Security+ Lesson1

You need to research Health Insurance Portability and Accountability Act (HIPAA) compliance as it is a federal law designed to protect the health insurance coverage of workers who change or lose their jobs. The important part from an IT perspective is how it protects the privacy of patient records. HIPAA defines protected health information (PHI) and regulates how it can be used or disclosed. It also defines security standards for the storage and access of PHI.

You are practicing due diligence and complying with FISMA before migrating some of the internally hosted data to a cloud-based service. Due diligence involves taking a regulated activity or anything else that could lead you into a legal liability. You must investigate the situation you’re entering, understand the risks and obligations it brings, then take reasonable care in your following actions whereas Federal Information Security Management Act (FISMA) is a law applying to all federal agencies. It requires every agency to develop, document, and implement an information security and protection program.

Technical controls enforce confidentiality, integrity, and availability in the digital space. Technical controls include firewall rules, access control lists, intrusion prevention systems, and encryption. In modern data systems, technical controls do a great amount of work and require the most exacting knowledge. However, they’re still only effective in conjunction with human activities used to implement and enforce them.

It’s costly when your organization’s data and other resources aren’t available to those who need it, when they need it. Apart from any other harm done by a security incident, the more it disrupts your business operations, the more harm it will do. Many attacks are designed to damage solely by targeting availability. Availability is typically described in the percentage of the time a system or resource is expected to be operating and responsive. There are many security controls used to enhance availability during routine operations and during or after attacks or system errors.

> Redundancy

> Fault tolerance

> Patch management

For a typical example of regulatory compliance, PCI DSS defines twelve mandated controls needed to meet them.

> Install and maintain a firewall configuration to protect cardholder data.

> Do not use vendor-supplied defaults for system passwords and other security parameters.

> Protect stored cardholder data.

> Encrypt transmission of cardholder data across open, public networks.

> Use and regularly update antivirus software or programs.

> Develop and maintain secure systems and applications.

> Restrict access to cardholder data by business need to know.

> Assign a unique ID to each person with computer access.

> Restrict physical access to cardholder data.

> Track and monitor all access to network resources and cardholder data.

> Regularly test security systems and processes.

> Maintain a policy that addresses information security for all personnel.

Due care is less about the research you put in ahead of time and more about the ongoing actions you perform for whatever assets you’re responsible for. For example, maintaining the safety standards of your property over time or making reasonable business decisions for a company you manage for others are examples of due care. If something goes wrong anyway, due care allows you to establish that you worked in good faith to protect the company and its assets from harm.

The audit is a systematic evaluation of effectiveness against a set of established criteria, such as to verify regulatory compliance or cost-effectiveness. Audits are intended to provide independent proof of performance to parties such as upper management, investors, external partners, and regulatory bodies. They tend to be formal and follow strictly designed criteria, and there can be severe consequences for production systems failing an audit. Depending on the audience of an audit, it might be performed by an independent internal team, or by an external contractor.

The disclosure of sensitive information to unauthorized individuals is a violation of the principle of confidentiality. Confidentiality ensures that information is viewable only by authorized users or systems, and is either inaccessible or unreadable to unauthorized users. Confidentiality is most crucial for obviously sensitive information, but even information that isn’t secret in itself might be valuable to attackers who wish to compromise your organization.

Your supervisor is promoting defense-in-depth and vendor diversity strategies. Defense-in-depth typically defines multiple layers on which the organization's internal network needs to be secured. Those layers define where you need to look when you set up security systems or troubleshoot security issues. Defense-in-depth doesn’t just describe parts of your organization: a single layer can be made more secure by applying multiple complementary controls. Even if they’re all physical security, having locked doors, cameras, and patrolling guards is more robust protection for a secure facility than any one of the above. Even with the same type of control, vendor diversity can add security. Having two network firewalls made by two different vendors means if an attacker learns about a vulnerability in one, it might not be applicable to the other.

National Institute of Standards and Technology (NIST) is a US government agency charged with developing and supporting standards used by other government organizations, while it primarily promotes standards for use by the US government, they frequently are used by others with similar technology needs. In recent years, computer security standards have become a major part of its mission. NIST shares most of its findings with the broader security community and regularly publishes information about known software vulnerabilities and security best practices.