Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations



Similar documents
White Paper. BD Assurity Linc Software Security. Overview

Information security guidelines

Preparing BD Systems for Data Migration. Summary of the Upgrade Process on page 6. Copying User Data Files onto an Upgraded System on page 7

TeamViewer Security Information

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

Quick Install Guide - Safe AutoLogon For First-time Users - Installing and Running the Software. Published: February 2013 Software version: 5.

BOWMAN SYSTEMS SECURING CLIENT DATA

TeamViewer Security Information

TeamViewer Security Information

TeamViewer Security Information

Global VPN Client Getting Started Guide

Endpoint Security VPN for Windows 32-bit/64-bit

Manual to Access SAP Training Systems Technical Description for Customer On-Site Training

Estate Agents Authority

DHHS Information Technology (IT) Access Control Standard

File and Printer Sharing with Microsoft Windows

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Rohos Logon Key for Windows Remote Desktop logon with YubiKey token

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Table of Contents. Page 1 of 6 (Last updated 30 July 2015)

RevShield Software Suite Network Security Review

Installing Act! for New Users

Citrix Receiver. Configuration and User Guide. For Macintosh Users

Installing Sage ACT! 2013 for New Users

Activity 1: Scanning with Windows Defender

BeamYourScreen Security

Dell Statistica Statistica Enterprise Installation Instructions

StarWind iscsi SAN Software: Tape Drives Using StarWind and Symantec Backup Exec

FileCloud Security FAQ

SOS Suite Installation Guide

Endpoint Security Client for Mac

Windows 7 Hula POS Server Installation Guide

MIKOGO SECURITY DOCUMENT

Windows OS Security/Critical Patch List for BD Workstations

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0

Research Information Security Guideline

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

Client Security Risk Assessment Questionnaire

Securing Remote Desktop for Windows XP

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

WebEx Remote Access White Paper. The CBORD Group, Inc.

Remote Access End User Guide (Cisco VPN Client)

NETWRIX IDENTITY MANAGEMENT SUITE

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Online Backup by Mozy. Common Questions

StarWind iscsi SAN Software: Challenge-Handshake Authentication Protocol (CHAP) for Authentication of Users

How To Install Help Desk Premier

CHIS, Inc. Privacy General Guidelines

StarWind iscsi SAN Software: Installing StarWind on Windows Server 2008 R2 Server Core

Policy Based Encryption Z. Administrator Guide

ReadyNAS Replicate. Software Reference Manual. 350 East Plumeria Drive San Jose, CA USA. November v1.0

TeamViewer 9 Manual Remote Control

How To Set Up Dataprotect

Remote Maintenance, Support, Home Office and Presentations

HP ProtectTools Embedded Security Guide

Centran Version 4 Getting Started Guide KABA MAS. Table Of Contents

Policy Based Encryption E. Administrator Guide

TeamViewer 8 Manual Remote Control

Policy Based Encryption E. Administrator Guide

ScoMIS Encryption Service

Diamond II v2.3 Service Pack 4 Installation Manual

Important. Please read this User s Manual carefully to familiarize yourself with safe and effective usage.

Supplier Information Security Addendum for GE Restricted Data

HIPAA: The Role of PatientTrak in Supporting Compliance

BlackShield ID Agent for Remote Web Workplace

Network Setup Instructions

Cyber Security: Software Security and Hard Drive Encryption

UCLH VPN User Guide. January VPN User Guide v

ecstudent-ts Terminal Server How to Use

Project management integrated into Outlook

NetWrix USB Blocker. Version 3.6 Administrator Guide

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Contents Notice to Users

Guide to Installing BBL Crystal MIND on Windows 7

Verizon Remote Access User Guide

QUANTIFY INSTALLATION GUIDE

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Security Analytics Engine 1.0. Help Desk User Guide

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

ViPNet ThinClient 3.3. Quick Start

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Section 12 MUST BE COMPLETED BY: 4/22

How to Connect to Remote Desktop & How to Use Cisco AnyConnect Secure Mobility Client Secure VPN Connection

Accessing the Media General SSL VPN

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

WhatsUp Gold v16.2 Installation and Configuration Guide

White Paper. Software version: 5.0

AT&T Global Network Client Client Features Guide. Version 9.6

CITY OF BOULDER *** POLICIES AND PROCEDURES

IPSec VPN Client Installation Guide. Version 4

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Security from the Ground Up eblvd uses a hybrid-asp model designed expressly to ensure robust, secure operation.

The City of New York

BorderGuard Client. Version 4.4. November 2013

SECURITY DOCUMENT. BetterTranslationTechnology

This guide provides all of the information necessary to connect to MoFo resources from outside of the office

Procedure Title: TennDent HIPAA Security Awareness and Training

Transcription:

Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations 11/2010 This document includes the following topics: About this guide (page 2) TeamViewer remote desktop support software (page 3) Security configuration of BD Biosciences workstations (page 9) Organizational security and data privacy measures (page 12) Recommendations for practical security measures (page 14)

2 Remote Support Security Guidelines About this guide About this topic This topic describes the information contained in this guide. Guide contents This guide is intended to provide information and recommendations to customers to ensure maximum security when using BD Biosciences workstations and the BD Remote Instrument Support Solution. It describes the security features and operation of the BD Remote Instrument Support solution on BD Biosciences workstations that have BD FACSDiva software, BD FACSCanto Clinical software, BD FACS SPA software or BD FACSArray software. Who should read this guide All IT administrators and users of BD Biosciences workstations which will be connected to the internet for the purpose of enabling the BD Remote Instrument Support solution. Where to store this guide This information should be stored near the BD Biosciences workstation for reference.

Remote Support Security Guidelines 3 TeamViewer remote desktop support software About this topic This topic describes the functionality and inherent security features of the TeamViewer remote desktop support software. In addition this topic describes the TeamViewer software installation and subsequent configuration required to maximize security. Details on how to use the application are also provided. Responsibility BD is responsible for the installation of the TeamViewer application on BD Biosciences workstations. During installation BD will apply all TeamViewer configuration options required for safe and secure operation of the software. It is the responsibility of the customer to ensure that the TeamViewer software is used in accordance with the BD guidelines provided in this document to ensure continued security of the solution and to prevent any impact on the routine operation of BD software and instruments. Warranty and liability BD does not provide any warranty with respect to the TeamViewer software. BD recommends that the TeamViewer software is not used during routine operation of BD software on a BD Biosciences workstation or during routine operation of the instrument connected to a BD Biosciences workstation. The TeamViewer application must only be started when instructed to do so by a BD support representative. About TeamViewer TeamViewer is a software solution for desktop sharing, allowing remote access and support over the internet. TeamViewer software is manufactured in accordance with the ISO 9001:2008 quality standard guidelines. The product has passed a security review qualifying it for use on the bank workstations of major banking institutions. Teamviewer is in use in several healthcare institutions. TeamViewer is a widely known tool used today by more than 100.000.000 users spread over more than 200 countries.

4 Remote Support Security Guidelines TeamViewer security features TeamViewer has the following unique combination of security features: An on-demand connection session of TeamViewer software is hosted on the BD Biosciences workstation. A connection to the BD Biosciences workstation will only be available once the operator has started the TeamViewer application. Connection is established directly over the internet via a Master server hosted by TeamViewer GmbH. Connectivity is established over TCP or UDP and data is transferred via http tunnelling. TeamViewer works with complete encryption based on RSA public/private key exchange and AES (256 bit) session encoding. Data can only be deciphered using the private key of the client application. Since this private key is never communicated during the communication session, interconnecting systems cannot decipher transmitted data. Each TeamViewer client has a unique Partner ID which is automatically generated by TeamViewer based on the hardware characteristics of the BD Biosciences workstation. The Partner ID is validated on a Master TeamViewer server prior to every connection. During each session the TeamViewer client will create a unique password. A two factor authentication consisting of the Partner ID and session password is required for a remote support representative to connect. TeamViewer prevents brute-force attacks by exponentially increasing the amount of time between failed connections. 24 Failed attempts will take 17 Hours. Latency is only reset after entering the correct password. TeamViewer software is signed using VeriSign Code Signing technology, ensuring that the publisher of the software executables can always be identified. TeamViewer servers are located in a highly modern data centre with all the required redundancy features built in to ensure availability of service. Physical access to the data centre is only possible after a thorough identity check through a single entrance gate. CCTV, intrusion detection, 24/7 surveillance and on-site security personnel protect TeamViewer servers against attacks from within. Detailed information on TeamViewer security can be found online at www.teamviewer.com

Remote Support Security Guidelines 5 TeamViewer Applications Two TeamViewer applications are used to allow for remote desktop support of BD Biosciences workstations: TeamViewer Manager: This application is installed on the desktops of BD remote support personnel. It is used to store partner details in a database that can be shared with other BD support personnel. In addition the application will keep an audit trail recording the date, time and length of remote support sessions. BD will take proper care to ensure that partner details are only shared with the local BD service organization of the customer. TeamViewer All-In-One: This application is installed on the desktops of BD remote support personnel and on the customer s BD Biosciences workstation. On the BD Biosciences workstation the application will be started in host mode to allow a BD remote support representative remote access to the workstation of the customer. On the desktop of the BD remote support personnel the application is launched in client mode and used to connect to the customer s Biosciences workstation. TeamViewer installation and configuration The following configuration options will be applied during installation of TeamViewer to ensure the application can be used securely: TeamViewer will not be installed as a service but must be launched manually when remote support is required. When the application is closed it will exit as opposed to minimizing to the Windows application tray. TeamViewer will be configured to generate a new unique secure 6 digit password using a mixture of numbers and upper and lowercase letters at the start of each remote support session. It is possible to generate secure 10 digit passwords containing a mixture of numbers, upper and lower case letters and punctuation. However this may make it more difficult for the user to accurately convey the password to the BD remote support representative. Access to other computers in the remote (customer) network can be activated at the discretion of the IT administrator. To minimize user interaction, the option to view and control the remote desktop (instrument workstation) will be automatically enabled after launch of the application by the customer. The customer may choose to change this setting to allow access only after having given confirmation. The ability to transfer files from the customer s workstation to the BD network will be configured as either After confirmation or Denied depending on the preference of the customer and IT administrator. Details of remote control sessions will be automatically logged and stored by BD.

6 Remote Support Security Guidelines Once TeamViewer has been installed on the BD Biosciences workstation, the BD support representative will record the unique Partner ID that was generated for the workstation. The unique Partner ID will be communicated to the data privacy and security administrator for the local BD service organization. The unique Partner ID will be recorded in the TeamViewer Manager database at the customer s local BD service organization. It will therefore not be necessary for BD support personnel to request the unique Partner ID from the customer before initiating a remote support session. If the unique Partner ID should, however, be lost due to unforeseen circumstances, the partner ID should only be communicated to the data privacy and security administrator of the local BD service organization. This should either be done by a BD support representative when visiting the customer s site or by someone within the customer s organization who has been authorized by the organization to deal with Data Privacy and / or remote access security. TeamViewer operation If a remote support intervention is required, a BD remote support representative will contact the customer by phone and instruct the customer to launch the TeamViewer application. A shortcut to the TeamViewer application will be available on the desktop of the BD Biosciences workstation. Figure 1 - TeamViewer shortcut In order to host a remote support session on the workstation, the user must launch the TeamViewer application by double clicking the shortcut. Caution! The TeamViewer application must not be operated while the BD Biosciences workstation software and / or connected instrument are used for routine sample processing. The application should only be launched to allow a BD representative access for remote support. The application must be closed before routine sample processing is performed. Once the TeamViewer application has been launched, a new session password will be generated. The user must communicate the session password by telephone to the BD remote support representative.

Remote Support Security Guidelines 7 Figure 2 - TeamViewer application showing the Partner ID and session password Caution! The Partner ID should already be known to the BD remote support representative. If the customer is requested to provide the Partner ID to the BD remote support representative, the customer should only do so if he/she has initiated the telephone call to BD. The Partner ID should not be provided to anyone that has contacted the customer to initiate a remote support session! After the remote support session has been established, the BD remote support representative will take control of the BD Biosciences workstation desktop. The user may receive a prompt from TeamViewer to confirm access for the BD remote support representative to take remote control of the desktop. If the user wants to allow remote control of the BD Biosciences workstation, the user has to click Yes to grant access. Figure 3 - Remote Control confirmation dialog During the remote support session the desktop background of the BD Biosciences workstation will become grey to indicate a remote support session is in progress. The user will be able to see all the actions performed by the BD remote support representative. The TeamViewer application will be minimized above the Windows system tray from where the user will have access at all times to disable input from the remote support representative. To disable remote input, the user can click on the mouse icon within the TeamViewer status window.

8 Remote Support Security Guidelines Figure 4 - Remote input disabled To re-enable remote input, the user should click the mouse icon in the TeamViewer status window again. Figure 5 - Remote input enabled The remote session can be terminated at any point by clicking the red cross within the TeamViewer status window. TeamViewer records all remote sessions in an audit log which is stored on the BD Biosciences workstation. In addition, TeamViewer Manager maintains an audit log which records the user name and length of connection for each remote session initiated from BD. The additional TeamViewer Manager log can be supplied to the customer upon request. Once the remote support session is terminated, the BD Biosciences workstation desktop background will be restored. The user must close the TeamViewer application before commencing routine sample processing using BD Biosciences software and / or the instrument connected to the workstation.

Remote Support Security Guidelines 9 Security configuration of BD Biosciences workstations About this topic This topic describes the configuration of the BD Biosciences workstation to ensure a reasonable level of security for systems connected to the internet. Before getting started Please refer to the Information Security Guidelines document (23-11718-00 REV. 01) for recommendations on how to manage Antivirus software and Microsoft Updates on BD Biosciences workstations. This document can be downloaded at www.bdbiosciences.com/eu/support/resources/information_sec urity Responsibility and liability BD is responsible for configuring the BD Biosciences workstation to ensure reasonable security is applied when connecting to the internet. It is the responsibility of the customer to ensure that the guidelines stipulated in the Information Security Guidelines document are implemented to ensure that Antivirus and Windows Updates are installed and maintained on the BD Biosciences workstation. It is the customer s responsibility to ensure that all routine users have a limited Windows user account to access the BD Biosciences workstation. The use of Windows Administrator accounts should be restricted for the use of customer s IT administrator(s) and BD service personnel. BD strongly advises against the installation of additional security related software above and beyond Antivirus and Microsoft Security Updates on the BD Biosciences workstation. Doing so will invalidate any regulatory or quality marking the system may carry. BD will not be liable for any impact of additional software on the quality of the results produced by BD Biosciences software and / or instrumentation if any additional software has been installed on the BD Biosciences workstation. Workstation configuration In order to allow users to operate BD Biosciences software using standard Windows user accounts, the following user account configuration will be performed on the BD Biosciences workstation by BD: A standard Windows account is created for each operator of the BD Biosciences workstation / instrument. Operator accounts are added to a local user group. Access permissions for BD Biosciences software and 3 rd Party programs are configured to allow full access for all members of the local user group.

10 Remote Support Security Guidelines In order to allow users to operate BD Biosciences software using standard Windows user accounts, the following user account configuration will be performed on the BD Biosciences workstation by BD: A standard Windows account is created for each operator of the BD Biosciences workstation / instrument. Operator accounts are added to a local user group. Access permissions for BD Biosciences software and 3 rd Party programs are configured to allow full access for all members of the local user group. The following local Account Policies may be enforced as required by the customer s IT administrator: Enforce password history 3 passwords remembered or a setting that conforms to the Group policy in use by the customer. Maximum password age 60 days or a setting that conforms to the Group policy in use by the customer. Minimum password age 1 day or a setting that conforms to the Group policy in use by the customer. Minimum password length 8 characters or a setting that conforms to the Group policy in use by the customer. Password must meet complexity requirements Enabled. Can be disabled at the discretion of the customer and / or local IT administrator. The following Account Lockout Policies may be enforced as required by the customer s IT administrator: Account lockout duration 30 minutes or a setting that conforms to the Group policy in use by the customer. Account lockout threshold 5 invalid logon attempts or a setting that conforms to the Group policy in use by the customer. Reset account lockout counter after 10 minutes or a setting that conforms to the Group policy in use by the customer. The following local security Audit policies may be enforced as required by the customer s IT administrator: Audit account logon events Success and Failure Audit account management - Success and Failure Audit logon events Success and Failure Audit object access Success and Failure Audit policy change Success and Failure Audit privilege use Success and Failure Audit system events Success and Failure

Remote Support Security Guidelines 11 The following Security Options may be enforced as required by the customer s IT administrator: Interactive logon: Do not display last user name Enabled or a setting that conforms to the Group policy in use by the customer. Interactive logon: Do not require CTRL+ALT+DEL Disabled or a setting that conforms to the Group policy in use by the customer. Interactive logon: Prompt user to change password before expiration 14 days or a setting that conforms to the Group policy in use by the customer. At the discretion of the customer and / or local IT administrator, access to USB storage devices can be disabled.

12 Remote Support Security Guidelines Organizational security and data privacy measures About this topic This topic describes the organizational security measures implemented by BD to ensure reasonable security for the BD Remote Instrument Support Solution. Data Privacy BD has defined and implemented an Instrument Remote Support Privacy Procedure to comply with applicable privacy laws and to ensure that: Remote access to a customer s network and instrumentation will only be implemented in agreement with the customer. Training is provided for all BD support personnel to understand and comply with BD s internal data privacy policy. All BD personnel that may inadvertently be exposed to Protected Health Information (PHI) as a consequence of supporting our customers understand their responsibility to maintain such information in confidence. All BD support personnel sign a non-disclosure of PHI agreement. Auditable records are kept of each customer with whom remote service has been agreed upon, detailing the end and termination of the agreement. Records will also be kept in the event of remote service being provided by a third party if agreed with the customer. Organizational Security Measures BD has implemented a range of organizational measures to ensure information access and control can be managed in a secure fashion. These measures include, but are not limited to: A comprehensive security management system to ensure users are only given access to information and information systems as required by their role in the organization. User training and awareness on data privacy and confidentiality. Physical security measures to ensure that non-authorized users cannot enter BD premises. This includes physical access restrictions to data servers and data hosting environments for non-authorized personnel. Access to and permissions on BD business desktops, laptops and data and application servers are controlled through a mixture of two factor authentication and Microsoft Group policies. Additionally Virtual Private Network (VPN) authentication is required for users accessing the systems from outside the BD network. Password complexity and expiration policies are in place to ensure that passwords cannot be easily compromised. Systems connected to the BD network are protected from external security risks with a combination of hardware firewalls, Antivirus software, Intrusion Prevention Systems and regular updating with Microsoft Security Updates.

Remote Support Security Guidelines 13 Hard disks of decommissioned computers are erased using DOD compliant software. This software will erase the contents of the hard disk multiple times to ensure no remaining data remains on the hard disk. Access and use of BD information systems is auditable. BD personnel is trained on and expected to comply with the Acceptable Use policy of BD business systems and Information Systems. Random checks are carried out by BD to ensure all personnel act according to this policy. BD conducts random audits to ensure that the internal data privacy policy is respected and that any deviations from the policy are addressed in a timely manner.

14 Remote Support Security Guidelines Recommendations for practical security measures About this topic This topic describes additional practical security measures that can be implemented by the customer s organization to improve the overall security of BD Biosciences workstations that may be connected to the customer s network and the internet. Practical security measures The guidelines outlined in this document do not prevent the customer from implementing any of the following security or organizational measures to safeguard the data on BD Biosciences workstations provided they do not involve the installation of third party components on the workstation. 1. Information Security Management System/Privacy and Data Protection Management System 2. Physical Security 3. Access Controls 4. Security and Privacy Technologies 5. Awareness, training and security checks in relation to personnel 6. Incident/Response Management/Business Continuity 7. Audit Controls/Due Diligence

2010, Becton, Dickinson and Company. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in retrieval systems, or translated into any language or computer language, in any form or by any means: electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission from BD Biosciences. The information in this document is subject to change without notice. BD Biosciences reserves the right to change its products and services at any time to incorporate the latest technological developments. Although this guide has been prepared with every precaution to ensure accuracy, BD Biosciences assumes no liability for any errors or omissions or for any damages resulting from the application or use of this information. BD Biosciences welcomes customer input on corrections and suggestions for improvement. TeamViewer is a registered trademark of TeamViewer GmbH and/or its affiliates in Germany and/or other countries. Microsoft and Windows are registered trademarks of Microsoft Corporation in the Unites States and/or other countries. BD, BD Logo and all other trademarks are property of Becton, Dickinson and Company. 2010 BD EUR SPP 10-02 11/2010 BD Biosciences European Customer Support Tel 32.2.400.98.95 Fax 32.2.401.70.94 help.biosciences@europe.bd.com www.bdbiosciences.com/eu

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information