CYB/407-WK5-PART1-PASSWORD-POLICY

School: University of Phoenix
Course: 407
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 8
Uploaded by: lejb1288
CYB/407-WK5-PART1-PASSWORD-POLICY

Develop a 1- to 2-page Password Policy.

Version 115.224: Creation, storage of passwords, and protection. Last revised 01/10/2023.

Purpose: This policy prohibits the use, storage, and disclosure of Personal Health Information (PHI) and Electronic Personal Health Information (ePHI) except as specifically permitted or required by HIPAA regulation.

Scope: This policy applies to all employees, contractors, and vendors who have an account of any kind within the organization that requires a password, including remote personnel accessing via a VPN, on-site personnel, and anyone who has a user name and password to gain entry to any system or software on the organization's network.

Policy:

1. Definitions.
- Authentication: the process that proves or verifies someone's identity.
- Data integrity: the accuracy and consistency of the organization's data over the course of its lifecycle.
- Hash function: a function that takes a group of characters, also known as a key, and maps it to a value of a specific length known as the hash value or hash.
- Multi-factor authentication: a method that uses two or more verification factors to gain authorized access to a system, network, application, or VPN.
- Personally Identifiable Information (PII): information that can be used to identify an individual.

2. The following is the policy for creating and changing authorized passwords:
- Passwords must be exactly 8 characters in length (no more and no less).
- Passwords must not contain the username, first or last name, or any specific characters that can determine the identity of the authorized user.
- Passwords must contain one special character, chosen only from @, #, $, or % (NO OTHER SPECIAL CHARACTERS WILL BE AUTHORIZED).
- Passwords must be changed every 90 days.
- The last 10 previous passwords cannot be used again.

3. The following is how all organizational passwords should be stored:
- All passwords will be encrypted and must not be stored in any form of plain text.
- Multi-factor authentication must be used at all times to provide an extra layer of security while accessing the networks and systems.
- Password hashing must use a one-way algorithm.
- All remote employees, contractors, or vendors are required to use a VPN when accessing any of the organization's networks.

4. The covered entities included in this policy consist of all healthcare providers, such as doctors, clinics, and pharmacies; health plans, such as health insurance companies, HMOs, and company health plans; and healthcare clearinghouses that have any business with PHI and/or ePHI.

5. Any employee, contractor, or vendor who violates or breaches this password policy may be subject to disciplinary action and/or immediate termination of employment or of access to the organization.

6. This policy will follow the guidelines set forth in NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, which provides the technical guidelines for implementing the organization's digital authentication.
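The following Python sketch is an added example, not code from the policy document: it applies the creation rules of section 2 as written (exact 8-character length, no username or name, one or more special characters drawn only from @ # $ %, no reuse of the last 10 passwords, 90-day expiry) and stores passwords the way section 3 requires, as salted one-way hashes rather than plain text. The hash algorithm (PBKDF2-HMAC-SHA256), the iteration count, the Account structure and every sample value are assumptions; the policy names none of them.

```python
"""Password creation and storage checks following the policy above.

Added example, not code from the policy document. The hash algorithm
(PBKDF2-HMAC-SHA256), iteration count, Account structure and sample values
are assumptions; the policy itself names none of them.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REQUIRED_LENGTH = 8             # policy: no more and no less than 8 characters
ALLOWED_SPECIALS = set("@#$%")  # policy: only these special characters
MAX_AGE_DAYS = 90               # policy: changed every 90 days
HISTORY_DEPTH = 10              # policy: last 10 passwords cannot be reused
PBKDF2_ITERATIONS = 200_000     # assumption; tune upward for production hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash. Returns (salt, digest); a fresh salt is drawn if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    first_name: str
    last_name: str
    # (salt, digest, set_at) tuples, oldest first; plaintext is never kept.
    history: List[Tuple[bytes, bytes, datetime]] = field(default_factory=list)


def check_composition(password: str, account: Account) -> List[str]:
    """Apply the creation rules; returns a list of violations (empty means OK)."""
    problems = []
    if len(password) != REQUIRED_LENGTH:
        problems.append(f"length must be exactly {REQUIRED_LENGTH}")
    lowered = password.lower()
    for label, ident in (("username", account.username),
                         ("first name", account.first_name),
                         ("last name", account.last_name)):
        if ident and ident.lower() in lowered:
            problems.append(f"contains the {label}")
    specials = [c for c in password if not c.isalnum()]
    if not specials:
        problems.append("needs a special character from @ # $ %")
    disallowed = sorted({c for c in specials if c not in ALLOWED_SPECIALS})
    if disallowed:
        problems.append("disallowed special character(s): " + " ".join(disallowed))
    return problems


def check_history(password: str, account: Account) -> List[str]:
    """Reject reuse of any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest, _ in account.history[-HISTORY_DEPTH:]:
        if verify_password(password, salt, digest):
            return [f"matches one of the last {HISTORY_DEPTH} passwords"]
    return []


def set_password(account: Account, password: str, now: datetime) -> List[str]:
    """Validate and, if clean, store a new salted hash. Returns violations."""
    problems = check_composition(password, account) + check_history(password, account)
    if not problems:
        salt, digest = hash_password(password)
        account.history.append((salt, digest, now))
    return problems


def password_expired(account: Account, now: datetime) -> bool:
    """True when the current password is older than MAX_AGE_DAYS (or none is set)."""
    if not account.history:
        return True
    return now - account.history[-1][2] > timedelta(days=MAX_AGE_DAYS)


def demo() -> dict:
    """Exercise the rules on a constructed sample account; returns the observed results."""
    acct = Account("jdoe", "John", "Doe")        # constructed sample values
    t0 = datetime(2023, 1, 10)
    return {
        "first_set": set_password(acct, "Ab3$ef9h", t0),
        "too_long": check_composition("Ab3$ef9hX", acct),
        "has_identity": check_composition("jdoe@123", acct),
        "bad_special": check_composition("Ab3!ef9h", acct),
        "no_special": check_composition("Ab3cef9h", acct),
        "reuse": set_password(acct, "Ab3$ef9h", t0),
        "fresh_at_90": password_expired(acct, t0 + timedelta(days=90)),
        "expired_at_91": password_expired(acct, t0 + timedelta(days=91)),
        "rotated": set_password(acct, "Zq7%tr2k", t0 + timedelta(days=30)),
        "history_len": len(acct.history),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each history entry keeps its own salt, so the reuse check recomputes the candidate under every stored salt instead of comparing plaintext, which keeps the "last 10 passwords" rule compatible with the "no plain text" rule. The rules are implemented exactly as the policy states them; a reviewer reconciling the policy with NIST SP 800-63B, which section 6 cites, would note that the guideline advises verifiers against composition rules and against periodic forced changes without evidence of compromise, and instead recommends screening new passwords against lists of known-compromised values, so the fixed 8-character length, the four-character special set and the 90-day interval are the points to revisit.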
Vulnerability Mitigation Table

Columns: Description of Vulnerability | Severity Category (Risk Level: Very Low, Low, Moderate, High, Very High) | Mitigation | Policy | Scheduled Completion Date | Required Resources | Organizational Department | Milestones

Template guidance for each column:
- Description of Vulnerability: <Describe vulnerability>
- Severity: <Indicate the severity.>
- Mitigation: <As described by the IT security management team; include the applicable NIST SP 800-53A security controls>
- Policy: <Indicate the policy that is used to address this vulnerability>
- Scheduled Completion Date: <Best guess based on the complexity of the vulnerability>
- Required Resources: <Best guess monetary cost>
- Organizational Department: <Departments responsible for resourcing, implementing, etc.>
- Milestones: <Identify specific requirements to correct the identified vulnerability. There should be at least two of these>

1. Description of Vulnerability: A malware attack via SQL injection performed on a critical software application that helps to process and store patient PHI, thus allowing access to this data stored within your organization's database.
   Severity: High
   Mitigation: The best mitigation technique for a malware attack is to lower its threat level by removing and intercepting the hacker before the attack is performed, by implementing advanced security protocols, and also to help reduce the impact if any malware attack were to occur. Update software patches regularly, install and configure the anti-virus software that is needed based on the needs of your organization, and perform back-ups on a regular basis to help protect your data.
   Policy: The anti-malware policy that is currently in place on organizational systems should be implemented for this vulnerability.
   Scheduled Completion Date: January 03, 2023
   Required Resources: $4,000 - $6,000
   Organizational Department: The organization, clients, and system owners.
   Milestones: Update patches on all your anti-virus and prevention software regularly. Make sure to have the appropriate malware protection implemented and perform frequent scans to help minimize the opportunity for future attacks.

2. Description of Vulnerability: An employee error that allowed a patient's PHI to be emailed to the wrong recipient, who is also not authorized to access this PHI.
   Severity: Moderate
   Mitigation: To help mitigate this risk of future employee errors, all employees will go for regular security and awareness training so they remain aware. It is also important for organizations and all of their employees to remain vigilant and aware of what patient PHI they are sending and to whom.
   Policy: The organization's disciplinary policy should be implemented, or the employee security and development policy should also be used for this vulnerability.
   Scheduled Completion Date: December 28, 2022
   Required Resources: $1,000 - $2,000
   Organizational Department: All employees, contractors, vendors, and the security team.
   Milestones: Security and employee awareness training will be conducted regularly, perhaps every quarter. All roles and responsibilities will be assigned to employees and any other individuals that have access to the employee system.

3. Description of Vulnerability: An alert of unauthorized access to a client's account via the organization's official login website, made via the immediate use of multi-factor authentication procedures.
   Severity: High
   Mitigation: The best way to mitigate unauthorized access via weak passwords is to secure the infrastructure and information. Implement the use of a multi-factor authentication tool to have an added layer of security.
   Policy: The organization's password policy should be implemented for this vulnerability.
   Scheduled Completion Date: December 15, 2022
   Required Resources: $4,000 - $5,000
   Organizational Department: The entire security team.
   Milestones: Create and train all employees, contractors, and vendors on the importance of creating strong passwords and protection against the cracking of weak passwords. A particular set of rules and guidelines implemented for organizational passwords is the key to helping reduce the potential for further attacks to occur: passwords are to be changed every 90 days; all passwords must include 8 characters, including @, #, $, or %; names or user IDs cannot be included; and none of the previous 10 passwords can be used. Also, include multi-factor authentication software to provide an extra layer of security so that only authorized personnel can have access.

Cited References
1. NIST Special Publication 800-63B. (2021). Authentication and Lifecycle Management. https://pages.nist.gov/800-63-3/sp800-63b.html
2. Computer Passwords Policy. (2021). Password Policy Requirements. https: hrm.org/re tools/tools-and- 1 lici rdpoli X