dental (the business, the organization) has grown substantially in the last few years. Our existing computer system has become slow and can no longer support the business and its goals, so the decision has been made to expand the IT infrastructure and build a new system. The business has contracted an outside vendor to build an internal data and customer management application. This application (the business management software) will track and manage customer data and billing and will schedule appointments. It will also hold staff and customer protected health information (PHI) together with appointments, schedules, payments, balances, fees and other business records. To keep customer data secure, keep internal communications safe, and comply with local, state and federal laws and regulations, including HIPAA, the following database / IT security plan and requirements definition document has been established (1). All employees must follow these guidelines and protect customer data; compliance is a condition of staying in business. A breach of customer data can cost thousands of dollars and put the business at risk.

Database Access: Authorities and Responsibilities

The organization owner is the sole 'Owner' of the IT system and retains that ownership until the organization is transferred to another entity. The database system will be managed and maintained by a database administrator (DB admin), who is responsible for the set-up, configuration, security and maintenance of the database. The DB admin will implement the existing information security guidelines and standards, including the C.I.A. triad model of confidentiality, integrity and availability; as a security model the triad is used to identify possible problems in a database system and find appropriate information security solutions. One more position, IT support, has been identified to work with the DB admin to support, collaborate on and resolve system issues, whether found by audits or reported by users across the company. These two positions (DB admin and IT support) constitute the IT Services department and are responsible for overall system maintenance and security. IT support will coordinate database activities with the DB admin, assist with all IT and database related issues, and ensure the business is not affected by downtime or slow system performance. The following architecture, operating system, equipment and software requirements have been established to ensure data and application security for the organization, its clients and its employees.

System Backend

-          Microsoft SQL Server 2008 – the database server and information platform that will hold all application data. It must be installed at a supported service pack level, kept current with Microsoft security patches, and run under a low-privilege service account. Extended support for SQL Server 2008 and 2008 R2 ended in July 2019, so an installation still on this version is unsupported and must be upgraded.

-          Internet Information Services 7 (IIS 7.0) on Windows Server 2008 – the web server that hosts the intranet application. Only the application site and the IIS modules it needs are to be installed, and the server must be patched together with the operating system. Extended support for Windows Server 2008 and 2008 R2 ended in January 2020, so the same upgrade requirement applies.

Application/System Access

-          Owner – administrator rights on all supported applications and the database.

-          DB Admin – database configuration, set-up and maintenance. The DB admin must use Windows (NT) groups to control and administer database privileges rather than granting rights to individual accounts.

-          DB/IT/Application Services – sets up and maintains user accounts, troubleshoots and resolves application and database issues, and handles password reset requests. IT services will also maintain the list of domain names blocked from the system so users cannot reach those web sites; these may include social media, video and other offensive or harmful sites.

Our business handles sensitive customer data, and protecting that information is everyone's priority. All employees, including application and database users, will follow standard industry guidelines and best practices (an information security packet is provided to all new employees during the first week of training) to ensure information security. Staff are required to report any compromise or breach of a username and/or password to IT services immediately, even if they only suspect their username/password has been compromised by any means. The business cannot take any chances with a security breach. IT can reset and/or disable the account in question to prevent any violation and ensure the system is secure.

When application, network or database issues occur, users must report these incidents to the IT services email box. The inbox will be monitored by IT service personnel; issues will be logged and tracked, and users notified of the status. Users can also send a 'Status' email to get an update on the ticket they submitted. Depending on the issue, a 48 hour turn-around time is reasonable for IT related issues submitted by users (2). Database issues, including performance and system slowness, will be escalated to the DB admin. To ensure database performance and security, the DB admin will set up daily tasks. As part of the daily database management and data security policies, the database admin and/or IT services must follow established industry standards and keep up to date with the latest database news and security patches. The following tasks must be part of the daily database maintenance routine:

Database Admin daily tasks:

-          Monitor free space in the database – SQL Server can grow its data and log files automatically, but only while the disk has room. The DB admin must check file free space and disk free space daily.

-          Check the SQL Server error log, Windows event logs and trace files – 'alert log' and 'listener log' are Oracle terms; the SQL Server equivalents are the error log, the Windows Application and Security event logs and the default trace. All of them must be reviewed daily to ensure data availability, confidentiality and integrity.

-          Check backups – an automatic nightly database backup must be scheduled and its success verified every morning. An off-site copy must also be planned.

-          Check user sessions and clear dead sessions – the application may leave idle or orphaned sessions and their locks behind. The DB admin must identify these and end them.

-          Analyze performance – database performance must be monitored so that user and application requests do not suffer slow or delayed responses.
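The T-SQL below is an added example of turning that checklist into a script the DB admin runs each morning on SQL Server 2008; it is not part of the vendor's documentation. The two-hour idle threshold and the one-day backup window are assumptions, and the idle-session query only lists candidates; the DB admin decides which to KILL.

```sql
-- Daily DBA checks for SQL Server 2008 (added example; thresholds are assumptions).
-- Run in the application database; queries 2, 3 and 5 are instance-wide.

-- 1. Free space inside each data and log file (size and SpaceUsed are in 8 KB pages).
SELECT  DB_NAME()            AS database_name,
        name                 AS logical_name,
        physical_name,
        size / 128.0         AS size_mb,
        size / 128.0
          - CAST(FILEPROPERTY(name, 'SpaceUsed') AS int) / 128.0 AS free_in_file_mb
FROM    sys.database_files;

-- Free space on the volumes behind those files (MB free per drive letter).
EXEC master..xp_fixeddrives;

-- 2. Error log: current log (0), SQL Server log type (1), lines containing a search string.
EXEC master..xp_readerrorlog 0, 1, N'Error:';
EXEC master..xp_readerrorlog 0, 1, N'Login failed';

-- 3. Last full ('D') and log ('L') backup per user database; anything older than a day
--    means last night's job did not finish.
SELECT  d.name,
        MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
        MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup
FROM    sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name
WHERE   d.database_id > 4                       -- skip master, tempdb, model, msdb
GROUP BY d.name;

-- 4. Sleeping user sessions idle for two hours (assumed threshold). open_transactions > 0
--    means the session still holds locks; KILL <session_id> rolls that transaction back.
SELECT  s.session_id, s.login_name, s.host_name, s.program_name, s.last_request_end_time,
        (SELECT COUNT(*) FROM sys.dm_tran_session_transactions t
          WHERE t.session_id = s.session_id)    AS open_transactions
FROM    sys.dm_exec_sessions s
WHERE   s.is_user_process = 1
  AND   s.status = 'sleeping'
  AND   s.last_request_end_time < DATEADD(hour, -2, GETDATE());

-- 5. Performance: requests currently blocked by another session, with the blocked statement.
SELECT  r.session_id, r.blocking_session_id, r.wait_type, r.wait_time AS wait_ms,
        t.text AS blocked_statement
FROM    sys.dm_exec_requests r
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) t
WHERE   r.blocking_session_id <> 0;
```

Queries 3 and 4 are the ones worth alerting on rather than reading by eye: a missing backup row or an idle session holding an open transaction is exactly the condition the checklist exists to catch.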

The in-house computer network will run as a client-server system. The application will be accessible through the intranet site, supported by the backend database and application servers. The system is hosted in-house on the intranet only, with no connections or ports open to the internet. Employees will have access to the internet, but only certain web sites will be permitted. Personal use of the internet must be kept to a minimum and manager approval may be required for certain activities. All user activity is logged and audited. Use of social network and video sites is strictly prohibited. To ensure data and network security, use of company resources for personal online activities must remain limited (5).

NT Groups

To make access rights and privileges for the application and the database easier to manage, Windows NT groups let us group users together and assign rights to the group. To keep access limited to a small number of users, the IT services department, in collaboration with the DB admin, will create two NT groups that determine the access role to the application and the database (6). The DB admin will determine group roles based on the job function of the users. General application users will not have direct access to the database. IT services is the only group with direct access to the database, used to perform audits, security and performance monitoring, and other troubleshooting activities. IT services determines who may have database access, based on business need.

General (application) user group: This group has application-role access only. It is set up in the application configuration, and the application uses it to access the database for daily activities such as creating tasks for doctors, creating appointments, updating records and other application functions. Accounts in this group must not be shared with anyone and have no direct access to the database.

IT user group: This group has direct access to the database and application server. It has read and write access to the database and is assigned primarily to IT services personnel for troubleshooting and issue resolution.

All application users shall receive a Windows 7 desktop computer with Microsoft .NET Framework 4.0, MS Office 2010 and access to the company's intranet site. The business management software is web based and accessible through the intranet for all business users. New employees/users must be added to the designated NT group to get access to the application. The new computer and application access will be provided upon completion of the week-long training class. IT services shall create the userid/password and add the account to the General NT group. Upon completion of the user set-up, IT services will send login instructions along with other related IT information to the user's email address. The user can then log in to the application and let IT services know of any issues.

Passwords

Given enough time and computing power, an attacker who obtains a copy of a credential store can crack weak passwords offline, so we are determined to make cracking user passwords as difficult as possible. During the first week of training, new employees will be educated on general company policy and procedures, including password creation and maintenance. Windows Server account policies enforce strong passwords for every domain account, so the rules below are applied centrally through Group Policy (Minimum password length, Password must meet complexity requirements, Maximum password age, Enforce password history and Account lockout threshold) rather than left to each user. IT services shall enforce the following password policy for all internal users, as set forth by the company and widely used in the industry (4).

-          Use passwords at least eight characters long that include upper-case, lower-case, numeric and special characters.

-          Pick a password you can remember without writing it down (covered in the security policy training).

-          Change passwords every three months. The application will prompt users to change their password and will give two weeks' advance notice, so the password can be changed before the expiration date.

-          Maintain a password history so previous passwords cannot be re-used.

-          Lock the account after three failed logins. A locked-out user must contact IT services to have the account unlocked.

The application vendor has provided full documentation on the application and database set-up and configuration and on the logging tools built specifically for the application. The application has no direct access to the internet: no port or connection is open from the database or application to the internet, the application cannot be reached through an outside link, and it is hosted on the internal IIS server. The application will use the NT general group (created by IT services) to connect to the database with read and write rights. The application accesses database views, not the base tables. The views are created from the base tables during application installation and set-up, and per the application documentation only the relevant columns are exposed in each view. A standard view is a stored query that is evaluated each time it is read, so it always reflects the current contents of the base tables; no nightly stored procedure is needed to refresh it (only an indexed view or a separately maintained reporting table would need a scheduled refresh). The application creates multiple application-specific views over the table data, which lets the database support several application instances. For example, the users table holds userid, username, password, employee name, address, employee number and other related information, but the users view exposes only userid, username and password so that users/employees can log in to the application. The password column itself must hold a salted hash, never the plaintext password, so that a copy of the view or the table does not yield working credentials.
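The following T-SQL is an added example, not the vendor's installation script, of the access model described in this section and in the NT Groups section on SQL Server 2008: the two Windows groups become logins and database users, the base tables live in a schema the application role is explicitly denied, and the application reads a login view that exposes only the columns listed above. The domain and group names (KATIX\AppUsers, KATIX\ITServices), the database name BusinessMgmt and the schema names hr and app are assumptions, and the view carries a salted password hash rather than the password itself.

```sql
-- Added example; names below are assumptions, not the vendor's objects.
USE master;
GO
CREATE LOGIN [KATIX\AppUsers]   FROM WINDOWS;   -- general (application) user group
CREATE LOGIN [KATIX\ITServices] FROM WINDOWS;   -- IT user group
GO
USE BusinessMgmt;
GO
CREATE USER [KATIX\AppUsers]   FOR LOGIN [KATIX\AppUsers];
CREATE USER [KATIX\ITServices] FOR LOGIN [KATIX\ITServices];
GO
CREATE SCHEMA hr;    -- base tables: never granted to the application role
GO
CREATE SCHEMA app;   -- views: the only objects the application touches
GO
CREATE TABLE hr.users (
    userid          int IDENTITY(1,1) PRIMARY KEY,
    username        nvarchar(64)  NOT NULL UNIQUE,
    password_salt   varbinary(16) NOT NULL,   -- per-user random salt
    password_hash   varbinary(32) NOT NULL,   -- salted hash computed by the application; never the plaintext
    employee_name   nvarchar(128) NOT NULL,
    address         nvarchar(256) NULL,
    employee_number int           NOT NULL
);
GO
-- Login view: only what the application needs to verify a login. Name, address and
-- employee number stay in the base table.
CREATE VIEW app.users_login AS
SELECT userid, username, password_salt, password_hash
FROM   hr.users;
GO
-- Application role: SELECT on the view, explicit DENY on the whole base schema.
-- app.users_login and hr.users share an owner (dbo), so ownership chaining lets the
-- view read the table without checking hr.users permissions; a direct SELECT on
-- hr.users by a member of this role is denied.
CREATE ROLE app_user;
GRANT SELECT ON app.users_login TO app_user;
-- repeat GRANT SELECT/INSERT/UPDATE on the other app.* views (appointments, billing)
-- the vendor documents
DENY  SELECT, INSERT, UPDATE, DELETE ON SCHEMA::hr TO app_user;
EXEC sp_addrolemember 'app_user', 'KATIX\AppUsers';   -- ALTER ROLE ... ADD MEMBER is 2012+
GO
-- IT group: read and write on the whole database for troubleshooting, as the policy states.
EXEC sp_addrolemember 'db_datareader', 'KATIX\ITServices';
EXEC sp_addrolemember 'db_datawriter', 'KATIX\ITServices';
GO
-- Check, connected as a member of KATIX\AppUsers (a group itself cannot be impersonated):
--   SELECT * FROM app.users_login;   -- succeeds
--   SELECT * FROM hr.users;          -- fails: The SELECT permission was denied
```

The DENY on the schema is what makes the "views only" rule enforceable rather than a convention: even if a future vendor release or a curious IT member adds a grant on an hr table, DENY takes precedence for direct access by the application group, while the view keeps working through the ownership chain.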

The database admin shall use the built-in SQL Server Audit object to collect and analyze user actions and groups of actions (8). The database must be set up to log all application and user activity, including successful logins, for analysis. These audit files shall be collected and archived across the organization for ad-hoc and scheduled audits. The DB admin shall make any changes to the database needed to improve performance and enhance security. Audit logs must be kept for a period of one year unless otherwise specified. Database audits must be scheduled for quarterly review. When a database, userid/password or application breach is reported, an ad-hoc audit must take place to trace and track down the source of the breach.
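The following T-SQL is an added example, not the vendor's configuration, of a SQL Server Audit that covers what this section asks for, followed by the two queries an ad-hoc breach investigation starts with. The audit name, file path, database and schema names and the investigated account are assumptions. In SQL Server 2008 and 2008 R2 the Audit feature is available only in Enterprise, Developer and Evaluation editions, so the licensed edition must be confirmed before the policy relies on it.

```sql
-- Added example; KatixAudit, D:\SQLAudit\, BusinessMgmt, schema hr and KATIX\jdoe are assumptions.
USE master;
GO
-- Audit target: a folder the service account can write and only IT can read.
-- ON_FAILURE = SHUTDOWN would stop the instance if the audit cannot be written; CONTINUE
-- keeps the practice running and is the trade-off chosen here.
CREATE SERVER AUDIT KatixAudit
TO FILE ( FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = UNLIMITED )
WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
GO
-- Instance-level events: every login, successful or not, plus changes to server roles
-- and to the audit itself (so disabling the audit is itself recorded).
CREATE SERVER AUDIT SPECIFICATION KatixServerSpec
FOR SERVER AUDIT KatixAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT KatixAudit WITH (STATE = ON);
GO
USE BusinessMgmt;
GO
-- Database-level events: every read or write of the PHI tables by any principal,
-- plus permission, role-membership and schema changes.
CREATE DATABASE AUDIT SPECIFICATION KatixDbSpec
FOR SERVER AUDIT KatixAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::hr BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Ad-hoc audit after a reported breach, step 1: failed logins in the last 24 hours.
-- event_time in audit files is UTC; action_id LGIF = login failed, LGIS = login succeeded.
SELECT event_time, action_id, succeeded, server_principal_name, database_name, object_name, statement
FROM   sys.fn_get_audit_file('D:\SQLAudit\KatixAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE  action_id = 'LGIF'
  AND  event_time > DATEADD(day, -1, GETUTCDATE())
ORDER BY event_time DESC;

-- Step 2: everything the reported account did, in order, including the statements it ran.
SELECT event_time, action_id, succeeded, database_name, schema_name, object_name, statement
FROM   sys.fn_get_audit_file('D:\SQLAudit\KatixAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE  server_principal_name = N'KATIX\jdoe'
ORDER BY event_time;
```

The one-year retention in the policy applies to the .sqlaudit files themselves: MAX_ROLLOVER_FILES = UNLIMITED means SQL Server never deletes them, so the weekly off-line copy and the deletion after a year are jobs for IT services, not for the audit.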

The database and application servers are housed in the IT department room, which can only be reached through the manager's office. The manager's office is accessible only through a security-card-controlled door and is locked at night. The room's cooling and humidity control is newly built on an independent AC system (not connected to the main building system), with a return-air design point of 72°F (±2°F) and 45% (±5%) relative humidity (9). To enter the room, IT services employees must swipe their designated security cards first at the manager's office and then at the server room. Only IT services and the owner may enter the server room. Other employees have no access to the room and are not allowed to enter it for any reason.

All database server activity, including log files and the application databases, must be backed up nightly. The nightly backup will start at 12 midnight (local time) and run until complete, and its success must be verified. Backup files must be copied to off-line storage media and moved to a remote location weekly. In case of a disaster, for example a fire or flood that destroys the original data, room or facility, the backup files at the remote location are unaffected, enabling the organization to recover and be back in business within a reasonable time. Off-line storage also increases information security: the media are physically inaccessible from any computer and from the internet, so their confidentiality and integrity cannot be affected by a network attack (10). The same media, however, contain the same PHI as the live database, so they must be encrypted, inventoried and signed for whenever they leave the server room.
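The following T-SQL is an added example, not the vendor's backup job, of the nightly backup with verification, the log backups that make point-in-time recovery possible, and the restore drill that proves the off-site copy is usable. Database, path and logical file names are assumptions. SQL Server 2008 has no native backup encryption (that arrived in SQL Server 2014), so media leaving the building must be encrypted at the file or device level, or the database must use Transparent Data Encryption (Enterprise edition), which also encrypts its backups.

```sql
-- Added example; BusinessMgmt, E:\Backups\ and the logical file names are assumptions.
-- Log backups require the FULL recovery model; under SIMPLE the log cannot be backed up.
ALTER DATABASE BusinessMgmt SET RECOVERY FULL;
GO
-- Nightly full backup, scheduled at 00:00 by a SQL Server Agent job.
-- INIT overwrites that day's file; CHECKSUM records page checksums so corruption that is
-- already on disk is reported at backup time, not discovered during a restore.
DECLARE @full nvarchar(260) =
    N'E:\Backups\BusinessMgmt_' + CONVERT(nvarchar(8), GETDATE(), 112) + N'.bak';
BACKUP DATABASE BusinessMgmt TO DISK = @full WITH INIT, CHECKSUM, STATS = 10;
-- A backup that does not verify is not a backup: fail the job if this raises an error.
RESTORE VERIFYONLY FROM DISK = @full WITH CHECKSUM;
GO
-- Transaction log backup, run every 30 minutes by a second Agent job. The chain of log
-- backups allows a restore to any point in the day rather than only to last midnight.
DECLARE @log nvarchar(260) =
    N'E:\Backups\BusinessMgmt_' + CONVERT(nvarchar(8), GETDATE(), 112)
    + REPLACE(CONVERT(nvarchar(8), GETDATE(), 108), ':', '') + N'.trn';
BACKUP LOG BusinessMgmt TO DISK = @log WITH CHECKSUM;
GO
-- System databases go on the same media: master holds the logins and the server audit,
-- msdb holds the Agent jobs and backup history.
BACKUP DATABASE master TO DISK = N'E:\Backups\master.bak' WITH INIT, CHECKSUM;
BACKUP DATABASE msdb   TO DISK = N'E:\Backups\msdb.bak'   WITH INIT, CHECKSUM;
GO
-- Restore drill, run on a test instance from the off-site media (never on production):
-- full backup with NORECOVERY, then the log chain, stopping at a chosen time.
-- Dates, file names and STOPAT below are illustrative only.
-- RESTORE DATABASE BusinessMgmt_test
--     FROM DISK = N'E:\Restore\BusinessMgmt_20240101.bak'
--     WITH MOVE 'BusinessMgmt'     TO N'E:\Restore\BusinessMgmt_test.mdf',
--          MOVE 'BusinessMgmt_log' TO N'E:\Restore\BusinessMgmt_test.ldf',
--          NORECOVERY, CHECKSUM;
-- RESTORE LOG BusinessMgmt_test
--     FROM DISK = N'E:\Restore\BusinessMgmt_20240101143000.trn'
--     WITH STOPAT = '2024-01-01 14:15:00', RECOVERY;
```

The verify step and the restore drill are the two checks the policy's "back to business in reasonable time" depends on; a nightly job that writes a file nobody has ever restored gives no evidence that recovery will work.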

In the last few years the business has grown from five employees to more than twenty. As we have expanded, new infrastructure, systems, applications and policies have become necessary. The business has decided to renew the entire IT system with new computers, servers and a business management application. Along with the new system we have also renewed our policies and procedures, which all employees must follow and abide by. We want to ensure our customers' information is secure and safe. The company has contracted an outside vendor to develop the new application, which requires backend database and application servers. Along with the new system there is a need for an IT services department, which will be in charge of database security, set-up, configuration and user roles and responsibilities. We have built a new office space specifically to house the new system. Access to that room is limited to the group of employees who have a legitimate business need to be in it; all other visits must be cleared by management and must have a business need.

We have selected the widely recommended Microsoft SQL Server 2008 and Windows IIS 7.0 web server, which will host the application in house. The new system will be supported by the IT services department, which will troubleshoot and resolve all user issues, including any security breaches. New employees are given a new username/password along with their new computer. IT services will set up their accounts and email them the relevant information and login instructions. All users are required to report any security incident, including misplaced or lost userids/passwords. IT services will take immediate action to remedy the incident and ensure data and information security.

References

  1. http://www.hhs.gov/ocr/privacy/
  2. http://www.symas.com/blog/?page_id=66
  3. https://www.microsoft.com/sqlserver/en/us/product-info/why-sql-server.aspx
  4. https://www.sans.org/security-resources/policies/Password_Policy.pdf
  5. http://boeing.com/companyoffices/aboutus/ethics/pro10.pdf
  6. http://msdn.microsoft.com/en-us/library/aa163548%28v=office.10%29.aspx
  7. http://database-programmer.blogspot.com/2009/02/comprehensive-database-security-model.html
  8. http://msdn.microsoft.com/en-us/library/cc280386.aspx
  9. http://www-act.ucsd.edu/blink/svr_rm_stds.pdf
 10. https://en.wikipedia.org/wiki/Computer_data_storage
