Citywide Identity Management Performance Audit

Save this PDF as:
Size: px
Start display at page:

Download "Citywide Identity Management Performance Audit"

Transcription

1 Citywide Identity Management Performance Audit March 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor

2 The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring the proper and efficient use of City resources and providing other audit services and information to City Council, the Mayor and the public to improve all aspects of Denver s government. He also chairs the City s Audit Committee. The Audit Committee is chaired by the Auditor and consists of seven members. The Audit Committee assists the Auditor in his oversight responsibilities of the integrity of the City s finances and operations, including the integrity of the City s financial statements. The Audit Committee is structured in a manner that ensures the independent oversight of City operations, thereby enhancing citizen confidence and avoiding any appearance of a conflict of interest. Audit Committee Dennis Gallagher, Chair Maurice Goodgaine Leslie Mitchell Rudolfo Payan Robert Bishop Jeffrey Hart Timothy O Brien, Vice-Chair Audit Staff Audrey Donovan, Deputy Director, CIA, CRMA, CGAP Robert Pierce, IT Audit Supervisor, CISA, CISSP Shannon Kuhn, Lead IT Auditor, CISA Nicholas Jimroglou, Senior IT Auditor Jacqueline Boline, Senior IT Auditor You can obtain copies of this report by contacting us at: Office of the Auditor 201 West Colfax Avenue, Department 705 Denver CO, (720) Fax (720) Or download and view an electronic copy by visiting our website at:

3 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Avenue, Department 705 Denver, Colorado FAX March 20, 2014 Mr. Frank Daidone, Chief Information Officer Technology Services City and County of Denver Dear Mr. Daidone: Attached is the Auditor s Office Audit Services Division s report of its audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services organizations, the Department of General Services Facilities Management unit, and the Office of Human Resources to manage and monitor access to City systems and data. We tested both physical and logical access to City systems and facilities. For physical access, we focused on the buildings under the control of General Services Facilities Management (GSFM) and the Department of Human Services (DHS). For logical access, we tested all of the networks in use throughout the City. During the course of the audit, we identified that access to all of the buildings tested were not solely administered by GSFM and DHS. As a result, copies of this report will be provided to all agencies where improvements are required. We identified several areas where controls need to be improved related to identity management. Our audit recommendations address processes related to both logical and physical access controls. If implemented, these recommendations will enhance security across the City and help ensure that access to sensitive information is appropriately restricted. If you have any questions, please call Kip Memmott, Director of Audit Services, at Sincerely, Dennis J. Gallagher Auditor rp/dg cc: Honorable Michael Hancock, Mayor Honorable Members of City Council Members of Audit Committee Ms. Cary Kennedy, Deputy Mayor, Chief Financial Officer To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

4 City and County of Denver Dennis J. Gallagher Auditor 201 West Colfax Avenue, Department 705 Denver, Colorado FAX AUDITOR S REPORT We have completed an audit of Citywide Identity Management. The purpose of the audit was to assess the effectiveness of internal controls used by the City to manage and monitor access to City systems and data. In addition to assessing overall City controls, the audit examined identify management practices for the Departments of Aviation, Human Resources, General Services, and Technology Services as well as the Denver County Court. This performance audit is authorized pursuant to the City and County of Denver Charter, Article V, Part 2, Section 1, General Powers and Duties of Auditor, and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit found that the City does not have an adequate identity management governance structure in place to ensure that the risk of inappropriate access to City facilities and systems is mitigated. We found that the lack of consistent processes for granting and revoking physical and logical access has resulted in former employees retaining access to information that is protected by the federal Health Insurance Portability and Accountability Act as well as the Criminal Justice Information System Security Policy. This report makes a number of specific recommendations that will strengthen the governance surrounding these issues and ensure that access to City facilities and systems is appropriate. We extend our appreciation to Technology Services, Denver International Airport Technologies, Denver County Court Technologies, Facilities Management, and the Office of Human Resources and the personnel who assisted and cooperated with us during the audit. Audit Services Division Kip Memmott, MA, CGAP, CRMA Director of Audit Services To promote open, accountable, efficient and effective government by performing impartial reviews and other audit services that provide objective and useful information to improve decision making by management and the people. We will monitor and report on recommendations and progress towards their implementation.

5 City and County of Denver Office of the Auditor Audit Services Division REPORT HIGHLIGHTS Citywide Identity Management Performance Audit March 2014 The audit focused on Citywide identity management of both physical and logical access to systems and data. Background Identity management is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user, within systems. Information can include user descriptions and actions they are authorized to access and perform. Access to physical spaces can also be handled through identity management when software is the mechanism to grant and revoke building access. Purpose The purpose of this audit was to determine whether physical and logical access control policies are in place and adhered to; personnel with identity management responsibilities are adequately trained; access provisioning and de-provisioning is appropriately performed; periodic entitlement reviews are conducted to identify unauthorized access; password parameters align with best practices and the Federal Information Security Management Act; and access is managed in compliance with applicable regulations. Highlights The audit found that improvements need to be made to the City s identity management governance with regard to both physical and logical access. Specifically we identified: Thirty-eight active network accounts were not removed for former employees and contractors who are no longer affiliated with the City. Six of these accounts appear to have been logged into after separating from the City. One hundred physical access badges were not disabled for former employees with clearances that allowed access to doors to the Denver Human Services Records Room, Child Welfare Office, 911 Emergency Communications Center, District and City Attorney s Offices, and the City data centers. Former employees retained access to hard copy child welfare and health information protected by the Health Insurance Portability and Accountability Act. A former Technology Services employee retained remote access to databases containing criminal information restricted by the Criminal Justice Information Services Security Policy. One individual within the City Attorney s Office did not have logical or physical access revoked following employment. These and other instances of inappropriate access have occurred as a result of the City not having an adequate governance process in place to manage all steps in granting and revoking access to facilities and systems. For a complete copy of this report, visit Or Contact the Auditor s Office at

6 TABLE OF CONTENTS INTRODUCTION & BACKGROUND 1 Identity Management 1 Breach Case Studies 2 Background on Applicable Laws and Regulations 3 Logical Access Controlled through Centralized Directory Services 4 Physical Access Control Systems 5 SCOPE 6 OBJECTIVE 6 METHODOLOGY 6 FINDING 8 The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted RECOMMENDATIONS 13 AGENCY RESPONSE 16

7 INTRODUCTION & BACKGROUND Identity Management Identity management (IdM) is the task of controlling information about users on computers. This information includes credentials that authenticate the identity of a user, information that describes users, and actions users are authorized to perform. It also includes the management of descriptive information about the users and how and by whom that information can be accessed and modified. Managed areas typically include users, hardware, network resources, applications, and physical premises. Effective governance around identity management helps ensure that access to facilities and systems is appropriately controlled and that threats related to unauthorized access are minimized. Threats to Denver City agencies are very real. The following example demonstrates effective identity management and physical access control and also illustrates the type of threat that a City like Denver faces when providing numerous public services to its citizens. On November 11, 2013, the Denver Post reported an incident involving a woman who drove a car onto the sidewalk, set the vehicle on fire, and then watched it burn in front of the Wellington E. Webb Municipal Office Building (Webb Building). 1 The Webb Building houses several key City agencies including the District and City Attorney s Offices, the Controller s Office, and Technology Services. The Denver Post reported that, after lighting fire to her car, the woman briefly entered the Webb Building at the main entrance off West Colfax Avenue. The woman was stopped before she could pass building security and the metal detectors, but she did publicly demonstrate one type of threat the City and County of Denver faces when providing numerous public services to Denver citizens. In today s world of increased threats related to computer hacking and terrorism, effective governance around identity management is critical. Following are a few risks associated with weak identity management: Increased risk to public and employee safety Loss or compromise of sensitive data protected by rules and regulations Heightened risk of costly fines, negative publicity, and an erosion of public trust Increased risk of fraud Elevated exposure to computer network hacking and malware 1 Denver police arrest woman suspected of setting car ablaze downtown, Denver Post, accessed January 2, 2014, Page 1 Office of the Auditor

8 Breach Case Studies A data breach is the intentional or unintentional release of secure information to an unsecured or non-trusted environment. Data breaches can be costly, create negative publicity, and occur in a number of ways. Following are a few examples of breaches that have occurred recently: Target Corporation had a massive data breach on November 15, 2013, when the company s payment system was hacked, exposing more than 40 million debit and credit cards. The hack occurred as a result of a third-party vendor having access to the Target network. Corporations often allow third-party vendors remote network access to perform periodic maintenance on information systems. It is believed that hackers stole the third-party network credentials, which allowed them to gain access to Target s payment system. 2 The City of Springfield, Missouri, had one of its websites hacked on February 28, Hackers were able to obtain more than 6,000 records containing social security numbers from online police records as well as more than 15,000 records relating to warrant information, including crime data. Officials are taking steps to notify approximately 2,100 individuals whose personal information may have been obtained when the site was breached. 3 The Alaska Department of Health and Human Services (DHHS) agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule for a breach that occurred on July 26, The HHS Office for Civil Rights (OCR s) investigation followed a breach report submitted by DHHS as required by the Breach Notification Rule within the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a USB thumb drive, possibly containing electronic protected health information (ephi), was stolen from the vehicle of a DHHS employee. Over the course of the investigation, OCR found that DHHS did not have adequate policies and procedures in place to safeguard ephi. Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule. 4 2 Target Hackers Broke in Via HVAC Company, Krebs on Security, accessed February 6, 2014, 3 Springfield city website hacked as part of series of hacks involving government and law enforcement, databreaches.net, accessed February 6, 2014, 4 Alaska settles HIPAA security case for $1,700,000, U.S. Department of Health and Human Services, accessed January 2, 2014, City and County of Denver Page 2

9 Background on Applicable Laws and Regulations Due to the breadth of services that the City provides, the City must comply with a number of rules and regulations designed to protect the personal data of the City s employees and residents. Following are examples of a few applicable rules and regulations that relate to some of the services the City and County of Denver provides: The Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rule: 5 HIPAA establishes national standards to protect the confidentiality, integrity, and availability of individuals protected health information that is created, received, used, or maintained by a covered entity. The Privacy Rule gives individuals rights over their protected health information and sets rules and limits regarding who can look at and receive that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. There are a variety of ways in which a city may be considered a covered entity under HIPAA, and the rule potentially impacts several departments if the city does any of the following: Administers a public health program, such as the Department of Human Services Administers police and corrections departments that retain health information on inmates Contracts with or is considered a business associate of a covered entity, such as a third-party administrator for its self-insured health plan, or is a plan sponsor under a fully insured health plan Owns medical clinics, hospitals, or ambulance services, such as the Denver 911 Emergency Communications Center Performs certain health plan functions on behalf of the insurance carrier Offers employees a Health Flexible Spending Account Transmits individual health information electronically Several of Denver s agencies are considered Covered Entities under HIPAA and are subject to the HIPAA Privacy and Security Rules that are in place to ensure the privacy of an individual s health information. The HHS OCR is responsible for administering and enforcing the standards and may conduct complaint investigations and compliance reviews of Covered Entities. Another key component of HIPAA s HITECH Act is that agencies are required to provide the Secretary of HHS with notice of breaches of protected health information C.F.R. 160 and Subparts A and C of 164 (2013). Page 3 Office of the Auditor

10 Criminal Justice Information System (CJIS) Security Policy: 6 Due to the need for increased information sharing between federal, state, and local law enforcement agencies, the Federal Bureau of Investigation (FBI) has developed the CJIS policy to provide consistent guidelines for all law enforcement agencies to follow when securing Criminal Justice Information (CJI). The CJIS Security Policy provides guidance for the creation, viewing, modification, transmission, dissemination, storage, and destruction of CJI. The policy integrates presidential directives, federal laws, FBI directives, and the criminal justice community s Advisory Policy Board decisions along with nationally recognized guidance from the National Institute of Standards and Technology (NIST). The Denver Police, Sheriff, and Fire Departments, the District and City Attorney s Offices, and other City agencies with access to databases containing CJI must be physically and logically secured in compliance with CJIS requirements. Payment Card Industry Data Security Standards (PCI DSS): 7 Any organization or merchant that accepts, transmits, or stores any credit cardholder data must comply with PCI DSS. PCI DSS contains twelve requirements with directives against which businesses may measure their own payment card security policies, procedures, and guidelines. By complying with periodic assessments performed by Qualified Security Assessors (QSAs), businesses and entities can become accepted by the PCI Standards Council as compliant with the twelve requirements and thus receive a compliance certification and a listing on the PCI Standards Council website. Compliance with the PCI DSS is vital for all merchants who accept credit cards, online or offline, due to the sensitivity of payment card data and the risks associated with credit card fraud. Since the City acts as a credit card merchant when providing some City services, the City must comply with PCI requirements and receives a Report on Compliance annually. The PCI requirements mandate that physical and logical access to cardholder data is restricted to authorized individuals only. 8 Logical Access Controlled through Centralized Directory Services Directory services are used to manage access across various portions of the City networks. A log-on is used as a point of entry to gain access to the majority of City systems. Whether connecting remotely from outside the City s networks or in person to systems on the City s networks, directory services authentication is required to gain access to City data. The City operates multiple network segments that are designed to restrict logical access to systems and data. Although Technology Services manages a large portion of the network, some segments are managed by other agencies. 6 Criminal Justice Information Services Security Policy, last modified August 9, 2013, U.S. Department of Justice. 7 PCI DSS v3.0, last modified November, 2013, 8 Logical access refers to user based authenticated access to the application systems and data that is processed. City and County of Denver Page 4

11 Physical Badge Access Successful logon gains logical access to city data Directory Services Authentication Remote Access Source: Created by Audit Services Division Staff Unsuccessful logon restricts logical access to city data Physical Access Control Systems Several agencies throughout the City have the ability to grant and remove physical badge access to facilities under their control. For example, the Facilities Management unit within the Department of General Services is responsible for the administration of building badge access, in addition to the general management, maintenance, and daily operations of several City-owned facilities. Physical Badge Access Access to hard copy city data Source: Created by Audit Services Division Staff Prior to gaining access to secured City agencies and hard copy information, physical badge readers provide the first layer of physical security. Photo identification access badges, used for both identification and authentication of an individual, are used to restrict access to secured areas throughout the City. The City operates six separate physical access control systems. Each of the physical access control systems is used to restrict access to a number of City facilities. It is possible that an employee may have clearance to access more than one City owned location. Clearance may be granted to a current badge or a separate badge may be issued to provide access. Each access control system has a number of individuals who may grant, remove, and modify physical access clearances to their respective area. For example, we noted that the system controlling access to the Webb Building has separate agencies that may grant and revoke access rights to physical areas under their control. Agency representatives fill out a form to have Facilities Management create a badge ID card, and they notify Facilities Management when access is no longer needed. As described in the findings of this report, we identified instances where access badges were assigned by agencies other than Facilities Management and were not disabled by those groups following an employee s departure from the City. Page 5 Office of the Auditor

12 SCOPE The audit focused on Citywide identity management of both physical and logical access to systems and data. For logical access, the audit focused on all the directory services, which are used as the primary point of entry to access the majority of applications and electronic data in use within the City. For physical access, the audit tested two separate access control systems, which are used to control access to the following buildings: Performing Arts Center Minoru Yasui City Permit Center Denver Animal Shelter Roslyn Building DHS Main Family Crisis Center DHS East Webb Building City Data Center DHS Montbello 911 Technologies In accordance with Generally Accepted Government Auditing Standards the reader should be aware that some details about information security weaknesses are considered sensitive security information and are not disclosed within this report. The details of all findings, however, have been presented to Technology Services and Facilities Management. As part of our regular follow-up for audit issues, we will return at a future date to ensure that all findings have been addressed. OBJECTIVE The purpose of the audit was to assess the effectiveness of internal controls used by Technology Services, the Department of General Services Facilities Management unit, and the Office of Human Resources to manage and monitor access to City facilities, systems, and data. Audit objectives included an assessment of provisioning and deprovisioning processes for user accounts. METHODOLOGY We used several methodologies to achieve the audit objectives. Our evidence-gathering techniques included, but were not limited to: Interviewing agency staff with identity management responsibilities Reviewing existing policies and procedures related to access provisioning and deprovisioning City and County of Denver Page 6

13 Querying the Office of Human Resources system of record to identify former and current employees for testing Using data analytics to compare the listing of both current and former employees against the listing of users with logical and physical access o User accounts were judgmentally selected from the full populations of potentially active accounts for former employees based on the risk associated with what each account had access to. We selected the following samples: Access de-provisioning: 85 samples Access provisioning: 20 samples Privileged accounts: 20 samples Physical de-provisioning: 100 samples Reviewing applicable laws, rules, and regulations related to identity management including: o o o o o Federal Information Security Management Act of 2002 (FISMA) Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA s Health Information Technology for Economic and Clinical Health (HITECH) Act Payment Card Industry Data Security Standard (PCI DSS version 3.0 November 2013) Criminal Justice Information Services Security Policy (CJIS version 5.2 August 2013) Querying Technology Services help desk ticketing system to identify whether individuals access was provisioned in accordance with existing policies Reviewing existing security awareness training content Reviewing relevant audits conducted in the past related to DIA information security awareness training Performing tail-gate testing to determine the effectiveness of the physical badge control system Page 7 Office of the Auditor

14 FINDING The City Needs to Improve Governance around Identity Management to Ensure that Access to Facilities and Systems Is Appropriately Restricted Audit work identified several weaknesses related to the City s identity management governance structure for both physical and logical access to facilities and systems. With regard to physical access, we found inconsistent application of procedures used to provision and de-provision employee physical access badges, which resulted in former employees having active badges after they no longer worked for the City. With regard to logical access, we found that some individuals who no longer worked for the City still had active credentials, allowing them to access City systems, some of which contain sensitive information. To mitigate the risk associated with unauthorized access to City facilities and systems, we recommend that the City create a comprehensive information security governance structure including security awareness training, periodic entitlement reviews, a list of third-party workers, and procedures for requesting and removing access. Physical Access to Some City Facilities and Secured Areas Is Not Restricted to Authorized Individuals Physical access controls prevent unauthorized individuals from accessing City buildings. The City uses a variety of idenfication tools to ensure that physical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active badges that would grant them entry to secured facilities. During the audit, we tested two badging systems controlling access to the Wellington E. Webb Municipal Office Building (Webb Building), Performing Arts Center, Denver Animal Shelter, City data centers, Minoru Yasui Building, Roslyn Building, City Permit Center, 911 Technologies, and Department of Human Services facilities. A Significant Number of Badges for Previous City Employees Remain Active New City employees are issued photo identification badges to access secured City facilities and rooms. Badges are provisioned upon receipt of a signed access request form from the new employee s agency. To test the badge-provisioning process, we compared the list of all former City employees since 2000 against the list of active badge holders. Our testing identified 972 active badges for employees who are no longer on the City s centralized payroll system. Some of these active badges could be legitimately active if a former employee was rehired but is paid outside of the City s centralized payroll system; however, since there is no list of these contractors, volunteers, or interns, we were not able to make that determination. City and County of Denver Page 8

15 We performed additional testing on 100 of the potentially unauthorized badges based on the sensitivity of the areas to which the badges allowed access. Testing showed that all 100 of the badges were for former employees who were no longer authorized to have access. These active badges allowed access to areas including the City Attorney s Office, the District Attorney s Office, City data centers, 911 technologies, child welfare offices, the Department of Human Services human resources file room, and the Department of Human Services records room. We found that agency representatives do not follow a consistent process to revoke badge access so we were Auditors found 100 active badges for former employees with access to high risk areas. unable to identify a single root cause for why the badges were not disabled following an employee s employment with the City. After identifying active badges for employees who were no longer authorized to have access, we attempted to identify the date of the last activity for each of the unauthorized badges. This testing showed that no unauthorized badges accessed sensitive areas at the Department of Human Services after the individuals assigned to those badges separated from the City. For sensitive areas within 911 technologies, the Webb Building, City data centers, and the City and District Attorney s Offices, we were able to determine that no unauthorized individuals accessed those facilities within the past six months. 9 Facilities Management should determine whether the remaining badges are for active employees who require access or whether the badges need to be disabled. Facilities Management should also perform additional testing to ensure that no breaches occurred related to former employees accessing high-risk areas. Badge Administrators Not Consistently Informed of Need for Badge Deactivation We found that badge administrators do not know when an employee s badge should be disabled unless the employee s manager or agency representative notifies the administrator and requests access to be revoked. In the event that a badging administrator is not notified to revoke access for a former employee, access for that individual may remain active following employment. We also found that some badging administrators cannot verify whether an individual s badge access is authorized because they do not have access to the Office of Human Resources system of record showing current City employees. For example, after we identified active badges that appear to belong to former employees, Facilities Management personnel could not confirm whether any of these individuals still require access to City facilities. Therefore badge administration personnel rely solely on City agencies to notify them when badge access should be removed. In addition, there is no documented process that City agency representatives follow to consistently disable badge access. In the absence of a consistent process, 9 Auditors were only able to inspect badge activity for the past six months due to the size of the reports, and Facilities Management had difficulty configuring them to report activity for high-risk areas only. Facilities Management should configure and run additional reports to determine whether any former employees accessed sensitive areas after they were employed by the City over the past two years. Page 9 Office of the Auditor

16 agency representatives may notify badging administrators to disable badges in a number of ways. For example, some requests to disable access are phoned in, others are ed, and still more are sent via electronic forms to Technology Services. After performing additional audit procedures and contacting supervisors of former employees, we found that at least 100 of the badges with access to high-risk areas should be disabled. There Are No Controls to Prevent Former Employees with Deactivated Badges from Entering Certain City Facilities We found that it is possible for individuals who separate from the City to access some secure facilities, circumventing the metal detectors. This can occur when employees do not turn in their badges following employment. Additional information related to this issue has been provided confidentially to the appropriate City agency. Logical Access to City Systems Is Not Appropriately Restricted Logical access controls prevent unauthorized users from accessing the City s computer information systems. The City has a variety of identification and authorization tools in place to ensure that logical access is only granted to City employees and only to the extent that they need access to perform their job duties. However, in the course of our audit work, we found a number of instances where individuals who no longer work for the City still had active credentials, allowing them to access the City s network. To determine whether any former employees retained active network credentials, we first obtained a list of all users in the City s directory services. We also obtained a list of the folders and groups the users had access to as employees and their last log-on dates. Then we generated a list of current City employees by running queries against the Office of Human Resources system of record, as well as by generating a list of all former employees since We used data analytics to compare the current and former employee lists against the active user accounts within each of the City s directory services. On three of the five City networks tested, we found that some individuals had retained network access following employment. City Government Directory Services Issues We identified three issues related to inappropriate logical access. First, some employees have retained network access following employment with the City; second, some contractor accounts have not been set up or disabled in accordance with established policy; and third, some user accounts are not being set up with appropriate password requirements. Some accounts have not been deactivated following employee separation We identified fourteen network accounts for former employees who should no longer have network access to City systems. Six of the fourteen individuals appeared to have accessed their accounts after separating from the City. Accounts should be disabled timely when an individual is no longer employed. In the event that Technology Services needs to access the account, the account should be added as an extension to an existing employee s account rather than using the former employee s City and County of Denver Page 10

17 account. Rules and regulations such as HIPAA, PCI, and CJIS mandate that certain data is protected and access is restricted to authorized individuals only. One of the accounts retained remote access to crimerelated information following employment. The account that retained remote access to crime-related information is regulated by the CJIS security policy. 10 Other directory services details have been provided confidentially to the appropriate agency separate from this report. A former City employee retained remote access to a crime database. Some contractor accounts are not being provisioned or de-provisioned in accordance with policy Many City contractors are provided with logical access to City networks to perform their job duties. We found that contractor accounts are not always end dated within the directory services and therefore may remain active after a contractor is no longer working for the City. For example, we identified several former Department of Human Services (DHS) contractors who retained access to data after they were no longer authorized. One contractor also retained remote access to DHS files and folders after the individual was no longer working on behalf of DHS. Upon further inquiry with DHS personnel, a determination could not be made as to whether former employees retained access to client files. In total, we identified twenty-four manually provisioned accounts that were not end dated across agencies managed by Technology Services. As a result, these twenty-four individuals had active network accounts after they were no longer employed by the City. Contractor end-dating is also required by the City s LAN and Policy. End dating contractor accounts helps mitigate risks to data. Some account passwords are not set to expire in accordance with policy We identified forty-one user accounts set with passwords that never expire. Passwords are required to be changed every ninety days in accordance with the City s LAN and Policy. Passwords that have been in place for long periods of time increase the risk of unauthorized access to systems. Some of the accounts we tested during the audit have passwords that have not been changed since Increased Governance Is Needed to Mitigate Physical and Logical Identity Management Risks To remediate identified issues and increase both physical and logical access security, the City should perform periodic entitlement reviews, develop and maintain a comprehensive and accurate listing of third-party workers, establish procedures for requesting and removing access to City facilities and systems, and implement security awareness training. Procedures for disabling physical and logical access should include a process for verifying 10 CJIS security violations must be reported to the regional CJIS Systems Officer, the national CJIS Director, as well as the Federal Bureau of Investigation (FBI). Upon notification, the FBI has the right to investigate any report of unauthorized use and suspend or terminate access and services. We were able to determine that the account in question did not access CJIS data following separation from the City. As a result, there was no CJIS violation; however, the City was out of compliance with the CJIS security policy and the individual could have remotely accessed crime related data following separation from the City. Page 11 Office of the Auditor

18 that access has been removed and specifically identify the parties that are responsible for removing access upon notification. Periodic entitlement reviews The City does not perform periodic access entitlement reviews to determine whether physical and logical user access remains authorized over time. These types of reviews can help identify accounts that are no longer authorized when the processes to remove access are not performed. DIA performs limited entitlement reviews related to financial systems; however, these reviews do not include areas related to privileged accounts, such as database and domain administrators. Entitlement reviews also help ensure that access is commensurate with job duties. For example, high-risk file shares containing protected or sensitive data should be identified and individuals with access to the high-risk file shares should be periodically reviewed to ensure that access is appropriate. Without a periodic review process in place, it is possible that accounts that are no longer authorized to have access, such as those identified within this audit, go unnoticed and uncorrected. Develop a list of contractors, volunteers, and interns who are not on the City s payroll In addition to regular employees, the City occasionally uses contractors, volunteers, and interns to perform work and services on behalf of the City. These third party workers may be granted access to City systems and buildings to perform their work. However, we found that Technology Services and Facilities Management organizations do not have a record of the current employment status for City workers who are paid outside of the centralized payroll system. A centralized list that includes all City employees and third-party individuals would assist in determining the full population of valid City workers and is essential for performing periodic account reviews. PeopleSoft, the Office of Human Resources system of record, is the only source for tracking active employees, which in turn serves as the control for authorization of access to City networks through an automated tool. When a third-party worker is not in PeopleSoft, it is difficult to determine whether a particular individual is authorized to have access. Currently third-party workers not paid through PeopleSoft are manually provisioned and de-provisioned, which has resulted in some of the issues identified within this audit. For example, we identified instances where manual processes failed to remove network access for former third-party workers. We used data analytics to identify manually provisioned accounts for former employees and noted that sixteen of the twenty accounts (80 percent) tested were not disabled following employment. Establish a consistent process for requesting and removing access to City facilities and systems As discussed throughout this report, the City does not have a consistent governance process to grant or remove an individual s access to City facilities and systems. Access changes may be requested through help desk tickets, electronic forms, or hard copy forms, and there is no training provided regarding which forms to use under certain circumstances. In the absence of an established process, access change requests are inconsistently sent to Technology Services and Facilities Management, which has resulted in access remaining active for some former employees, such as those identified within this audit report. City and County of Denver Page 12

19 Additionally, we identified that electronic forms are filled out by hiring managers or agency representatives to disable physical badge access to the Webb Building, yet these forms are never sent to Facilities Management to facilitate removal of access. Instead, these forms are sent to Technology Services, but no action is taken to disable the badges. Our audit found that even though Facilities Management has developed building-specific access control criteria available through the City s intranet site, there are no procedures that address the creation and termination process for administration of employee badges. In the absence of such a guide to help ensure a consistent process is used, auditors sampled 100 badges for further testing and found that access was assigned and removed inconsistently. 11 Technology Services and Facilities Management should develop consistent processes for granting and removing access to facilities and systems and then ensure that employees are trained on the processes. Such procedures should include a process for verifying that access has been removed. Security awareness training Security awareness training is not provided consistently throughout the City. While all Department of Aviation employees receive security awareness training, only about 40 percent of the remaining City employees receive the training. This type of training informs employees of the types of threats with which cities and other entities are being targeted. For example, some City employees were recently targeted through an scam attempting to collect their user IDs and passwords. More than half of the City s employees are not trained on current information security threats. This type of threat could severely compromise the security of the City s data network. Currently, 60 percent of employees are not trained on how to identify these types of threats and effectively protect their personal access credentials. Therefore, we recommend that security awareness training should be developed jointly by Technology Services and Facilities Management to promote employee awareness of known threats to their access credentials. RECOMMENDATIONS 1.1. The Director of Facilities Management should disable active badges for former employees identified within this audit and work with other badging administrators to ensure that any other potentially active accounts for former employees are disabled The Director of Facilities Management should install badge readers on the secured facility identified within the confidential findings provided to Facilities Management The Chief Information Security Officer should update the network and account management policy to reflect the current process for network credential creation and termination. The policy should also be adopted by Technology Services so that 11 See the Methodology section of this report for all sampling methodology used during the audit. Page 13 Office of the Auditor

20 individuals responsible for access control understand the logical access requirements and comply with them. A separate process should be developed and implemented for interns, contractors, and volunteers to ensure that network accounts are provisioned and de-provisioned consistently The IT Governance Manager should disable active network accounts for former employees and contractors within this audit and ensure that any other active accounts for former employees are disabled The IT Governance Manager should ensure that password and group policy settings align with the City s LAN and Policy The IT Governance Manager should ensure that access to data protected by rules and regulations such as HIPAA and CJIS is periodically monitored and controlled appropriately over time The Chief Information Security Officer and the Director of Facilities Management should work together to develop and implement security awareness training for all City employees, contractors, volunteers, and interns who receive physical or logical access credentials. The format and extent of the security awareness training is at the discretion of Technology Services and Facilities Management; however, these entities should take the following high-risk areas into consideration when developing the program: The nature of sensitive material and physical assets employees may come in contact with, such as privacy concerns and government classified information Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage, and destruction Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication Proper methods for protecting physical access credentials, such as not sharing badges, reporting lost or stolen badges immediately, etc. Computer security concerns, including malware, phishing, social engineering, etc. Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc. Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the City, damage to individuals whose private records are divulged, and possible civil and criminal penalties 1.8. The Chief Information Security Officer and the Director of Facilities Management should implement periodic entitlement reviews and help facilitate agency access reviews, taking into consideration the following: All accounts should be reviewed on a pre-defined basis (monthly, quarterly, or annually) City and County of Denver Page 14

21 High-risk access permissions should be identified, and periodic account reviews should assess the appropriateness of high-risk access over time Account reviews should be assigned to a designated system owner with a general understanding of the appropriateness of access Account reviews should incorporate segregation of duties Reviews should be based on system-generated access reports 1.9. The Executive Director of Human Resources should work closely with the Chief Information Officer and other agencies to implement a centralized method for tracking contractor, volunteer, and intern (contingent) workers to allow these types of workers to be tracked and thereby have their network access provisioned and de-provisioned through an automated tool The Executive Director of Human Resources should work closely with the IT Governance Manager and independent IT departments across the City to train hiring managers and supervisors on provisioning and de-provisioning processes, taking into consideration the following when developing the training: A role-based approach for access provisioning Avoid mirroring accounts based on job functionality Develop a consistent agreed-upon method for physical and logical access provisioning and de-provisioning (e.g., required forms, approvals) Develop a consistent method for handling contractors and other manually provisioned accounts (e.g., account end dating) The Director of Facilities Management should create procedures that define daily badge management processes. Facilities Management should then train all badging administrators on the procedures to ensure that access is consistently provisioned and de-provisioned The Director of Facilities Management should consider centralizing the badge administration process and minimize the number of administrators assigning badge access. Page 15 Office of the Auditor

Citywide Identity Management Follow up Report

Citywide Identity Management Follow up Report Citywide Identity Management Follow up Report July 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

DIA Network Device Security Management Performance Audit

DIA Network Device Security Management Performance Audit DIA Network Device Security Management Performance Audit June 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Network Security Management Phases 1 and 2 Follow up Report

Network Security Management Phases 1 and 2 Follow up Report Network Security Management Phases 1 and 2 Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

DIA Network Security Management Follow up Report

DIA Network Security Management Follow up Report DIA Network Security Management Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver

More information

City Attorney s Office: Litigation and Claims Management Follow-up Report

City Attorney s Office: Litigation and Claims Management Follow-up Report City Attorney s Office: Litigation and Claims Management Follow-up Report April 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

PeopleSoft IT General Controls

PeopleSoft IT General Controls PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

Police Records Management System IT General Controls Follow up Report

Police Records Management System IT General Controls Follow up Report Police Records Management System IT General Controls Follow up Report March 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City

More information

FOLLOW-UP REPORT Change Management Practices

FOLLOW-UP REPORT Change Management Practices FOLLOW-UP REPORT Change Management Practices May 2016 Office of the Auditor Audit Services Division City and County of Denver Timothy M. O Brien, CPA The Auditor of the City and County of Denver is independently

More information

The Department of General Services Contract Administration Follow up Report

The Department of General Services Contract Administration Follow up Report The Department of General Services Contract Administration Follow up Report June 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of

More information

Citywide Social Media Usage Follow-up Report

Citywide Social Media Usage Follow-up Report Citywide Social Media Usage Follow-up Report May 2015 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

911 Data Center Operations Performance Audit

911 Data Center Operations Performance Audit 911 Data Center Operations Performance Audit June 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is

More information

Denver 311 Follow up Report

Denver 311 Follow up Report Denver 311 Follow up Report December 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Mobile Devices Performance Audit

Mobile Devices Performance Audit Mobile Devices Performance Audit August 2014 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Assessor s Office Performance Audit

Assessor s Office Performance Audit Assessor s Office Performance Audit June 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

Network Security Management Phase 1 Performance Audit

Network Security Management Phase 1 Performance Audit Network Security Management Phase 1 Performance Audit March 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Audit Report. University Medical Center HIPAA Compliance. June 2013. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT

Audit Report. University Medical Center HIPAA Compliance. June 2013. Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT DEPARTMENT Audit Report AUDIT DEPARTMENT University Medical Center HIPAA Compliance June 2013 Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT COMMITTEE: Commissioner Steve Sisolak Commissioner Chris Giunchigliani

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information

DIA Information Security Management Performance Audit

DIA Information Security Management Performance Audit DIA Information Security Management Performance Audit November 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians Compliance HIPAA Training Steve M. McCarty, Esq. General Counsel Sound Physicians 1 Overview of HIPAA HIPAA contains provisions that address: The privacy of protected health information or PHI The security

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Network Security Management Phase 2 Performance Audit

Network Security Management Phase 2 Performance Audit Network Security Management Phase 2 Performance Audit July 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of

More information

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT THIS AGREEMENT ( Agreement ) is made and entered into this day of, 20, by and between Franciscan Health System ( Hospital ), and ( Community Partner ). RECITALS

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Physical Protection Policy Sample (Required Written Policy)

Physical Protection Policy Sample (Required Written Policy) Physical Protection Policy Sample (Required Written Policy) 1.0 Purpose: The purpose of this policy is to provide guidance for agency personnel, support personnel, and private contractors/vendors for the

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

The Department of General Services Contract Administration Performance Audit

The Department of General Services Contract Administration Performance Audit The Department of General Services Contract Administration Performance Audit August 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

Third-Party Access and Management Policy

Third-Party Access and Management Policy Third-Party Access and Management Policy Version Date Change/s Author/s Approver/s Dean of Information Services 1.0 01/01/2013 Initial written policy. Kyle Johnson Executive Director for Compliance and

More information

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report April 2009 promoting efficient & effective local government Background The Health Insurance Portability and Accountability

More information

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer

ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING. By: Jerry Jackson Compliance and Privacy Officer ACCOUNTABLE HEALTHCARE IPA HIPAA PRIVACY AND SECURITY TRAINING By: Jerry Jackson Compliance and Privacy Officer 1 1 Introduction Welcome to Privacy and Security Training course. This course will help you

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Accepting Payment Cards and ecommerce Payments

Accepting Payment Cards and ecommerce Payments Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Police Records Management System IT General Controls Performance Audit

Police Records Management System IT General Controls Performance Audit Police Records Management System IT General Controls Performance Audit December 2012 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011

Richmond Police Department Police Records Management System (PISTOL) 12 Months ended December 31, 2011 REPORT # 2012-10 AUDIT Of the TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction.......... 1 Background........ 2 Conclusion........ 3 Recommendations........

More information

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.

ACCG Identity Theft Prevention Program. ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg. ACCG Identity Theft Prevention Program ACCG 50 Hurt Plaza, Suite 1000 Atlanta, Georgia 30303 (404)522-5022 (404)525-2477 www.accg.org July 2009 Contents Summary of ACCG Identity Theft Prevention Program...

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

Iowa Health Information Network (IHIN) Security Incident Response Plan

Iowa Health Information Network (IHIN) Security Incident Response Plan Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security

More information

Fixed Assets Management Performance Audit

Fixed Assets Management Performance Audit Fixed Assets Management Performance Audit May 2010 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of Denver is independently

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9. 95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

More information

Audit Committee. Audit Staff

Audit Committee. Audit Staff The Auditor of the City and County of Denver is independently elected by the citizens of Denver. He is responsible for examining and evaluating the operations of City agencies for the purpose of ensuring

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Denver International Airport Airport Legal Services Section Performance Audit

Denver International Airport Airport Legal Services Section Performance Audit Denver International Airport Airport Legal Services Section Performance Audit July 2014 Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N 1 COURSE OVERVIEW This course is broken down into 4 modules: Module 1: HIPAA Omnibus Rule - What you need to know to remain

More information

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator

HIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title

More information

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY

Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Case 2:13-cv-01887-ES-JAD Document 282-1 Filed 12/09/15 Page 1 of 18 PageID: 4861 THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF NEW JERSEY Federal Trade Commission, Plaintiff, v. Wyndham Worldwide

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MCOLES Information and Tracking Network. Security Policy. Version 2.0 MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology RUTGERS POLICY Section: 70.2.22 Section Title: Legacy UMDNJ policies associated with Information Technology Policy Name: Information Security: Electronic Information and Information Systems Access Control

More information

CA Technologies Solutions for Criminal Justice Information Security Compliance

CA Technologies Solutions for Criminal Justice Information Security Compliance WHITE PAPER OCTOBER 2014 CA Technologies Solutions for Criminal Justice Information Security Compliance William Harrod Advisor, Public Sector Cyber-Security Strategy 2 WHITE PAPER: SOLUTIONS FOR CRIMINAL

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head:

Effective Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of

More information