HIPAA and Network Security Curriculum


HIPAA and Network Security Curriculum

This curriculum consists of an overview/syllabus and 11 lesson plans.

Week 5

Developed by NORTH SEATTLE COMMUNITY COLLEGE for the IT for Healthcare Short Certificate Program. Funded by the Seattle Community-Based Health Care Partnership Project: Seattle CENTRAL Community College, NORTH Seattle Community College, SOUTH Seattle Community College, SVI Seattle Vocational Institute.

This product was funded by a grant awarded under the President's Community-Based Job Training Grants as implemented by the U.S. Department of Labor's Employment & Training Administration. The information contained in this product was created by a grantee organization and does not necessarily reflect the official position of the U.S. Department of Labor. All references to nongovernmental companies or organizations, their services, products, or resources are offered for informational purposes and should not be construed as an endorsement by the Department of Labor. This product is copyrighted by the institution that created it and is intended for individual, organizational, non-commercial use only.

Lesson 5: Network Infrastructure and Security Policies

Note: I have set up the entire curriculum for this class with weekly lesson plans. This will allow the instructor to determine how to incorporate the information into lesson plans, whether it is a daily class, a twice-weekly class, a three-times-a-week class, or even a one-class-per-week calendar.

Network security is a complicated subject. A basic understanding of computer networks is required in order to understand the principles of network security. In this section, we'll cover some of the definitions of computer networking, then move on to an overview of some popular networks.

What is a network? A "network" has been defined as "any set of interlinking lines resembling a net; a network of roads; an interconnected system; a network of alliances." A computer network is simply a system of interconnected computers. It involves a set of locations, or nodes, consisting of hardware, programs, and information linked together as a system that transmits and receives data and information. Oddly enough, how they're connected is irrelevant, and there are a number of ways to do this.

The International Standards Organization (ISO) Open Systems Interconnect (OSI) Reference Model defines seven layers of communication types, and the interfaces among them. (See figure; draw on board.) Each layer depends on the services provided by the layer below it, all the way down to the physical network hardware, such as the computer's network interface card and the wires that connect the cards together. It isn't important to memorize the ISO/OSI Reference Model's layers, but it's useful to know that they exist, and that each layer cannot work without the services provided by the layer below it.

The seven layers, from top to bottom:
Application
Presentation
Session
Transport
Network
Data Link
Physical

HIPAA and Network Security Curriculum - Week 5 Page 2 of 18

Networks come in three configurations, or topologies. (Write the definition of topology on the board: a network configuration, or the arrangement of the nodes or workstations of a network in relation to one another.) To determine which network topology to use, network designers consider the distance between nodes, the frequency and volume of transmissions, and the processing capability at each node.

The star topology interconnects many different sites through a central computer (a server). The central computer is typically a mainframe. Nodes may be other mainframes, midrange systems, or microcomputers. Sending a message from one node to another entails sending the message to the central server or host computer first, which receives and retransmits the message to the intended destination.

In the ring topology, each node is connected to an adjacent node. There is no central node. A message is sent from one node through the network. Each location examines the identification code in the message (which is inserted by network software) and accepts the message if it has the code. Otherwise, it transmits the message to the next node. The process continues until the message reaches its destination.

The bus topology is a linear network, a data highway, so to speak. All nodes tap onto the bus. Data transmissions from one node are sent to every other node on the network. Each node examines the identification code, accepting those messages containing its code and ignoring the others.

The type of connection and the span of the network define the three types of networks: (1) wide area, (2) local area, and (3) metropolitan area. A wide area network (WAN) is a network that connects sites dispersed across states, countries, or continents. Corporations often develop high-speed WANs that transmit over networks using a T-carrier, a very high-speed channel designed for use as the backbone of a network. A backbone is a high-speed transmission link that interconnects lower-speed networks or computers at different sites. The speed at which information is transmitted over a communication medium is determined by bandwidth. A greater bandwidth means that more information is sent through a medium in a given amount of time. The bandwidth of a network is measured (indirectly) by the bits of data transmitted per second.

A modem frequently used for dial-up transmission from a PC is said to be at 56.6 kilobits per second; a T-1 line (T-carrier) is at megabits per second.

A local area network (LAN) is a network that interconnects computers and communication devices within an office or series of offices; it typically spans a distance of a few hundred feet to several miles. The network components (the LAN's nodes), including the cable linking the devices, are generally owned by the company using the network. LANs are generally comprised of desktop computers, servers, storage area networks (SANs), and the printers designed to work with them. A desktop computer connected to a network may be called a workstation (alternatively, it may be called a node or a client). The computer that hosts the network and provides the resources that are shared on the network is called the server. The server provides services to each of the workstations attached to it. When workstations (that is, PCs) access a server, they can execute (use) the software residing on the server or process data in a file or database on the server. The server typically has more primary memory and storage capacity and a higher processing speed than the other computers. Some networks have multiple servers, either to provide a backup in case one is not working or to distribute databases more quickly for faster access to information. A file server is a computer containing files available to all users connected to a LAN. In some LANs a microcomputer is designated as the file server; in others, a computer with a large disk drive and specialized software acts as the file server.

Metropolitan area networks (MANs) transmit data and information over longer distances and may do so at greater speeds than is possible with LANs. MANs are often designed to carry more diverse forms of information than LANs, including combinations of voice, data, image, and video. MANs are usually optimized for voice and data transmission. MANs do not operate over telephone lines. Rather, to obtain the combination of high-speed performance and citywide transmission, fiber-optic cables are generally used as the transmission medium.

Companies are also using wireless technologies to construct local area networks, or wireless LANs (WLANs), because they enable staff members to move around the building with laptops, tablets, and PDAs and still connect to the enterprise's local area network without a wire.

What kind of network does the school have? Do we have more than one? Do we have wireless? Do we have a MAN? Encourage class discussion on what students have experienced.

Virtual private network (VPN) technology was developed to enable client systems to securely connect to a server over the Internet. VPNs' powerful encryption and user authentication methods have proven extremely successful in providing security for message transmissions. A VPN works by establishing a secure, private connection between an external device and a VPN gateway. (A gateway is a device that connects two otherwise incompatible networks, network nodes, or devices.) Hand out the article at this time and have an open discussion; encourage questions.

Much of the security-related activity in the health industry is a direct result of the increasing focus and stringent requirements of the US regulation HIPAA (Health Insurance Portability and Accountability Act). Compliance with HIPAA and other key health regulations is often incumbent on creating a secure office network. Your codes, transactions, and identifiers may all be designed to protect privacy and adhere to standards, but if the network can serve as a gateway for hackers and other unauthorized visitors to the patients' personal information, all of the other elements of the compliance process will be wasted. Protection of information and computer systems should receive top priority.

Typically, security mechanisms use a combination of logical and physical restrictions to provide a greater level of protection than is possible with either approach alone. This includes measures such as firewalls and the installation of antivirus and spyware detection software. An example of a logical restriction is automatic sign-off. Automatic sign-off is a mechanism that logs a user off the system after a specified period of inactivity on their computer. This procedure is recommended in all client care areas, as well as any other area in which sensitive data exist.

The healthcare organization makes business decisions about how important the computer network and the data it holds are to the practice, and how it wants to protect those key resources. Security systems are the implementation of those business decisions. Physical security measures include placement of computers, file servers, or computers in restricted areas. Especially challenging is the growing use of mobile wireless devices such as notebooks, tablet PCs, and PDAs. These items may fall into unauthorized hands. This is a good place to discuss with the class why this is an issue. What type of information could be released? How would it impact the clients? The company? What type of security measures do they think could be used? Security cables, motion detectors, alarms, secure locked cabinets when the devices aren't in use.

A security policy is a general statement of the business rules that define the goals and purposes of security within an organization. While each individual practice will have its own unique policy, the basics of establishing a policy are the same, whether it is a small practice or a larger-sized hospital, because HIPAA security measures apply to all health organizations across the board. Security policies are considered strategic documents, and they define the overall purpose and direction for security.

Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. The security requirement for authentication becomes important in the context of networked organizations. Authentication assures that a message is from the source it claims to be from. In the case of an ongoing interaction between a terminal and a host, authentication takes place at two levels. First, there is assurance that the two entities in question are authentic. Second, the connection between the two entities is assured such that a third party cannot masquerade as one of the two parties.

Access codes and passwords have long been favored as a means to authenticate access to automated records, largely because they represent a familiar, available, and inexpensive technology. A password is a collection of alphanumeric characters that the user types into the computer. This may be required after the entry and acceptance of an access code, sometimes referred to as the user name. IS administrators require this information to problem-solve or reissue passwords. The password does not appear on the screen when it is typed, nor should it be known to anyone but the user and the IS administrators.

Obvious passwords such as the user's name, house number, or pet are easily compromised. Strong passwords use combinations of letters, numbers, and symbols that are not easily guessed. An example:
Weak password: seahawks
Good password: SeaHawk86d
Strong password: Se@H86!s

Individuals should not share passwords or leave computers logged on and unattended. System administrators must keep files that contain password lists safe from view or copying by unauthorized individuals. One compromised password can jeopardize information and the system that contains it. For this reason, users should not use the same password for access to more than one site or system. Using the same password at various sites reduces security.

System administrators need to allow legitimate users the opportunity to access the system while refusing entry to others. One means to accomplish this is to shut down a workstation after a random number of unsuccessful access attempts and send security to check that area. Sign-on access codes and passwords are generally assigned on successful completion of system training.

Passwords may be difficult for the user to recall. This leads some people to write passwords down and post them in conspicuous places, like on a Post-it note on their computer. Users also have a tendency to share passwords: if a coworker has not yet gone through system training, coworkers tend to let that worker have access to the system with their own user ID and password. This is a huge HIPAA violation and a security violation; the password has to be regarded as the electronic signature!

Frequent and random password change is recommended as a routine security mechanism. This can be set by Information Services, as required by most software. Users find this unpleasant because of the difficulty of learning new passwords. There are situations that mandate immediate change or deletion of access codes and passwords, including suspicion of unauthorized access and termination of employees. Codes and passwords should also be deleted with status changes such as resignations, leaves of absence, and the completion of rotations for students, faculty, and residents.

It is important to develop authentication policies jointly with information technology personnel, business staff, and the end users. It is also critical to factor in the time and resources required to enroll and update users with these policies. Support costs and training times increase as the complexity of the authentication process increases. User authentication can be verified with passwords, or with passwords used along with either a passkey type of device or scanned employee identification.

Encrypted key-based authentication is another technology. An example is public key infrastructure (PKI). PKI uses an encrypted passkey that can be provided to the user in various formats, including a smartcard, token, or wireless transmitter. Hand out the article on smartcards. The passkey provides a secret number that is verified against a registered digital certificate. The user submits the passkey information during the sign-on process and the PKI system compares it against the registered digital certificate ID to verify a match.

Scanned employee identification may include a name badge (frequently used in Information Services departments) but generally refers to biometric authentication, which is based on a unique biological trait, such as a fingerprint, voice, iris pattern, retinal scan, hand geometry, face recognition, ear pattern, smell, or gait recognition. This is now feasible technology which is very accurate. Talk with the class about what types of authentication they have had to use; encourage questions and answers.
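As an added example (not from the curriculum), a password checker that applies the weak/good/strong scale above and rejects passwords built from the user's name, house number, or pet. The profile values and the 8-character minimum are this example's assumptions; the curriculum gives no length rule.

```python
import string

# Constructed sample profile for the nurse named in the quiz (Sherri Brinkman);
# the username, house number and pet name are invented for this example.
SAMPLE_PROFILE = {
    "username": "sbrinkman",
    "first name": "Sherri",
    "last name": "Brinkman",
    "house number": "1427",
    "pet": "Rex",
}


def leaked_personal_fact(password, profile):
    """Return the name of the first profile fact found inside the password,
    or None. Matching is case-insensitive, so 'brinkman2024' still fails."""
    lowered = password.lower()
    for fact, value in profile.items():
        if value and value.lower() in lowered:
            return fact
    return None


def classify_password(password, profile=SAMPLE_PROFILE, min_length=8):
    """Rate a password on the lesson's weak / good / strong scale.

    weak   - too short, built from a personal fact, or fewer than three
             character classes (e.g. seahawks)
    good   - three classes, e.g. upper, lower and digits (SeaHawk86d)
    strong - all four classes: upper, lower, digits and symbols (Se@H86!s)

    Returns (tier, reason). The minimum length is an assumption of this
    example, not a rule stated in the curriculum.
    """
    if len(password) < min_length:
        return "weak", f"shorter than {min_length} characters"
    fact = leaked_personal_fact(password, profile)
    if fact is not None:
        return "weak", f"contains the user's {fact}"
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    present = [name for name, found in classes.items() if found]
    missing = [name for name, found in classes.items() if not found]
    if len(present) == 4:
        return "strong", "uses letters, digits and symbols"
    if len(present) == 3:
        return "good", "missing " + missing[0]
    if not present:
        return "weak", "no letters, digits or symbols"
    return "weak", "only " + " and ".join(present)


if __name__ == "__main__":
    # The three passwords from the lesson plus two that leak profile facts.
    for candidate in ["seahawks", "SeaHawk86d", "Se@H86!s", "Brinkman2024!", "Rex1427xx"]:
        tier, reason = classify_password(candidate)
        print(f"{candidate:15} {tier:7} {reason}")
```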


General Security Policies and Procedures

1. Change access passwords frequently: Users should be required to enter personal identification codes and individually assigned code words in order to access the system. Passwords should be kept strictly confidential.
2. Restrict system use: Users should be given access to only the functions they need to use, rather than full-system access.
3. Limit access to data: Users should be allowed to access only the data they need to perform processing within their area of responsibility.
4. Set up physical access controls: Access cards and biometric devices, which recognize voice patterns, finger or palm prints, retinal eye patterns, and signatures, are among the most effective physical security systems. It is difficult to fool these systems.
5. Partition responsibilities: Critical functions involving high risk or high value in the data being processed should be separated so that more than one person must be involved to perform the processing. Database and network administrators should be given separate (but important) responsibilities for controlling access to the system.
6. Encrypt data: Changing the appearance of data through scrambling and coding makes it more difficult to use information even if a hacker is able to access it.
7. Establish procedural controls: When clearly stated security procedures guide users and IT staff members, it is more difficult to breach security.
8. Institute an educational program: There is no substitute for well-informed staff members. Security education programs stress the threat of intrusion, explain hackers' methods and tactics, and provide guidelines on how to respond when intrusions are detected.
9. Audit system activities: In an audit, independent parties review transactions and computer processing to analyze their origin and their impact on the system, as well as to determine that these activities were approved and performed by authorized individuals.
10. Log all transactions and user activities: Keep a record of each activity and the individual responsible for that activity.
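An added example, not part of the curriculum, that models on a single workstation the controls this lesson describes: lockout after a random number of failed sign-on attempts, automatic sign-off after inactivity, per-user function restrictions (authorization as distinct from authentication), and an audit trail naming who did what. The user, password, inactivity limit, and lockout range are constructed sample values.

```python
import hashlib
import hmac
import os
import random


def hash_password(password, salt):
    """Salted PBKDF2 so the credential table never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credentials(plaintext_by_user):
    """Build a username -> (salt, hash) table from constructed sample passwords."""
    table = {}
    for user, password in plaintext_by_user.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(password, salt))
    return table


class Workstation:
    """One client-area terminal with the lesson's controls: lockout after a
    random number of failed sign-on attempts, automatic sign-off after
    inactivity, per-user function restrictions (authorization, distinct from
    authentication), and an audit trail naming who did what. Time is passed
    in as seconds so the behaviour is deterministic and testable."""

    def __init__(self, credentials, permitted_functions, inactivity_limit=300,
                 lockout_range=(3, 5), rng=None):
        self._credentials = credentials
        self._permitted = permitted_functions   # user -> set of functions
        self.inactivity_limit = inactivity_limit
        # Random threshold, as the lesson recommends, so an intruder cannot
        # learn exactly how many guesses are tolerated.
        self._lockout_threshold = (rng or random.Random()).randint(*lockout_range)
        self._failed_attempts = 0
        self.locked = False
        self.current_user = None
        self._last_activity = None
        self.audit_log = []                     # (time, user, event, detail)

    def _audit(self, now, user, event, detail=""):
        self.audit_log.append((now, user, event, detail))

    def _credentials_valid(self, username, password):
        entry = self._credentials.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_password(password, salt))

    def sign_on(self, username, password, now):
        """Authentication: is this person who they claim to be?"""
        if self.locked:
            self._audit(now, username, "sign_on_refused", "workstation locked")
            return False
        if not self._credentials_valid(username, password):
            self._failed_attempts += 1
            self._audit(now, username, "sign_on_failed", f"attempt {self._failed_attempts}")
            if self._failed_attempts >= self._lockout_threshold:
                self.locked = True
                self._audit(now, username, "workstation_locked", "security sent to check area")
            return False
        self._failed_attempts = 0
        self.current_user = username
        self._last_activity = now
        self._audit(now, username, "sign_on")
        return True

    def unlock(self, security_officer, now):
        # Security staff clear the lockout after checking the area.
        self.locked = False
        self._failed_attempts = 0
        self._audit(now, security_officer, "workstation_unlocked")

    def _apply_auto_sign_off(self, now):
        if self.current_user is None:
            return
        idle = now - self._last_activity
        if idle >= self.inactivity_limit:
            self._audit(now, self.current_user, "auto_sign_off", f"idle {idle}s")
            self.current_user = None

    def use_function(self, function, now):
        """Authorization: a signed-on user reaches only the functions assigned
        to them, never full-system access (policy items 2 and 3)."""
        self._apply_auto_sign_off(now)
        if self.current_user is None:
            self._audit(now, None, "access_denied", f"{function}: nobody signed on")
            return False
        if function not in self._permitted.get(self.current_user, set()):
            self._audit(now, self.current_user, "access_denied", f"{function}: not authorized")
            return False
        self._last_activity = now
        self._audit(now, self.current_user, "function_used", function)
        return True
```

Every decision, including the lockout and the automatic sign-off, lands in audit_log with the responsible individual, which is what policy items 9 and 10 ask an auditor to be able to reconstruct.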

Week 5 Quiz 2

1. Threats to information technology include threats to
a. Hardware
b. Software
c. Data
d. All of the above
Answer: D

2. Which of the following is a way of attempting to protect computer systems and data from unauthorized use?
a. Encryption
b. Codes of conduct
c. Restricting access through the use of a passkey
d. All of the above
Answer: D

3. Biometric security methods include
a. Use of passwords
b. Locking the computer room
c. Iris scans, lip prints, and body odor sensors
d. Carrying ID cards
Answer: C

4. To remember her computer system password, hospital nurse Sherri Brinkman taped her password to the back of her name badge. When Mrs. Brinkman lost her name badge recently, it was turned in to hospital security and subsequently the IS department with her password still attached. When Mrs. Brinkman picked up her name badge, she stated she would continue to use her current password. Is this an appropriate way to treat a password? Should she use the same password again? Provide your rationale.
Answer: Looking to see if the student understands the rationale for password security; should have mention of strong passwords, IS security policies, and that the password is the nurse's electronic signature and legal difficulties could occur from misuse.

5. Name two types of networks.
Answer: WAN, LAN, MAN, WLAN

LAB Week 5

This week's lab should be focused on identifying what type of network the school has. Who has used a VPN? How did that work? In the IT Healthcare lab I will walk the students through a VPN connection setup, look at security profiles (authorization), and the different forms of authentication used in the students' lives. Practice should include changing passwords and the use of strong passwords.



More information

NETWORK AND INTERNET SECURITY POLICY STATEMENT

NETWORK AND INTERNET SECURITY POLICY STATEMENT TADCASTER GRAMMAR SCHOOL Toulston, Tadcaster, North Yorkshire. LS24 9NB NETWORK AND INTERNET SECURITY POLICY STATEMENT Written by Steve South November 2003 Discussed with ICT Strategy Group January 2004

More information

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008 INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG What is wireless technology? ITMC TECH TIP ROB COONCE, MARCH 2008 In our world today, this may mean sitting down at a coffee

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Local-Area Network -LAN

Local-Area Network -LAN Computer Networks A group of two or more computer systems linked together. There are many [types] of computer networks: Peer To Peer (workgroups) The computers are connected by a network, however, there

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HANDBOOK 8 NETWORK SECURITY Version 1.0

HANDBOOK 8 NETWORK SECURITY Version 1.0 Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives

More information

Computer Security Policy (Interim)

Computer Security Policy (Interim) Computer Security Policy (Interim) Updated May, 2001 Department of Information Systems & Telecommunications Table of Contents 1. SCOPE...1 2. OVERVIEW...1 3. RESPONSIBILITIES...3 4. PHYSICAL SECURITY...4

More information

A network is a group of devices (Nodes) connected by media links. A node can be a computer, printer or any other device capable of sending and

A network is a group of devices (Nodes) connected by media links. A node can be a computer, printer or any other device capable of sending and NETWORK By Bhupendra Ratha, Lecturer School of Library and Information Science Devi Ahilya University, Indore Email: bhu261@gmail.com Network A network is a group of devices (Nodes) connected by media

More information

Chapter 1 Instructor Version

Chapter 1 Instructor Version Name Date Objectives: Instructor Version Explain how multiple networks are used in everyday life. Explain the topologies and devices used in a small to medium-sized business network. Explain the basic

More information

Computer Networking: A Survey

Computer Networking: A Survey Computer Networking: A Survey M. Benaiah Deva Kumar and B. Deepa, 1 Scholar, 2 Assistant Professor, IT Department, Sri Krishna College of Arts and Science College, Coimbatore, India. Abstract- Computer

More information

Local Area Network By Bhupendra Ratha, Lecturer School of Library and Information Science Devi Ahilya University, Indore Email: bhu261@gmail.com Local Area Network LANs connect computers and peripheral

More information

Computers and Society: Security and Privacy

Computers and Society: Security and Privacy 1 Chapter 12 Computers and Society: Security and Privacy 2 Chapter 12 Objectives 3 Computer Security: Risks and Safeguards What is a computer security risk? 4 Computer Security: Risks and Safeguards 1

More information

eztechdirect Backup Service Features

eztechdirect Backup Service Features eztechdirect Backup Service Features Introduction Portable media is quickly becoming an outdated and expensive method for safeguarding important data, so it is essential to secure critical business assets

More information

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006 Electronic Prescribing of Controlled Substances Technical Framework Panel Mark Gingrich, RxHub LLC July 11, 2006 RxHub Overview Founded 2001 as nationwide, universal electronic information exchange Encompass

More information

Online Backup Solution Features

Online Backup Solution Features CCC Technologies, Inc. 700 Nicholas Blvd., Suite 300 Elk Grove Village, IL 60007 877.282.9227 www.ccctechnologies.com Online Backup Solution Features Introduction Computers are the default storage medium

More information

How To Backup Your Hard Drive With Pros 4 Technology Online Backup

How To Backup Your Hard Drive With Pros 4 Technology Online Backup Pros 4 Technology Online Backup Features Introduction Computers are the default storage medium for most businesses and virtually all home users. Because portable media is quickly becoming an outdated and

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

How To Protect Research Data From Being Compromised

How To Protect Research Data From Being Compromised University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

HIPAA Audit Risk Assessment - Risk Factors

HIPAA Audit Risk Assessment - Risk Factors I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your

More information

Remote Deposit Terms of Use and Procedures

Remote Deposit Terms of Use and Procedures Remote Deposit Terms of Use and Procedures Use of American National Bank Fox Cities (Bank) Remote Deposit service is subject to the following Terms of Use and Procedures. Bank reserves the right to update

More information

Checklist of Requirements for Protection of Restricted Data College of Medicine Departments (v 03/2014)

Checklist of Requirements for Protection of Restricted Data College of Medicine Departments (v 03/2014) hecklist of Requirements for Protection of Restricted ata ollege of Medicine epartments (v 03/2014) These requirements must be met to comply with U data protection policies, including HIPAA Policies and

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines California State Polytechnic University, Pomona Desktop Security Standard and Guidelines Version 1.7 February 1, 2008 Table of Contents OVERVIEW...3 AUDIENCE...3 MINIMUM DESKTOP SECURITY STANDARD...3 ROLES

More information

Introduction to Computer Networks and Data Communications

Introduction to Computer Networks and Data Communications Introduction to Computer Networks and Data Communications Chapter 1 Learning Objectives After reading this chapter, you should be able to: Define the basic terminology of computer networks Recognize the

More information

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Managed Hosting & Datacentre PCI DSS v2.0 Obligations Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version

More information

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution. Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR

More information

Chapter 7 Information System Security and Control

Chapter 7 Information System Security and Control Chapter 7 Information System Security and Control Essay Questions: 1. Hackers and their companion viruses are an increasing problem, especially on the Internet. What can a digital company do to protect

More information

Information Security Policy. Policy and Procedures

Information Security Policy. Policy and Procedures Information Security Policy Policy and Procedures Issue Date February 2013 Revision Date February 2014 Responsibility/ Main Point of Contact Neil Smedley Approved by/date Associated Documents Acceptable

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

Remote Access Security

Remote Access Security Glen Doss Towson University Center for Applied Information Technology Remote Access Security I. Introduction Providing remote access to a network over the Internet has added an entirely new dimension to

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

DHHS Information Technology (IT) Access Control Standard

DHHS Information Technology (IT) Access Control Standard DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of

More information

How To Protect A Hampden County Hmis From Being Hacked

How To Protect A Hampden County Hmis From Being Hacked Hampden County HMIS Springfield Office of Housing SECURITY PLAN Security Officers The Springfield Office of Housing has designated an HMIS Security Officer whose duties include: Review of the Security

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

ABERDARE COMMUNITY SCHOOL

ABERDARE COMMUNITY SCHOOL ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been

More information

COMPUTERS ARE YOUR FUTURE CHAPTER 7 NETWORKS: COMMUNICATING AND SHARING RESOURCES

COMPUTERS ARE YOUR FUTURE CHAPTER 7 NETWORKS: COMMUNICATING AND SHARING RESOURCES COMPUTERS ARE YOUR FUTURE CHAPTER 7 NETWORKS: COMMUNICATING AND SHARING RESOURCES Answers to End-of-Chapter Questions Matching g 1. router o 2. node i 3. ring l 4. hub c 5. star n 6. backbone b 7. latency

More information

Introduction. Ease-of-Use

Introduction. Ease-of-Use Remote Data Backup Introduction Computers are the default storage medium for most businesses and virtually all home users. Because portable media is quickly becoming an outdated and expensive method for

More information

ADM:49 DPS POLICY MANUAL Page 1 of 5

ADM:49 DPS POLICY MANUAL Page 1 of 5 DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The

More information

Advanced HIPAA Security Training Module

Advanced HIPAA Security Training Module Advanced HIPAA Security Training Module The Security of Electronic Information Copyright 2008 The Regents of the University of California All Rights Reserved The Regents of the University of California

More information

How To Protect A Wireless Lan From A Rogue Access Point

How To Protect A Wireless Lan From A Rogue Access Point : Understanding Security to Ensure Compliance with HIPAA Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician s assistants and other

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft) 1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

IT@DUSON. IT Service Desk

IT@DUSON. IT Service Desk IT@DUSON Technology plays a key role in the learning process for nursing students at Duke. This is your guide to the technology used at the Duke School of Nursing and how to request assistance for all

More information

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction Policy: Title: Status: 1. Introduction ISP-S12 Network Management Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1.1. This information security policy document covers management,

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

1 Which network type is a specifically designed configuration of computers and other devices located within a confined area? A Peer-to-peer network

1 Which network type is a specifically designed configuration of computers and other devices located within a confined area? A Peer-to-peer network Review questions 1 Which network type is a specifically designed configuration of computers and other devices located within a confined area? A Peer-to-peer network B Local area network C Client/server

More information

Best Practices For Department Server and Enterprise System Checklist

Best Practices For Department Server and Enterprise System Checklist Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information