
May 31, 2010

Caring for Archives

Physical maintenance of the records

All metal paper clips, rusting staples, and rubber bands should be removed.

Documents should be kept in containers that keep dust out.

Large items should be stored flat.

The ideal storage area for records:

Amenable to consistent environmental control (temperature and humidity)

No water pipes running nearby

Little or no natural light

Why does paper deteriorate?

Wood pulp = acid content = slow burn

Any paper manufactured since the mid-19th century, unless it is of the type designated permanent/durable or acid-free, has an expected useful life of less than fifty years.

What is the best defense against paper deterioration?

  

Environmental controls

A chemical reaction is taking place in acidic paper, and this reaction is accelerated by high temperatures and high humidity

Ideal temperature: 60-68 degrees F

Ideal relative humidity level: 40-60%

If ideal conditions cannot be reached, try to maintain

CONSISTENT conditions

Preservation common sense:

Some records are valuable as physical artifacts while others are valuable primarily for the information they contain.

For some deteriorating items, photo-copying them onto acid-free paper and discarding the originals makes more sense than spending money to deacidify, repair, or encapsulate them.

Optical scanning and digitization produce access copies that spare the originals from handling, but the digital files themselves need ongoing migration (see electronic records below) and are not by themselves a stable preservation medium.

  

Repairing materials:

NEVER use cellophane tape

Get some basic supplies:

archival repair tape

wipe cloths

acid free paper

  

Special needs for photographs

1) Never label photographs on their reverse with ballpoint pen. The ink may bleed through to the front. Reference numbers on mounts should be written discreetly in light-resistant ink. Reference numbers on the back of photographs that have not been mounted can be written with a soft pencil that leaves a clear mark.

2) If possible, put photographs in chemically stable polyester or paper sleeves (e.g., made of a material such as Mylar, or acid-free paper.) Such sleeves help prevent curling of photographs and reduce physical contact with the photos. It is also possible to label the sleeves with identifying information or to insert a separate written label inside the sleeve.

3) If it is not feasible for you to use sleeves, be sure to store the photographs in such a way that they will not curl over time and will not be subject to excessive handling.

4) Photographs should be handled with cotton gloves, or held by the edges to avoid skin contact with the image.

5) Photographs are very susceptible to water damage and should not be stored near sources of water. If you ever have a flood situation in the archives, be sure to rescue the photographs first.

6) Photographs are susceptible to insect damage, so may be best stored in a metal container if insects are likely to be a major problem.

7) Photographs should not be scanned or photocopied repeatedly.

  

Special needs for films and videos

Be aware of the dangers of nitrate film

Make a video cassette use copy for films.

Store videos upright with tape on bottom.

Rewind films and videos periodically

  

Electronic records:

The conservative stance for a repository to take regarding electronic records is to require that all records be deposited in hard copy.

This stance will be increasingly untenable as organizations and individuals wholeheartedly enter the electronic age.

Even now, there is a danger in requesting hard copy printouts of records to be saved. The extra steps of selecting and printing records to be saved will inevitably limit the number and variety of records saved.

  

Basic strategies for preserving electronic data:

Medium refreshing: copying data from one physical carrier to another of the same type, e.g. backing up a hard drive, diskette, or CD ROM.

Medium conversion: transferring electronic data from one medium to another – this might mean transferring to a non-digital medium.

High quality acid neutral paper can last a century or longer and archival quality microfilm is projected to last 300 years or more. Paper and microfilm have the additional advantage of requiring no special hardware or software for retrieval or viewing

Format conversion: converting the data format in order to reduce the number of different formats being used in a particular setting, e.g. converting WordPerfect word processing files to a Word format.

Migration: converting the data so that it can operate with different hardware and software than originally intended. This could involve transferring data to a central server or computer housed in the archives.

The most important thing that an archivist can do at this point is to work with those generating the records to raise their consciousness about the problems involved in preserving electronic data. If records are received in electronic format, repositories may need to reformat them at intervals to avoid obsolescent formats and the need for obsolete hardware.

A schedule should be put in place, and a particular person made responsible, to intentionally verify at specific intervals that the following types of electronic data are still readable:

Email
Word processing and web documents
Databases.
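One way to make the readability check above repeatable is to keep a checksum manifest for the electronic holdings and re-verify it at every scheduled interval. The following Python is an added example and not part of the original notes: it builds a SHA-256 manifest over a directory, stores it as manifest.json beside the files, and on the next pass reports what still verifies, what changed (bit rot or an accidental edit), what went missing and what appeared unlisted. The file names and contents in demo() are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB blocks so large holdings do not load into memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its digest; skips the manifest itself."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != "manifest.json":
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current contents of root against a stored manifest."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed holdings: write a manifest, then simulate a flipped byte and a lost file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "email").mkdir()
        (root / "email" / "board-2009.mbox").write_bytes(b"From board@example.org ...\n")
        (root / "minutes-1998.doc").write_bytes(b"\xd0\xcf\x11\xe0 minutes")
        (root / "members.csv").write_bytes(b"id,name\n1,Alice\n")

        manifest = build_manifest(root)
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Between two scheduled checks: one byte of the .doc rots, the .csv is lost.
        data = bytearray((root / "minutes-1998.doc").read_bytes())
        data[0] ^= 0x01
        (root / "minutes-1998.doc").write_bytes(bytes(data))
        (root / "members.csv").unlink()

        stored = json.loads((root / "manifest.json").read_text())
        return verify_manifest(root, stored)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:10s} {names}")
```

On a real holding, call build_manifest() once at accession and verify_manifest() on the schedule; a "changed" entry is the cue to restore the file from the refreshed copy, not to re-hash it. Whether the format itself can still be opened (can anything still read the .doc?) is a separate check that a checksum cannot answer.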

Disaster preparedness

A disaster plan in the event of fire or flood should be an integral part of any repository's program.

It is important to have the plan in written form because of potential chaos and confusion at the height of the emergency

If there should be water damage, it is best to rescue photographs, microfilm, and any materials with coated paper first.


May 08, 2010

Best Practices for Virus Protection

First and Foremost, Define your Security Policy

Virus Protection has to be part of your security policy because viruses are security threats.

What factors should you consider when designing security appropriate to your operation?

1. The number and density of personal computers

If your company has many PCs or if there is a high ratio of computers to employees, your procedures should be more formal and extensive.

2. The extent to which computers are interconnected

Note that interconnection does not have to be via a network. If data is routinely moved from one computer to another via "sneaker net" (copying to a floppy disk and walking it across the room to the other computer), your computers are interconnected. The factor you must consider is the extent to which data is moved between computers, not the number of feet (or miles) of wire connecting them.

3. The number of locations where computers are used

To the extent that computers are physically located at a distance, more people will have to coordinate their security activities. In addition, they will have to agree on what procedures are appropriate. Remember, coordination problems increase in proportion to the square of the number of people involved.

4. The pace of operations

Some businesses simply operate at a faster pace than others. Examples include securities brokerage houses, travel agents and airline reservation operations. All other things being equal, a currency trading unit will work at a faster pace than a research laboratory. The faster the pace of operations, the greater the degree of protection required, because the rate at which new data is generated is proportional to the pace of operations. More data equals greater risk!

5. On-line real-time operations

If a PC-based network is used to support an on-line operation, the highest possible level of anti-virus security is necessary. For example, suppose the LAN is used to capture data recorded from a technical support operation. Telephone calls come in and the information from them is logged by technical support people typing much of the information into their computers. There is one (and only one) chance to capture the data. Even daily backup procedures are not sufficient to protect this irreplaceable database.

After defining your policy, choose a vendor that can help you implement and execute it.


Criteria for choosing an enterprise wide system

· Detection

· Cost of ownership

· Completeness of virus protection offering

· Manageability

· Internet and Firewall protection

· Reporting and Alerting function

· Market Share

· Research and Development

Good virus protection should guard against the damage computer viruses pose to an organization. Preventive steps need to be taken to:

· Eliminate viruses currently in the organization

· Guard against the entry of computer viruses into the corporate network

· Eliminate the distribution and spreading of viruses within the network.

o Workstation PCs: A common way computer viruses enter a network is through removable media such as external drives, thumb drives, floppy disks, CD-ROMs, Zip drives, etc. Another way viruses enter the network through a workstation is via e-mail attachments. Once an infected attachment is executed, the workstation is infected, and the infected files can then be distributed across the network.

o Servers: Networked file and application servers are distribution points for computer viruses. End users use servers to publish and share information, and when shared files are infected, the infection spreads with them, causing a greater degree of damage to the network.

o E-mail: Information from outside the corporate network often arrives via e-mail, which makes it an entry point for computer viruses. Messages and attachments are often forwarded to multiple users within the network and, if infected, can cause widespread damage. E-mail is both an entry point and a distribution mechanism for computer viruses.

o Internet: Immediate access to information via the Internet is essential in today's business world, but it also exposes the corporate network to risk, including the risk of virus infection. Informational files, applications, and games downloaded from the Internet may be infected, making downloads an entry point into the network. Once the files are opened or executed, the device is infected.
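Because an attachment only does damage once it is executed, the useful control at the workstation and e-mail entry points is to stop executable content before a user can run it, whatever the file is called. The following Python is an added example and not part of the original post: it applies the checks a mail gateway or workstation agent would run on an attachment's name and first bytes. The extension deny list and the expected-signature table are assumptions chosen for illustration, and the sample attachments in quarantine_demo() are constructed.

```python
# Extensions that should not arrive as mail attachments (assumed deny list for this example).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "dll", "msi", "reg",
}

# Leading bytes expected for extensions that are allowed through (assumed table).
EXPECTED_MAGIC = {
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",),
    "xls": (b"\xd0\xcf\x11\xe0",),
    "png": (b"\x89PNG",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def classify_attachment(filename: str, content: bytes) -> list:
    """Return the reasons an attachment should be quarantined (empty list if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. Extension on the deny list, e.g. report.exe
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")

    # 2. Double extension borrowing a harmless one, e.g. invoice.pdf.exe
    if len(parts) > 2 and parts[-2] in EXPECTED_MAGIC:
        reasons.append(f"double extension .{parts[-2]}.{ext}")

    # 3. Windows PE content regardless of name: every EXE/DLL/SCR starts with 'MZ'
    if content[:2] == b"MZ":
        reasons.append("PE executable content (MZ header)")

    # 4. Allowed extension whose bytes do not match its format
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(content.startswith(m) for m in expected):
        reasons.append(f"content does not match .{ext} signature")

    return reasons


def quarantine(attachments: dict) -> dict:
    """Map each flagged attachment name to its reasons; clean attachments are omitted."""
    flagged = {}
    for name, data in attachments.items():
        reasons = classify_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


def quarantine_demo() -> dict:
    # Constructed attachments, not real samples: only the leading bytes matter here.
    mailbox = {
        "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
        "minutes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
        "setup": b"MZ\x90\x00",
    }
    return quarantine(mailbox)


if __name__ == "__main__":
    for name, reasons in quarantine_demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

These checks only catch the disguises that need no signature to recognise; the vendor's signature scanner still has to run on whatever passes. Archives (zip) have to be opened and each member passed through the same function before release.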


HIPAA - Virus Prevention Plan

Purpose

Computer anti-virus protection has the purpose of ensuring system integrity and substantially reducing the risk of data loss and business disruption in the event of a virus attack on Health Care Providers computer systems. It is the goal of the Health Care Providers that all viruses are detected and contained at the perimeter of the business environment, and that as a result, Health Care Providers does not experience any virus incidents. However, because of the ever-changing types of viruses, as well as the high risk of business disruption in the event of a virus infection, measures must be taken to not only prevent any occurrence of a virus, but also have a contingency plan for addressing potential infections.

  

Background

A virus is a piece of code that replicates by attaching itself to other programs or files. When these files are run, the virus is invoked and can further replicate itself.

A Trojan horse is a piece of code embedded in a useful program for malicious purposes. A Trojan horse differs from a virus in that it does not try to replicate itself to other programs.

A worm is a program that replicates by running copies of itself across a network. A single piece of malicious code can exhibit both virus and worm characteristics.

  

Departments Affected

This policy applies to anyone using Health Care Providers computer systems. For purposes of this policy, these people are referred to as "users." This policy applies to all Information Technology computer systems at Health Care Providers. Personal computers, servers, networking equipment, as well as telephone switches are considered to be Information Technology systems for the purpose of this policy.

  

Risk Analysis

Virus infection of Health Care Providers threatens the company business in four distinct areas.

  

Threats to data

Viruses have the potential to have a direct action on data integrity. There will be inaccessibility to data while the infection is investigated and data cleaned and restored. This could cause the suspension of business activities and potentially services to customers and employees.

  

Threats to systems

Viruses have the potential to corrupt or destroy system software and / or services. There will be inaccessibility to systems while the infection is investigated and system cleaned and restored. This could cause the suspension of business activities and potentially services to customers and employees.

  

Threats to reputation

Viruses have the potential to affect our business relationships if the external world learns of the virus infection or its consequences, or if customers are inadvertently infected from our systems. The potential for Health Care Providers to appear insecure or uninformed could have serious consequences to our business reputation.

  

Threats to finances

Viruses have the potential to affect Health Care Providers finances due to the costs associated with dealing with the virus infection. The costs can be a threat from three areas:

1) The cost in time of cleaning, repairing and recovering from the infection;

2) The cost of interruption to Health Care Providers services; and

3) The potential legal costs due to suspension of services, infecting members, etc.

  

Prevention Plan

Because of the many potential entry points for virus threats, there is no single solution that allows Health Care Providers to combat viruses at a single point in their computer network. The technology defenses against virus infection must include a three-tier approach that spans from the systems that provide basic WAN connectivity, to the network servers, to the desktop, where end users perform their everyday tasks.

 

Infrastructure Backbone

The highest level of the Health Care Providers enterprise, the infrastructure backbone, provides e-mail messaging, switching, directory, routing and proxy services. These services are also linked to external communications such as SMTP e-mail connectivity, Web browsing, and partner and remote access connectivity. In most cases, there is no end-user data stored on these servers and little to no direct member interaction.

 

The goal of anti-virus protection at the infrastructure backbone level is to ensure viruses are detected and contained prior to entering the business environment. Virus protection at the backbone infrastructure level must encompass a number of services, including:

E-mail: SMTP and X.400 gateways.

HTTP, FTP, and any other external file transfer mechanisms

Virus Protection for Infrastructure Backbone

At the backbone level, virus protection is provided through the use of virus scanning of incoming emails using "Corporate AV" Server Enterprise anti-virus. Updates to virus signature files are implemented upon receipt from the software vendor.

I would suggest that we add scanning of ALL incoming and outgoing data packets at the firewall level if possible.

  

Network Servers

At the middle levels of the tier, the network servers provide local mailbox and file and printer services. This middle level hosts the servers that users directly access to retrieve, store, and send messages, print documents, and store internal records such as databases, spreadsheets, documentation, employee information and other sensitive and / or confidential information.

Virus protection at the middle level must encompass a number of services, including:

Mailbox and public folder scanning utilities for Exchange Server.

File-based scanning utilities.

A process, either automated or not, to update virus checking signature files.

Custom utilities that may target specific viruses or security alerts

  

Virus Protection for Network Servers

At the network server level, virus protection is provided through the use of virus scanning software on the servers providing shared drive access, using "Corporate AV" anti-virus software. Signature updates received from the software vendor are pushed to the servers by the administrators manually, on a weekly basis.

  

Desktops

The desktop level is the entry point for the majority of data within Health Care Providers. The desktop is where the clients interact with client-side applications to read, create, send, and in some cases, store local messages and files. Desktops are differentiated from the local and backbone servers by performing numerous tasks such as word processing, spreadsheet and database manipulation, and Internet browsing.

Virus protection at the desktop level should encompass:

Real-time and scheduled scanning capabilities, including scanning of all files on the local hard drive, thumb drives and floppies.

A process, either automated or not, to update signature files on all client computers.

  

Virus Protection for Desktops

At the desktop system level, virus protection is provided through the use of virus scanning client software, using "Corporate AV" anti-virus software. Signature updates received from the software vendor are released to desktops weekly.

 

Virus Management Plan

Health Care Providers deals with viruses and virus threats within a triage plan. The following steps explain the plan at a high level.

Escalation Plan (Preparation)

The escalation plan should include:

List of all parties to be contacted if a virus threatens

Who is on the anti-virus team

Severity levels (potential risk, business disruption or virus type) and action triggers for each level

 

Early Detection

This should include how new viruses and threats are researched, reported and prevented (vendor web sites, news organizations, security forums, etc.). It should also address how and to whom employees report virus warnings or suspicious behavior.

 

Assembling a "High Performance" Team

Once a potential virus outbreak is detected, the next phase is to assemble a "high performance" anti-virus team, if applicable. This team has representatives from the following areas: help desk, operations, desktop support, Windows NT Administration, IT security, and an authorized executive. Each representative needs to have at least one backup and be reachable 24 hours a day, 7 days a week

  

Stop the Infestation

The team's first responsibility is to immediately stop the increase of infection. If a messaging system, file transfers, or a Web site is transporting the virus, those systems need to be identified and neutralized. Neutralizing a system may mean taking the system offline or moving its data to a safe location (repository) for further analysis. It is extremely important to understand the virus. Does it destroy data or applications? Can it replicate or copy itself? How is it transported? Most of the virus protection software companies publish details about known viruses on their Web sites.

  

Communications

This portion of the plan should address how notification of the virus infection is communicated to the administrators, help desk and end users, and who should get what communications.

Various means of communication exist (Web sites, voice mail, electronic mail, inter-office memos, etc.) but some may be rendered useless by outages caused by the virus.

  

Systems Cleanup

This portion of the plan should identify the tools available to clean up and restore systems after an infection, and the testing and distribution of those tools to the desktops and servers in the company. These tools can be any of the following: standard file-based scanning utilities, product-specific utilities, or custom utilities created by virus protection software vendors.


May 07, 2010

PCI Validation


May 06, 2010

Standardization

Standardization is an approach to business and IT that reduces cost and simplifies change, based on :

Industry-standard architectures

  

Reusable components

  

Consistent implementation


May 01, 2010

ISO 17799, 2700x and COBIT Quick Notes

This standard contains 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment.

 

1) Security Policy

 

2) Organizing Information Security

 

3) Asset Management

 

4) Human Resources Security

 

5) Physical and Environmental Security

 

6) Communications and Operations Management

 

7) Access Control

 

8) Information Systems Acquisition, Development and Maintenance

 

9) Information Security Incident Management

 

10) Business Continuity Management

 

11) Compliance

 

ISO 27001 Domains to focus on:

 

4. Establish an ISMS

 

4.1 Study ISMS requirements

 

4.2 Develop your ISMS

 

4.3 Document your ISMS

 

5. Manage your ISMS

 

5.1 Show that you support your ISMS

 

5.2 Manage your ISMS resources

 

6. Audit your ISMS

 

 

Establish an audit procedure

 

Plan your internal audits

 

Conduct internal audits

 

Take remedial actions

 

7. Review your ISMS

 

7.1 Perform management reviews

 

7.2 Examine management review inputs

 

7.3 Generate management review outputs

 

8. Improve your ISMS

 

8.1 Continually improve your ISMS

 

8.2 Correct  nonconformities

 

8.3 Prevent nonconformities

 

The COBIT-based security baseline, providing key controls and mapping to ISO 17799

 


1) Information security survival kits, providing essential awareness messages
 

2) IT governance guideline

 

3) Generic IT process guideline

 

4) For each of the 34 IT processes

 

• One maturity model

 

• 5 to 7 KGIs    Key Goal Indicators

 

• 8 to 10 CSFs   Critical success factors

 

• 6 to 8 KPIs       key performance indicators

 

 

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

 

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

 

1) Making a link to the business requirements

 

2) Organizing IT activities into a generally accepted process model

 

3) Identifying the major IT resources to be leveraged

 

4) Defining the management control objectives to be considered

 

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

 

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

 

The Information Technology Infrastructure Library (ITIL®) is a framework of best practice approaches intended to facilitate the delivery of high quality information technology (IT) services. ITIL outlines an extensive set of management procedures that are intended to support businesses in achieving both high financial quality and value in IT operations. These procedures are supplier-independent and have been developed to provide guidance across the breadth of IT infrastructure, development, and operations.


April 30, 2010

Data Storage Spectrum

Fibre-channel

iSCSI with Fibre-channel

SANs

Dell, EMC, HP, IBM and NetApp

10 Gig Ethernet

FCoE fibre-channel over Ethernet

Thin provisioning?

MAID (Massive Array of Idle Disks)

Solid state drives

Tape

RAID

CD

Flash memory


April 28, 2010

Secure Data Sharing

What is it
Where is it
What is the Risk
 

Strategic

What Policy should be enforced

How can the process be Audited

Ongoing Process of Sharing Data

Tactical

Manage Removable Media

Encrypt mobile data

Provide users with relevant Policy excerpts and Audit acceptance


April 25, 2010

Record Management: Sarbanes - Oxley Act

 

Signed into law July 30 2002

A direct result of corporate scandals, such as Enron and WorldCom

Introduced legislative changes to financial and corporate regulations

Intended to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders" (quote: President Bush)

Section 802, Regulation S-X, Rule 2-06

All audit and review-related information must be retained for 7 years

Anyone who knowingly destroys documents or files that may relate to a federal investigation or a bankruptcy filing can be fined and/or imprisoned for up to 20 years.


April 17, 2010

HIPAA Healthcare Business Considerations Part 3

Financial System Data
Master Patient Index

Product Management

Provider Contract Management

Provider Network Modeling

Provider Catalog and Selection

Provider Credentialing

Product P/L Reporting

Sales & Marketing

Group Contract Administration

Enrollment and Eligibility

Membership Accounting

Customer Service/Call Center

Encounter Processing

Referral and Authorization

Claim Processing and Payment

Coordination of Benefits

Provider Profiling

Utilization Management

Disease Management

Capitation Accounting

Standards, Quality, & Reg. Reporting

Registration
Scheduling

Provider Index

General Ledger

Budgeting

Master Patient Index

Patient Accounting

Collections

DSS/Cost Accounting

Fund Development (Charity)

State and Federal Reg Reporting

Eligibility Referral Authorization/Precert

Claims Scrubber

Accounts Payable

Materials Management
Fund Management

Medical Records

Dictation and Transcription

Medical Staff Credentialing

Pt. Satisfaction Survey

Time and Attendance

Labor Productivity Report

Staff Scheduling

Asset Management

 

Payroll and HR
Employee Education and Registration

Help Desk

E-Mail

Calendaring

EDI

Groupware and Knowledge Management

Internet/Intranet/Extranet

Medical Database Access

Business Database Access

Workflow Process

Online Directory Services

Media Services

Nursing IS

Physical Security

Security

Parking and Registration

Utility Management

Equipment Tracking

Space Utilization

Fire

Disaster Management


April 16, 2010

HIPAA Healthcare Business Considerations Part 2

Telecommunications
PBX

PBX-Voice Mail

Key Systems

Key Systems – Voice Mail

Plexar

1A2 Key

CDR Help Desk/Bill Back
Logger/Recorders

Operator/Paging System

Video Conference

Long Distance

Pagers

Pagers Alpha/Num Messages

ACD

CTI

Local TeCTI

Wireless Phones

Cellular

 

 

 

Marketing Provider Data

Provider Data

HR and Payroll Data

Healthplan Data

EMPI

Management Reporting

Executive Information System

Data Mining

Data Analysis

Research Support


April 14, 2010

VA scanning and reporting

Documents and action items to consider for reporting requirements (nCircle, Qualys, Nessus, AppScan, SAMATE and other VA scanning tools).

1. Scope Document (Project Scope)
 

2. Architecture Document
 

3. Roles and Responsibilities (Support Plan)
 

4. Escalation Path (Support Plan)
 

5. Run books (operations guide)
 

6. Asset Lists
 

7. SLA Review and Documentation
 

8. Metrics and Reporting Documentation
 

9. Training Materials (if applicable) - Draft - Complete
 

10.  Knowledge Transfer (From Network “resource” to “security”)
 

· Scheduled Scans – scan completion reports are disseminated to all parties


o Help desk tickets created as appropriate
 

o Threat response team reviews reports

o Takes action on items that are critical
 

· Metrics

· To be continued
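To make the scheduled-scan loop above concrete, here is an added Python example (not part of the original post) that takes a scanner's CSV export, produces the per-severity and per-host metrics the report-out needs, and builds the triage queue from which help desk tickets are cut for findings at or above a chosen risk level. The export embedded as SAMPLE_EXPORT is constructed in the column layout of a Nessus-style CSV: the plugin IDs, hosts and finding names are made up, while the MS08-067 / CVE-2008-4250 reference is the real identifier of that vulnerability.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed export in a Nessus-style column layout; not real scan data.
SAMPLE_EXPORT = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
10001,,0.0,None,10.0.0.5,tcp,22,SSH Server Type and Version
10002,CVE-2008-4250,10.0,Critical,10.0.0.5,tcp,445,MS08-067: Server Service Vulnerability
10003,,7.5,High,10.0.0.7,tcp,80,Outdated Web Server
10002,CVE-2008-4250,10.0,Critical,10.0.0.9,tcp,445,MS08-067: Server Service Vulnerability
10004,,5.0,Medium,10.0.0.7,tcp,443,SSL Weak Cipher Suites
10005,,2.6,Low,10.0.0.9,tcp,21,FTP Banner Disclosure
"""

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_export(text: str) -> list:
    """Parse the CSV export into finding dicts with numeric CVSS and port."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["CVSS"] = float(row["CVSS"] or 0.0)
        row["Port"] = int(row["Port"])
        findings.append(row)
    return findings


def severity_metrics(findings: list) -> Counter:
    """Count findings per risk level, leaving out informational 'None' rows."""
    return Counter(f["Risk"] for f in findings if f["Risk"] != "None")


def host_summary(findings: list) -> dict:
    """Per host: number of non-informational findings and the highest CVSS seen."""
    summary = defaultdict(lambda: {"findings": 0, "max_cvss": 0.0})
    for f in findings:
        if f["Risk"] == "None":
            continue
        entry = summary[f["Host"]]
        entry["findings"] += 1
        entry["max_cvss"] = max(entry["max_cvss"], f["CVSS"])
    return dict(summary)


def ticket_queue(findings: list, min_risk: str = "Critical") -> list:
    """Findings at or above min_risk, one per (plugin, host), ordered worst first."""
    threshold = SEVERITY_RANK[min_risk]
    seen = set()
    queue = []
    for f in findings:
        if SEVERITY_RANK.get(f["Risk"], 0) < threshold:
            continue
        key = (f["Plugin ID"], f["Host"])  # same plugin on the same host is one ticket
        if key in seen:
            continue
        seen.add(key)
        queue.append(f)
    queue.sort(key=lambda f: (-SEVERITY_RANK[f["Risk"]], f["Host"], f["Port"]))
    return queue


def format_ticket(f: dict) -> str:
    """One-line ticket title for the help desk system."""
    cve = f", {f['CVE']}" if f["CVE"] else ""
    return f"[{f['Risk']}] {f['Host']}:{f['Port']} {f['Name']} (plugin {f['Plugin ID']}{cve})"


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    print("By severity:", dict(severity_metrics(findings)))
    for host, s in sorted(host_summary(findings).items()):
        print(f"{host}: {s['findings']} findings, max CVSS {s['max_cvss']}")
    print("Tickets to open (High and above):")
    for f in ticket_queue(findings, "High"):
        print(" ", format_ticket(f))
```

Keeping the metrics functions separate from the ticket queue lets the same export feed both the weekly report-out and the threat response team's action list; the threshold passed to ticket_queue() is the place where the policy decision "what counts as critical" lives.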


April 12, 2010

Why COBIT

COBIT resources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:

  • Control Objectives - High-level and detailed generic statements of minimum good control

  • Control Practices - Practical rationales and “how to implement” guidance for the control objectives

  • Audit Guidelines - Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

  • Management Guidelines - Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management should establish an adequate system of internal control."

 

  

COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:

  • Performance measurement - How well is the IT function supporting business requirements?

  • IT control profiling - What IT processes are important? What are the critical success factors for control?

  • Awareness - What are the risks of not achieving the objectives?

  • Benchmarking - What do others do?

  • How can results be measured and compared?

  

COBIT Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

  

  

COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

HIPAA Healthcare Business Considerations Part 1

Data Warehousing

Master Patient Index
Inpatient and Outpatient Activity Data
Marketing Provider Data
Provider Data
HR and Payroll Data
Healthplan Data
EMPI
Management Reporting

Executive Information System

Data Mining
Data Analysis
Research Support
Order Entry
Results Reporting
Clinical Documentation
Ambulatory Clinical Documentation
OB System
Cardiology
Lab
Radiology
PACS
Pharmacy
Pyxsys
Drug Reference
Dietary
SNF Assessment
Respiratory Therapy
OR System
Acute Care Pathways
Chronic Care Pathways
ICU

Wellness Services

Interactive TV (Pt. Education)
Utilization Review
Quality Management
Outcomes Management
Patient Transport
Reflux Database
Risk Management

 

HIPAA - Common Healthcare Applications

Healthline

Homesys
IDX
Integral
Kronos
Labcorp
Landacorp
Lumedx
Macola
DIS (Lexar)
Dyna Care
Eclipsys
Bender
Cborg
Cerner
Clinivision
Cognos
CHUB
Comcotec
GE
GEAC
Dictaphone
Medical Systems Mgmt
Meditech
Mediware
Medscape
Micromedex
Paces
Oasis
Bar Coding
Maintenance Tracking

March 19, 2010

Legal Compliance and E-Discovery

Author unknown. Always verify your research.

Targeted audience: (Attorneys and legal practitioners)

New rules for electronic discovery adopted as part of the Federal Rules of Civil Procedure (FRCP) went into effect December 1, 2006. The purpose of these rules is to streamline e-discovery requests. In an attempt to minimize the number of motions to compel discovery, the federal courts have mandated discussions of how document production will proceed and what form the responses will take prior to issuance of its scheduling order. As a result, parties to a case now have an obligation to find out where data resides on their own systems in anticipation of any discovery requests.

As part of the information technology team, you can look forward to fielding questions and requests from your litigation practice group as to electronically stored information (ESI) formats that exist within your firm and within your clients’ systems.

The new e-discovery rules will be subject to interpretation by the federal courts. However, it is no longer an option to avoid discussing ESI with opposing parties. The new rules require attorneys to know their clients’ document management systems and storage practices. If the attorney does not identify, at the beginning of the case, the specific ESI that would be expensive to produce, the court may later order those inaccessible documents produced at the producing party’s expense. That can mean a costly judgment against the client and, potentially, a malpractice suit by the client against the attorney.

Thus, the new e-discovery rules provide motivation for communicating with clients’ IT personnel at the early stages of the case to discuss data (evidence) preservation, the types of ESI under the client’s control, whether each source is accessible or inaccessible, and the costs associated with producing inaccessible ESI.

What Are the New Rules?
The e-discovery changes are found in FRCP 16, 26, 33, 34, 37, and 45. The amendments to Rules 33, 34, and 45 add electronically stored information to the existing text of those rules. The more extensive changes, to Rules 16, 26 and 37, are set out below:

Rule 16 Pretrial Conferences; Scheduling; Management
(b) Scheduling and Planning

Rule 16 (b)(5):
“The scheduling order may also include provisions for disclosure or discovery of electronically stored information;”

Rule 16(b)(6):
“The scheduling order may also include any agreements the parties reach for asserting claims of privilege or of protection as trial-preparation material after production;”

Because computing is pervasive and documents are increasingly produced in native electronic format, the amendments replace the earlier term “data compilations” with “electronically stored information” so that the rules cover electronic documents in all their formats. In the past, paper productions were given a privilege review page by page before anything left the office. Native files carry metadata and earlier versions of their content that are not visible on screen, so a production of native files can disclose information, including privileged information, that nobody saw during the review.

The attorneys may stipulate to a non-waiver of privilege agreement with regard to this type of inadvertent disclosure of privileged information. Obviously, it would be more beneficial to know upfront what types of data could possibly contain metadata and how to remove it prior to production in a good faith effort to perform a pre-production privilege review. Thus, the court acknowledges by way of Rule 16(b)(6) that there may be some inadvertent disclosure of privileged documents due to the nature of ESI.


Highlights - Rule 16(b) Amendments:
The scheduling order may include an agreement crafted by the attorneys of record covering how inadvertent disclosure of privileged information will be handled when discovered after production.

Rule 26 General Provisions Governing Discovery: Duty of Disclosure
Rule 26(b)(2)(B):
“A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.”

Rule 26(b)(5)(B):
“Information Produced. If information is produced in discovery that is subject to a claim of privilege or of protection as trial-preparation material, the party making the claim may notify any party that received the information of the claim and the basis for it. After being notified, a party must promptly return, sequester, or destroy the specified information and any copies it has and may not use or disclose the information until the claim is resolved. A receiving party may promptly present the information to the court under seal for a determination of the claim. If the receiving party disclosed the information before being notified, it must take reasonable steps to retrieve it. The producing party must preserve the information until the claim is resolved.”

Rule 26(f):
“The parties must, as soon as practicable and in any event at least 21 days before a scheduling conference is held or a scheduling order is due under Rule 16(b), confer to consider the nature and basis of their claims and defenses . . .”

Rule 26(f)(3):
“Any issues relating to disclosure or discovery of electronically stored information, including the form or forms in which it should be produced;”

Rule 26(f)(4):
“Any issues relating to claims of privilege or protection as trial-preparation material, including — if the parties agree on a procedure to assert such claims after production - whether to ask the court to include their agreement in an order.”

With the propagation of inexpensive storage devices, your client could feasibly have terabytes of data to be considered in an e-discovery response. Aside from the typical locations for storing data such as network servers, hard drives, shared drives, laptops, and backup tapes, there are many others to consider as well. These include mirrored data on redundant systems, instant messaging and files transferred over it, CDs/DVDs, smart phones, cell phones, BlackBerry devices, Palm Pilots and other personal digital assistants, MP3 players, and thumb drives.

The attorney may come to you for assistance in figuring out what sources will be most difficult to produce in collaboration with the client’s IT person. From this information, the parties will develop a list of ESI that may be difficult and cost prohibitive to retrieve. This resultant document may also clarify to your client the costs associated with requesting unduly burdensome data and assist with the decision as to whether or not they want to pay for the production of these documents.

During the early 1990’s, it was no picnic to review millions of responsive documents for attorney-client and/or work-product doctrine privilege one page at a time. As a result of the explosion of ESI, more reviews began to include the use of software capable of assisting in searching for such documents during the privilege review.

More document production requests now ask for documents in their native file formats, especially e-mail messages. The privilege review has once again become more onerous since there is metadata contained under the surface of what can be seen on the computer screen. Due to the presence of underlying information embedded in the ESI, there is a high likelihood that privileged information will be produced to opposing counsel unknowingly.

Highlights - Rule 26(b) Amendments:
The attorneys need to know the location(s) of their clients’ responsive ESI as well as what the economic impact of paying for the production of inaccessible documents will be for their client. The court is forcing a proactive review by determining upfront whether the case merits the expense of retrieving inaccessible ESI. The anticipated result will be a more narrowly defined set of document production requests. Clients will have to decide at the start of a case whether they are willing to pay for the restoration of inaccessible ESI.

Pursuant to the amendments to Rule 26(f), the parties are required to meet and confer at least 21 days before a scheduling conference to iron out any issues relating to the discovery of ESI. This is the rule that requires the form(s) in which the ESI will be produced to be included in the meet and confer report to the court. Parties to a federal court case can no longer avoid considering ESI document requests.

They have an obligation to find out where the data resides. In order to know what information would be overly burdensome and costly to produce, the client has to be aware of the various forms of responsive data to the document request. The attorney will serve as the advisor on what types of documents are responsive. You will have to inform the attorney as to the possible file formats and locations of such data. Your expertise will verify that the client’s IT staff performs their due diligence.

Highlights - Rule 26(f) Amendments:
The opposing parties must now meet and confer at least 21 days prior to the Rule 16(b) scheduling hearing to outline the ESI production form(s). During this meet and confer conference, the parties must also resolve how inadvertent disclosure of privileged information will be handled. This is a much earlier deadline for identifying responsive documents than how discovery was handled in the past and must be approached as soon as the dispute arises.

Rule 37 Failure to Make Disclosures or Cooperate in Discovery;

Sanctions
Rule 37(f):
“Electronically Stored Information. Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.”

The duty to preserve evidence remains, but Rule 37(f) provides a “safe harbor” against spoliation sanctions where data is deleted or overwritten by a routine business practice, such as archiving or deleting e-mail messages after a set number of days or the overwriting of previously deleted files. The safe harbor covers only routine, good-faith operation; it does not excuse letting such a process keep running once the duty to preserve has attached.

The Advisory Committee on Civil Rules acknowledges that ESI is dynamic and if separated from its system may be incomprehensible (Rosenthal, 2005). However, if there is a reasonable expectation that a lawsuit may one day be filed against the company, preservation of evidence practices should immediately go into effect.

The attorney will handle instructing the client to put a litigation hold on potential evidence related to a case. It would be extremely helpful for the attorney to have an internal law firm IT person assist in educating the client. An independent audit of the system can also assist with the due diligence requirement of locating and identifying data file formats susceptible to modification and deletion.

Highlights - Rule 37(f) Amendments:
The Advisory Committee recognizes that computing is dynamic and there may be inadvertent rather than intentional modification or deletion of responsive files. However, the ESI lost must be based on good-faith routine practices and not due to lack of placing a litigation hold on the responsive ESI collection.

How Can I Prepare to Help?
Microsoft prepared comments on the e-discovery rule changes during the public comment proceedings. In its request to appear, Microsoft filed a very extensive informative document which can be found at http://www.uscourts.gov/rules/e-discovery/04-CV-001.pdf detailing the history of computers and how they work. This document may serve as an educational resource for attorneys grappling with understanding how data is stored (Southerland, 2006). It delineates some of the concerns of identifying and preparing a discovery plan early in the proceedings.

The task at hand is for you to assist the attorney in preparing for the “meet and confer” conference. Some considerations and investigation are merited when assisting in this regard:

Inform/Educate Attorneys and Clients: Prepare to be inundated with requests to attend meetings with the client’s IT staff to figure out what ESI would be responsive to a document production for the meet and confer with opposing counsel. The critical agenda is to identify the ESI formats that would be extremely burdensome and costly to produce, such as backup tapes.

Therefore, prepare to discuss the retrieval mechanisms with the client’s IT staff and be knowledgeable about what vendors may be of assistance in this type of production. There must be convincing evidence that the production of these types of ESI would be overly burdensome. If the magnitude of procedures needed to extract the ESI is not compelling, the federal judge may order the information be produced with the burden of the cost to be absorbed by the producing party.

Visio Network Diagram: “A picture paints a thousand words.” Become familiar with a program that will produce a network diagram showing where the data resides. This document will be extremely beneficial as an exhibit to the meet and confer report filed for the scheduling conference. Perform a network assessment to produce a network architecture diagram illustrating where data resides.


Technological Attributes to Discuss: The following table lists a small sample of the file formats your clients may have on their systems; a list of this kind belongs in the meet and confer report:

Software                        File Formats
MS Outlook and Outlook Express  .pst, .dbx, .mbx, .idx, .nch
MS Word                         .doc
MS Access                       .mdb
MS Excel                        .xls
MS FrontPage                    .html, .htm
MS PowerPoint                   .ppt
MS Visio                        .vsd
Novell GroupWise                .mlm
Netscape Mail                   .na2, .smn
Photoshop                       .jpg, .tif, .bmp, .psd
Audio and video software        .mpeg, .wav, .asf, .wma, .avi, .midi, .aiff, .au, .aac
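The table keys file types to extensions, which is how most collections start, but an extension is only a label the user chose: a .pst copied to backup.dat or a Word document saved as .tmp will not be found by extension. The following is an added example, not part of the original article, that identifies collected files by their content signatures (the documented header bytes of the formats named in the table) and flags files whose extension disagrees with their contents. The sample files are constructed byte strings, not real client data.

```python
# Added example, not from the original article: identify ESI by content signature,
# not by extension, and flag disagreements. Sample files below are constructed bytes.
import io
import zipfile

# (magic bytes at offset 0, label); these are the published headers of each format
MAGIC = [
    (b"!BDN", "Outlook PST/OST"),
    (b"\xcf\xad\x12\xfe", "Outlook Express DBX"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (.doc/.xls/.ppt/.vsd/.msg)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF-", "PDF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"II*\x00", "TIFF"), (b"MM\x00*", "TIFF"),
    (b"8BPS", "Photoshop PSD"),
    (b"BM", "BMP"),
    (b"RIFF", "RIFF container (.wav/.avi)"),
    (b"ID3", "MP3 (ID3 tagged)"),
]
# What each extension from the table is expected to contain (prefix of the label above).
EXPECTED = {".pst": "Outlook PST/OST", ".ost": "Outlook PST/OST", ".dbx": "Outlook Express DBX",
            ".doc": "OLE2", ".xls": "OLE2", ".ppt": "OLE2", ".vsd": "OLE2", ".mdb": "Access Jet DB",
            ".docx": "Word 2007+ (OOXML)", ".xlsx": "Excel 2007+ (OOXML)",
            ".pptx": "PowerPoint 2007+ (OOXML)", ".pdf": "PDF", ".jpg": "JPEG", ".tif": "TIFF",
            ".bmp": "BMP", ".psd": "Photoshop PSD", ".wav": "RIFF", ".avi": "RIFF", ".mp3": "MP3"}

def _ooxml_kind(data):
    """A ZIP is only a container; the entry names say which Office application wrote it."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "ZIP container (damaged)"
    for prefix, label in (("word/", "Word 2007+ (OOXML)"), ("xl/", "Excel 2007+ (OOXML)"),
                          ("ppt/", "PowerPoint 2007+ (OOXML)")):
        if any(n.startswith(prefix) for n in names):
            return label
    return "ZIP container"

def identify(data):
    """Best-effort file type from the leading bytes."""
    if data[4:19] == b"Standard Jet DB":          # Access puts its signature at offset 4
        return "Access Jet DB"
    for magic, label in MAGIC:
        if data.startswith(magic):
            return _ooxml_kind(data) if label == "ZIP container" else label
    if data.startswith(b"From "):
        return "mbox mail spool"
    return "unknown"

def audit(files):
    """For each (name, bytes) return (name, identified type, verdict)."""
    out = []
    for name, data in files:
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        kind = identify(data)
        want = EXPECTED.get(ext)
        if want is None:
            verdict = "review: no expectation for extension" if kind != "unknown" else "unknown"
        elif kind.startswith(want):
            verdict = "ok"
        else:
            verdict = "MISMATCH: extension says %s" % want
        out.append((name, kind, verdict))
    return out

def _docx_bytes():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed sample collection (hypothetical file names and contents).
SAMPLE_FILES = [
    ("backup.dat", b"!BDN" + b"\x00" * 60),                        # a PST renamed to hide on a share
    ("memo.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("memo.docx", _docx_bytes()),
    ("contract.pdf", b"%PDF-1.4\n%..."),
    ("notes.tmp", _docx_bytes()),                                   # extension hides a Word document
    ("scan.jpg", b"%PDF-1.4\n"),                                    # a PDF carrying a .jpg extension
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FILES):
        print("%-14s %-45s %s" % row)
```

Signature checks are cheap enough to run over an entire collection and give the attorney a defensible answer to “how do you know you found all the mail stores?” that an extension filter cannot.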

Discover the Client’s Policies & Procedures: As previously stated, the proliferation of inexpensive storage devices has spurred the belief that everything and anything should be saved forever “just in case I need it.” The consequence is an unmanageable system and more data than you could ever get your hands around.


When a lawsuit is filed against your client, or for that matter against your law firm, how do you respond accurately? Without a records retention policy describing how data is routinely deleted in the normal course of business, any deletion may be characterized as destruction of evidence, and you can rest assured that opposing counsel will be quick to suggest a sinister motive. As soon as a complaint is received, backup rotation and any other process that would overwrite files relevant to the case must be suspended to avoid a destruction-of-evidence claim. As the Enron case showed, destroying evidence can lead to jail time. A records retention policy under which purging and deletion are routinely carried out, and suspended once litigation is anticipated, is what keeps those sanctions and penalties at bay.
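The routine purge the safe harbor protects and the litigation hold that must stop it are two halves of one job. The following added example, not part of the original article, shows a retention purge that skips every record belonging to a custodian under an active hold, regardless of the record’s age, and logs each decision with a content digest so the run can later be shown to have been routine rather than selective. Records, custodians, the matter name and the hold register are constructed samples; a real job would read a mail store and the firm’s hold register.

```python
# Added example, not from the original article: a routine retention purge that
# honours a litigation hold and leaves an audit trail. All data below is constructed.
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Record:
    record_id: str
    custodian: str          # whose mailbox or share the item belongs to
    created: date
    body: bytes

@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: FrozenSet[str]
    issued: date
    released: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.issued <= day and (self.released is None or day < self.released)

def run_retention_purge(records: Iterable[Record], holds: Iterable[LegalHold],
                        retention_days: int, today: date) -> Tuple[List[str], List[str], List[str]]:
    """Apply the retention policy once. Returns (purged_ids, held_ids, audit_log).

    A record is purged only when it is older than the retention window AND no active
    hold names its custodian. The hold covers the custodian's whole history, not just
    items created after it was issued, because the duty attaches to what exists when
    litigation is anticipated. Each action is logged with a content digest so the run
    can be shown to have been routine rather than selective. The same check must gate
    backup rotation: overwriting a tape destroys the same evidence.
    """
    cutoff = today - timedelta(days=retention_days)
    frozen = {c for h in holds if h.active_on(today) for c in h.custodians}
    purged, held, log = [], [], []
    for r in sorted(records, key=lambda r: (r.created, r.record_id)):
        if r.created > cutoff:
            continue                                   # inside the window: keep, nothing to log
        if r.custodian in frozen:
            held.append(r.record_id)
            log.append("%s HOLD  %s custodian=%s" % (today, r.record_id, r.custodian))
            continue
        digest = hashlib.sha256(r.body).hexdigest()[:16]
        purged.append(r.record_id)
        log.append("%s PURGE %s created=%s sha256=%s" % (today, r.record_id, r.created, digest))
    return purged, held, log

# Constructed sample data: hypothetical matter, custodians and messages.
SAMPLE_TODAY = date(2006, 12, 1)
SAMPLE_RECORDS = [
    Record("m-001", "alice", date(2006, 6, 1), b"Re: Acme contract - see attached"),
    Record("m-002", "bob", date(2006, 5, 20), b"Lunch on Friday?"),
    Record("m-003", "alice", date(2006, 11, 20), b"Acme v. Client: litigation hold notice"),
]
SAMPLE_HOLDS = [LegalHold("Acme v. Client", frozenset({"alice"}), issued=date(2006, 11, 15))]

if __name__ == "__main__":
    purged, held, log = run_retention_purge(SAMPLE_RECORDS, SAMPLE_HOLDS, 90, SAMPLE_TODAY)
    print("\n".join(log))
```

A hold placed after the purge has already run cannot be undone, which is why the hold register has to be consulted by every scheduled deletion job, backup rotation included, and not only by the people who received the hold notice.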

March 17, 2010

Document sets and strategies that you should consider for your organization

All security domains integrated strategy

All security domains strategy document

Review of all security domains integrated security document

Management commitment to information security

Management commitment to security

Supporting security philosophy & values

Security a business enabler

Security integrated across all business functions

All security domains security program design

Domains security program design

All security domains program charter document

Security program concept of operations

Security roles & responsibilities definition

Security program vision & mission

Encompasses all domains of security

Information security policy

Allocation of information security responsibilities

Information security coordination

Contact with authorities

Roles and responsibilities

Management responsibilities

Roles and procedures

Security organization structure

Chief Security Officer (hires the correct people and considers their advice)

Review of all security domains program charter document

Organization policies

Responsibility for assets

Acceptable use of assets

Ownership of assets

Information exchange policies and procedures

Security policy

Responsibility for assets

Ownership of assets

Acceptable use of assets

Information exchange policy

Information security policy document

Other organization policies

Employee code of conduct

Information security policy

Responsibility for assets

Access control policy

Review of the information security policy

Review of security policy document

Enterprise architecture

Enterprise reference architecture document

Review of enterprise reference architecture document

Enterprise Integrated risk management

Enterprise Integrated risk management plan

Enterprise Integrated risk management document

Review of enterprise Integrated risk management document

All security domains strategic plan

Management commitment to information security

Management commitment to security

Supporting security philosophy & values

Security a business enabler

All security domains strategic plan document

Alignment with business strategy

Review of all security domains strategic plan document

Security integrated across all business functions

All security domains security program design

 

All security domains program charter document

Chief Security Officer

Chief Information Officer

Security program concept of operations

Security organization structure

Security roles & responsibilities definition

Security program vision & mission

Encompasses all domains of security

Organization policies

Review of all security domains program charter document

Security policy

Responsibility for assets

Ownership of assets

Acceptable use of assets

Information exchange policy

Information security policy document

Enterprise architecture

Enterprise reference architecture

Enterprise reference architecture document

Review of enterprise reference architecture document

Other organization policies

Employee code of conduct

Information security policy

Responsibility for assets

Roles and responsibilities

Management responsibilities

Enterprise Integrated risk management

Enterprise Integrated risk management plan

Enterprise Integrated risk management document

Review of SIM / SEM awareness

All security domains strategic plan

All security domains strategic plan document

Alignment with business strategy

Review of all security domains strategic plan document

Information Security Mgmt & Ops

Information security program design

Information security program charter document

Information security program vision & mission

Information security program concept of operations

Information security organization structure

Review of Information security program charter document

Information security strategic plan

Alignment with all security domains strategic plan

Information security strategic plan document

Review information security strategic plan document

ISMS Management and Operations

Internal organization

Intellectual property rights

Operational planning for information security

Alignment with information security strategic plan

Maintain and review operational plans for information security

Relations with external entities

External parties

Information security staff training & development

Information security staff competencies

Information security career development paths

Contact with special interest groups

Information security staff certification training

Information security staff recruitment

Maintain and review information security staffing plans

Addressing security when dealing with customers

Addressing information security when dealing with customers

Identification of risks related to external parties

Information security in agreements with other organizations

Addressing security in third party agreements

Reporting legal or criminal violations

Data exchange agreements

Exchange agreements

Information technology security risk management

Management of information security incidents and improvements

Collection of evidence

Reporting information security events

Contact with law enforcement agencies

Information security incident management

Reporting information security incidents

Reporting information security events and weaknesses

Reporting information security weaknesses

Reporting security weaknesses

Investigating information security incidents

Learning from information security incidents

Collection of forensic evidence for legal action

Security policy enforcement

Information security threat and risk assessment

Identified additional safeguards to reduce unacceptable risk

Monitor that additional safeguards are applied

Prepare threat and risk assessment report

Review and update TRA report to reflect changes in system or risk environment

Confidentiality agreements with other organizations

Confidentiality agreements

Enterprise information security posture

Linkages to enterprise integrated risk management plan

Roles and procedures

Incident management procedures

Technical Vulnerability Management

Technical vulnerability and patch management

Information system security compliance inspections

Regulatory Compliance

Management of compliance obligations

Identification of applicable legislation

Intellectual property rights

Protection of organizational records

Regulation of cryptographic controls

Protection of organizational records

Data protection and privacy of personal information

Prevention of misuse of information processing facilities

Compliance reporting

Data protection and privacy of personal information

Prevention of misuse of information processing systems

Regulation of cryptographic controls

Compliance with legal requirements

Intellectual property rights

ISMS Review

ISMS internal audit

ISMS metrics and measurement

ISMS internal program evaluation

Inspections for organization compliance with information security policies and standards

Compliance with security policies and standards

Audits of information systems

Information systems audit controls

Protection of information systems audit tools

Independent review of information security

ISMS external third-party review

ISMS external third-party audit

Third party Service delivery management

Managing changes to third party services

Third party services delivery

Service delivery

Monitoring and review of third party services delivery

Monitoring and review of third party services

Managing changes to third party services delivery

Third party managed security services

ISMS Quality assurance

ISMS continuous improvement

Information security standards and guidelines

Information Security standards and guideline documents

Review of information security standards and guideline documents

Information Classification

Information labeling and handling

Information classification guidelines

Classification guidelines

Information labeling and handling

Information Lifecycle Management

Destruction and disposal of information

Storage of information

Information monitoring

Traceability

Security logs

Information storage guidelines

Information disposal and destruction guidelines

Archiving organization information

Exchange of Information

Control of information exchanged internally and externally

Control of information

Identification of assets

Protection of trade secrets, patents and copyright information

Media handling

Security of system documentation

Management of removable media

Disposal of media

Information handling procedures

Security of information system documentation

Management of personal information

Identification of privacy risks to personal information

Privacy Impact Assessment

Security inspections of third party service providers

Compliance with information security in third party service agreements

Physical & Environmental Security

Physical Security of IT-related infrastructure

Secure Areas

Securing offices, rooms and facilities

Physical security perimeter

Physical entry controls

Securing offices, rooms and facilities

Protecting against external & environmental threats

Working in secure areas

Public access, delivery and loading areas

Physical security risk management

Physical security threat and risk assessment

Identified additional safeguards to reduce unacceptable risk

Monitor that additional safeguards are applied

Prepare threat and risk assessment report

Review and update TRA report to reflect changes in physical risk environment

Physical security of IT equipment and environment

Equipment siting

Removal of property

IT equipment siting and physical protection

Equipment siting and protection

Physical protection of supporting utilities (e.g. HVAC)

Physical security of environmental controls

Supporting utilities

Physical security of cabling

Cabling security

Equipment maintenance

Physical security of equipment off premises

Security of equipment off premises

Secure disposal or re-use of equipment

Physical security of IT media, equipment and devices

Physical media in transit

IT media in transit

IT media at rest

Storage of IT media in approved secure containers

Physical security of USBs & portable storage devices

Physical security of laptops, smart phones, and PDAs

User physical security protection measures of IT equipment, devices and services

Clear desk and workstation area

In the office

Unattended user equipment

Unattended user IT-related assets

Clear desk and clear screen policy

Mobile computing & teleworking

Working from Home

Minimal labeling

Use different travel case

No baggage check for IT devices

Prevent shoulder-surfing

Don’t share or loan organization-issued IT equipment, devices or services

Use only organization-issued and approved IT equipment and software.

Protect private keys, tokens and passwords for remote access.

No sharing of organization-issued IT equipment, devices or services.

Use only organization-approved secure VPN connections to access organization systems & services

Log off when not in use or away from the workstation.

Physical security for sensitive information systems

Guidelines for physical security fit-up of secure information systems

Assurance of physical security for IT-related Infrastructure

Physical security certification and accreditation of IT-related Infrastructure

Authorization process for information processing facilities

Physical security authorization process for IT-related infrastructure

Physical prevention measures against emanations from IT-related infrastructure & equipment

Emanations shielding for workstations

Personnel Security

Prior to employment

Terms and conditions of employment

Confidentiality agreements

Personnel security in hiring processes

Security obligations included in employment letters

Screening of potential hires and contractors

Screening

Non-disclosure agreement

During employment

Supervisory enforcement of information security policies and standards

Segregation of duties

Least privilege

Need to know

Security clearance

Review of employee access to information, buildings, information systems and networks

Disciplinary process

Disciplinary process for information security violations

Information security training and awareness

Information security awareness, education and training

Segregation of duties

Internal affairs investigations

Termination or change of employment

Removal of access rights

Termination responsibilities

Return of assets

Removal of access rights

Information technology security standards and guidelines

Information security standards and guidelines documentation

Review of IT security standards and guidelines documentation

Information exchange policies and procedures

Policy on the use of network services

Procurement of IT security products

Information System Security

Access control

Review of user access rights

User access management

User registration

Privilege management

User password management

Review of user access rights

Password management system

Use of system utilities

Session time-out

Limitation of connection time

Session time-out

Application and information access control

Sensitive system isolation

Information access restriction

Sensitive system isolation

Application and information access control

Operating system access control

Secure log-on procedures

User identification and authentication

Biometric authentication

Business requirement for access control

Information system back up

Back-up

Information back-up

Monitoring

Audit logging

Monitoring system use

Protection of log information

Administrator and operator logs

Fault logging

Trusted time source

Clock synchronization for all network and OS’s

March 15, 2010

HIPAA Defense in depth

HIPAA Compliance:

Section          Standard                          Implementation Specification
164.308(a)(1)    Security Management Process       Risk Management (required)
164.308(a)(5)    Security Awareness and Training   Log-in Monitoring (addressable)
164.308(a)(6)    Security Incident Procedures      Response and Reporting (required)
164.312(a)(1)    Access Control                    Encryption and Decryption (addressable)
164.312(b)       Audit Controls                    (standard only; no separate implementation specification)
164.312(c)(1)    Integrity                         Mechanism to Authenticate ePHI (addressable)

Scope:

  1. Data

  2. Applications

  3. Servers

  4. Subnets

  5. DPA policy control

  6. Network

Requirements:

1) Three-factor authentication

2) Access based on need to know

3) Reasonable protection

4) Encryption

5) Log showing all access and change at every level

March 14, 2010

HIPAA Legislation

  • Title I: Guarantees health insurance access, portability and renewal

  • Title II: Cost reduction provisions

    • Fraud and abuse controls

    • Administrative simplification

    • Medical liability reform

  • Title III: Tax provisions principally for medical savings accounts

  • Title IV: Enforcement of group health plan provisions

  • Title V: Revenue offset provisions

Administrative Simplification

  • Purpose of administrative simplification

    • Improve the efficiency and effectiveness of health information systems

    • Establish a common set of standards and requirements for electronic information exchange of healthcare data

    • Protect the security and privacy of transmitted information

  • Creates federal regulation of

    • Electronic healthcare transactions (EDI)

    • Healthcare identifiers — payer, provider, patient and employer

    • Confidentiality and security practices

Financial “Metrics” of Administrative Simplification

  • Administration costs represent approximately 26% of total hospital costs (estimated $175 billion)

  • Workgroup for Electronic Data Interchange (WEDI) estimates the electronic data interchange (EDI) will lower administrative costs while improving the efficiency and enhancing the quality of healthcare services

    • $9 billion per year for providers

    • $26 billion per year for the healthcare system

  • Financial inaccuracies represent $0.11 of every healthcare dollar

    • Fraud and abuse represent $0.03–$0.05 of every healthcare dollar

Final Security Rule

  • Defines standards and implementation specifications (IS)

  • Implementation Specifications can be:

    • Required — must be performed as stated

    • Addressable — organization must document

      • Is the IS reasonable and appropriate?

        • If yes, follow it

        • If no, document and continue

      • Is there another IS that is reasonable and appropriate?

        • If yes, document and follow it

        • If no, document and continue

      • Is the level of risk sufficient or insufficient to require mitigation?

        • Sufficient — follow one of the two previous points

        • Insufficient — document and skip requirement

Workforce Administration

  • Workforce security

    • Provide access to authorized users

    • Prevent access for unauthorized users

    • Ensure that access to electronic protected health information (ePHI) by a workforce member is appropriate

    • Implement procedures for terminating access when employment has ended

  • Information access management

    • Access authorization

    • Access establishment and modification

  • Define user roles within the organization

  • Define authorization levels for each user role

  • Centralize role-based administration of user privileges across all platforms

  • Automate account creation through the human resources (HR) system

  • Integrate workflow into administrative policies for account set up and termination

  • Modify or suspend user privileges through a web interface

Access Control

  • Unique user identification — required

  • Emergency access procedure — required

  • Automatic log off — addressable

  • Additional administrative requirements

    • Log-in monitoring

    • Password management

  • Current barriers to meeting these requirements

    • Balance security with convenience at the clinical workstations

    • Limited security capabilities within current applications

Single Sign-On

  • Support policies

  • Provide access to all authorized applications through a single authentication

  • Utilize role-based authorization methods

  • Automate password management with strong passwords

  • Record application log-in attempts

  • Focus on the unique needs of workstations

    • Direct authentication for quick change of users

    • Secure station lock capability

    • Create efficient single sign-off

Security Incident Tracking

  • Information system activity review — required

    • Review records of information system activity

    • Audit logs, access reports and security incident tracking reports

  • Security incident response and reporting — required

    • Identify and respond to suspected or known security incidents

    • Mitigate harmful effects of security incidents that are known to the covered entity

    • Document security incidents and their outcomes

  • Audit controls — required

    • Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain ePHI

Auditing

  • Security logs exist for systems that contain ePHI

    • Database log files

    • Operating system log files

    • Application log files (sometimes)

  • Other enterprise components maintain security logs

  • Log files are too extensive and complex

  • Parse individual log files to extract key information and forward to a centralized secure remote repository

  • Run reports from this centralized system

  • Correlate log information from multiple systems

  • Prevent security incidents through proactive notification
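The parse, forward, correlate and notify pipeline the Auditing list above describes (and the "log showing all access and change at every level" requirement of the HIPAA defense-in-depth note), as an added example that is not from the original notes. The three log formats, host names, user names and the business-hours policy are constructed; the in-memory list returned by `collect_events()` stands in for the centralized secure remote repository, and the transport to it is out of scope.

```python
"""Parse, centralize and correlate ePHI audit logs (added example, not from the notes)."""
import re
from datetime import datetime, timedelta

YEAR = 2010  # constructed: syslog lines carry no year, so one is assumed

# Constructed sample log lines, one format per source named in the notes.
SAMPLE_LOGS = {
    "os": [
        "Mar 15 02:11:04 ehr-app01 sshd[4121]: Failed password for jdoe from 10.20.30.40 port 51022 ssh2",
        "Mar 15 02:11:09 ehr-app01 sshd[4121]: Failed password for jdoe from 10.20.30.40 port 51023 ssh2",
        "Mar 15 02:11:15 ehr-app01 sshd[4121]: Failed password for jdoe from 10.20.30.40 port 51024 ssh2",
        "Mar 15 02:11:21 ehr-app01 sshd[4121]: Accepted password for jdoe from 10.20.30.40 port 51025 ssh2",
        "Mar 15 08:59:40 ehr-app01 sshd[4130]: Accepted password for asmith from 10.20.31.7 port 50211 ssh2",
    ],
    "db": [
        "2010-03-15 02:12:30 ehr-db01 AUDIT user=jdoe action=SELECT table=patient_records rows=340",
        "2010-03-15 09:05:12 ehr-db01 AUDIT user=asmith action=UPDATE table=patient_records rows=1",
    ],
    "app": [
        "2010-03-15T02:13:02 ehr-web01 INFO access user=jdoe patient_id=PT-0001 op=export",
        "2010-03-15T09:06:40 ehr-web01 INFO access user=asmith patient_id=PT-0342 op=view",
    ],
}

EPHI_TABLES = {"patient_records"}  # constructed: database tables known to hold ePHI

OS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                   r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
DB_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) AUDIT user=(?P<user>\S+) action=(?P<action>\S+) "
                   r"table=(?P<table>\S+) rows=(?P<rows>\d+)")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) INFO access user=(?P<user>\S+) "
                    r"patient_id=(?P<patient>\S+) op=(?P<op>\S+)")


def parse_line(source, line):
    """Extract the key fields of one raw line into the common event schema (None if unparsed)."""
    if source == "os" and (m := OS_RE.match(line)):
        return {"ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "source": source, "host": m["host"], "user": m["user"],
                "action": "login_ok" if m["result"] == "Accepted" else "login_fail",
                "ephi": False, "detail": f"from {m['src']}"}
    if source == "db" and (m := DB_RE.match(line)):
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "source": source, "host": m["host"], "user": m["user"],
                "action": m["action"].lower(), "ephi": m["table"] in EPHI_TABLES,
                "detail": f"{m['table']} rows={m['rows']}"}
    if source == "app" and (m := APP_RE.match(line)):
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "source": source, "host": m["host"], "user": m["user"],
                "action": m["op"], "ephi": True, "detail": m["patient"]}
    return None


def collect_events(logs):
    """Parse every source and forward the events to the central repository, ordered by time."""
    repository = []  # stands in for the secure remote store
    for source, lines in logs.items():
        repository.extend(ev for ev in (parse_line(source, ln) for ln in lines) if ev)
    repository.sort(key=lambda e: e["ts"])
    return repository


FAIL_THRESHOLD = 3                      # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)      # ... within this window before a success is suspicious
FOLLOW_WINDOW = timedelta(minutes=30)   # ePHI access this soon after such a login is escalated
BUSINESS_HOURS = range(7, 19)           # constructed policy: 07:00 to 18:59 local time


def alert(rule, ev):
    """Build one proactive notification from the event that triggered a rule."""
    return {"rule": rule, "user": ev["user"], "host": ev["host"], "source": ev["source"],
            "ts": ev["ts"].isoformat(), "detail": ev["detail"]}


def correlate(events):
    """Run the notification rules over the repository; returns one alert dict per hit."""
    alerts = []
    flagged_logins = {}  # user -> time of a success that followed a burst of failures
    for i, ev in enumerate(events):
        if ev["action"] == "login_ok":
            fails = [e for e in events[:i]
                     if e["user"] == ev["user"] and e["action"] == "login_fail"
                     and ev["ts"] - e["ts"] <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                flagged_logins[ev["user"]] = ev["ts"]
                alerts.append(alert("guessing_then_success", ev))
        if ev["ephi"]:
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(alert("after_hours_ephi_access", ev))
            t0 = flagged_logins.get(ev["user"])
            # Cross-system correlation: OS login on one host, ePHI access on another
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= FOLLOW_WINDOW:
                alerts.append(alert("ephi_access_after_suspicious_login", ev))
    return alerts


if __name__ == "__main__":
    for a in correlate(collect_events(SAMPLE_LOGS)):
        print(a)
```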

System Access Controls

  • Risk management

    • Reduce security risks and vulnerabilities to a reasonable and appropriate level

  • Isolating healthcare clearinghouse functions

    • Allow systems administrators to access all components

  • Access control and validation procedures

    • Control and validate access to software programs for testing and revision

  • Authenticating ePHI

    • Help ensure ePHI has not been altered or destroyed in an unauthorized manner

  • Current barriers to proper access controls

    • Provide superusers with global access to ePHI on distributed platforms

Security Management Process

  • Risk analysis — required

    • Conduct an assessment of potential risks

  • Risk management — required

    • Implement security measures to reduce risks

  • Information system activity review — required

    • Regularly review records of information system activity

  • Additional requirements

    • Protect against malicious software

    • Implement policies and procedures that define proper functions and manner of workstation use

  • Gain the best of network protection, session monitoring and internet content blocking

  • Monitor and review network activity to determine potential risks

  • Protect against network attacks, including Denial of Service attacks

  • Detect traffic that violates policy and automatically close the offending session

  • Block access to external websites in line with company policy

Contingency Plan and Operations

  • Data backup plan — required

    • Create and maintain retrievable exact copies of ePHI

  • Disaster recovery plan — required

    • Establish procedures to restore any loss of data

    • Must contain documented policies and procedures

  • Emergency mode operation plan — required

    • Must provide for the protection of the security of ePHI while operating in an emergency mode

  • Time limit — required

    • Maintain documentation for six years from the date when it was last in effect

Healthcare Industry Segmentation

  • Healthcare Payers

    • National Health Insurance Plans (Aetna, Cigna, BC/BS)

    • Federal Government (CMS – Medicare)

    • State Government (DHHS – Medicaid)

  • Healthcare Providers

    • Hospitals

    • Long-Term Care Facilities

    • Physician Medical Practices

    • Specialty Care Providers (Outpatient, Oncology, etc.)

  • Affiliated Organizations

    • Clearinghouses, Third Party Administrators, etc.

Key Business Drivers

  • The revenue source of a hospital is driven by patient flow

    • Physician referral is the key to patient flow

    • Non-teaching hospitals generally do not have staff physicians

    • Insurance payments are determined based on diagnosis, not length of stay

  • Shortage of qualified resources

    • Estimated 125,000 open nursing positions in the US, projected to grow to 500,000 by year 2020

    • Pharmacists are being hired faster than they are graduating

  • Significant need to focus on user productivity and satisfaction

HIPAA Setting Best Practices

HIPAA legislation does not lay out a specific, standardized course of action or "best practice." Rather, the language often suggests "reasonable and appropriate" action to protect and secure business assets and protect private data. This openness puts the burden on providers and payers to chart new territory and implement changes across a broad range of electronic, paper, and physical practices that include:

· Policy (at organizational and department levels)

· Applications upgrade and redeployment

· Physical security

· Accountability and audit measures

· IT infrastructure improvements (especially for authentication and access control)

· Training and deployment

Most institutions dealt with this complex environment by starting with a HIPAA compliance architecture and road map. They tackled each of these areas with careful planning, coordination, and, finally, effective execution. As stated, the tasks and challenges permeate every aspect of healthcare organizations' operations. The words of the director of information security at a provider network summarized the situation: "[HIPAA] needs to be part of your daily environment."

A Business and Policy Challenge First

Given these perspectives, most healthcare organizations recognize the complexity of the problem. They understand that no one technology or single process solution provides a quick answer. In fact, most executives dismiss sales pitches that claim to provide a simple fix. The words of two compliance officers at provider organizations captured the view that was common during the planning stage. One noted, "There's not a product out there that'll systemize privacy right now. And I don't think we could afford it if it was there." Said the other, "There are little pieces of the puzzle that everybody needs, but there's not one full solution. The hard part is piecing together your puzzle."

Mapping Requirements to Infrastructure

Finally, the enterprise began to map HIPAA's privacy requirements to its infrastructure. Again, early and immediate actions involved setting clear policy and ensuring its compliance. For example, one area that had suffered from uneven policy compliance involved user account management – a simple, common, but critical security component. To avoid the issue of user access accounts "hanging around" after employee transfer or termination, the provider network set up zero-tolerance policies for immediate account termination and explicit account startup procedures. That policy included steps toward building a "role-based" account management structure. The network, in its early implementation, would like to establish simple role-based access rights for business, research, and clinical roles within the hospital. That same recognition of data classification (business, clinical, or research) opens a set of efforts to both classify and control access to that data once roles are in place.
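The account hygiene described here and in the Workforce Administration list above (immediate termination of access, HR-driven account creation, role-based rights for business, research and clinical roles), as an added example that is not from the original notes. The HR roster, the directory export, the role-to-entitlement model and the reconciliation date are all constructed; the reconciliation finds accounts that are "hanging around" after termination, rights left over from a transfer, and accounts with no HR owner.

```python
"""Reconcile the account directory against the HR roster (added example, not from the notes)."""
from datetime import date

TODAY = date(2010, 3, 15)  # constructed reconciliation date

# Constructed role model: each role maps to exactly the rights it needs.
ROLE_ENTITLEMENTS = {
    "clinical": {"ehr_read", "ehr_write", "pharmacy_read"},
    "research": {"research_db_read"},
    "business": {"billing_read", "billing_write"},
}

# Constructed HR export: asmith was transferred from clinical to research, bwong was terminated.
HR_ROSTER = [
    {"login": "jdoe",   "role": "clinical", "status": "active",     "end_date": None},
    {"login": "asmith", "role": "research", "status": "active",     "end_date": None},
    {"login": "bwong",  "role": "business", "status": "terminated", "end_date": date(2010, 3, 1)},
]

# Constructed directory export: asmith kept clinical rights after the transfer, bwong is still
# enabled two weeks after termination, and svc_legacy has no HR record at all.
ACCOUNTS = [
    {"login": "jdoe",       "enabled": True, "entitlements": {"ehr_read", "ehr_write", "pharmacy_read"}},
    {"login": "asmith",     "enabled": True, "entitlements": {"ehr_read", "ehr_write", "research_db_read"}},
    {"login": "bwong",      "enabled": True, "entitlements": {"billing_read", "billing_write"}},
    {"login": "svc_legacy", "enabled": True, "entitlements": {"ehr_read"}},
]


def desired_account(hr_record):
    """The account an HR record should produce: automated creation derives rights from the role only."""
    return {"login": hr_record["login"],
            "enabled": hr_record["status"] == "active",
            "entitlements": set(ROLE_ENTITLEMENTS[hr_record["role"]])}


def reconcile(roster, accounts, today):
    """Compare every directory account with its HR-derived desired state; return findings."""
    findings = []
    by_login = {r["login"]: r for r in roster}
    for acct in accounts:
        rec = by_login.get(acct["login"])
        if rec is None:
            # No HR owner: cannot be justified by any role, so it must be reviewed and parked.
            findings.append({"login": acct["login"], "finding": "orphan_account",
                             "action": "disable pending owner review"})
            continue
        want = desired_account(rec)
        if not want["enabled"] and acct["enabled"]:
            # Zero-tolerance termination policy: the account should already be gone.
            findings.append({"login": acct["login"], "finding": "terminated_user_enabled",
                             "action": "disable immediately",
                             "days_overdue": (today - rec["end_date"]).days})
            continue
        extra = acct["entitlements"] - want["entitlements"]
        missing = want["entitlements"] - acct["entitlements"]
        if extra:
            findings.append({"login": acct["login"], "finding": "excess_entitlements",
                             "action": "remove " + ", ".join(sorted(extra))})
        if missing:
            findings.append({"login": acct["login"], "finding": "missing_entitlements",
                             "action": "grant " + ", ".join(sorted(missing))})
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCOUNTS, TODAY):
        print(f)
```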

March 13, 2010

Sample End-to-End Performance Goals

End-To-End Performance          Performance Goals
System and Application
Windows SAP GUI                 End-to-end performance ([Client] will consider these as goals and monitor the actual results):
Macintosh JAVA GUI              90% of identified representative transactions complete: < 3 seconds
Windows HTML GUI                90% of identified representative transactions complete: < 6 seconds

March 11, 2010

Sample IT Wide Status Definitions

GREEN:  Project on schedule with no gating issues.

AMBER:  Significant issues with interim deliverable(s), possible interim deliverable slips. However, the final deliverable(s) is/are still achievable with proper attention/involvement.

RED:  Serious issues. Unlikely to make the final deliverable.

MIS Status Amplifications:

Amplification on status for MIS Integration Test Leads and Release Leads:

GREEN:
· All of the project deliverable items will be accomplished in accordance with the current plan.
· Scheduled deliverables include the Preliminary or Final Integration Test Plan, Order Entry or Traffic matrices, Feeds, and/or any milestones on the release schedule. A GREEN status also indicates an MIS recommendation for the project to be included in this Production release.
· If a recovery plan is being worked, then that plan is on schedule, at least one deliverable has been accomplished on this plan, and all subsequent deliverables are current against the plan.
· All known issues are actively being worked by the integration team according to an agreed plan. In a GREEN status, expect that there will be issues; however, these issues will have a resolution plan in place that does not affect project milestones. Note: Gating means any "gates" in the testing activity or process that would prevent successful completion of the testing and project recommendation for release to production.
· For the release, all projects are reporting no significant issues with achieving implementation in the release. All, or almost all, projects are reporting a GREEN status.

AMBER:
· Significant issues with requirements or interim integration test deliverables, possible interim deliverable slips.
· This project status is used when issues that affect the delivery schedule arise. Significant software issues, schedule problems, and test case definition/requirements are good examples of things that cause non-GREEN status. AMBER is used for problems that cause (or can cause) interim deliverables to be missed. If the final deliverable date is not in jeopardy, that is, a recovery plan is in place, the project should be AMBER and not RED.
· A contingency plan has been put in place and agreed to by all affected parties to ensure the final deliverable is still achievable with proper attention/involvement. However, no interim deliverable has been made according to the new plan.
· For the release, most projects are reporting GREEN status with a small percentage of AMBER and/or RED projects being reported. Issues are being worked and reported appropriately to the Release Lead; however, the recovery plans have not yet met deliverables.
· RED and AMBER are purposefully open to interpretation because of the complexity of projects and the possible number of factors involved. Each test lead should consult with the manager and the release lead to ensure full agreement within MIS.

RED:
· Serious integration test issues. Unlikely to make the implementation date under the current schedule and current requirements.
· A project's status will remain RED until a plan is put in place to meet all deliverables and meet the implementation date. If all of the systems reschedule their implementation dates, the project could return to an AMBER or GREEN condition. If some of the systems implement while others do not, an out-of-sync condition can cause the project to remain RED even though the recovery plan is agreed to by all parties. In this case, a number of production problems could arise while testing continues. If the project is placed on a new schedule and no milestones have occurred or been met, the project should probably remain in RED status until the recovery plan is met.
· A status of RED does not mean that the product will not implement.
· Requirement testing is failing.
· There is no set number of test cases or requirements that determine RED status. The interpretation is left to the integration test lead to work with the project team, including the MIS manager and release lead. Until MIS assigns weighting factors to each requirement and a minimum percentage is set, the requirements justification for a non-GREEN status is left to the integration team. If the project team is considering dropping/adding/modifying requirements, a change request needs to be brought to the Baseline Review Board.
· For the release, a large percentage of the projects in the release are reporting AMBER and RED status. A significant project that is reporting a RED status may cause the release to go RED.
· RED and AMBER are purposefully open to interpretation because of the complexity of projects and the possible number of factors involved. Each test lead should consult with the manager and the release lead to ensure full agreement within MIS.
Regulation Impact by IT Technology Domains

Columns: SOX = Sarbanes Oxley Act; HIPAA; GLBA = Gramm-Leach-Bliley Act; SEC = SEC 17a-4 and NASD; 21 CFR = Title 21 Federal Regulations (21 CFR Part 11), Elec.; Basel II = Basel Committee on Banking Supervision Accord (Basel II); Patriot = Patriot Act; SB 1386 = California's SB 1386. An X marks a technology domain impacted by the regulation.

Technology domain                                            SOX   HIPAA   GLBA   SEC   21 CFR   Basel II   Patriot   SB 1386
Financial compliance, business process measurement apps      X     -       -      -     -        X          -         -
Enterprise resource planning                                 X     -       -      -     -        X          -         -
Business intelligence and data warehousing                   X     -       -      -     -        X          -         -
Content/document management and search                       X     X       X      X     X        X          X         X
Data/application integration                                 X     -       -      -     X        X          -         -
Business process automation                                  X     X       -      -     X        X          -         -
Records management and email archiving                       X     X       -      -     X        X          -         -
Storage, software, and hardware                              X     X       -      X     -        X          X         -
Security                                                     X     X       X      X     X        X          X         X
Sample MIL-STD-100 Objectives

The primary objective of the Standard Operating Environment was to develop the platform baseline for the Network Management Systems for Corporate campuses (Corporate NSM). This standard methodology would then be applied to all campuses in the implementation of the Enterprise Network Management Platform.
· Detail the NSM solution, including hardware architecture, software architecture and operating system;
· Detail the system build sequence, including environment variables, file partitions, network interfaces and dependencies;
· Identify the integration process, including any scripts, adapters and custom code written to build the platform (Run and Build Docs);
· Document all maintenance issues necessary to keep the platform performing optimally;
· Identify any other issues regarding normal operations and use of the NSM.
MIL-STD-100 Deliverables
The NSM deliverable is defined as a fully functioning Network Management Platform. The NSM database product is delivered to Corporate for a pre-determined trial period, after which application tuning and architectural hardening will be applied. The NSM deliverable is:

· Document and provide training on the NSM product and its usage, and turn it over to Corporate Staff;
· Allow Corporate to put the product into production;
· 30-day follow-up to address any issues of note raised by initial deliverables to Corporate;
· 60-day follow-up to do additional tuning as needed.

Please note that the NSM rollout Test and Acceptance (T&A) phase, for the remaining campuses, will be a 30-day period.
February 19, 2010

ISO 17799, 2700x and COBIT shorthand

The 27000 standard contains 11 security control clauses collectively containing a total of 39 main security categories and one introductory clause introducing risk assessment and treatment.

1)      Security Policy (1);

2)      Organizing Information Security (2);

3)      Asset Management (2);

4)      Human Resources Security (3);

5)      Physical and Environmental Security (2);

6)      Communications and Operations Management (10);

7)      Access Control (7);

8)      Information Systems Acquisition, Development and Maintenance (6);

9)      Information Security Incident Management (2);

10)  Business Continuity Management (1);

11)  Compliance (3).

ISO 27001 Domains to focus on

4. Establish an ISMS

4.1 Study ISMS requirements

4.2 Develop your ISMS

4.3 Document your ISMS

5. Manage your ISMS

5.1 Show that you support your ISMS

5.2 Manage your ISMS resources

6. Audit your ISMS

Establish an audit procedure

Plan your internal audits

Conduct internal audits

Take remedial actions

7. Review your ISMS

7.1 Perform management reviews

7.2 Examine management review inputs

7.3 Generate management review outputs

8. Improve your ISMS

8.1 Continually improve your ISMS

8.2 Correct nonconformities

8.3 Prevent nonconformities

 

The COBIT-based security baseline, providing key controls and mapping to ISO 17799

1)      Information security survival kits, providing essential awareness messages

2)      IT governance guideline

3)      Generic IT process guideline

4)      For each of the 34 IT processes

One maturity model

5 to 7 KGIs (Key Goal Indicators)

8 to 10 CSFs (Critical Success Factors)

6 to 8 KPIs (Key Performance Indicators)

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are focused more on control and less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

 

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

1)      Making a link to the business requirements

2)      Organizing IT activities into a generally accepted process model

3)      Identifying the major IT resources to be leveraged

4)      Defining the management control objectives to be considered

 

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

 

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.

 

ISO 17799 Domains
1.      Security policy
2.      Organizational security
3.      Asset classification and control
4.      Personnel security
5.      Physical and environmental security
6.      Communications and operations management
7.      Access control
8.      System development and maintenance
9.      Business continuity management
10.    Compliance

 

The Information Technology Infrastructure Library (ITIL®) is a framework of best practice approaches intended to facilitate the delivery of high quality information technology (IT) services. ITIL outlines an extensive set of management procedures that are intended to support businesses in achieving both high financial quality and value in IT operations. These procedures are supplier-independent and have been developed to provide guidance across the breadth of IT infrastructure, development, and operations.

ISO-17799 Overview

Complementary standards and guidelines that were inspired by ISO17799, or were designed to support its implementation:

AS/NZS-4360:2004, Risk Management Guidelines

HB-231:2004, Information Security Risk Management Guidelines

ISO-19011:1996, Guidelines for Management System Auditing

PAS56:2003, Guide to Business Continuity Management

ISO/TR-18044:2004, Information Security Incident Management

ISO-GMITS:1996/2001 (Guidelines for the Management of IT Security):

ISO/TR-13335/1:1996, Concepts and Model for IT Security

ISO/TR-13335/2:1997, Planning IT Security

ISO/TR-13335/3:1998, Management of IT Security

ISO/TR-13335/4:2000, Selection of safeguards

ISO/TR-13335/5:2001, Management guidance on network security

COBIT control objectives are fully mapped to support ISO17799

ITIL is especially efficient for Communication & Operations Management

January 19, 2010

What’s new in ISO-17799:2005

Risk management was addressed only in the part 2 document; part 1 now includes a new chapter on ‘Risk Assessment and Treatment’ requirements

‘Asset classification and control’ evolves into a more holistic ‘Asset management’ approach

‘Personnel Security’ evolves into ‘Human resources security’, which now emphasizes what is needed before, during and on termination of employment

‘Communication and operations management’ now includes service delivery management of 3rd parties (i.e.: outsourcer performance and security obligation monitoring)

Introduction of ‘Technical Vulnerability Management’

Incident management controls that were spread all around the previous version of the standard are now consolidated within a new chapter titled ‘Information Security Incident Management’

In short: 2 new control families, a new total of 135 controls, over 80 changes within the existing controls (deletion/addition/modification)

ISO-17799:2000 Overview

127 controls distributed within 10 categories

Information security policy

Organizational security

Asset classification and control

Personnel security

Physical & environmental security

Communication & operations management

Access control

System development & maintenance

Business continuity management

Compliance

Uses a Plan/Do/Check/Act implementation and operation model that starts with a risk assessment to establish the security controls needed to adequately manage information security risks within the business processes

Used in conjunction with BS7799, it also establishes documentation, revision, communication, training, auditing and continuous improvement requirements

ISO-17799 Overview

BS7799 was created in 1999 as a two part document (standard + certification scheme) by the British Standards Institution (BSI)

 

The standard portion was adopted and converted into an ISO standard in 2000

 

The certification scheme portion is still a BSI-only standard and its latest revision is dated 2002

 

Many government policies, standards, guidelines and best practices worldwide are based on, inspired by or in compliance with ISO17799:2000 & BS7799-2:2002, and some of them don’t even know it

 

There is a general misconception that it is not a complete standard because it lacks implementation guidelines

 

Since it was built by a standards organization (BSI), the implementation guidelines were intentionally left out of the document and regrouped into other specific standards and “security techniques” (i.e.: ISO13335, PAS56…)

January 18, 2010

Regulatory Requirements


Federal Information Security Management Act (FISMA)

Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, provides for development and maintenance of minimum controls required to protect federal information and information systems, and provides a mechanism for improved oversight of federal agency information security programs. http://www.fedcirc.gov/library/legislation/FISMA.html

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Corporate Information Security Accountability Act (CISAA)

A Bill has been proposed that is intended “To amend the Securities Exchange Act of 1934 to require each publicly traded Company to conduct an assessment of the Company’s computer information security.” The draft is currently on hold for industry discussion. http://www.cisaa.org/

 

January 02, 2010

Leak Prevention Technology white paper

Excellent
Leak Prevention Technology white paper
http://www.percept.com/wp/Leak%20Prevention%20Technology_White%20Paper_FINAL_UPDATES%20v2.pdf
Electronic Health Record EHR Survey

Electronic Health Record EHR Survey (HIPAA)
 http://www.aao.org/aaoesite/promo/business/upload/EHR_vendor_survey_6_17_web.xls
Gartner Web Evaluation Tool

Gartner Web Evaluation Tool
http://www.aworc.org/went2001/tracks/joint/all-tool-web-evaluation.xls
Business Intelligence Comparisons

Business Intelligence Comparisons
http://www.180systems.com/BI-Comparison.xls
  
  
PSA Comparisons
http://www.180systems.com/PSA-Comparison.xls
December 10, 2009

Excellent Business Publications

 

 

September 21, 2009

Bandwidth Technologies

Vendor Options 

Caching

Apache mod_proxy:

http://httpd.apache.org/docs/mod/mod_proxy.html

A module for the world's most popular web server that provides proxying capabilities for HTTP, FTP and SSL CONNECTs. It can act as a web cache, can pass requests through a SOCKS proxy and logs proxying requests using the existing Apache logging mechanisms. It is most suitable for small workgroups that already have an Apache server installed.

Blue Coat Systems:

http://www.bluecoat.com/

Blue Coat Systems (formerly CacheFlow) offer a range of security gateway products that provide proxy caching with integrated bandwidth management and security facilities – e.g. web content filtering using SurfControl and virus scanning of web objects using the Symantec and Trend Micro systems.

Cisco Application and Content Network System (ACNS):

http://www.cisco.com/en/US/products/sw/conntsw/ps491/index.html

ACNS is Cisco's replacement for its end-of-life Cache Engine products. It includes caching as part of an integrated system of content management products for an Enterprise Content Delivery Network (ECDN). These products are aimed squarely at large enterprises and service providers, so in the research and education community they will probably be of more interest to Regional Network operators and large or geographically dispersed institutions.

LogiSense EngageIP:

http://www.logisense.com/cache_home.html

This cache server can run under Windows NT/2000/XP or Linux and is also available as a cache server appliance. It has a web based Graphical User Interface (GUI) for remote monitoring and management of the cache, supports plug-ins to enhance the functionality of the server (including a content filtering plug-in for the Cerberian Internet Access Control software), caches Domain Name Server (DNS) entries, supports Web Cache Control/Coordination Protocol (WCCP) version 1 and 2, has the ability to be monitored using SNMP and authenticates users against a RADIUS server or Windows NT LANMANAGER Protocol (NTLM).

Microsoft Internet Security and Acceleration (ISA) Server:

http://www.microsoft.com/isaserver/

ISA Server replaces the previous Windows NT based Microsoft Proxy Server (which has been discontinued and will be unsupported come January 2004). As the name suggests it is more than just a proxy web cache; it also provides firewalling and web acceleration features as well. It comes in two editions; Standard and Enterprise. Standard is aimed at workgroups and small businesses whereas enterprise is targeted at the centralised management of large networks and can support clusters of firewalling, accelerating and caching servers.

Microsoft is partnering with a number of companies to extend the ISA Server technologies, e.g. Venation are offering an integrated pre-fetching subsystem which accelerates popular sites by opportunistically caching their content:

http://www.venation.com/

Network Appliance NetCache:

http://www.netapp.com/products/netcache/netcache_family.html

Network Appliance have a range of hardware based cache appliances that include high availability features and support for less commonly cached protocols such as the Usenet News NNTP protocol and various streaming media formats.

Novell Volera Excelerator:

http://www.novell.com/products/volera/

The Novell Volera Excelerator was originally called the Novell Internet Caching System (ICS). It can be used as either a caching proxy in front of a group of clients or can provide web site acceleration. Volera has also been sold as an Original Equipment Manufacturer (OEM) product to a number of other vendors, including IBM that released it as the Netfinity server on IBM hardware.

Squid:

http://www.squid-cache.org/

Squid is a freely available caching web proxy, targeted at Unix/Linux hosts (though there is a version that also runs on Windows boxes). As well as proxying for normal HTTP, FTP and Gopher sessions it can proxy SSL, can take part in cache hierarchies, implements Internet Cache Protocol (ICP), Hypertext Caching Protocol (HTCP), Cache Array Routing Protocol (CARP), Cache Digests and WCCP, can provide HTTP server acceleration and caching of DNS lookups, has SNMP management facilities and supports a wide variety of access controls. Many new ideas in web caching get implemented in Squid first as it is the dominant, open source platform on the market. Squid is also found inside some commercial cache appliances.

Web Servers

Apache mod_bandwidth:

http://www.cohprog.com/mod_bandwidth.html

This Apache module provides the facility to set server-wide or per-connection bandwidth limits based on factors such as the directory being accessed, the size of the file being retrieved and/or the remote IP address or domain name.

Apache mod_throttle:

http://www.snert.com/Software/mod_throttle/

This module can also perform bandwidth limiting. It can throttle used bandwidth based on the remote IP address of the requesting client, an authenticated username from the remote client, the local user that owns the requested file, and/or the directory, location or virtual server that contains the requested file. This can be used in a variety of different ways, for example on a home page server to provide a maximum allowable bandwidth over a defined period to prevent suddenly popular web pages from soaking up all the available bandwidth - the so-called ‘Slashdot Effect’, named after a certain website (http://slashdot.org/) that has a tendency to cause this to happen on a regular basis.

Arterial Software aXesW3 web server accelerator:

http://www.arterialsoftware.com/products/w3_advantages_index.html

The accelerator contains bandwidth throttling facilities that can be applied to an entire site or particular requests. Combined with its on-the-fly compression (see below) it allows individual or groups of URLs to be given a fixed maximum byte rate.

Microsoft Internet Information Server (IIS):

http://www.microsoft.com/iis/

and: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/qos_throttlebw.asp

Microsoft IIS web server includes a bandwidth throttling control using the Windows Packet Scheduler. It has a minimum bandwidth of 8Kbit/s due to the Packet Scheduler limitations. If an IIS server is hosting more than one web site, each site can have a different throttle level applied.

Zeus Client Bandwidth Module:

http://www.zeus.com/products/zws/modules/client_bw.html

This is an optional module for the Zeus web server that allows bandwidth to be throttled based on the Multipurpose Internet Mail Extensions (MIME) type of the resource being returned, the size of the resource, an authenticated remote username, or the IP address of the requesting client. It can work in a clustered environment by sharing usage information amongst all the servers in the cluster using a shared file system such as Network File System (NFS).

Rate Limiting and Packet Shaping

Allot Communications:

http://www.allot.com/

The Allot NetEnforcer product line is a range of Linux based appliances offering bandwidth management features with integrated access controls, including the ability to block objects based on their content. The Allot NetAccountant software provides statistics and reporting on network usage, with extensive facilities for accounting and billing.

FortiNet:

http://www.fortinet.com/

FortiNet’s FortiGate security appliances offer a range of ASIC assisted services integrated in a single box - including firewalling, real-time anti-virus scanning, network intrusion detection/prevention and bandwidth management.

Linux Advanced Routing:

http://lartc.org/

The Linux kernel comes equipped with a set of extensible and highly sophisticated bandwidth management tools, comparable to high end commercial bandwidth management systems. It can use multiple queues with both classful and classless queue disciplines, can classify packets, can perform Layer 7 application snooping to identify flows, and can do policy-based routing based on those packet classifications.


Packeteer:

http://www.packeteer.com/

Packeteer offer a range of bandwidth and application performance management hardware and software tools. A Packeteer based solution allows a network manager to monitor what traffic is actually passing over the network (using PacketSeeker) and then control the bandwidth usage of the various applications (using PacketShaper). The system performs Layer 7 application data snooping on the packets that traverse the Packeteer box and so can handle protocols such as Kazaa.

Throttled:

http://allmacintosh.xs4all.nl/preview/278580.html

Designed for MacOS X, this piece of software throttles traffic heading for the Internet from the Mac whilst leaving LAN traffic untouched.


Quality of Service

Cisco Switches and Routers QoS Tools:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/qos.htm#wp1024961

Many Cisco switch and router products provide QoS tools, although these are not available in all Feature Sets. Their routers in particular offer many options for the identification and classification of packets that can then be applied to a variety of queuing mechanisms. Recent versions of Cisco's Internet Operating System (IOS) include Network-Based Application Recognition (NBAR), which provides Layer 7 snooping into packets in order to identify and mark flows more accurately.

Linux DiffServ Tools:

http://diffserv.sourceforge.net/

The Linux kernel packet classification and filter tools also feature the ability to mark and reclassify packets. Linux has had QoS tools such as RSVP available for many years and the operating system is used in both end points (hosts) and intermediate nodes (routers). Several large network vendors are already looking at using Linux in some of their future products so QoS support is likely to expand further in the next few years.

Compression

Apache mod_gzip:

http://sourceforge.net/projects/mod-gzip/

The mod_gzip module provides an Internet Content Acceleration (ICA) function for Apache. It compresses suitable content on the fly as it is delivered to the client and requires no special client software.

Arterial Software aXesW3 web server accelerator:

http://www.arterialsoftware.com/products/w3_index.html

This is a web server accelerator that makes use of idle Central Processing Unit (CPU) cycles on modern web servers to compress data before sending it. It can actually reduce the overall CPU load for SSL encrypted sites, as the compression algorithms can take fewer cycles to compress the data than the SSL algorithm takes to encrypt it. By compressing the data prior to encryption, less data has to pass through the SSL algorithm and so fewer overall CPU cycles are required.

Packeteer PacketShaper Xpress:

http://www.packeteer.com/prod-sol/products/xpress.cfm

This is a software upgrade to the Packeteer PacketShaper traffic shaper that provides compression based acceleration features.


Filtering

Cleanfeed:

http://www.bofh.it/~md/cleanfeed/

Cleanfeed provides spam filtering for Usenet transit servers. As well as scanning incoming newsfeeds for spam and telling the server to reject any that it finds, it can also block binary postings to non-binary groups and discard HTML postings.

DansGuardian:

http://dansguardian.org/

DansGuardian is a free, Unix based web content filtering system. It provides URL filtering/blocking, and can filter the content of text documents (including phrase matching). By default it is set up to content filter for young children but the level and amount of filtering is under complete control of the administrator.

Microsoft ISA server:

http://www.microsoft.com/isaserver/

Microsoft ISA can provide filtering for both web and e-mail traffic. As well as HTTP, FTP and SMTP protocols, it can also filter H.323 media streams and Remote Procedure Calls (RPCs). Microsoft state that its RPC filtering provides protection for Outlook users when talking to an Exchange server without the use of a Virtual Private Network (VPN).

SquidGuard:

http://www.squidguard.org/

SquidGuard is a combined filter, redirector and access controller for the Squid caching web proxy. It is free, extremely fast, and gives the administrator full control over blacklisted servers/URLs. Blocking can be done with powerful regular expression matching rules whilst requests for blocked resources can be redirected to an information page. Banner advertisements can be replaced with empty images. Access rules vary depending on the current time/date/user group, whilst unregistered users can be redirected to a registration form. SquidGuard does not however, filter text or code inside documents.

SurfControl:

http://www.surfcontrol.com/

SurfControl sell a number of filtering systems, including server based solutions for web content filtering, e-mail filtering and instant messenger filtering. SurfControl also market CyberPatrol, which is a host-based filtering system aimed at parental and school filtering of content unsuitable for minors.

Access Control

Apache mod_access:

http://httpd.apache.org/docs/mod/mod_access.html

This module provides directives in the Apache configuration file that allow access control lists to be constructed based on client hostname, client IP address, the client's request, and the HTTP method used. The mod_access module is a fundamental module in the Apache HTTP server and is shipped with it.
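As an added illustration (not taken from the page or from the Apache project), the following mod_access configuration for Apache 1.3/2.0/2.2 combines the criteria listed above: IP address, hostname, the request path and the HTTP method. Directory paths, the 192.0.2.0/24 network and the hostname are assumed placeholders.

```apache
# Added example, not part of the original page. mod_access syntax for
# Apache 1.3/2.0/2.2 (in 2.4 the same checks are written with Require
# in mod_authz_host). Paths, networks and hostnames are placeholders.

# Default-deny for an administrative area: with "Order Deny,Allow" the
# Deny directives are evaluated first and Allow directives override them,
# so a client matching neither list is denied.
<Directory "/var/www/html/admin">
    Order Deny,Allow
    Deny from all
    # placeholder management subnet
    Allow from 192.0.2.0/24
    # hostname match requires forward and reverse DNS to agree
    Allow from mgmt.example.edu
</Directory>

# Public area: anyone may read, but every method other than GET and HEAD
# is restricted to the management subnet.
<Directory "/var/www/html/public">
    Order Allow,Deny
    Allow from all
    <LimitExcept GET HEAD>
        Order Deny,Allow
        Deny from all
        Allow from 192.0.2.0/24
    </LimitExcept>
</Directory>

# Pitfall: with "Order Deny,Allow" the Allow list is applied last, so the
# commented block below does NOT block the subnet; "Allow from all" wins.
#     Order Deny,Allow
#     Deny from 192.0.2.0/24
#     Allow from all
# To block one network and admit everyone else, reverse the order:
<Directory "/var/www/html/docs">
    Order Allow,Deny
    Allow from all
    Deny from 192.0.2.0/24
</Directory>

# Restrict by request path rather than by filesystem directory.
<Location "/server-status">
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Apache config does not allow a comment on the same line as a directive, which is why every comment above sits on its own line.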

Cisco IOS switch/router ACLs:

http://www.cisco/cisco_acls.html

Cisco IOS ACLs can be used to permit or deny different types of traffic based on the protocol in use, source or destination addresses and port numbers. They are very useful as a quick means of providing simple firewalling of protocols at both border and internal routers on a site.

Microsoft IIS:

http://www.microsoft.com/iis/

The IIS web server can provide access controls to the content that it serves based on authenticated remote users, the remote IP address or domain name of the client browser.


April 12, 2009

Securing the confidentiality of PHI

PHI (Protected Health Information) requires passwords but….

a)      Easy-to-guess passwords are one of the top ten threats to network security

b)      When passwords change often to improve security, users write them down, increasing the risk of a breach

In addition, employers must block terminated staff from continued access to systems that have PHI.

However, it is difficult to revoke access to multiple systems quickly.

One answer is Centralized Password Management, which lets organizations easily enforce an unlimited number of strong password rules, such as minimum length, minimum number of unique characters, required letters and numbers, etc., to maintain security.

Centralized password management allows for strong, complex password enforcement; in addition, it allows for:
1)      Password synchronization

2)      Integration of multiple passwords

3)      Simplified password resets

4)      Correction of forgotten passwords

5)      Password administrative revocation

6)      Password change privileges instantly and automatically on multiple systems

7)      Saving administrative time and money

8)      Increased corporate and stockholder value


Short list of IEEE Standards

802.1 Internetworking

802.2 Logical Link Control

802.3 CSMA/CD or Ethernet

802.4 Token Bus LAN

802.5 Token Ring LAN

802.6 Metropolitan Area Network or MAN

802.7 Broadband Technical Advisory Group

802.8 Fiber-Optic Technical Advisory Group

802.9 Integrated Voice/Data Networks

802.10 Network Security

802.11 Wireless Networks

802.12 Demand Priority Access LAN or 100VG-AnyLAN


June 11, 2008

PCI Cardholder Information Security Program

Cardholder Information Security Program

Securing Visa Cardholder Data

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why Visa USA has instituted the Cardholder Information Security Program (CISP). Mandated since June 2001, the program is intended to protect Visa cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.
If you are a non-U.S.-based entity, please visit Visa International Account Information Security (AIS).


How CISP Compliance Works

CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. This Standard is a result of a collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.
Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry.

The PCI Data Security Standard (PDF, 149k) consists of twelve basic requirements supported by more detailed sub-requirements:
PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

CISP Compliance Validation

Separate and distinct from the mandate to comply with CISP requirements is the validation of compliance. It is a fundamental and critical function that identifies and corrects vulnerabilities, and protects customers by ensuring that appropriate levels of cardholder information security are maintained. Visa has prioritized and defined levels of CISP compliance validation based on the volume of transactions, the potential risk, and exposure introduced into the Visa system by merchants and service providers.
For a detailed description of Visa merchant levels of CISP compliance criteria and validation actions, go to: Merchants
For a detailed description of service provider CISP compliance criteria and validation actions, go to: Service Providers


Why Comply?

By complying with CISP requirements, Visa members, merchants, and service providers not only meet their obligations to the Visa payment system, but also build a culture of security that benefits everyone.
Benefits of CISP
Everyone
  • Limited risk
  • More confidence in the payment industry
Member
  • Protected reputation
Merchant and Service Provider
  • Competitive edge gained
  • Increased revenue and improved bottom line
  • Positive image maintained
  • Customers are protected
Industry
  • "Good security neighbors" encouraged
Consumer
  • Information is safeguarded
  • Identity theft prevention

Visa Regulations

The Visa USA Operating Regulations govern the activities of member financial institutions and, by extension, merchants and service providers as participants in the Visa payment system. The simplified requirements presented here should help clarify the intent of the more formal regulations.

Member CISP Responsibilities

Members are responsible for ensuring the CISP compliance of their merchants, service providers, and their merchants' service providers. Although there may not be a direct contractual relationship between merchant service providers and acquiring members, all members remain responsible for any liability that may occur as a result of CISP non-compliance. Acquirers must include a CISP compliance provision in all contracts with merchants and Nonmember agents.

Disclosure of Cardholder Information

Issuers, acquirers, and merchants may disclose Visa transaction information only to service providers approved by Visa (i.e., those who support a loyalty program or provide fraud control services).
To receive Visa approval, a service provider must comply with the CISP requirements. Additionally, a member that discloses or allows its merchants to disclose Visa transaction information to a third party that has not demonstrated CISP compliance will be subject to the program fines and penalties.

CISP Compliance Penalties

If a merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may:
·     Fine the acquiring member
·     Impose restrictions on the merchant or its agent, or
·     Permanently prohibit the merchant or its agent from participating in Visa programs
Members receive protection from fines for merchants or service providers that have been compromised but found to be CISP-compliant at the time of the security breach. Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not CISP-compliant at the time of the incident.

Loss or Theft of Account Information

A member or the member's service provider, or a merchant or the merchant's service provider must immediately report the suspected or confirmed loss or theft of any material or records that contain Visa cardholder data.
If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data.
If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
Additional fines may be levied for exceptional circumstances where the violation presents immediate and substantial risks to Visa and its members.


See our supportive technology templates at http://www.bestitdocuments.com/Services.html for remediating PCI solutions.


May 17, 2008

What is an Application Audit


Usually required to assess:

· Business risk

· Internal control

· Strong linkage to corporate governance and compliance regimes such as SOX, PCI, HIPAA and GLBA

It is an audit of a single application:

· Example: audit of an Excel spreadsheet with embedded macros

It could also be an audit of business processes that use IT heavily:

· Example: payroll processing involving multiple servers and databases

An application audit could also be technology related:

· Example: audit of an organizational PBX

· Example: audit of a data warehouse

Periodicity of audit:

· As the system is developed

· Post-implementation of a new system

· Every n months (n = 12)

What does the auditor look for?

· Assurance that the application provides adequate control over the data being processed

  o Level of control related to the degree of risk being assumed

· Risk coming from incorrect or unauthorized processing of data

  o Job descriptions for:

    - Application developers

    - Business owners

    - Production support groups

What does the auditor look for?

· Level of segregation for system access and application privileges

SANS recommends checking for the following controls:

· Application Administration

· Inputs, Processing, Outputs

· Logical Security

· Disaster Recovery Plan

· Change Management

· End User Support

· Third Party Services

Impact of the application on the business:

· Team members' roles and responsibilities are defined and documented

· Organizational chart is current

· Charts and roles help managers:

  o Understand the business implications

  o Serve as a training tool for new members

· Legal and regulatory compliance issues with respect to an application must be specified

· Service Level Agreements (SLAs) between the application provider and the business must be in place

· The auditor will review the SLA with respect to customer incentives and business objectives

What does the auditor look for?

· Evidence of data preparation

· Procedures

· Reconciliation processes

· Handling requirements

· Evidence of control over manual processes

· Verification of certain calculations using Computer Auditing Techniques (CATs)

What does the auditor look for?

· Balancing and reconciliation for outputs

· Traceability of control totals to upstream and downstream systems

http://www.bestitdocuments.com/Application_assessments.html

BizTalk Architecture Poster:

http://download.microsoft.com/download/1/1/2/112b710d-85c6-49d5-95b8-4de8c488214f/BizTalk%20Server%202006%20Runtime%20Architecture%20Poster.pdf


January 11, 2008

Common Referenced Related Laws, Regulations, and Policies

The following Federal laws, directives and regulations provide guidance pertaining to the security of automated information systems:

· Privacy Act of 1974 (Public Law [PL] 93-579, United States Code [U.S.C.] 552A)

· Freedom of Information Act (5 U.S.C.522)

· Paperwork Reduction Act of 1986 (44 U.S.C. 35)

· Electronic Communications Privacy Act of 1986 (PL 99-508)

· Computer Fraud and Abuse Act of 1986, (PL 99-474, 18 U.S.C. 1030)

· Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) (Division E of PL 104-106, 4 U.S.C. 35)

· Title III of the E-Government Act (PL 107-347): Federal Information Security Management Act of 2002 (FISMA)

· Office of Management and Budget (OMB) Circular A-123, Management Accountability and Control, Attachment Section II, June 21, 1995

· OMB Circular A-127, Financial Management Systems, revised July 23, 1993

· OMB Circular A-130, Appendix III, Transmittal #4, Security of Federal Automated Information Resources, February 8, 1996

· Presidential Decision Directive (PDD) 67, Continuity of Government (COG) and Continuity of Operations (COOP) Plans Practices for Securing Critical Information and Information Systems and Networks, 1988

· Executive Order (EO) 12656, Assignment of Emergency Preparedness Responsibilities (COOP Plans), November 18, 1988, as amended by EO 13074

· EO 13011, Federal Information Technology, July 16, 1996

· Homeland Security Presidential Directive (HSPD) 7, December 17, 2003

FIPS PUBs, including:

· FIPS PUB 199,  Standards for Security Categorization of Federal Information and Information Systems

· FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems

NIST SPs, including:

· NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems

· NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal information Systems

· NIST SP 800-53, Recommended Security Controls for Federal Information Systems, and referenced supplemental guidance documents

· NIST SP 800-60, Guide for Mapping types of Information and Information Systems to Security Categories

November 02, 2007

ITIL Request Management

Goals
Increase productivity
Enforce business rules
Provide automation where possible
Provide audit trail
De- and re-provision appropriate assets
Change Order Management
Workflow Tasks
Individual assignment and notification
Track cost & time
Often used by:
IT
HR
Facilities
Request / Incident / Problem Management Overview / benefits
Request for Change or Service
Profile information Activities Related requests Attachments Properties
Announcements
Submit requests / Self-Service
Search
Knowledge base
Check status
Track assets through the operational life-cycle
Relate assets to:
Requests or Change Orders
Contacts, end-users
Organizations
Out-of-the-box integration with Asset Management tools (inventory discovery tool)
Root Cause – knowledge retention / re-use
Key word search
Web-based
Analysts/End user enabled
Often used for:
Storing “Internal Memory”
Initial troubleshooting steps
Defining processes
Compress Ramp-Up Time
Leverage Known solutions
Business Benefits
Operational Efficiency and Cost Containment
Streamlines user management
Automates provisioning & de-provisioning
Reduces help desk and other user administration costs
Increases user productivity
Business Facilitation with Risk Mitigation
Supports new services, applications and data bases
Improves customer service
Supports regulatory compliance
Prevents “ghost-user accounts”