FEF Group eHealth Privacy
Security Considerations for Health Care Organizations
Frank E. Ferrante, President, FEF Group, LLC
Chair, MTPC
11 January 2001
Presented at SAINT2001 Global Telehealth/Telemedicine and the Internet Workshop, San Diego, CA
Outline
• HIPAA
• HHS Patient Information Privacy
• Threats and Protection Mechanisms
• Information Protection Rules
• Typical Security Architectural Views
• Policies to be considered
HIPAA
• IEEE-USA's Medical Technology Policy Committee positions
  – Implementation timetable of two years
  – Patient information must be protected by all means of electronic transmission and storage (includes fax, phone, wireless)
  – Authorization for accessing data bases must be assured
  – IEEE-USA recommended coordination among agencies and organizations on a more realistic time schedule
• Costs for compliance in two years as estimated in the HIPAA NPRM are too low (conflict between timely compliance and financial viability)
• IEEE recommended that the effective date be divided into three phases
  – Phase 1: Prepare policies, plans and risk assessments (my estimate: 1 year)
  – Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)
  – Phase 3: Replace the installed base of hardware, software and firmware with HIPAA-compliant products (my estimate: 3 to 5 year program)
  – Changes the date of compliance to 2008, not 2002 (realistic given cost, technology changes, and training for implementation)
New Patient Privacy Regulations
• Takes effect in two years (2003)
• Bars all health care providers and insurance companies from disclosing private health information for non-health related purposes
• Doctors required to have written permission from the patient before sharing patient information (includes billing and treatment)
• Prohibits employers from perusing medical information on employees and job applicants
• If an employer manages their own healthcare plan it cannot use the employee's information for anything other than healthcare
• RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
• Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs prison
• LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)
Healthcare Information Sharing
• Consulting physicians;
• Managed care organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy benefit managers;
• Clinical laboratories;
• Accrediting organizations;
• State and Federal statistical agencies; and
• Medical information bureaus.
Information Protection Failures
• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women (ACLU Legislative Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol (Orlando Sentinel, November 30, 1997).
Trust and Risk
• Do you trust the Internet?
• Do you trust wireless cell phone communications?
• Are you sure that the person at the other end of the connection is who they say they are?
Trust and Risk
• Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually a $50 maximum if cards are used fraudulently)
• The approach focused on reducing risk, since the technology was not yet ready
• Limiting risk compensates for a lack of trust
• Many consider this approach, however, a band-aid over the real issue: increasing user trust
• What is available and what can be provided?
Typical Hacker Threats and Protections
Hacker threat – Protection
• Masquerading – Authentication
• Eavesdropping – Encryption
• Interception – Digital Certs./Signatures
• Address Spoofing – Firewalls
• Data Manipulation – Encryption
• Dictionary Attack – Strong Passwords
• Replay Attacks – Time Stamping & Sequence Numbers
• Denial of Service – Authentication
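The slide pairs replay attacks with time stamping and sequence numbers. The following added example (not from the presentation) shows how a receiver combines the two: a freshness window bounds how long a captured message stays usable, and a per-sender high-water mark rejects copies replayed inside that window. The Message type, the field names and the sample clock values are constructed for this illustration; it assumes the sender, sequence number and timestamp have already been authenticated by a signature.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Message is what the receiver sees after the outer signature has already
// authenticated Sender; Seq and Sent are covered by that signature, so a
// party who captures the message cannot adjust them to look fresh.
type Message struct {
	Sender string
	Seq    uint64
	Sent   time.Time
	Body   string
}

var (
	ErrStale  = errors.New("timestamp outside the freshness window")
	ErrReplay = errors.New("sequence number not newer than the last accepted one")
)

// ReplayGuard combines the slide's two protections. Strictly increasing
// sequence numbers also reject messages delivered out of order; a transport
// that reorders packets would need a sliding window instead (not shown).
type ReplayGuard struct {
	Window  time.Duration
	lastSeq map[string]uint64 // highest Seq accepted per sender; persist across restarts
}

func NewReplayGuard(window time.Duration) *ReplayGuard {
	return &ReplayGuard{Window: window, lastSeq: make(map[string]uint64)}
}

// Accept returns nil if m is fresh and new, otherwise ErrStale or ErrReplay.
func (g *ReplayGuard) Accept(m Message, now time.Time) error {
	age := now.Sub(m.Sent)
	if age > g.Window || age < -g.Window { // symmetric bound tolerates clock skew
		return ErrStale
	}
	if last, seen := g.lastSeq[m.Sender]; seen && m.Seq <= last {
		return ErrReplay
	}
	g.lastSeq[m.Sender] = m.Seq
	return nil
}

// Simulate feeds a constructed sequence of messages to one guard and returns
// the verdicts in order: fresh, replayed copy, newer message, stale message.
func Simulate() []error {
	guard := NewReplayGuard(5 * time.Minute)
	t0 := time.Date(2001, time.January, 11, 9, 0, 0, 0, time.UTC) // constructed clock
	first := Message{Sender: "clinic", Seq: 1, Sent: t0, Body: "order 1"}
	second := Message{Sender: "clinic", Seq: 2, Sent: t0.Add(time.Minute), Body: "order 2"}
	old := Message{Sender: "clinic", Seq: 3, Sent: t0, Body: "order 3"}
	return []error{
		guard.Accept(first, t0.Add(10*time.Second)),  // nil: fresh and first seen
		guard.Accept(first, t0.Add(30*time.Second)),  // ErrReplay: same Seq again
		guard.Accept(second, t0.Add(70*time.Second)), // nil: newer Seq, still fresh
		guard.Accept(old, t0.Add(time.Hour)),         // ErrStale: sent an hour ago
	}
}

func main() {
	for i, err := range Simulate() {
		fmt.Printf("message %d: %v\n", i+1, err)
	}
}
```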
Common Internet Attacks and Typical Fixes
Internet attack – Fix
• Root access by buffer overflows – Upgrade systems; training
• Distributed Denial of Service – Creating attack bottlenecks and coordination
• E-mail spamming and relaying – Training
• Exploitation of misconfigured software and servers – Verification/certification of software
• Mail attachment attacks – Training of users to recognize attachments
Goals of Security Measures
• Authentication – Who or what am I transacting with?
• Access Control – Is the party allowed to enter into the transaction?
• Confidentiality – Can any unauthorized parties see the transaction?
• Integrity – Did the transaction complete correctly and as expected?
• Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?
Goals Satisfied by Current Security Mechanisms
Matrix (cell markings not preserved in the transcript): rows are the goals Authentication, Access Control, Confidentiality, Integrity and Non-Repudiation; columns are the mechanisms User Name/Password, Encryption, Firewall, Intrusion Detection System, Public Key Infrastructure and Virtual Private Network.
Public Key Infrastructure (PKI)
• Public/Private Key
• Most comprehensive security model to date
  – Encryption
  – Digital certificates for authentication
  – Digital signatures for non-repudiation
• Certificates (hash function and certificate assignments automated)
  – Integration into applications (can be implemented rapidly using existing CA servers)
Diagram: a Certificate Authority issues the certificates. The sender's private key produces the digitally signed message and the recipient's public key produces the encrypted message; at the other end the recipient's private key decrypts the message and the sender's public key verifies the digital signature.
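The diagram above, and the goals slide before it, describe sign-with-sender's-private-key then encrypt-with-recipient's-public-key, reversed at the recipient. The following added example (not code from the presentation) runs that flow with RSA-PSS signatures and RSA-OAEP encryption from Go's standard library, and shows the recipient refusing both a message altered in transit (data manipulation) and a message signed by someone other than the claimed sender (masquerading). It assumes public keys are exchanged directly rather than via CA-issued X.509 certificates; the party names and sample message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the untrusted network.
type Envelope struct {
	Ciphertext []byte // message encrypted under the recipient's public key
	Signature  []byte // sender's RSA-PSS signature over SHA-256(message)
}

// SignAndEncrypt is the sender side of the slide's flow: sign with the sender's
// private key (integrity, non-repudiation), then encrypt for the recipient with
// the recipient's public key (confidentiality). RSA-OAEP caps the body at about
// 190 bytes for a 2048-bit key; S/MIME-style systems encrypt a symmetric key instead.
func SignAndEncrypt(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// DecryptAndVerify is the recipient side: decrypt with the recipient's private
// key, then verify with the public key of the claimed sender (in a real PKI the
// key comes from the sender's CA-issued certificate). Plaintext is released only
// if both steps succeed.
func DecryptAndVerify(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: damaged ciphertext or wrong recipient")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: altered or not from the claimed sender")
	}
	return msg, nil
}

// Result records the legitimate outcome plus two cases the recipient must refuse.
type Result struct {
	Recovered        string // plaintext the intended recipient obtained
	TamperRejected   bool   // a message altered in transit was refused
	ImpostorRejected bool   // a message signed by someone else was refused
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable randomness: nothing sensible to do
	}
	return k
}

// RunExchange plays a clinic sending a result to a laboratory while a third
// party tries to pass its own message off as the clinic's. Keys are generated
// fresh here (constructed parties); a deployment would load them from its store.
func RunExchange(msg string) (Result, error) {
	clinic, lab, impostor := mustKey(), mustKey(), mustKey()
	env, err := SignAndEncrypt([]byte(msg), clinic, &lab.PublicKey)
	if err != nil {
		return Result{}, err
	}
	plain, err := DecryptAndVerify(env, lab, &clinic.PublicKey)
	if err != nil {
		return Result{}, err
	}
	r := Result{Recovered: string(plain)}
	// Data manipulation in transit: flip one ciphertext byte on a copy.
	tampered := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[len(tampered.Ciphertext)/2] ^= 0x01
	_, err = DecryptAndVerify(tampered, lab, &clinic.PublicKey)
	r.TamperRejected = err != nil
	// Masquerading: signed with the impostor's key, verified against the clinic's.
	forged, err := SignAndEncrypt([]byte(msg), impostor, &lab.PublicKey)
	if err != nil {
		return Result{}, err
	}
	_, err = DecryptAndVerify(forged, lab, &clinic.PublicKey)
	r.ImpostorRejected = err != nil
	return r, nil
}

func main() {
	// Constructed sample message, not real patient data.
	r, err := RunExchange("Patient CONSTRUCTED-001: HbA1c 6.1%")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q tamper_rejected=%v impostor_rejected=%v\n", r.Recovered, r.TamperRejected, r.ImpostorRejected)
}
```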
Global eCommerce Environment
Diagram labels: Cross-certification; Bridging; Root Anchor; CA Islands; Distinguished Name Server (DINS)
• Distinguished name
• Path
• Policy map
Virtual Private Networks (VPN)
• Provides virtual network connectivity
  – User to LAN/WAN
  – LAN/WAN to LAN/WAN
• Encrypted at the TCP/IP level
• Provides protected communications for all TCP/IP services
Diagram: two LAN/WAN sites connected over the VPN.
Firewalls
• Provides traffic management in both directions
• Generally located at the border between public and private networks
• Features include
  – Proxy server/Network Address Translation (NAT)
  – User name/password authentication
  – Packet filtering
  – Stateful vs. stateless packet processing
  – Traffic audit logs
Intrusion Detection System (IDS)
• Audit
  – Store security-pertinent system data
  – Detect traffic patterns
  – Develop reports and establish critical parameters/intrusion criteria using agent software
  – Set up revocation lists
• Detect
  – Predefine flexible security violation criteria (e.g., identify zombie placement, Super User, Root user occurrences)
  – Be proactive
  – Become network-oriented
• Secure
  – Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)
Diagram: an IDS watching a LAN/WAN.
Security Policies - Why Are They Needed?
• Security policies drive the general security framework
• Policies define what behavior is and is not allowed
• Policies define who, what, and how much to trust
  – Too much trust leads to security problems
  – Too little trust leads to usability problems
  – Principle of least access
• Policies will often set the stage in terms of what tools and procedures are needed for the organization
• Policies communicate consensus among a group of "governing" people
• Computer security is now a global issue and computing sites are expected to follow the "good neighbor" philosophy
Key Elements of an Information Protection Policy
• Define who can have access to sensitive information
  – special circumstances
  – non-disclosure agreements
• Define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.)
• Define on which systems sensitive information can be stored
• Discuss what levels of sensitive information can be printed on physically insecure printers
• Define how sensitive information is removed from systems and storage devices
• Discuss any default file and directory permissions defined in system-wide configuration files
Key Elements of a Network Connection Policy
• Defines requirements for adding new devices to your network
• Well suited for sites with multiple support teams
• Important for sites which are not behind a firewall
• Should discuss:
  – who can install new resources on the network
  – what approval and notification must be done
  – how changes are documented
  – what the security requirements are
  – how unsecured devices are treated
Other Important Policies
• Policy which addresses forwarding of email to offsite addresses
• Policy which addresses wireless networks
• Policy which addresses baseline lab security standards
• Policy which addresses baseline router configuration parameters

Backup Charts
Open PKI Support for Customer Choice
Diagram labels: Internet; Corporate Intranet; Mobile User; Remote Office; Customer Network; Supplier Network. PKI vendors shown at the various sites: Entrust, Verisign, Baltimore, Microsoft, Netscape.
Firewall-1 / VPN-1 High Availability
Diagram labels: Corporate Intranet; Internet; Primary VPN-1 Gateway; Secondary VPN-1 Gateway; IKE Synchronization between them; remote VPN-1 Gateway; VPN-1 SecuRemote client.
• Transparent fail-over of IPSec communications without loss of connectivity
• Enables hot fail-over and load balancing across VPN gateways
• Industry's first transparent VPN fail-over that maintains session integrity
Architecture of a Distributed System
Diagram labels: Users and Clients/Partners reach the system over the Internet and over internal WANs and LANs; tiers shown are Web Servers, Middleware, App Servers, DNS, Messaging, Data Storage and Backup/Recovery.
Critical Elements of Security Architecture
• AUDIT, DETECT, and SECURE: three stages of the secure process that are to be followed
• Provide security agents
  – Automated
  – Continually monitor all systems
• Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur
Call Centers
• New systems available
  – IP inclusive
  – Secure
  – Minimize labor element
  – Customer oriented
  – Flexible
  – High performance
• Product vendors
  – Lucent
  – Others
• Recommendation for support
Added Notes:
• Biometric and smart card technology can be applied where appropriate
  – Biometrics is being tested
  – Standards still in the mill
  – People issue: many feel uneasy about providing fingerprints, eye scans, or physical variations as a means to set up secure operations
  – Firms exist to do this today (e.g., International Biometric Group)
  – Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this; locally available support)
• See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc (Florida firm)
List of PKI Operation Reference Specs and Requirements
• DOD5200R – DOD 5200.2-R, Personnel Security Program.
• FIPS1401 – Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
• FIPS112 – Password Usage, 1985-05-30. http://csrc.nist.gov/fips/
• FIPS186 – Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf
• FPKI-E – Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC
• ISO9594-8 – Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
• NS4005 – NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.
List of PKI Operation Reference Specs and Requirements (Concluded)
• NS4009 – NSTISSI 4009, National Information Systems Security Glossary, 1999 January.
• RFC2510 – Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt
• RFC2527 – Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt
• SDN702 – SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
• SDN706 – X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
• Information Technology Security Program (used for assessing and modifying existing security policies) – Draft from CIO Council; March 2000.
• Circular A-130 – Management of Federal Information Resources, OMB
• Special Pub 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems (GSSP), NIST
Operational Documentation Checklist
• Project Plan
• CONOPS
• System Security Plan (SSP)
• Risk Assessment
• Waiver Letter(s)
• Approvals to Test
• Interim Approvals to Operate
• Certificate Policy
• Subscriber Agreement
Security Program Elements
• Mint-wide Security Program
  – planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.
• Access Control
  – controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure.
• Segregation of Duties
  – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
• Service Continuity
  – implementing controls to ensure that when unexpected events occur (i.e., virus) critical operations continue without interruption or are promptly resumed and critical and sensitive information is protected.
Comprehensive Network Security Policy Approach
Reference Model (layers, from mission up to assurance): Mission; Policy; Sec. Org Structure; Sec. Implementation Procedures; Awareness, Training, & Education; Phy & Env Protection; Connectivity Controls; Access Controls; Sys Admin Controls; Storage Media Controls; Accountability Controls; Assurance
Protect Model: Deny, Detect, Assess, Train, Enforce
Response Model: Respond, Report, Isolate, Contain, Recover
Network Security Model
• Level 1. System Mission
• Level 2. Security Policy
• Level 3. Security Organizational Structure
• Level 4. Security Implementation Procedures
• Level 5. Security Awareness, Training, & Education
• Level 6. Physical & Environmental Systems Protection
• Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
• Level 12. Assurance
Diagram inputs: Value of Information and Threat (the start of the Network Security Strategic Reference Model)
• Protect Model: Deny, Detect, Assess, Train, & Enforce
• Response Model: Respond, Report, Isolate, Contain, & Recover
Telecommunications Trends and Increasing Complexity
Chart (plot not preserved in the transcript): data rate versus year, 1950 to 2000, with the rate axis running from 10 bps to 100 Gbps. Labelled points: early modem access (75 bps; 300 bps dial-up; 1200 bps), 9.6 Kbps modem access, X.25 (56 Kbps), ISDN, direct access, Ethernet (IEEE 802.3, 10 Mbps), IBM's Token Ring (16 Mbps), Fast Ethernet (100 Mbps), FDDI (100 Mbps), ATM/SONET networks (10 Gbps+). Wireless systems: AMPS (analog), RAM (8 Kbps), ARDIS (4.8-19.2 Kbps), 3G wireless (256 Kbps - 2 Mbps+), LMDS/MMDS wireless (2.4-38 GHz upper band, 10-155 Mbps).
Frequency band trends (39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz). Local/Multichannel Multipoint Distribution System (LMDS/MMDS) wireless; analog/digital cable technology (unlicensed 2.4-2.5 GHz bands, licensed 24-38 GHz bands, with data rates in the 1.5 to 155 Mbps range). RAM - Radio Analog Mobile Service; ARDIS - Advanced Radio Data Information Service; AMPS - Analog Mobile Paging System.