
CI6231 Security Policy & Strategy

Abstract

The most common threat in a networked system is unauthorized access to information and computer resources. Such access can cause the loss of confidentiality, integrity, and availability of information technology assets. To ensure business continuity and minimize potential damage, companies need to establish computer-based access control (so-called logical access control) to protect their proprietary information from intentional or accidental disclosure, modification, erasure, or copying, and their IT resources from misuse. This control gives an organization the ability to restrict, monitor, and protect the confidentiality, integrity, and availability of these resources.

Another common threat is data leakage. Because organizations now use more forms of communication beyond traditional email, such as instant messaging and VoIP, more avenues for data leakage have emerged. This document presents a security policy and strategy for two risks identified from the Community Health Systems breach: unauthorized disclosure of information and data leakage. It covers the real-world breach, the security policies, the recommended implementation plans and related details.

Real World Security Data Breaches - USA Community Health Systems

In August 2014, Community Health Systems (CHS), a US-based healthcare organization, disclosed in a Form 8-K filing with the SEC that its computer network had been attacked at least twice, in April and June 2014, by criminal cyber attacks originating from China. CHS, which owns, operates and leases 206 hospitals across 29 US states, confirmed that these incidents resulted in the theft of non-medical, patient-identifying information of 4.5 million individuals who had, in the last five years, been referred to or received services from physicians affiliated with CHS. The stolen information included patient names, addresses, birthdates, telephone numbers, and social security numbers.

Although CHS described the attacks as incidents in which the attackers used highly sophisticated malware and technology to bypass its security measures and reach the personal data of millions of patients, sources closer to the investigation have described a different scenario. According to these sources, CHS was compromised through a test server that was never intended to be connected to the Internet at all. Because Internet connectivity was not expected, the security features that would and should be deployed on a live production server were not installed on the test server.

Unfortunately, VPN credentials were present in the memory of the test server, so when it did become connected to the Internet, the attackers were able to read them through the Heartbleed bug in the server's OpenSSL library (a flaw in the TLS heartbeat extension that lets an unauthenticated remote peer read up to 64 KB of the process's memory per request). The attackers then used those credentials to log in to the CHS network over the VPN and stole millions of patients' personal information. In effect, CHS left the lights on and a note on the door saying, "Hey, come on in. The key is under the doormat!"

Entirely avoidable

In these days of seemingly daily reports of data breaches, the danger lies in the potential for complacency among those charged with overseeing the design, implementation, and maintenance of the cyber-security measures that protect the data healthcare companies collect from their patients. In other words, those responsible for corporate leadership and governance of cyber security may become passively resigned to the perceived "inevitability" of a data breach, instead of systematically and systemically reviewing and transforming the company's cultural approach to cyber security and risk management.

For example, in this case, if cyber security had been embedded as a dominant priority in the development, maintenance, and security teams at CHS, a test server would never have held valuable VPN credentials without the corresponding security controls to prevent unauthorized access in the event that the server was ever connected to the Internet. If this is in fact how the breaches occurred, it was an entirely foreseeable event that could easily have been anticipated and guarded against.

What can healthcare learn?

The healthcare industry has developed, as it must, policies, procedures, and redundancies to protect patients from mistakes made in a medical treatment context. The same approach should be taken to protect patients' personal identifying information. Healthcare organizations must conduct a thorough review of the cyber-security policies and procedures for their computer networks and data systems, from initial development through implementation and maintenance to retirement. They should then document these policies and procedures and bring in an independent third-party vendor to review them and identify any gaps or vulnerabilities that cyber criminals could exploit. Having documented the policies and procedures and closed any gaps identified by the independent review, healthcare organizations should then monitor, on a continuing basis, compliance by their employees and vendors with those documented policies and procedures. Embedding cyber security as a core value in a healthcare organization's culture is essential to minimizing, if not eliminating, the risk of a data breach that damages not only the organization but the patients who have entrusted their personal information to its care.

As part of this assignment, we have identified two risks from this healthcare security breach incident:

1. Unauthorized Disclosure of Information
2. Data Leakage

Risk #1: Unauthorized Disclosure of Information

Disclosure of confidential or sensitive information can result in loss of trust, reputation, market share and economic advantage.

Risk Assessment

The risk identified from the Community Health Systems security breach is unauthorized disclosure of information through weak access controls and lack of patch management.

System Characterization: Hardware and Software

Asset Identification: As part of the risk assessment phase, the following asset was identified as affected by this risk.

Asset Category | Asset Name | Asset Description | Asset Type

Information Asset | Patient health information and records | This includes all patient-related health information that has been disclosed | Electronic/Paper

Asset Valuation: The goal of asset valuation is to assign impact values to the assets in the context of confidentiality, integrity and availability. The following table represents the asset impact valuation with respect to malicious code.

Value | Service Delivery | Reputation | Privacy Infringement
Low | (no entry) | (no entry) | (no entry)
Medium | External breach of personal information (the source gives a single entry for this row)
High | Down: service completely unavailable | Unfavorable widespread press interest | Detrimental effect on person and personal life

Threat | Confidentiality | Integrity | Availability
Malicious code | Y | Y | Y

Threat Identification

Attackers gain control through weak access controls and an outdated, vulnerable cryptographic library, and use that foothold (malicious code or stolen credentials) to expose sensitive data.
Threat Source: Hacker
Threat Action: Unauthorized access and malicious code
Threat: Unauthorized access by a hacker / hacker uses sophisticated malware

Vulnerability Identification

Weak access controls and an outdated cryptographic library (an OpenSSL build vulnerable to Heartbleed) were in place.

Likelihood Determination and Impact Analysis

Likelihood is rated high because attackers are highly motivated and sufficiently skilled, and the access controls were weak because of the outdated cryptographic library in use. Impact is rated high because vulnerable servers were connected to the Internet without hardening or the latest patches, and with a weak cryptographic library in place, which can lead to unauthorized disclosure of information. The following table summarizes threat likelihood and impact for sensitive data exposure.

Likelihood Severity: High | Impact Severity: High
Hackers are highly motivated and sufficiently skilled to use sophisticated malware/malicious code | Loss of the organization's sensitive and confidential information to an unauthorized external party
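The vulnerability identified above, an outdated cryptographic library, is the Heartbleed bug in OpenSSL described in the breach narrative. As an added example that is not part of the original document, the following Python code simulates the TLS heartbeat handling at the centre of that bug: the vulnerable handler copies as many bytes as the request's length field claims, while the fixed handler first checks that claim against the record actually received (the bounds check OpenSSL 1.0.1g added). The "process memory" image and the credential string placed in it are constructed for this example and are not real data.

```python
import struct

# RFC 6520 requires at least 16 bytes of padding after the heartbeat payload.
MIN_PADDING = 16

# Constructed for this example: a made-up credential that happens to sit in
# process memory after the received record. It is not a real secret.
SECRET_IN_MEMORY = b"vpn-user=svc-backup;vpn-pass=Example#Only"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat request body: type(1) | payload_length(2) | payload | padding.

    A legitimate client sets claimed_length == len(payload). An attacker sets
    it larger than the payload actually sent; that mismatch is the attack.
    """
    return bytes([1]) + struct.pack("!H", claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_response(memory: bytes) -> bytes:
    """Pre-1.0.1g behaviour: trust the length field inside the request."""
    payload_length = struct.unpack("!H", memory[1:3])[0]
    # Copies payload_length bytes starting right after the 3-byte header,
    # no matter how many bytes the record really carried. Whatever follows
    # the record in memory is echoed back to the client.
    echoed = memory[3:3 + payload_length]
    return bytes([2]) + struct.pack("!H", payload_length) + echoed


def fixed_response(memory: bytes, record_length: int):
    """1.0.1g behaviour: reject a claim the received record cannot back."""
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return None  # silently discard the request, as the OpenSSL fix does
    echoed = memory[3:3 + payload_length]
    return bytes([2]) + struct.pack("!H", payload_length) + echoed


def response_payload(response: bytes) -> bytes:
    """Strip the 3-byte response header so callers can inspect what was echoed."""
    return response[3:]


def simulate(claimed_length: int, payload: bytes = b"ping"):
    """Send one heartbeat to a simulated server and return both servers' answers.

    The memory image is: the received record, then a short gap, then other
    process data (here the constructed credential), then more zeroed memory.
    """
    record = build_heartbeat(payload, claimed_length)
    memory = record + b"\x00" * 8 + SECRET_IN_MEMORY + b"\x00" * 64
    return vulnerable_response(memory), fixed_response(memory, len(record))


if __name__ == "__main__":
    vuln, fixed = simulate(claimed_length=4)
    print("honest request, vulnerable server echoes:", response_payload(vuln))
    print("honest request, fixed server echoes:     ", response_payload(fixed))
    vuln, fixed = simulate(claimed_length=100)
    print("over-long claim, vulnerable server leaked credential:",
          SECRET_IN_MEMORY in response_payload(vuln))
    print("over-long claim, fixed server response:", fixed)
```

The example claims only 100 bytes; the real bug allowed a claim of up to 65535 bytes per request, repeated as often as the attacker liked, which is how credentials and keys held anywhere nearby in the heap were recovered. Patching the library stops further reads but does not undo reads that already happened, so after a Heartbleed exposure the credentials that were in memory, the VPN credentials in this case, have to be rotated as well.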

Risk Mitigation Strategy

The goal is to deliver a high level of data security and ensure that no unauthorized disclosure of information occurs, by applying risk mitigation strategies that protect data against external and internal threats. To achieve this organizational goal, a management security framework shall be established to initiate and control the implementation of information security across the organization, providing clear direction and visible support on matters of information security. The following are the mitigation strategies for the risk of unauthorized disclosure of information through internal or external threats.

1. Guard the system against unauthorized disclosure of information by implementing proper logical and physical access control.
2. Guard the system against exposing sensitive data by applying up-to-date cryptographic library patches at every layer.
3. Malicious code and virus protection management.
4. Use certified, up-to-date cryptographic libraries in production.
5. Create a defense-in-depth system.
6. Security awareness and training for users and developers.
7. Risk assessment and mitigation plan: when a security or privacy breach has occurred, review and revise related policies and processes as needed.
8. Conduct periodic reviews or audits to assess the security of sensitive information.
9. Continuous vulnerability testing, review and remediation.

Security Policy and Control Strategies

Policy Details

Scope & Intent of the Policy: This policy applies to all Information Technology (IT) resources owned or operated by the organization. All users (employees, contractors, vendors or others) of IT resources are responsible for adhering to it. The intent of the policy is to establish an access control capability throughout the organization and its business units, helping the organization implement security best practices for logical security, account management, and remote access.

Roles & Responsibilities to implement the policy
Software Developers and Architects: involved from design and development; ensure all security controls are implemented.
CIO: operating system and other software selection must adhere to the organization's strategy.
Office Heads and Facility Directors: ensure locally purchased software adheres to the organization's strategy.
System administrators: manage patch and virus management.
Information Security Officer (ISO): oversees the selection of software and controls and engages with development to deploy security fixes.

Access control: The following subsections outline the access control principles that constitute organization policy. Each system is held to this policy and must develop or adhere to a program plan that establishes compliance with the policy and the related documented standards.

Account Management: All systems must:

1. Identify account types (individual, group, system, application, guest/anonymous, and temporary).
2. Establish conditions for group membership.
3. Identify authorized users of the information asset and specify their access privileges.
4. Require appropriate approvals for requests to establish accounts.
5. Establish, activate, modify, disable, and remove accounts.
6. Specifically authorize and monitor the use of guest/anonymous and temporary accounts.
7. Notify account managers when temporary accounts are no longer required and when information asset users are terminated or transferred, or when their usage or need-to-know/need-to-share changes.
8. Deactivate temporary accounts that are no longer required and the accounts of terminated or transferred users.
9. Grant access to the system based on (1) valid access authorization, (2) intended system usage, and (3) other attributes required by the organization or its missions/business functions.
10. Review accounts periodically, at least annually.

Least Privilege: All systems must employ the principle of least privilege, allowing only the authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Concurrent Session Control: All systems must limit the number of concurrent sessions for each system account to ten per information asset.
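The two session controls, the concurrent session limit above and the session lock that follows (a lock after 60 minutes of inactivity or on the user's request, resumed only by re-authentication), enforced in code. This is an added Python example, not part of the policy document; the credential verifier and the injectable clock are this example's own assumptions, and sessions are tracked per account as the policy's "each system account" implies.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_CONCURRENT_SESSIONS = 10    # policy: Concurrent Session Control
SESSION_LOCK_SECONDS = 60 * 60  # policy: Session Lock after 60 minutes of inactivity


@dataclass
class Session:
    session_id: str
    last_activity: float
    locked: bool = False


class SessionManager:
    """Per-account session bookkeeping that enforces the two session controls.

    verify_credentials(account, secret) -> bool is supplied by the caller
    (assumed here; in practice a directory or password-store lookup). The
    clock is injectable so inactivity can be tested without waiting an hour.
    """

    def __init__(self, verify_credentials: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self._verify = verify_credentials
        self._clock = clock
        self._sessions: Dict[str, Dict[str, Session]] = {}  # account -> id -> Session
        self._counter = 0

    def login(self, account: str, secret: str) -> str:
        """Authenticate and open a session, refusing the eleventh concurrent one."""
        if not self._verify(account, secret):
            raise PermissionError("authentication failed")
        active = self._sessions.setdefault(account, {})
        if len(active) >= MAX_CONCURRENT_SESSIONS:
            raise PermissionError(
                f"{account} already has {MAX_CONCURRENT_SESSIONS} concurrent sessions")
        self._counter += 1
        session_id = f"{account}-{self._counter}"
        active[session_id] = Session(session_id, self._clock())
        return session_id

    def _session(self, account: str, session_id: str) -> Session:
        try:
            return self._sessions[account][session_id]
        except KeyError:
            raise PermissionError("no such session") from None

    def touch(self, account: str, session_id: str) -> None:
        """Call on every request. Once the inactivity threshold has passed the
        session is locked and serves nothing until it is unlocked."""
        session = self._session(account, session_id)
        now = self._clock()
        if session.locked or now - session.last_activity >= SESSION_LOCK_SECONDS:
            session.locked = True
            raise PermissionError("session locked; re-authenticate to continue")
        session.last_activity = now

    def lock(self, account: str, session_id: str) -> None:
        """User-requested lock (the 'upon receiving a request from a user' case)."""
        self._session(account, session_id).locked = True

    def unlock(self, account: str, session_id: str, secret: str) -> bool:
        """Access is re-established only through identification and authentication."""
        session = self._session(account, session_id)
        if not self._verify(account, secret):
            return False
        session.locked = False
        session.last_activity = self._clock()
        return True

    def is_locked(self, account: str, session_id: str) -> bool:
        return self._session(account, session_id).locked

    def logout(self, account: str, session_id: str) -> None:
        """Closing a session frees one of the ten slots."""
        self._sessions.get(account, {}).pop(session_id, None)

    def active_count(self, account: str) -> int:
        return len(self._sessions.get(account, {}))
```

The lock is applied lazily, on the first request after the threshold, rather than by a timer; the effect on the user is the same, because no request is served once 60 minutes have elapsed, but a production system would also sweep idle sessions so that locked sessions do not keep occupying one of the ten slots indefinitely.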

Session Lock: All systems must prevent further access to the information asset by initiating a session lock after 60 minutes of inactivity or upon receiving a request from the user. Systems must retain the session lock until the user re-establishes access using the established identification and authentication procedures.

Controls Strategies: Malicious Code and Virus Protection

The following requirements shall be followed at all times to ensure the protection of information technology resources:

Prevention and Detection:

The automatic update frequency of software that safeguards against malicious code shall not be disabled, altered or bypassed by end users to reduce the frequency of updates.

Response and Recovery:

If malicious code is detected, or suspected to exist, an attempt shall be made to remove or isolate it using current antivirus or other control software.

Patch Management Control

Workstations and servers owned by the organization must have up-to-date operating system and software security patches installed to protect the asset from known vulnerabilities. This includes all laptops, desktops, and servers owned and managed by the organization.

Workstations: Desktops and laptops must have automatic updates enabled for operating system patches. This is the default configuration for all workstations built by the organization. Any exception to the policy must be documented and forwarded to the organization's information security office for review.

Servers: Servers must comply with the minimum baseline requirements approved by the CISO team. These baseline requirements define the default operating system level, service pack, hotfix, and patch level required to ensure the security of the organization's assets and the data that resides on the system. Any exception to the policy must be documented and forwarded to the organization's information security office for review.

Implementation timeline

Risk #2: Data Leakage

Due to the leakage of data in the Community Health Systems breach, the following implications are identified: legal liability, regulatory compliance, lost productivity, business reputation and financial loss.

Risk Assessment

The second risk identified from the Community Health Systems security breach is data (information) leakage through an unsecured network or server.

System Characterization: Hardware and Software

Asset Identification: As part of the risk assessment phase, the following asset was identified as affected by this risk.

Asset Category | Asset Name | Asset Description | Asset Type
Information Asset | Patient health information and their records | This includes all patient-related health information that has been disclosed | Electronic/Paper

Asset Valuation: The goal of asset valuation is to assign impact values to the assets in the context of confidentiality, integrity and availability. The following table represents the asset impact valuation with respect to an unsecured server.

Value | Service Delivery | Reputation | Privacy Infringement
Low | (no entry) | (no entry) | (no entry)
Medium | External breach of personal information (the source gives a single entry for this row)
High | Down: service completely unavailable | Unfavorable widespread press interest | Detrimental effect on person and personal life

Threat | Confidentiality | Integrity | Availability
Unsecured network | Y | Y | Y

Threat Identification

Attackers gained access to the Community Health Systems network through an unsecured network/server.
Threat Source: Hacker
Threat Classification: External threat
Threat Action: Access through an unsecured network
Motivation: Theft of patient personal information and other sensitive data
Threat: Unsecured network access by a hacker

Vulnerability Identification

An unsecured test server connected to the Internet.

Likelihood Determination and Impact Analysis

Likelihood is rated high because attackers are highly motivated and sufficiently skilled to gain access and steal data from the healthcare system. Impact is rated high because vulnerable servers were connected to the Internet without a strong firewall, operating system hardening or the latest patches, which let the attackers take control of the system and steal the data. The following table summarizes threat likelihood and impact for sensitive data exposure.

Likelihood Severity: High | Impact Severity: High
Hackers are highly motivated and sufficiently skilled to gain access to unsecured networks/servers | Loss of the organization's sensitive and confidential information to an unauthorized external party

Risk Mitigation Strategy

Information system security risk mitigation is a top priority in every organization today. Intruders target the personal information of customers and the intellectual property of enterprises. To protect information from intruders, strong security governance and a security policy framework should be in place in every organization, and evaluation of that framework together with a system security audit mechanism should be part of organizational policy. To protect the system from the risk of data leakage, risk assessment must be a continuous process in the system development cycle; continuous discovery of risks and improvement of mitigation strategies are vital for a safer environment. Risk cannot be eliminated entirely, but mitigation strategies applied in advance reduce it. The organization's security governance, guidelines and policies enable the business to sustain itself in an uncertain business world. The risk mitigation strategies for data leakage are:

1. Implement a host-based intrusion detection and prevention system (IDPS) and data loss prevention.
2. Implement network-based intrusion detection and prevention and data loss prevention.
3. Software-based application firewall: block outgoing and incoming network traffic that is not legitimate.
4. Disallow direct Internet connections from servers and workstations.
5. Patch operating system vulnerabilities: protect the system by applying and maintaining an up-to-date operating system patch level.
6. Application whitelisting: allow only trusted, authorized programs to run, and protect the system from unauthorized programs and malicious code.
7. Incorporate appropriate security governance into the SDLC of application and system development.
8. Create awareness of system security and educate all stakeholders.

Security Policy & Control Strategies

Firewall Management Policy: A hardware- and software-based firewall implementation is mandatory in all instances where sensitive data is transacted or stored. A host-based and server-based firewall mechanism should be in place in all such instances.

Objective: To protect the organization's information assets and to ensure the confidentiality, availability and integrity of the information system.

Scope: The policy applies to people, processes and technology across the organization and its third-party vendors.

Roles & Responsibilities:

Information security committee: responsible for governing and overseeing the information system security of the organization; analyzes potential risks, reviews security policies and procedures and recommends changes; also responsible for the consistency of the policy and for identifying violations.
Chief information officer: responsible for influencing and negotiating with top management to fund investment in security solutions, and for obtaining approval for system implementation.
Chief information security officer: overall responsibility for the enterprise security program; gives direction for all security solutions and their implementation; develops and implements information system security policies, governance, guidelines and standards; investigates security incidents and works closely with other business heads on feasible solutions.
Firewall administrator: responsible for implementing and monitoring the firewall, and for logging and auditing network traffic.
Authorized users: individuals who have access to retrieve and transact the information asset; responsible for upholding the policies and for reporting any abnormal behaviour or vulnerabilities they find in the information systems to the information security committee.
Data custodian: the individual or group of operational staff who own and transact the data.

Control Strategies:

Firewall Management

1. All external network connections and all changes to the firewall shall go through a formal approval process.
2. Requirements for a firewall placed between the Internet and the internal/DMZ network shall be clearly defined.
3. A configuration standard for all security devices (firewalls, routers, IPS, proxies, antivirus, etc.) shall be maintained.
4. The firewall shall be configured to deny all traffic from untrusted networks and hosts, except for protocols specifically permitted.
5. Stateful inspection shall be implemented for all packets.
6. Controls shall be configured so that information about the internal network is not exposed to the outside world.
7. The firewall rule base and configuration shall be backed up weekly.
8. Any remote administration of the firewall over untrusted networks shall use strong authentication, such as one-time passwords and/or hardware tokens.
9. Firewall logs shall be examined at least fortnightly to determine whether attacks have been detected.
10. The firewall shall reject any probing or scanning directed at it, so that the firewall itself does not leak information about what it protects.
11. The preferred method of firewall administration is through the console. Physical access to the firewall terminal shall be limited to the firewall administrator.
12. Any modification to the firewall shall be approved and made by the firewall administrator only.
13. No remote access to the firewall operating software shall be permitted, except from the internal network over SSH.

Patch Management

1. Newly released patches and their implications for critical servers shall be assessed before a patch is installed on any critical server.
2. Patches for systems where a vendor is responsible for maintenance support shall be applied only after receiving the vendor's approval.
3. Patches for critical information systems shall be tested before being applied in the production environment.
4. Systems at high risk shall be addressed first.
5. Timelines shall be defined and maintained for installing patches on critical servers.

Change Management

1. Users shall be made aware of the steps necessary to determine whether their system is infected, and shall inform system administrators or the ISD function if any virus or malicious code is detected.
2. Any machine discovered to be infected by a virus shall immediately be disconnected from all networks, and shall not be reconnected until ISD staff have verified that the virus has been removed.
3. Where applicable, off-the-shelf virus scanning tools shall be used to remove a virus from an infected file or program.
4. If virus scanning software fails to remove the virus, all software on the computer shall be deleted, including boot records if necessary.
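Three of the firewall management controls above (default deny from untrusted networks, stateful inspection, and accept rules limited to specifically permitted protocols) can be checked mechanically against a rule base, which is what a fortnightly review or a rule-base backup makes possible. The following is an added Python example, not part of the policy document: it audits an iptables-save style dump and reports violations. Both rule bases, the function names, and the decision to treat the loopback rule and the conntrack ESTABLISHED,RELATED rule as the standard exceptions are this example's own assumptions.

```python
# Constructed for this example; not taken from any real host or from the page.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
"""

# Same host after the findings below are fixed: default deny on INPUT, and the
# partner-network rule narrowed from "anything" to SSH only.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_ruleset(text: str):
    """Split an iptables-save dump into chain default policies and -A rule lines."""
    policies = {}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def audit_ruleset(text: str):
    """Return a list of findings; an empty list means the rule base passes."""
    policies, rules = parse_ruleset(text)
    findings = []

    # Control: deny all traffic from untrusted networks except permitted protocols.
    # For inbound and forwarded traffic that means the chain policy must be DROP.
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain} default policy is {policy}; policy requires DROP")

    # Control: stateful inspection. Without an ESTABLISHED,RELATED accept rule a
    # default-deny firewall either breaks replies or gets "fixed" with broad accepts.
    if not any("--ctstate" in r and "ESTABLISHED" in r and r.endswith("-j ACCEPT")
               for r in rules):
        findings.append("no stateful ESTABLISHED,RELATED accept rule found")

    # Control: every accept must name a specific protocol and service. Loopback
    # and the conntrack rule are the standard exceptions (an assumption here).
    for rule in rules:
        if not rule.endswith("-j ACCEPT"):
            continue
        if " -i lo " in rule or "--ctstate" in rule:
            continue
        names_service = " -p " in rule and ("--dport" in rule or "--icmp-type" in rule)
        if not names_service:
            findings.append(f"accept rule not limited to a specific protocol/port: {rule}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}:", audit_ruleset(text) or "no findings")
```

The source-only rule in the weak set is the kind of "trusted partner network" exception that creeps into rule bases over time; it is flagged because the policy permits protocols, not networks, and a compromised host on that /24 would reach every listening service. The checks are string matches on the iptables-save syntax, which is enough for a review tool but not a substitute for parsing the real grammar (or nftables' JSON output) in a production auditor.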

Software Development Life Cycle

1. While developing software, incorporate the organization's security policy, governance and guidelines.
2. Follow strict coding standards and verify all segments of programs through code review.
3. Developers must attend a security awareness program before starting any programming work.
4. Any unauthorized or non-standard program will not be implemented or accepted by the information security committee.
5. All programs must pass security testing before being accepted for implementation.
6. All program changes must be recorded and monitored.

Recommended Implementation Plan

Schedule

Stakeholders

Business or functional owners, approval authority, Chief Information Officer, Chief System Security Officer, senior management, technical support personnel, third-party vendors, government agencies, IT security auditors, IT consultants, risk assessment officer, IT application programmers, IT project managers, IT quality assurance personnel and all other system users.

Conclusion

Companies are increasingly dependent on computer and network technology to improve the efficiency and productivity of their business and to survive and prosper in today's competitive world. It is a business essential, and sometimes a legal requirement, to protect their proprietary information against the threats of unauthorized disclosure and data leakage. Companies may suffer financial and efficiency losses, as well as loss of reputation, from internal and external security threats. Properly implemented logical access control, patch management, firewalls, OS hardening, and version and change management safeguard assets against threats, ensure business continuity, minimize potential damage, and maximize return on investment.


Appendix

Presentation slides:
