Kinh Nghiệm Hướng dẫn What can you do to ensure that unauthorized disclosure would not be considered a breach 2022
Hoàng Lê Minh Long đang tìm kiếm từ khóa What can you do to ensure that unauthorized disclosure would not be considered a breach được Cập Nhật vào lúc : 2022-09-23 04:22:35 . Với phương châm chia sẻ Bí kíp Hướng dẫn trong nội dung bài viết một cách Chi Tiết 2022. Nếu sau khi đọc Post vẫn ko hiểu thì hoàn toàn có thể lại phản hồi ở cuối bài để Admin lý giải và hướng dẫn lại nha.CHAPTER 6
Protecting Your System: Information Security
The terms data and information are often used synonymously, but information refers to data that have meaning. For example, "87 percent" is data. It has no meaning by itself until it is reported as a "graduation rate," and then it becomes information.
Nội dung chính- What is one way you can prevent the unauthorized disclosure of PHI?What are the 3 exceptions to the definition of breach?What is not considered a HIPAA breach?Which of the following prevents unauthorized disclosure of confidential information?
Introduction to Information Security
As stated throughout this document, one of an organization's most valuable assets is its information. Local, state, and federal laws require that certain types of information (e.g., individual student records) be protected from unauthorized release (see Appendix B for a FERPA Fact Sheet). This facet of information security is often referred to as protecting confidentiality. While confidentiality is sometimes mandated by law, common sense and good practice suggest that even non-confidential information in a system should be protected as well-not necessarily from unauthorized release as much as from unauthorized modification and unacceptable influences on its accessibility.
Components of Information Security20 Confidentiality: Preventing unauthorized disclosure and use of information Integrity: Preventing unauthorized creation, modification, or deletion of information Availability: Preventing unauthorized delay or denial of information
Commonly Asked Questions
Q.. If an organization maintains physical, software, and user access security, isn't information security addressed by default?
A. Yes and no. Information backups and their storage are surely safer when the building is secure, software is used properly, and unauthorized users are effectively restricted.
However, these security features are meaningless if the information that is being backed up and stored wasn't maintained in a sound way in the first place. While there is no doubt that physical, software, and user access security strategies all contribute to protecting information, ignoring those initiatives that are aimed directly securing information is not a wise plan.
While encryption prevents others from reading your information, encrypted files can still be damaged or destroyed so that they are no longer of any use to you.
Q.. Isn't there software that can protect my information?
A. Yes, a variety of software products can help your organization in its effort to secure its information and system, but only a thorough, well-conceived, and committed effort to develop and implement an overarching security plan will prove effective in the long run.
Q.. Doesn't it make sense to just go ahead and encrypt all
information?
A. Not necessarily. Encryption and decryption are time consuming. If information is confidential, then additional time for encrypting and decrypting makes sense. But if the files aren't confidential, why would you slow down processing speed for an unnecessary step? And while encryption is a good practice for sensitive information or information that is being transmitted over unsecured lines, it should be noted that it is not a complete
security strategy in itself. Encrypting information protects files from breaches in confidentiality, but the risks of unauthorized or accidental modification (including destruction) and/or denial of use are still real.
Guidelines for security policy development can be found in Chapter 3.
Policy Issues
Perhaps more than any other aspect of system security, protecting information requires specific procedural and behavioral activities. Information security requires that data files be properly created, labeled, stored, and backed up. If you consider the number of files that each employee uses, these tasks clearly constitute a significant undertaking. Policy-makers can positively affect this effort by conducting an accurate risk assessment (including properly identifying sensitive information maintained in the system). They should also provide organizational support to the security manager as he or she implements and monitors security regulations. The security manager must be given the authority and budget necessary for training staff appropriately and subsequently enforcing information security procedures all levels of the organizational hierarchy.
A final consideration for policy-makers is information retention and disposal. All information has a finite life cycle, and policy-makers should make sure that mechanisms are in place to ensure that information that is no longer of use is disposed of properly.
As discussed more completely in Chapter 2, a threat is any action, actor, or sự kiện that contributes to risk.
Information Threats (Examples)
As discussed more completely in Chapter 2, a threat is any action, actor, or sự kiện that contributes to risk. Examples of information threats include:
- Natural events (e.g., lightning strikes, and aging and dirty truyền thông)
Intentional acts of destruction (e.g., hacking and viruses)
Unintentionally destructive acts (e.g., accidental downloading of computer viruses, programming errors, and unwise use of magnetic materials in the office)
A countermeasure is a step planned and taken in opposition to another act or potential act.
Information Security Countermeasures
The following countermeasures address information security concerns that could affect your site(s). These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in your system's information security.
Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end
countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a reliable technical consultant.
Transmit Information Securely (including e-mail):
- Use e-mail only for routine office communication: Never send sensitive information as e-mail. If e-mail absolutely must be used, encrypt the file and send it as an attachment rather than in the text of the e-mail message. Encrypt everything before it leaves your workstation: Even your password needs to be encrypted before leaving
the workstation on its way to the network server-otherwise it could be intercepted as it travels network connections. Physically protect your data encryption devices and keys: Store them away from the computer but remember where you put them. Use the same common-sense principles of protection you should be giving your bank card's personal identification number (PIN). Inform staff that all messages sent with or over the organization's computers belong
to the organization: This is a nice way of saying that everything in the office is subject to monitoring. Use dial-up communication only when necessary: Do so only after the line has been satisfactorily evaluated for security. Do not publicly list dial-up communication telephone numbers.
Confirm that outside networks from which there are dial-ins satisfy your security requirements: Install automatic terminal identification, dial-back, and encryption features
(technical schemes that protect transmissions to and from off-site users). Verify the receiver's authenticity before sending information anywhere: Ensure that users on the receiving end are who they represent themselves to be by verifying: Something they should know-a password or encryption key; this is the least expensive measure but also the least secure. Something they should have-for example, an electronic keycard
or smart card.
Select only those countermeasures that meet perceived needs as identified during risk assessment and support security policy.
Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.
Pre-arranged transmission times set for the middle of the night (e.g., 1:37 a.m.) may seem odd, but they can increase security because there is less traffic on telephone lines and fewer hackers snooping around such odd hours.
Present Information for Use in a Secure and Protected Way:
- Practice "views" and "table-design" applications: A "view" selects only certain fields within a table of information for display, based on the user's access rights. Other table fields are excluded from the user's view and are thus protected from use. For example, although a school record system may contain a range of
information about each student, Food Services staff can view only information related to their work and Special Education staff can view only information related to their work. This type of system maintains information much more securely than traditional paper systems, while the same time increasing statistical utility and accountability options. Use "key identifiers" to link segregated information: If record information is maintained in a segregated manner (e.g., testing files
are kept in a different database than special education files) for security purposes, a common file identifier (e.g., a Social Security Number) can be used to match records without unnecessarily divulging the identity of individuals and compromising confidentiality.
Back up Information Appropriately (see Chapter 4):
- Back up not only information, but also the programs you use to access information: Back up operating system utilities so that you retain access to them even if your hard drive goes down. Also maintain current copies of
critical application software and documentation as securely as if they were sensitive data. Caution: Some proprietary software providers may limit an organization's legal right to make copies of programs, but most allow for responsible backup procedures. Check with your software provider. Consider using backup software that includes an encryption option when backing up sensitive information: Encryption provides additional security that is well worth the extra effort, since
it ensures that even if unauthorized users access your backup files, they still can't break confidentiality without also having access to your encryption key. If you adopt this recommendation, be sure to change your encryption key regularly.Verify that your backups are written to the disk or tape accurately: Choose a backup program that has a verification feature. Rotate backup tapes: Although backup tapes are
usually quite reliable, they tend to lose data over time when under constant use. Retire tapes after two to three months of regular use (i.e., about 60 uses) to a backup activity that requires less regular use (e.g., program backups). Also note that routine tape drive cleaning can result in longer tape life. Maintain a log of all backup dates, locations, and responsible personnel: Accountability is an excellent motivator for getting things done properly. Remember to store the logs
securely.
Avoid over-backing up: Too many backup files can confuse users and thereby increase the possibility of exposing sensitive information. Clear hard drives, servers, and other storage truyền thông that contain old backup files to save space once you have properly secured (and verified) the last complete and partial backup.Test your backup system: This point has been made numerous times throughout
the document, but it truly cannot be overemphasized!
Many organizations prefer that users back up only their own data files-leaving software and operating system backups in the responsible hands of the security manager or system administrator.
Store Information Properly (see Chapter 5):
- Apply recommended storage principles as found in this document to both original and backup files alike: Backup files require the same levels of security as do the master files (e.g., if the original file is confidential, so is its backup). Clearly label disks, tapes, containers,
cabinets, and other storage devices: Contents and sensitivity should be prominently marked so that there is less chance of mistaken identity. Segregate sensitive information: Never store sensitive information in such a way that it commingles with other data on floppy disks or other removable data storage truyền thông. Restrict handling of sensitive information to authorized personnel: Information, programs, and other data should be entered into, or exported from,
the system only through acceptable channels and by staff with appropriate clearance. Write-protect important files: Write-protection limits accidental or malicious modification of files. Note that while write-protection is effective against some viruses, it is by no means adequate virus protection in itself. Communicate clearly and immediately about security concerns: Train staff to promptly notify the system administrator/security
manager when data are, or are suspected of being, lost or damaged. Create a truyền thông library if possible: Storing backups and sensitive material in a single location allows for security to be concentrated (and perhaps even intensified). Note, however, that an on-site truyền thông library is not a substitute for off-site backup protection.
It Really Happens!
As Principal Brown's secretary, Marsha didn't have time for all the difficulties she was having with her computer--well, it wasn't really her computer that was having problems, but her most important files (and that was worse). Fed up with having to retype so many lost files, she finally called in the vendor who had sold the school all of its equipment. The vendor appeared her office promptly and asked her to describe the problem.
"Well," Marsha explained, "I keep a copy of all of my important files on a 3 1/2 inch disk, but when I go to use them, the files seem to have disappeared. I know that I'm copying them correctly, so I just can't understand it. I don't know if it's the word processing software or what, but I'm tired of losing all of my important files."
The vendor asked whether it was possible that Marsha was using a bad disk. "I thought about that," she replied as if prepared for the question, "but it has happened with three different disks. It just has to be something else." Marsha reached for a disk that was held to the metal filing cabinet next to her desk by a colorful magnet. "You try it."
"That's a very attractive magnet," the vendor said as Marsha handed over the disk. "Do you always use it to hold up your disks?"
"Yes, it was a souvenir from Dr. Brown's last conference. I just think it's beautiful. Thanks for noticing."
"It is beautiful," the vendor replied, "but you know that it's also the root of all your problems. Every time you expose a disk to that magnet, it erases the files. That's just the way magnets and computer disks get along-like oil and water. Try storing the disk away from the magnet and your troubles, not your files, will soon disappear."
Dispose of Information in a Timely and Thorough Manner:
- Institute a specific information retention and disposal policy as determined by the organization's needs and legal requirements: All data have a finite life cycle. Consult local, federal, and state regulations for guidance before implementing the following: Establish a realistic retention policy. Mark files to indicate the contents, their
expected life cycle, and appropriate destruction dates. Do not simply erase or reformat truyền thông, but overwrite it with random binary code. Sophisticated users can still access information even after it has been erased or reformatted, whereas overwriting actually replaces the discarded information. Consider degaussing (a technique to erase information on a magnetic truyền thông by introducing it to a stronger magnetic field) as an erasure option. Burn, shred, or otherwise
physically destroy storage truyền thông (e.g., paper) that cannot be effectively overwritten or degaussed. Clean tapes, disks, and hard drives that have stored sensitive data before reassigning them: Never share disks that have held sensitive data unless they have been properly cleaned. Also remember to clean magnetic storage truyền thông before returning it to a vendor for trade-ins or disposal.
It Really Happens!
Trent couldn't believe his eyes. Displayed before him on a monitor in the high school computer lab were the grades of every student in Mr. Russo's sophomore English classes: Student Name Grades Comments Linda Foster: C-, C, C+, C Improving slightly, but unable to make sufficient gains; a candidate for learning disability testing?
All Trent had done was hit the "undelete" function in the word processing software to correct a saving mistake he had made, and suddenly a hard drive full of Mr. Russo's files were there for the taking. Luckily for Mr. Russo, his sophomores, and the school, Trent realized that something was very wrong. He asked the lab supervisor, Ms. Jackson, where the computers had come from.
"Most of them have been recycled," she admitted. "Teachers and administrators were given upgrades this year, so their old machines were put to good use in the labs. They should still be powerful enough to handle your word processing. Why?"
Trent showed Ms. Jackson what he had uncovered about the sophomore English students. She gasped, "Oh my goodness, they gave us all these computers without clearing the hard drives properly. I bet it's that way across the district. Trent, you may have just saved us from a potentially disastrous situation. That information is private and certainly shouldn't be sitting here for anyone in the computer lab to see. I've got some phone calls to make!"
Retaining data beyond its useful life exposes the organization to unnecessary risk.21
Even if a vendor replaces a hard drive, require that the old one be returned so that you can verify that it has been cleaned and disposed of properly.
Information Security Checklist
While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to
customize policy to your organization's specific needs-a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text. Check Points
for Information Security Transmit Information Securely (including e-mail) Is e-mail used for only the most routine of non-sensitive office communication? Is everything, including passwords, encrypted before leaving user workstations? Are encryption keys properly secured? Have policy goals and objectives been translated into organizational security regulations that are designed to modify staff behavior? Is dial-up communication avoided as much as is possible? Are outside networks required to meet your security expectations? Is the identity of information recipients verified before transmission? Have times for information transmission been pre-arranged with regular trading partners? Are security issues considered before shipping sensitive materials? Accomplished? Present Information for Use in a Secure and Protected Way Are "views" and "table-design" applications being practiced? Are "key identifiers" used when linking segregated records? Backup Information Appropriately Are programs that are used to access information backed up? Does backup software include an encryption option that is used? Does backup software include a verification feature that is used? Are backup tapes retired after a reasonable amount of use? Is a log of all backup dates, locations, and responsible personnel kept and maintained securely? Is an effort made to avoid "over-backing up" (i.e., are old backups removed to avoid "clutter")? Does the backup system pass regularly administered tests of its effectiveness? Store Information Properly Are recommended storage principles applied to master files and their backups alike? Are disks, tapes, containers, cabinets, and other storage devices clearly labeled? Is sensitive information segregated (i.e., is it maintained separately from normal use information all times)? Is the handling of sensitive information restricted to authorized personnel? Are important files write-protected? Does staff know to communicate security concerns immediately? Has a secure truyền thông library been created as is possible? Dispose of Information in a Timely and Thorough Manner Has an information retention and disposal policy been implemented ? Are magnetic truyền thông that contain sensitive information properly cleaned before reuse or disposal?