What do you really need to know - PowerPoint PPT Presentation

Slides: 24
Provided by: michae527
Transcript and Presenter's Notes

Title: What do you really need to know


1
Roadmap to Compliance: IT Best Practices for Business
  • What do you really need to know?

2
Who am I?
  • Manager, Databranch, Elmira Heights, NY
  • Director of IT, Schuyler Hospital
  • HIPAA Academy Certified
  • Advisory Councils for manufacturers,
    distributors, and industry associations

3
Relevant Experience
Race Rescue, Fire Service, Red Cross, Emergency
Planning
4
Schuyler Hospital
5
Federal Regulations
  • HIPAA
  • Health Insurance Portability and Accountability Act
  • Health Insurance Portability (1996)
  • Healthcare Information Privacy (2003)
  • Healthcare Data Security (April 21, 2005)
  • GLBA
  • Gramm-Leach-Bliley Act
  • Financial Data Privacy (May 23, 2003)

6
IT Best Practices: Where do they come from?
  • IT Security Framework
  • ISACA (Information Security Audit Control Assn.)
  • SANS (SysAdmin, Audit, Network, Security)
  • GIAC (Global Information Assurance Certification)
  • Government Agencies
  • Leading Businesses
  • Confidentiality, Integrity, Availability (CIA) of
    Data

7
IT Best Practices/HIPAA/GLBA
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • GOTCHAS
  • PRIORITIES

8
Administrative Safeguards
  • Assigned Security Responsibility
  • Written Risk Assessment
  • Workforce Security/Access Mgt.
  • Awareness Training
  • Security Incident Procedure
  • Contingency Plan
  • Business Associate Contracts

9
Physical Safeguards
  • Locks, barriers, biometrics
  • Device and Media controls

10
Technical Safeguards
  • Policies and Procedures
  • Written, Enforceable, Revised as needed
  • Access Control
  • Unique User Identification
  • Server Security
  • Specialized Software Profiles
  • Firewall
  • Audit Controls
  • Transmission Security

11
Policies
  • What is a Policy?
  • IT Policies
  • Written
  • Adopted
  • Communication, Education
  • Updates and Revisions
  • Can HR enforce your policies?

12
Passwords
13
Procedures
  • Specific Steps
  • Tested
  • Accessible
  • Updates and Revisions
  • Can someone else follow your procedures in your absence?

14
Data Protection
  • What is your best protection?
  • RESTORABLE BACKUPS, IN
    MULTIPLE PLACES

15
How much data can you afford to lose?
  • Cost of Downtime
  • 150 users x $20/hour x 8 hours = $24,000 per day
  • Lost Business
  • Missed Deadlines
  • Manual Data Re-entry
  • Compliance violation ?

16
Backup Options
  • Tape
  • DVD
  • Hard Drive
  • Remote (via the Internet or WAN)
  • Replication
  • Clustering

17
Challenges
18
Can your network be hacked?
  • Firewall with Intrusion Detection and
    Prevention
  • Perimeter virus and spam protection
  • Secure Operating Systems
  • Virus Protection
  • Secure data structure
  • Remote access control
  • Wireless
  • NO MODEMS

19
Desktops and Servers
  • Secure Operating System
  • Windows 2000, XP, Server 2003
  • Patches and updates
  • Virus protection (complete and current)
  • Spyware removal and protection
  • A constant battle
  • or
  • THIN CLIENT (server-based) COMPUTING

20
Gotchas
  • People
  • Training
  • Turnover
  • Freelancing
  • External Partners
  • Remote Access
  • Modems
  • Re-evaluate
  • E-mail
  • Internet Use
  • Time, knowledge, money

NOTHING should be connected to your network
without the IT department evaluating it and
approving it in advance.
21
Priorities
  • Verify your backups are COMPLETE and RESTORABLE
    (including a set off-site)
  • Limit Remote Access to your network
  • Eliminate Modems
  • Patches and Updates
  • Consistent Virus Protection
  • Then, everything else

22
Ask yourself
  • Am I absolutely sure?
  • Can I prove it?
  • Can I maintain it consistently?
  • Do I need outside help?

23
Compliance/Best Practices Toolkit CD
  • Spyware removal tools
  • Belarc Advisor PC profile tool
  • Links to
  • Symantec on-line virus scan
  • Microsoft Baseline Security Analyzer
  • Microsoft Office Updates
  • SANS sample policies

PLEASE COMPLY WITH ALL SOFTWARE LICENSING!