Running Head: Policy Statements
Policy Statements
Kevin Corey
Western Governors University
International security techniques and standards, such as ISO 17799, establish guidelines that organizations can adopt in order to maintain information security. Information must be protected from those without a legitimate need to know it in order to perform organizational business functions. Unauthorized access to information can have a detrimental impact on an organization from both a legal and an operating perspective. One of the primary detective controls, and one that also provides an organization with many operational benefits, is a continuous log management policy. In addition to ...
• 18 U.S. Code § 1028 - Fraud and related activity in connection with identification documents, authentication features, and information.
• NIST SP 800-53 provides security and information assurance controls for the retention, review, and protection of log management records.
• NIST SP 800-66 guides professionals in implementing the HIPAA Security Rule and stresses the need to perform mandatory audit log reviews. The HIPAA regulation also requires that documentation of these reviews be retained for six years.
Information security and HIPAA policies should cover all the access and control measures needed to secure information system resources and to deter, shield and protect the organization from security breaches. The scenario demonstrates that the organization's overall information security posture is poor. The HIPAA, remote access and retention policies within the information management division need to be addressed because of the healthcare organization's legal obligation to ensure the privacy of protected information. Security safeguards can be addressed through vigilance and the implementation of logical and administrative access controls. Properly administered HIPAA privacy and remote access policies would not only help prevent, but also quickly identify, the three undocumented accounts with global remote access. HIPAA security standards require that any user with access to protected health information have a documented need to know. Normal procedure requires the account request to include a justification for access signed off by a supervisor, a security manager and the information security officer. The discrepancies were noticed during a routine audit. How often are log audits conducted? If they are not completed daily, then at a minimum they should be conducted weekly. Policy should follow the ISO standard: the risk level of a system determines the monitoring frequency and the required retention of records and account transactions. The retention policy should define the necessary types and availability of logs, along with the method used to collect system logs. The current organizational standard states that logs are overwritten after two weeks. If these standard policies were in place, audit logs would be backed up rather than simply overwritten, eliminating the need to wait 60 days to complete a report. Logs generally record the date and time of each event together with the user ID for each process. The organization's information security management policies, including the HIPAA, remote access and retention policies, should specify the requirements for need to know, log necessity, audits of terminal access security groups, and source and destination reviews of IP addresses and protocols. Lastly, part of the organization's internal information management responsibility is to guarantee, through policy fulfillment and review, that administrators and users charged with the authority of...
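The review described above (compare every account seen in the remote-access logs against the documented, supervisor-approved register; flag accounts with no documented need to know, or with remote access they were never approved for; and measure how much of a 60-day reporting window survives a two-week overwrite cycle) can be run as a script. The following Python is an added example written for this page, not code from the paper or from any cited standard. The one-line-per-event log format, the 10.0.0.0/8 range treated as internal, the approved-access register, the audit date and the sample log lines are all constructed assumptions.

```python
"""Added example: audit-log review for undocumented remote-access accounts.

Assumptions (not from the paper): a hypothetical one-line-per-event log format,
a constructed approved-access register, a constructed audit date, and
10.0.0.0/8 as the organization's only internal address range.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp, user ID, source IP, destination host, protocol.
# The last line is deliberately malformed to show that the parser skips rather than guesses.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe src=10.20.4.40 dst=ehr-app01 proto=rdp
2024-03-01T08:05:40Z user=asmith src=10.20.4.15 dst=ehr-db01 proto=ssh
2024-03-02T22:14:03Z user=svc_backup src=198.51.100.23 dst=ehr-db01 proto=ssh
2024-03-02T22:15:09Z user=svc_backup src=198.51.100.23 dst=ehr-app01 proto=rdp
2024-03-03T01:44:51Z user=tmp_admin src=192.0.2.88 dst=ehr-app01 proto=rdp
2024-03-03T19:30:00Z user=asmith src=203.0.113.50 dst=ehr-db01 proto=ssh
2024-03-04T09:00:00Z user=jdoe src=203.0.113.7 dst=ehr-app01 proto=rdp
not a log line
"""

# Constructed access register: accounts whose request carries a signed-off justification.
# "remote" records whether off-network access was part of the approved request.
APPROVED = {
    "jdoe": {"justification": "clinical staff; supervisor, security manager, ISO", "remote": True},
    "asmith": {"justification": "database administrator, on-site only", "remote": False},
}

# Assumed internal address plan; any source outside it is treated as remote access.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed date on which the routine audit is run.
AUDIT_DATE = datetime(2024, 3, 15)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["src"] = ip_address(e["src"])
        events.append(e)
    return events


def is_remote(addr):
    """True when the source address is outside every internal network."""
    return not any(addr in net for net in INTERNAL_NETS)


def review_accounts(events, approved):
    """One finding per account whose logged activity exceeds its documented authority."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user in sorted(by_user):
        evs = by_user[user]
        remote = [e for e in evs if is_remote(e["src"])]
        if user not in approved:
            findings.append({
                "user": user,
                "issue": "undocumented account",
                "remote_events": len(remote),
                "targets": sorted({e["dst"] for e in evs}),
            })
        elif remote and not approved[user]["remote"]:
            findings.append({
                "user": user,
                "issue": "remote access without documented need",
                "remote_events": len(remote),
                "targets": sorted({e["dst"] for e in remote}),
            })
    return findings


def coverage_gap_days(events, now, report_window_days):
    """Days at the start of the reporting window for which no log events survive.

    With logs overwritten after two weeks and a 60-day report, this gap is the
    reason the report cannot be completed without waiting.
    """
    if not events:
        return report_window_days
    oldest = min(e["ts"] for e in events)
    window_start = now - timedelta(days=report_window_days)
    return max(0, (oldest - window_start).days)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in review_accounts(evs, APPROVED):
        print(finding)
    print("days of the 60-day window with no surviving logs:",
          coverage_gap_days(evs, AUDIT_DATE, 60))
```

On the constructed data the review reports asmith (approved, but seen connecting from outside the internal range with no remote approval on file) and the two accounts absent from the register, svc_backup and tmp_admin, which is the kind of discrepancy a weekly log audit against the signed-off register would surface without waiting for a routine review. The coverage check shows that only the most recent two weeks of a 60-day window survive, so the remaining days would have to be reconstructed from backups if the retention policy required any.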