Group presentation for Information Security Class.


SANS Medical

By: Ramos Ramon, Margret Whitley, Kevin McDonald, Alva Brownlow, James Adcock, and Ashley Clark.

General Security Policies

Overview
What is to be covered:
Email Policy
Ethics Policy
Acceptable Encryption & Clean Desk Policy
Disaster Recovery Plan Policy
Pandemic Response Planning Policy
Acceptable Use Policy
Password Construction Guidelines & Password Protection
Security Response Plan Policy & Digital Signature Acceptance
End User Encryption Key Protection

Email Policy
All use of email must be consistent with SANS Medical policies and procedures on ethical conduct, safety, compliance with applicable laws, and proper business practices.
A SANS Medical email account should be used primarily for SANS Medical business-related purposes; personal communication is permitted on a limited basis, but commercial uses unrelated to SANS Medical are prohibited.
Users are prohibited from automatically forwarding SANS Medical email to a third-party email system. Individual messages forwarded manually by the user must not contain information classified SANS Medical Confidential or above.
Users are prohibited from using third-party email systems and storage services such as Google, Yahoo, or MSN Hotmail to conduct SANS Medical business, to create or memorialize any binding transactions, or to store or retain email on behalf of SANS Medical. Such communications and transactions must be conducted through proper channels using SANS Medical-approved documentation.
Using a reasonable amount of SANS Medical resources for personal email is acceptable, but non-work-related email must be saved in a separate folder from work-related email.
Sending chain letters or joke emails from a SANS Medical email account is prohibited.
SANS Medical employees shall have no expectation of privacy in anything they store, send, or receive on the company's email system.

Ramon Ramos

Ethics Policy
SANS Medical employees will treat everyone fairly, show mutual respect, promote a team environment, and avoid both the intent and the appearance of unethical or compromising practices.
Every employee needs to apply effort and intelligence in upholding ethical values.
Employees will help SANS Medical increase customer and vendor satisfaction by providing quality products and timely responses to inquiries.
Employees should ask themselves the following questions when any behavior is questionable:
Is the behavior legal?
Does the behavior comply with all applicable SANS Medical policies?
Does the behavior reflect SANS Medical values and culture?
Could the behavior adversely affect company stakeholders?
Would you feel personally concerned if the behavior appeared in a news headline?
Could the behavior adversely affect SANS Medical if all employees did it?
SANS Medical will not tolerate harassment or discrimination.
Unauthorized use of company trade secrets, or of marketing, operational, personnel, financial, source code, and technical information integral to the success of the company, will not be tolerated.
SANS Medical will not permit impropriety at any time; we will act ethically and responsibly in accordance with the law.

Ramon Ramos

Acceptable Encryption & Clean Desk Policy
This policy applies to all SANS Medical employees and affiliates.

1. Algorithm Requirements
Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set approved for use in the United States by the National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding document in force on the date of implementation.
2. Key Agreement and Authentication
Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH).
3. Key Generation
Key generation must be seeded from an industry-standard random number generator (RNG). For examples, see NIST FIPS PUB 140-2 Annex C: Approved Random Number Generators. Cryptographic keys must be generated and stored in a manner that prevents loss, theft, or compromise.
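As an added example (not part of the original presentation and not SANS Medical code), the following Go program shows what items 2 and 3 of the policy look like in practice: two parties generate P-256 key pairs from the operating system's CSPRNG (crypto/rand), agree on a shared secret with ECDH, derive an AES-256 key from it, and exchange a message under AES-GCM, an AES-compatible authenticated cipher. The party names, the sample message, and the use of SHA-256 as a stand-in key derivation step are assumptions made for illustration; production code would use HKDF with a context label.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one side of the key agreement. Its private key comes from
// crypto/rand (the OS-backed CSPRNG), never from math/rand or a fixed seed.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh P-256 key pair.
func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKeyBytes is what a party sends to its peer; the private key never leaves Party.
func (p *Party) PublicKeyBytes() []byte { return p.priv.PublicKey().Bytes() }

// DeriveKey validates the peer's encoded public key (NewPublicKey rejects points
// that are not on the curve), runs ECDH, and derives a 256-bit AES key.
// SHA-256 over the raw shared secret is a stand-in KDF (assumption for this example).
func (p *Party) DeriveKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("invalid peer public key: %w", err)
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a fresh random 96-bit nonce
// and returns nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. Any change to nonce, ciphertext or tag fails
// authentication and yields an error rather than garbage plaintext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Exchange runs the whole flow between two freshly keyed parties, sends msg from
// the first to the second, then checks that a one-bit change to the sealed
// message is rejected. It returns the recovered plaintext and whether the
// tampered copy was detected.
func Exchange(msg []byte) (recovered []byte, tamperDetected bool, err error) {
	alice, err := NewParty()
	if err != nil {
		return nil, false, err
	}
	bob, err := NewParty()
	if err != nil {
		return nil, false, err
	}
	keyA, err := alice.DeriveKey(bob.PublicKeyBytes())
	if err != nil {
		return nil, false, err
	}
	keyB, err := bob.DeriveKey(alice.PublicKeyBytes())
	if err != nil {
		return nil, false, err
	}
	if !bytes.Equal(keyA, keyB) {
		return nil, false, errors.New("key agreement failed: sides derived different keys")
	}
	sealed, err := Seal(keyA, msg)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Open(keyB, sealed); err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, tamperErr := Open(keyB, tampered)
	return recovered, tamperErr != nil, nil
}

func main() {
	// Constructed sample message for the example.
	got, detected, err := Exchange([]byte("lab results for MRN 0001 ready"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampering detected: %v\n", got, detected)
}
```

The points to take from the block: key material is drawn only from crypto/rand, the peer's public key is validated before use, and the cipher is an AEAD, so the receiver either gets the exact plaintext or an error.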

1. Maintain a Clean Desk
Employees are required to ensure that all sensitive/confidential information, in hardcopy or electronic form, is secured in their work area at the end of the day and whenever they are expected to be away for an extended period.
2. Restricted or Sensitive Information
This information must remain in a locked desk or file cabinet when not in use.
Passwords may not be left on sticky notes posted on or under a computer, nor may they be written down and left in an accessible location.
Portable computing devices must be secured with a locking cable or locked away in a drawer.
3. Related Standards, Policies and Processes
HIPAA Security Rule, Workstation Security Standard, 45 CFR 164.310(c)

Alva Brownlow

Disaster Recovery Plan Policy

The following contingency plans must be created:
Computer Emergency Response Plan: Who is to be contacted, when, and how? What immediate actions must be taken in the event of specific occurrences?
Succession Plan: Describes the flow of responsibility when normal staff are unavailable to perform their duties.
Data Study: Details the data stored on the systems, its criticality, and its confidentiality.
Criticality of Service List: Lists all the services provided and their order of importance.
Data Backup and Restoration Plan: Details which data is backed up, the media to which it is saved, where that media is stored, and how often the backup is done. It should also describe how that data can be recovered.
Equipment Replacement Plan: Describes what equipment is required to begin providing services again, lists the order in which it is needed, and notes where to purchase it.

Margret Whitley

Pandemic Response Planning Policy

Communications plan: Accounts for congested telecommunications services.
Employee training: Covers personal protective equipment (PPE).
List of key personnel: Who will take over if they become ill?
Alert system: Monitors the World Health Organization (WHO).
Emergency policies: Supplement normal SANS Medical policies.
List of extra supplies: To be kept on hand or pre-contracted for supply.

Margret Whitley

Acceptable Use
Outlines the purpose of an acceptable use policy.
Details all the areas that the policy covers.
Gives employees a detailed list of rules that must be followed in the workplace, including but not limited to:
Company property: what it covers and what should be done regarding it.
How employees handle and access information that belongs to the company.
Also lists what activities are prohibited while working for the company.
Details how employees should conduct themselves in email and online blogging.
Explains what tools HR will use to monitor behavior and act on any offense committed by employees.
Lists related policies and the terms used in the Acceptable Use Policy.

Kevin McDonald

Password Construction & Password Protection
Password Construction
A poorly constructed password may result in the compromise of individual systems, data, or the entire network. Strong passwords have all of the following characteristics:
Contain at least 12 characters.
Contain both upper and lower case letters.
Contain at least one number (0-9).
Contain at least one special character (for example: !$%^&*()_+|~-=\`{}[]:";'?,/).

Password Protection
Passwords must not be shared with anyone.
Do not write passwords down or store them anywhere in your office.
Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

James Adcock

Security Response Plan & Digital Signature Acceptance
Security Response
Service or Product Description: Must clearly define the service or application; data flows, logical diagrams, and architecture descriptions are considered highly useful additions.
Contact Information: Must include contact information that is reachable during non-business hours should an incident occur.
Triage: Must define the triage steps to be carried out with the security incident management team so that the incident can be quickly resolved.
Identified Mitigations and Testing: Must define a process for identifying and testing mitigations prior to deployment.
Mitigation and Remediation Timelines: Must include levels of response that set out the expected time to remediate an incident depending on the situation.

Digital Signature Acceptance
Responsibilities: Digital signature acceptance requires action on both sides: the employee signing and sending documents or correspondence, and the employee receiving and reading them.
Signer Responsibilities: Obtain a signing key pair from the SANS Medical Identity Management Group; sign documents and correspondence with a program approved by SANS Medical; protect the private key and keep it secret; and if you believe it has been stolen or compromised, report it to the Identity Management Group.
Recipient Responsibilities: Read documents and correspondence using software approved by SANS Medical; verify that the signer's public key was signed by the Certificate Authority; if the signature is not valid, do not trust the contents; and if a signature is being abused, report it to the SANS Medical Identity Management Group.

Ashley Clark
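As an added example (not part of the original presentation and not SANS Medical's software), the following Go program models both sides of the digital signature acceptance policy: an IdentityGroup type standing in for the Identity Management Group's Certificate Authority issues Ed25519 key pairs and endorses each public key, a signer signs a document, and a recipient verifies first that the signer's public key carries the CA's signature and then that the document signature is valid, refusing the contents if either check fails. The CA model, the employee name, the sample documents, and the credential format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// IdentityGroup stands in for the Identity Management Group's CA (assumption
// for this example): it issues key pairs and endorses each public key.
type IdentityGroup struct {
	caPub  ed25519.PublicKey
	caPriv ed25519.PrivateKey
}

// Credential binds an employee name to a public key under the CA's signature.
type Credential struct {
	Name        string
	Pub         ed25519.PublicKey
	Endorsement []byte // CA signature over endorsedBytes(Name, Pub)
}

// SignedDocument is what a signer sends: body, signature, and credential.
type SignedDocument struct {
	Body []byte
	Sig  []byte
	Cred Credential
}

func NewIdentityGroup() (*IdentityGroup, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityGroup{caPub: pub, caPriv: priv}, nil
}

// CAPublicKey is the trust anchor every recipient must already hold.
func (ig *IdentityGroup) CAPublicKey() ed25519.PublicKey { return ig.caPub }

// endorsedBytes is the message the CA signs; the NUL separator keeps
// different (name, key) pairs from colliding.
func endorsedBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// Issue is the signer's first responsibility: obtain a key pair from the
// Identity Management Group. The private half is handed only to the signer.
func (ig *IdentityGroup) Issue(name string) (Credential, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	end := ed25519.Sign(ig.caPriv, endorsedBytes(name, pub))
	return Credential{Name: name, Pub: pub, Endorsement: end}, priv, nil
}

// ForgedCredential models an attacker who generates a key pair and
// "endorses" it with that same key instead of the CA's key.
func ForgedCredential(name string) (Credential, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	end := ed25519.Sign(priv, endorsedBytes(name, pub))
	return Credential{Name: name, Pub: pub, Endorsement: end}, priv, nil
}

// Sign produces the document the signer sends.
func Sign(priv ed25519.PrivateKey, cred Credential, body []byte) SignedDocument {
	return SignedDocument{Body: body, Sig: ed25519.Sign(priv, body), Cred: cred}
}

// Verify is the recipient's check in the order the policy states: first that
// the signer's public key was signed by the CA, then that the signature covers
// the body. Either failure means the contents must not be trusted.
func Verify(caPub ed25519.PublicKey, doc SignedDocument) error {
	if len(doc.Cred.Pub) != ed25519.PublicKeySize {
		return errors.New("malformed signer public key")
	}
	if !ed25519.Verify(caPub, endorsedBytes(doc.Cred.Name, doc.Cred.Pub), doc.Cred.Endorsement) {
		return errors.New("signer's public key is not endorsed by the Identity Management Group CA")
	}
	if !ed25519.Verify(doc.Cred.Pub, doc.Body, doc.Sig) {
		return errors.New("document signature invalid: do not trust the contents")
	}
	return nil
}

func main() {
	ig, err := NewIdentityGroup()
	if err != nil {
		panic(err)
	}
	cred, priv, err := ig.Issue("Ashley Clark")
	if err != nil {
		panic(err)
	}
	// Constructed sample documents for the example.
	doc := Sign(priv, cred, []byte("Approved: revised clean desk procedure v2"))
	fmt.Println("genuine document:", Verify(ig.CAPublicKey(), doc))
	doc.Body = []byte("Approved: revised clean desk procedure v3")
	fmt.Println("altered body:", Verify(ig.CAPublicKey(), doc))
	forged, forgedPriv, _ := ForgedCredential("Ashley Clark")
	fmt.Println("unendorsed key:", Verify(ig.CAPublicKey(), Sign(forgedPriv, forged, []byte("Wire funds now"))))
}
```

Note that a valid document signature is not enough on its own: the forged credential in the last call carries a perfectly good signature from its own key, and only the endorsement check ties the name on the credential back to a key the Identity Management Group actually issued.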

End User Encryption Key Protection
Policy Rules
Symmetric and Asymmetric Keys:
Symmetric keys: Must be generated using the strongest approved algorithm and the longest available key length. When not in use they must be protected with security measures that are just as strong.
Asymmetric keys: Come in public-private pairs; the public key may be seen by everyone, but only the end user should hold the private key.
Hardware Token Storage: Hardware tokens are to be treated as sensitive company equipment. In accordance with the SANS Medical Physical Security Policy, all hard tokens, smartcards, USB tokens, etc. must not be left connected to, or stored in the same container as, a computer when not in use.
PINs, Passwords, and Passphrases: All PINs, passwords, or passphrases used to protect encryption keys must meet the complexity and length requirements described in the SANS Medical Password Policy.
Loss and Theft: If any encryption key covered by this policy is stolen or lost, you must report it to the Infosec Team, who will direct the end user on what to do.
Policy Compliance
Compliance Measurement: Infosec will verify compliance with these rules through various methods, such as periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions: Any exception to this policy must be approved by the Infosec Team in advance.
Non-Compliance: Violating these rules may lead to disciplinary action, up to and including termination of employment.

Ashley Clark

Summary
Overall, what you should have learned from this presentation is how to follow the policies and guidelines when:
Communicating and emailing within the company, and how to treat your co-workers.
Meeting your company's acceptable encryption requirements, and how keeping a clean desk helps information security.
Knowing what plans need to be in place in case of a disaster or pandemic.
Knowing what rules need to be in place regarding proper use of company equipment.
Making your passwords strong and keeping them safe.
Responding to an incident involving the company's service, and what guidelines to follow when using digital signatures.
Choosing which encryption keys to use in given situations, how they work, and what to do if they are lost or stolen.

Farewell.
Thank you for attending this presentation brought to you by SANS Medical. If you have any questions or concerns, please contact the help associate and designer Ashley Clark at [email protected]