Assignment: Making decisions regarding proper access controls does not always require a detailed understanding of information technology. As a matter of fact, some of the most important opportunities

Assignment, Rubric, & Lesson Content

Tip for Assignment:

WELCOME TO WEEK 5

This week we will be discussing Access Controls.  This means ensuring that the correct employee in the correct role has access only to that data which they need to do their job.  However, it also means that they must have access to ALL of the data they need to do their job.  Just as it is not good if someone has too much access, it is also not good if they do not have enough access. 

The first Written Assignment is regarding access controls to a paper records system. Although this class is titled Electronic Data Security, almost every organization still does have paper records of some type, and those records must be protected as well.  To show that you covered all aspects of the rubric, it is a good idea to have a heading over every area of the criteria of the assignment you are covering, telling which question you are addressing.

Assignment:

Making decisions regarding proper access controls does not always require a detailed understanding of information technology. As a matter of fact, some of the most important opportunities for improving access controls are non-technology-based systems such as paper medical records.

Requirements:

Consider a paper medical records system that might be in use by a small doctor's office. Access to these medical records must be protected just as access to electronic health information must be protected. Based on your understanding of access controls, do the following:

  • Describe in detail the nature of paper medical records so that it is clear what an access control policy would be protecting.

  • Choose and describe two physical access control rules which should be implemented for paper medical records.

  • Choose and describe two user access controls which could be implemented for paper medical records.  Note that in this context such access controls would likely be implemented in the form of an office policy.

  • Comment on two ways that user access controls for paper medical records are similar to user access controls for electronic health records.

Your paper should include the following criteria:

  • 2-3 pages in length, double-spaced.

  • Free of spelling, grammar, and punctuation errors.

Submit your completed assignment by following the directions linked below. Please check the Course Calendar for specific due dates.

Save your assignment as a Microsoft Word document.

Rubric:

Written Assignment:  Adding Access Controls to a Paper Records System

Criteria

Points

Described in detail the nature of such paper records so that it is clear what an access control policy would be protecting.

10

Chose and described two physical access control rules which should be implemented for such paper records.

10

Chose and described two user access controls which could be implemented for paper records.  

Comment on two ways that user access controls for paper medical records are similar to user access controls for electronic health records.

5

Free of spelling, grammar, and punctuation errors.

Total

35

Lesson Content:

Introduction to Access Controls

"Control" is the generic term used in the security business to label any process we put in place to limit access to a resource. The work of designing and configuring controls can be a laborious task, but many of the controls we put in place are the result of common sense.

Consider the ways in which controls are put in place within a doctor's office:

Secure the patient data on the computers that nurses use:

  • Use usernames and passwords for logging in

  • Configure the screensaver to lock when idle

  • Disable USB ports and CD drives

  • Use screen shields to conceal onscreen data

Secure the storage areas containing meds:

  • Keep each cabinet locked

  • Use an inventory sheet to track items being removed

  • Limit physical access to the area by using other hallways for patients walking to the exam rooms

  • Place a surveillance camera in the room to record after-hours intrusions

Secure the exam room:

  • Limit physical access by requiring a nurse or doctor to escort patients to the exam room

  • Track usage with charts on the exam room door

  • Use scheduling software to avoid conflicts for appointment times

  • Train staff regarding proper use of the exam room (equipment, supplies, patient behavior)

Summary of Controls:

The access controls used by any facility will include:

  • Appropriate electronic controls for computer equipment

  • Physical controls to prevent accidental or deliberate attempts to get into private areas

  • Simple ‘flow control’ of visitors to avoid nuisance behavior

  • Training staff to make controlling access part of day-to-day business

Many access controls may not seem like “locks,” but instead are more like record-keeping!

Each of these “controls” manages behavior a little differently, and some are more restrictive than others. The decisions made by the office managers are the result of years of experience with how people behave in this kind of environment, and each control is selected in order to balance the need to manage behavior, keep costs down, and take advantage of the ways that people can under some circumstances voluntarily help keep the office secure.

Access Controls in the Practice

Internet security depends on the IT staff making the same set of choices regarding what controls to implement. Not every environment requires the most expensive and most elaborate controls available in order to operate effectively, but smart choices about what to implement must still be made.

"Default deny" is a term commonly used among security professionals for the general practice of restricting access to resources, whether it is done on the network, when designing a server room, or when configuring an enterprise application. Every service we configure should assume that a new user to the system gets no access at all, and only through deliberate and authorized actions should access be granted, and even then only as much as is required. Two important places to put "default deny" into practice are physical access controls and user controls.

  • Physical access controls

One of the first smart choices that the IT staff must make regarding securing its resources is the way in which physical access to servers is limited. It is commonly accepted in the security world that once an intruder can place his or her hands on a server, the game is up and the machine is compromised. This is because physical access allows a knowledgeable person to use things such as bootable DVDs or USB keys to bypass the operating system in order to gain control. An even easier task would be to remove the hard drives from the server in order to access the data on them (including account information) by connecting the drives to another computer.

To control physical access the IT staff should place the server in an isolated, single-purpose facility where it can be clearly identified who has access. All access to the facility should be logged, preferably using some electronic method, in order to audit access for known users. In order to protect physical access to a server even further it should be configured to prevent booting to alternative media (including USB, DVD, or the network), and the server chassis should be locked to prevent direct access to the hard drives.


  • User access controls

Most people think of passwords as the first line of defense when it comes to access controls. In practice passwords are merely part of a larger picture of user account management. Two factors affect whether or not such user access controls will be effective: the specificity of the account and the granularity of the control practice.

The specificity of the account refers to how unique the account can be said to be. That is, if someone logs onto a system do we know for sure who it is at the keyboard? This requires use of account policies to ensure that users never share accounts, and that their usernames and passwords are unique enough to not be guessed. Long, complex passwords are important to preventing the account from being hacked, but it's irrelevant if more than one person knows that big password. Even among IT staff it is critical that no generic "administrator" or group accounts be used, and that separate accounts be created for administrative tasks and regular user tasks. The reason this is so important is that proper security requires that the system be able to audit account use so that actions taken within the system can be directly associated with an authorized user.

Just as important as good account management is the granularity of the control practice, which refers to the ways in which rights in a system are assigned to accounts. Generally speaking, users should only be granted access to those parts of a system that they need in order to do their jobs. This is known as discretionary access control (DAC), and it requires that someone (such as an administrator) be in charge of evaluating what access people need and assigning it very judiciously. Proper DAC practice includes careful documentation of who has been granted rights to what, and it also includes a clear policy on de-provisioning, or removing an account from access to a system.
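The sketch below is an added example, not part of the original course material. It puts the ideas above into a small access registry: default deny, one named account per person, documented grants, an audit trail tied to a user, and de-provisioning. The class, the account names and the list of generic names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENERIC_NAMES = {"administrator", "admin", "root", "frontdesk", "nurses"}  # assumed policy list

class PolicyError(Exception):
    """Raised when an account or grant would violate the account policy."""

@dataclass
class AccessRegistry:
    accounts: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)    # (user, resource, action) -> approver
    audit_log: list = field(default_factory=list)

    def add_account(self, user):
        # Specificity: one named person per account, no generic or group logins.
        if user.lower() in GENERIC_NAMES:
            raise PolicyError(f"generic account not allowed: {user}")
        self.accounts.add(user)

    def grant(self, approver, user, resource, action):
        # Granularity: each right is assigned deliberately and documented.
        if user not in self.accounts:
            raise PolicyError(f"unknown account: {user}")
        self.grants[(user, resource, action)] = approver
        self._record(approver, f"grant:{action}", f"{user}@{resource}", True)

    def deprovision(self, approver, user):
        # De-provisioning removes the account and every right it held.
        self.accounts.discard(user)
        for key in [k for k in self.grants if k[0] == user]:
            del self.grants[key]
        self._record(approver, "deprovision", user, True)

    def check(self, user, resource, action):
        # Default deny: allowed only if an explicit grant exists for a live account.
        allowed = user in self.accounts and (user, resource, action) in self.grants
        self._record(user, action, resource, allowed)
        return allowed

    def _record(self, who, action, target, allowed):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, who, action, target, allowed))

def demo():
    reg = AccessRegistry()
    for name in ("dr.lee", "nurse.kim", "clerk.ortiz"):   # constructed sample staff
        reg.add_account(name)
    reg.grant("dr.lee", "nurse.kim", "patient_charts", "read")
    results = [reg.check("nurse.kim", "patient_charts", "read"),
               reg.check("nurse.kim", "patient_charts", "write"),
               reg.check("clerk.ortiz", "patient_charts", "read")]
    reg.deprovision("dr.lee", "nurse.kim")
    results.append(reg.check("nurse.kim", "patient_charts", "read"))
    return results, reg.audit_log
```

Denied attempts are written to the audit log as well as allowed ones, so a reviewer can see who tried to reach a record they had no grant for.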




Authentication and Authorization

This Authentication and Authorization in EHRS Case Study will give you a better understanding of the importance of User Access Controls in the real world.

https://content.learntoday.info/Learn/HI400_Fall_13_Update/site/mod_05/lecture_mod05_accesscontrols/mod05_case_study.pdf