Corporate Information Security

Altura Centers for Health / Revise date: 6/14/2016

Introduction

This paper was written to raise security awareness and provide corporate employees with essential security information that emphasizes critical issues surrounding an implementation of security “best practices” throughout the organization. Do not assume that this paper is an all-inclusive guide to corporate information security. Information security consists of four major components: technology, process, policy and culture. This paper focuses on culture and specific human factors that weaken security in an organization. This paper is written in a style that attempts to address the non-technical person. We lightly touch on the “why to do” but comments are limited to providing only basic understandings. Our goal is to facilitate changing current culture through security awareness so that each day, every one of us demonstrates a proactive role in protecting intellectual assets from falling into the wrong hands.

 Information Security’s weakest link is people. The Computing Technology Industry Association states that nearly two-thirds of reported security breaches are primarily the result of human error.  Information security is a distributed responsibility and is very important to the survival of an organization. Each one of us must make it our personal business to know and adhere to company security policies otherwise security attacks will always present an unacceptable risk to the enterprise and its future well-being.

 Table of Contents 

1.1 Sharing Information

1.2 Confidential Information

1.3 Access and Workstation Security

2.1 Electronic Storage and Transfer of Information

3.1 Security Risk Types: Social Engineering

3.2 Security Risk Types: Email 

3.3 Security Risk Types: Computers and Personal Devices

3.4 Security Risk Types: Telephone Voicemail 

Summary

 

 1.1 Sharing Information

 Always verify the identity of the requestor before providing confidential information. Verify the requestors’ identity in person with a picture ID or on-line with a secure-id. If you are on the phone, verify the requestors’ identity by recognizing the date of birth and/or social if applicable.

1.2 Confidential Information

Confidential information is any information considered to be private and sensitive.

Here are some examples of confidential information:

  • Protected Health Information (PHI)
  • Social security numbers (SSN) employees or patients
  • Credit card information
  • Financial Records
  • Passwords, PINs, or other security codes

Confidential information takes on many forms. It can be information printed on paper, or data files in a system or handheld device such as a smartphone, computer media or voice mail. Regardless of its’ form, you are responsible to protect it from unauthorized disclosure. Your supervisor or Corporate Privacy Officer can provide specific guidance on how to properly handle confidential information.

1.3 Access and Workstation Security

Access Privileges

To obtain access to an application or computer system, an access request must be submitted to the Information Technology department through the Help Desk ticketing process. Contact the IT Help Desk at extension 4300 or via email at [email protected] for assistance.

Management may limit or deny anyone’s access privileges at any time. Reasons for denying access privileges include, but are not limited to, the following:

  • Change of job duties or employment termination
  • Failure to comply with policies and procedures
  • Conduct that interferes with the normal and proper operations of computer systems
  • Behavior that is harmful, unprofessional, offensive, or harassing to others

  Workstation Security

Position workstation monitors to be facing away from the public view when possible. Log off or lock your workstation whenever leaving it unattended. Also, log off when you are leaving your work area, especially at the end of your shift. Leaving a workstation logged on and unattended could lead to an unauthorized access of information.

Passwords 

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of your organizations entire corporate network. As such, all corporate employees (including contractors and vendors with access to systems) are responsible for the appropriate steps outlined below.

 Only you can protect your organizations sensitive information. Do not use family names, nicknames, anniversaries, birthdays or pet names. Do NOT use the word “password” for any of your personal password selections. Ideally, use a minimum of 8 characters using both upper and lower case characters and symbols. Keeping your password to yourself is critical to our company’s security. Never display your password anywhere especially on a post-it note near your PC or under your keyboard.

 As a common security practice the organization changes account passwords every 120 days and does not permit the last 24 passwords used. This process requires user account passwords to prompt for change at initial logon.

2.1 Electronic Storage and Transfer of Information


In an effort to improve business efficiencies, many networks are connected to the internet and possibly one or more partner networks. Because an organization has no control over the quality of security methods practiced on the internet or partner networks you personally need to take special care when storing or transferring sensitive data.

  •  If you are unsure of the level of sensitivity of the information you are working with, contact the HIPAA compliance officer or IT services desk.
  • If you are the data owner, be sure to communicate the sensitivity of your data.
  • If you have a choice between storing internal information on a local drive (C:) or a network drive choose to store your information on the network drive. Company network drives are more secure and are backed up on a regular basis.
  • Personal storage devices are strictly prohibited and should not be installed to networked computers under any circumstance. These devices can increase the risk of data loss, data exposure and an increased risk of network based attacks.
  • If PHI is to be transferred it must be through the means of a HIPAA certified solution. Unencrypted email is open to potential breach of information.

3.1 Security Risk Types: Social Engineering

 Most individuals are trusting and helpful. People looking to acquire information they wouldn’t normally have access to will attempt to exploit this natural behavior using deceptive practices to abuse your trust. Phony telephone calls, phony websites, dangerous email attachments and poorly configured equipment are just a few example methods people use to acquire information they shouldn’t have. Thieves commonly use deceptive tactics such as sympathy, guilt and intimidation to access or obtain confidential information by masquerading as a legitimate employee, contractor, vendor or business partner. These thieves sometimes referred to as “social engineers”, work to exploit your trust.

 If you find yourself on the following list then be aware, you are one of the common people targets of social engineering attacks…

  • Receptionists, Telephone Operators, Admin Assistants
  • Help Desk personnel, Technical Support, System Administrators
  • Finance, Human Resources
  • Any employee new to a given area

Watch for these warning signs of a possible attacker…

  • Refusal to provide a direct callback phone number
  • Their request is not ordinary
  • They try to claim authority
  • They stress urgency
  • They threat negative consequences if you don’t comply
  • They show discomfort when questioned

3.2 Security Risk Types: Email

What would we do without email? Today it’s hard to imagine any organization not providing its employees with Email access. Best practice is to not include sensitive data (PHI, PII) within email messages under any circumstance. In an effort to mitigate risk Altura has provided the Health Information Management team with secure cloud technology for exchange of ePHI.

When it comes to email the best security practice you can perform is to never open or respond to an email or attachment from an unknown source as it may contain a Virus, Trojan or Worm that can affect your computer and others on the network. Corporate email accounts should only be used for purposes related to work function.

3.3 Security Risk Types: Computers and Personal Devices

Personal computers are today’s workhorse tool of choice. While computer prices continue to fall and functionality and performance continues to rise, we find more and more users adapting to this new way of getting work done faster. If you do not take responsibility for the safe management of the computer you use, you may be at risk of losing sensitive data or even worse, having your personal identity stolen.

  • · Do not install software without approval from the IT department
  • · Anti-virus is essential on all networked computers
  • · No computer should be connected to the internet unless it is protected by an anti-virus and firewall system.
  • · If you are unsure if your computer is protected by an anti-virus and firewall system contact your IT Help Desk to verify protection before connecting.
  • · Never leave your portable computer unattended, even briefly, in any public place.

3.4 Security Risk Types: Telephone Voicemail

An often overlooked area of personal security best practice is telephone voicemail. How secure is the access to your personal voicemail? Are you currently using a strong password to protect your voicemail or is your voicemail password one that is easy to guess after just a few tries?

  • Phone “Phreaking” is a term used when an intruder tries to break into your voicemail box.
  • Do not set your voicemail password to the same number as your extension
  • Change your voicemail password often, for assistance contact the IT Help Desk

Summary

After reading this paper we trust we have raised your level of awareness and your sense of responsibility towards information security. Information security’s weakest link is people. You do not have to be a weak link. Take advantage of your new understandings as you should now be better prepared to take a proactive role in protecting organizational assets.