BCP/DR, Remote Backup and Recovery

Compliance Configurations / Data Security

  

Table of Contents:

  • Introduction
  • Compliance In General
  • HIPAA Compliance Discussion
  • Data Security
  • Data Security Overview
  • Appendix

Introduction

Businesses and Information Technology managers are being challenged with the implementation and administration of system access controls mandated by federal regulations such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

Our experience with the configuration and deployment methodologies used to ensure that systems under the compliance umbrella are implemented within regulatory guidelines comes from the financial services and health services industries.  We have assisted financial services companies in achieving their SOX compliance goals and have worked with health service providers to lay down the building blocks for HIPAA compliance.  We can assist your business in these areas too.  Contact us to learn more about systems configurations in support of regulatory compliance.


Compliance In General

Beyond SOX, GLBA and HIPAA there is still a fundamental requirement to protect proprietary data with applied access controls, especially for systems that are part of a deployment and implementation effort for Internet-facing services.  Sustained maintenance adds to the burden on systems management practices: keeping pace with operating system fixes, software and network security vulnerabilities, and protecting the compute infrastructure from internal exploits.  These are but a few examples of the concerns that increase the stress levels of Information Technology managers, yet they are essential competencies for surviving in today's world of information.

Our systems deployment philosophy is based on denying access to everything, then allowing access based on documented business requirements and logged controls.  This deployment methodology applies the proper level of security touch points to your corporate data and provides the evidence of managed controls needed to satisfy internal and external audit reviews of your compute infrastructure.  Internal and external auditor reviews are necessary to expose gaps in your control points based on current trends and to maintain your business's compliance rating.

Internal and external auditor reviews are common practice within the financial services industry and among large health service providers (over $5M).  Internal and external audits are typically conducted yearly.  Small health service providers (under $5M) are not challenged by yearly audit reviews as much as their larger counterparts.  Small health service providers should not grow complacent in this area, as the risk of failing an audit review (should it become necessary to investigate your practice) can be a costly experience.

Auditors are not looking to close down businesses; instead, auditors reinforce the business's own efforts to do all it can to remain within compliance of the regulatory mandates.  Businesses need to demonstrate compliance with maintained documentation of policies, practices and procedures, and to have them ready for review if and when requested.

Below is an example of what auditors look for.  This is a short list of items to be considered for development.  Your business industry and compliance mandates will dictate if there is a requirement for additional documented controls and any additional policies and procedures that will be necessary to be put in place.

  • Documented and logged systems access controls.
  • Documented user account management practices.
  • Documented change control and systems maintenance practices.
  • Documented and enforced separation of roles and responsibilities for users, business application accounts and deployed middle-ware technologies.
  • Documented operations/operator controls, policies and procedures.
  • Documented processes and procedures for the management of development source control practices.
  • Documented processes and procedures on how solution specifications are determined and validated based on business requirements.
  • Documented solution specifications and procurement procedures.
  • Documented processes and procedures on solution defect management and revalidation against original design specifications.
  • Documented processes and procedures for release management of new products and services.


Data Security - Implementation and Administration

Networking Scenario

There are many different methods deployed in an attempt to satisfy access controls to sensitive data from all areas of a business.  Software developers, systems administrators, operations personnel, security officers and senior management all need to get to information.  How much access and how many controls are necessary are dependent on how well defined the business requirement to the information is documented and how effective a solution can be put in place to manage the access control.

Layered on top of your business requirements for access controls are the controls mandated by regulatory compliance that must also be satisfied.  Where no regulatory compliance requirements apply, there are many methods that can be employed using the base tools provided by the operating system manufacturers.  The use of base operating system tools to satisfy compliance mandates may fall short in their capabilities and leave gaps in your ability to audit and log usage and access controls to satisfy an internal or external audit review.  Suggesting any methods on how to configure systems and what tools to use is out of scope of this discussion.

Data security best practices are well documented by operating system providers and middle-ware software suppliers, and there is a wealth of source information that can be found on the Internet.  As stated earlier, your requirements for data security controls will depend on your industry, business needs and budget.

Tiered architected infrastructures are designed with access controls as the primary area of focus.  No service, server, network traffic pattern, users, applications or administrators are granted access privileges without an access control or audit logging methodology put in place.

Unlike its cousin, the "flat" architecture, a tiered architecture can be designed and implemented to provide access controls that enable:

  • Separation of roles and responsibilities across IT personnel
  • Implementation of access controls to sensitive data and systems (i.e. HR payroll, procurement, or customer portfolio management)
  • Separation of roles and responsibilities at the business application and data access layers
  • Hardened controls for Internet-facing systems and for systems used to manage the company's books and records


Data Security Overview:

  • Operating System Hardening
  • Layered Model
  • Network Routing and Firewalls
  • Internet Web Access

  • Bastion Host Configuration:

    Bastion host configuration is the hardening of a computer's operating system, together with access controls on its compute resources, and is an essential step in the layering of security configurations.  In a bastion host configuration all extraneous services on a computer system are completely locked down (or shut off) except for those services the server needs to provide in support of business functionality.  Bastion host configuration should be carried out according to the supplier's recommendations to mitigate any ill effects incurred during the hardening process.

    Bastion host configuration is accomplished via the removal, or stoppage, of any runtime services that are deemed non-essential to the operating environment and tasks related to a specific compute resource.  The services to be turned off will include services that are already known to have promiscuous behaviors.  All other services will need to undergo assessment and validation of their required use.  Check with your operating system provider for their checklist and best practices information regarding operating system hardening before proceeding.

    Data security configurations should be applied in a layered model approach and targeted for specific results: they should demonstrate logging and auditing capabilities, be measured to assure the stability and reliability of the service platform, and have their security rules monitored for configuration drift or other operating anomalies.

    Every layer of the model is designed to manage a specific security control point. See the layered model definitions section of this discussion for the details of each layer.

    Another area to be reviewed in operating systems hardening is the removal of any systems tools or utilities that are determined to be non-essential to the operating environment of a specific compute resource.  As with operating systems services check with your operating system provider for their checklist and best practices information before proceeding.
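The hardening steps above (stop or remove every service without a documented business need, never run services with known promiscuous behaviour, and watch the result for configuration drift) can be checked mechanically. The following is an added example, not code from the original page or from FR Technologies; the baseline, the forbidden-service list, the ticket references and the service listing are all constructed for illustration, and the listing format imitates `systemctl list-units` output rather than being parsed from a live host.

```python
"""Baseline drift check for a hardened (bastion) host.

Added example, not part of the original page. It compares the services
observed running on a host against a documented baseline: services the
host must run (each with the business justification an auditor expects
to see) and services that must never run. Anything else is flagged for
assessment. All data below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed baseline for a hypothetical web-tier bastion host. Ticket and
# requirement identifiers are placeholders, not real records.
REQUIRED_SERVICES = {
    "sshd": "Administrative access from the management network (change ticket CM-PLACEHOLDER)",
    "nginx": "Customer web front end (business requirement BR-WEB-PLACEHOLDER)",
    "rsyslog": "Forward audit logs to the central log server (logging control)",
    "auditd": "Kernel audit trail required as access-control evidence",
}

# Services this example's baseline forbids outright (an assumption chosen
# for the example: legacy clear-text protocols that should not be present).
FORBIDDEN_SERVICES = {"telnet", "rsh", "rlogin", "ftp", "finger"}


@dataclass
class DriftReport:
    forbidden_running: list[str] = field(default_factory=list)   # stop and remove
    unassessed_running: list[str] = field(default_factory=list)  # no documented requirement
    required_missing: list[str] = field(default_factory=list)    # baseline service not running

    @property
    def compliant(self) -> bool:
        return not (self.forbidden_running or self.unassessed_running or self.required_missing)


def parse_running_services(listing: str) -> set[str]:
    """Extract unit names from a systemctl-style listing.

    Expected row shape (constructed): UNIT LOAD ACTIVE SUB DESCRIPTION,
    e.g. 'sshd.service loaded active running OpenSSH server daemon'.
    Only units whose SUB state is 'running' are returned.
    """
    names = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].endswith(".service") and parts[3] == "running":
            names.add(parts[0][: -len(".service")])
    return names


def check_drift(running: set[str], required=REQUIRED_SERVICES,
                forbidden=FORBIDDEN_SERVICES) -> DriftReport:
    """Classify every running service against the documented baseline."""
    report = DriftReport()
    report.forbidden_running = sorted(running & forbidden)
    report.unassessed_running = sorted(running - forbidden - set(required))
    report.required_missing = sorted(set(required) - running)
    return report


# Constructed sample listing: one forbidden service, one unassessed service,
# and one required service that has stopped (rsyslog is 'inactive dead').
SAMPLE_LISTING = """\
sshd.service      loaded active   running OpenSSH server daemon
nginx.service     loaded active   running A high performance web server
telnet.service    loaded active   running Telnet server
cups.service      loaded active   running CUPS Scheduler
auditd.service    loaded active   running Security Auditing Service
rsyslog.service   loaded inactive dead    System Logging Service
"""

if __name__ == "__main__":
    rep = check_drift(parse_running_services(SAMPLE_LISTING))
    print("forbidden running :", rep.forbidden_running)
    print("needs assessment  :", rep.unassessed_running)
    print("required missing  :", rep.required_missing)
    print("compliant         :", rep.compliant)
```

Run periodically, the report doubles as the drift evidence the page asks for: a forbidden service appearing, an unassessed service appearing, or a logging or audit daemon silently stopping all show up as non-compliant findings rather than being discovered during an audit review.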

    • Data Security - Layered Model

      Each component of a computer system identified in your organization as a server or workstation should follow the layered model approach in assessing and implementation of security controls.

      The layered model approach to implementing security controls is a bottom-up approach to defining security access controls, and is henceforth referred to as the security controls stack.

      For an understanding of the layered model approach to computer hardening methods see the Layered Model Definitions section of this discussion.

      Layered Security Model


    Data Security - Layered Model Definitions

    The layers of the security controls stack defined in this section are:

      • Maintenance and Administration
      • Networked Access Controls
      • Local Access Controls
      • Proprietary Business Applications
      • Business Confidential Data
      • Client Confidential Data

    • Maintenance and Administration

      The foundation of efficient computer system performance is directly correlated with the ability to keep the system free from defects and running at current vendor-supported levels.  Operating system patches, security vulnerability fixes, software updates and hardware components all need to be maintained to ensure platform reliability, and this maintenance is an essential control point for regulatory compliance.


    • Networked Access Controls

      How a computer system gains access to your Local Area Network (LAN) is an essential control point for both data security and regulatory compliance.  Network access policies and procedures should exist to manage the introduction of new computer systems onto your LAN.  The policy should also include control points for managing connections to your LAN by foreign computers (systems not belonging to your company) that may be allowed, or disallowed, to connect to your LAN.


    • Local Access Controls

      Who can log on to a computer system, and when, is determined by the policies implemented for local access, and these policies are an essential control point for both data security and regulatory compliance.

      Local access controls also apply to the user's local rights on the system and can influence where they can store data, whether or not they can install software outside of the standard procedures, and whether they are granted special user privileges (access to administrator, root, or other system management accounts).


    • Proprietary Business Applications

      This layer pertains to whoever or whatever gains access to launch or use proprietary (in-house built or vendor provided) business application services, and is an essential control point for both data security and regulatory compliance.

      Access to proprietary business applications should be documented and provisioned only when there is a justified business requirement for each individual, process, or application requiring access prior to granting usage privileges.


    • Business Confidential Data

      This layer pertains to whoever or whatever business application service gains access to proprietary or confidential business data (i.e. books and records of the company, human resource data, etc.), and is an essential control point for both data security and regulatory compliance.

      Access to proprietary or confidential business data should be documented and provisioned only when there is a justified business requirement for each individual, process, or application requiring access to confidential data prior to granting access.


    • Client Confidential Data

      This layer pertains to whoever or whatever business application service gains access to proprietary or client confidential data (i.e. client personal information, account numbers, account balances, transaction histories, etc.), and is an essential control point for both data security and regulatory compliance.

      Access to proprietary or client confidential data should be documented and provisioned only when there is a justified business requirement for each individual, process, or application requiring access to client confidential data prior to granting access.


  • Network Routing and Firewalls:

    As with computer systems, network routers and firewalls must have operational policies and procedures in place governing their maintenance and administration control points.  All maintenance and administrative access are essential controls for both data security and regulatory compliance.

    Network Routers and Firewall

    Network routers and firewalls are used as access control facilities managing all traffic in and out of the business LAN.  Routing filters and firewall rules should be put in place so that all network traffic patterns are accounted for on your business network.  Only those network traffic patterns that are assessed as being necessary for business purposes should be allowed to be routed within your LAN and scrutinized for routing requests outside of your LAN and/or Internet bound.

    Network routing and firewall access should be documented and provisioned only when there is a justified business requirement for each individual, process, or application requiring access to Internet services prior to granting the access.



  • Internet Web Access:


    Internet Web Access

    Internet inbound (ingress) and outbound (web access or egress) access policies and procedures should be put in place so that all Internet services are accounted for on your business network.  Only approved Internet inbound and outbound access that is necessary for business purposes should be allowed to be routed to and from your LAN, and Internet-bound routing requests should be scrutinized.

    Internet access should be controlled as any other service provisioning request within your business.  In other words, access to Internet services should not be provided by default.  Internet access should be documented and provisioned only when there is a justified business requirement for each individual, process, or application requiring access to Internet services prior to granting the access.
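The two sections above (Network Routing and Firewalls, and Internet Web Access) describe the same control applied to LAN routing and to Internet access: deny by default, allow only traffic patterns that have a documented and approved business requirement, and log what is refused. The following is an added example, not code from the original page or from FR Technologies, that reviews a candidate rule set against a register of documented requirements. The rule model, the requirement references and all addresses are constructed; a real review would read the vendor's rule export instead.

```python
"""Review a default-deny rule set against documented access requirements.

Added example, not part of the original page. It encodes the page's
deployment philosophy as three checks: every chain's default action is
'drop'; refused traffic is logged; and every 'accept' rule is covered by an
approved, documented requirement that is at least as narrow as the rule.
All rules, requirements and addresses below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Requirement:
    ref: str            # requirement/ticket id (placeholder values)
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str
    port: int
    approved: bool      # only approved requirements can justify an accept rule
    justification: str


@dataclass(frozen=True)
class Rule:
    chain: str          # "ingress" or "egress"
    action: str         # "accept", "drop" or "log"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    port: int | None = None


@dataclass
class Policy:
    default: dict[str, str]     # chain -> default action
    rules: list[Rule]


def _covered(rule: Rule, req: Requirement) -> bool:
    """True if the accept rule permits no more than the approved requirement."""
    return (req.approved
            and ipaddress.ip_network(rule.src).subnet_of(ipaddress.ip_network(req.src))
            and ipaddress.ip_network(rule.dst).subnet_of(ipaddress.ip_network(req.dst))
            and rule.proto == req.proto
            and rule.port == req.port)


def review(policy: Policy, requirements: list[Requirement]) -> list[str]:
    """Return one finding per control violation; an empty list means the policy passes."""
    findings: list[str] = []
    for chain, action in policy.default.items():
        if action != "drop":
            findings.append(f"{chain}: default policy is '{action}', must be 'drop'")
    for chain in policy.default:
        if not any(r.action == "log" for r in policy.rules if r.chain == chain):
            findings.append(f"{chain}: refused traffic is not logged")
    for r in policy.rules:
        if r.action == "accept" and not any(_covered(r, q) for q in requirements):
            findings.append(f"{r.chain}: accept {r.proto}/{r.port} {r.src} -> {r.dst} "
                            "has no approved requirement")
    return findings


# Constructed requirement register (ids are placeholders).
REQUIREMENTS = [
    Requirement("BR-WEB-PLACEHOLDER", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, True,
                "Public customer web portal"),
    Requirement("BR-PROXY-PLACEHOLDER", "10.0.1.5/32", "0.0.0.0/0", "tcp", 443, True,
                "Outbound HTTPS permitted only from the web proxy"),
    Requirement("BR-MAIL-PLACEHOLDER", "10.0.2.0/24", "0.0.0.0/0", "tcp", 25, False,
                "Workstation SMTP, requested but not approved"),
]

# Constructed rule set as submitted: egress defaults to accept, is unlogged,
# and contains an outbound SMTP rule with no approved requirement.
SUBMITTED_POLICY = Policy(
    default={"ingress": "drop", "egress": "accept"},
    rules=[
        Rule("ingress", "accept", dst="203.0.113.10/32", proto="tcp", port=443),
        Rule("ingress", "log"),
        Rule("egress", "accept", src="10.0.1.5/32", proto="tcp", port=443),
        Rule("egress", "accept", src="10.0.2.0/24", proto="tcp", port=25),
    ],
)

# The same rule set after the review findings are addressed.
HARDENED_POLICY = Policy(
    default={"ingress": "drop", "egress": "drop"},
    rules=[
        Rule("ingress", "accept", dst="203.0.113.10/32", proto="tcp", port=443),
        Rule("ingress", "log"),
        Rule("egress", "accept", src="10.0.1.5/32", proto="tcp", port=443),
        Rule("egress", "log"),
    ],
)

if __name__ == "__main__":
    for name, pol in (("submitted", SUBMITTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review(pol, REQUIREMENTS) or ["no findings"])
```

Because `_covered` requires the rule to be a subnet of the requirement, a rule broader than what was approved (for example, an accept for the whole 10.0.1.0/24 when only the proxy at 10.0.1.5 was justified) is reported as having no approved requirement, which is the evidence gap an auditor would raise.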



HIPAA compliance:

In 1986 Congress passed the Consolidated Omnibus Budget Reconciliation Act (COBRA) to provide workers with a means to receive temporary health insurance services at group rates.  In 1986, if you left an employer your group health insurance coverage would have been terminated, leaving spouses, children and retirees without a means of gaining access to affordable health insurance coverage.

HIPAA legislation was enacted in 1996.  In its original form, HIPAA legislation was to provide workers with a means to transfer their health insurance services from one provider to another while between employment assignments.  HIPAA guidelines provided legislative actions, enforceable by the Department of Justice (DOJ), for non-compliance with insurance portability.

Congress continued to review the legislation and subsequently the following sections to the HIPAA legislation were included:

  • Title 1 - Health Insurance Portability - Ensures health insurance coverage between employment
  • Title 2 - Administrative Simplification - Provides guidelines for electronic transactions and the privacy of health information
  • Title 3 - Medical Savings Accounts & Health Insurance Tax Deductions
  • Title 4 - Enforcement of Group Health Plan provisions
  • Title 5 - Revenue Offset Provisions

In February, 2003 the Final Rule was published amending significantly the Administrative Simplification section Title 2.  It is this section of the compliance legislation that changes significantly how the laws apply to the handling and management of electronic health care transactions, the use of specific technologies and sets forth guidelines for administrative and technical security controls.

HIPAA Legislation Historical Time line

The HIPAA Title 2 - Administrative Simplification section outlines two key areas where our services and our experiences in Remote Backup and Recovery and compliance configurations are of benefit to your business.  Contact us to discuss how we can be of assistance.

HIPAA Enforcement:

  • Civil Penalties - Administrative and Technical Security violations
    • $100 per violation up to $25,000
  • Criminal Penalties - Knowingly obtains/discloses, false pretenses, sells, use, transfers
    • $50,000 per violation up to $250,000 + imprisonment from one, five or ten years
  • As of June, 2006 14,000 grievances have resulted in Department Of Justice disciplinary actions
  • The first landmark case of DOJ enforcement, with penalties levied directly for HIPAA violations, was assessed against a Seattle phlebotomist.
    • This case sets the tone by the US government to pursue and prosecute HIPAA compliance violations.  Health service providers will do well to address their practices and to bring them in line with the legislative guidelines.


Appendix:

Sarbanes Oxley (SOX) compliance:

Congress enacted legislation in 2002 as a result of corporate scandals involving World Com, Enron, Global Crossing and Arthur Andersen.  SOX compliance mandates became effective in 2006 requiring all publicly traded companies to report on their internal processes and controls in managing the company's financial books and records.


Gramm-Leach-Bliley (GLBA) compliance:

Congress enacted legislation in 1999 changing the way the financial services industry provides services to consumers, rationalized how financial service providers will be regulated and provided additional guidelines for the protection of personal financial information.


Operating System Fixes:

Some examples of computer manufacturer operating systems are: Microsoft Windows, Linux, UNIX, MAC OS, etc.  This is not a complete list of all available operating systems.

An operating system is the interface between the user, the application services provided and the hardware components of a computer system.  Operating system fixes are also known as patches, service packs, updates, etc.  Operating system patches can include updates to how hardware is addressed, fixes for operating system instability and reliability problems, and fixes for exposed security vulnerabilities that impact the runtime state of an operating system.


Software Security Vulnerabilities:

Software security vulnerabilities concern the application interfaces of an operating system, or of an in-house or third-party application service providing business functionality.  Software security vulnerability remediation must be done proactively to ensure that all known (and applicable) security vulnerability fixes are applied as a part of sustained maintenance.


Network Security Vulnerabilities:

Network security vulnerabilities concern the connectivity interfaces of a network operating system at both the hardware and software layers.  Network security embraces routers, hubs, switches, firewalls, computer network interfaces and their associated software components providing the business functionality.  Network security vulnerability remediation must be done proactively to ensure that all known (and applicable) security vulnerability fixes are applied as a part of sustained maintenance.


Compute Infrastructure:

A compilation of computer hardware deployed as application servers, client desktops/laptops and the associated hardware used to provide the communications connectivity layer (such as routers, hubs, modems, switches, etc.).


Internal Exploits:

Today's security measures require greater access controls to be applied to protect business intellectual property from unauthorized use by the internal work force.  Regulatory compliance legislation such as SOX, GLBA and HIPAA mandates that businesses demonstrate how access controls are applied, monitored and controlled via change management procedures.


 

Copyright © 2000 - 2017.  FR Technologies, LLC.  All rights reserved.