Operational Policy

Introduction

Defining an information security program charter is vital to any growth organization wanting to protect itself from threats, reduce errors, improve efficiency and avoid a potential legal obstacle. For an organization to achieve its goals, business processes must be reliable, keep costs low, and obey the law. Information security controls and procedures use common approaches that simplify the build and reduce mistakes (Johnson, 2015). An information operational policy is a set of documents purposefully containing all rules and procedures for any entity interacting with an organizations assets and resources. The operational policy is vital to protect an organization from threats, reduce errors, improve efficiency and avoid a potential legal obstacle. The policy applies to all employees, contractors, vendors, and third-party agents accessing an organization’s assets and data.

Course Work

The course work for CSOL 540 is chartering an end-to-end operational security policy for a fictitious health provider organization called HIC, inc. HIC, inc. 's mission is to fully leverage modern-day technology to employ interconnected health care platforms allowing effortless and secured healthcare for humanity across the globe. No matter where one may need help, HIC, inc. 's is always one touch away. HIC, inc. will leverage risk management and employ the latest industry-standard to mitigate potential and unknown risks to protect assets, people, and procedures. The Information Security Program will reduce vulnerabilities by developing policies to assess, identify, prioritize, and manage exposures. The management activities will support organizational objectives for mitigating the vulnerabilities and developing and using metrics to gauge improvements in vulnerability mitigation (META Security Group, 2000). HIC, inc. Shall fully leverage data encryption technology to protect HIPPA data in transit and at rest. The employed data encryption technology is used to secure access to data and protect against unauthorized access to PHI (Protected Health Information) (Narendra Sahoo, 2021).

Anti-Malware Policy

Antivirus software is the most widely known product in malware protection products and the backbone of primary anti-malware defense (Fruhlinger, 2019). The anti-malware policy applies to all employees, contractors, vendors, third parties, and partners who conduct business activities with HIC, inc. All connected electronic devices leveraging HIC, inc. 's data and network infrastructure shall be provisioned with an updated anti-malware security control. No computer or any electronic devices shall connect to HIC, inc. 's network or house a HIC, inc. 's data without the latest anti-malware provision. All anti-malware provision is automatic upon access HIC, inc. 's networks. The following are HIC, inc. 's anti-malware provisioning activities and use policies (NIST, 2013):

· All media shall be scanned from outside of the organization for malware before they can be used

· email file attachments shall be scanned before they are opened

· Sending or receipt of certain types of files (e.g., .exe files) via email are prohibited

· Unlicensed and unauthorized software shall not be installed or used on HIC, inc. 's asset

· Use of personal removable media (e.g., flash drives) shall not be used. The company approved removable media are acceptable

· Personally-owned mobile devices are acceptable once provisioned with HIC. Inc's anti-malware policy

If an infection occurs on any of HIC, inc. 's assets, all users shall be aware of how malware enters and infects hosts, the risks that malware poses, and possible resolution (NIST, 2013).

Anti-Malware Prevention guidelines

Although a software defect could cause cyber-attacks, most are caused by human error. According to (Devon Milkovich, 2020), 95% of cybersecurity breaches are human error. Cyber-criminals and hackers will infiltrate your company through your weakest link, rarely in the IT department. One of the best defenses against malware attacks is education and awareness. Understanding is the best way to protect your business against some of the most common hacking methods (Devon Milkovich, 2020). The following are anti-malware guidelines (NIST, 2013):

· Not opening suspicious emails or email attachments, clicking on hyperlinks, etc. from unknown

· or known senders, or visiting websites that are likely to contain malicious content

· Not clicking on suspicious web browser popup windows

· Not opening files with file extensions that are likely to be associated with malware (e.g., .bat,

· .com, .exe, .pif, .vbs)

· Not disabling malware security control mechanisms (e.g., antivirus software, content filtering

· software, reputation software, personal firewall)

· Not using administrator-level accounts for regular host operation

· Not downloading or executing applications from untrusted sources.

Information Classification Scheme

Data Classification Model

HIC, inc. prides itself as the most technologically advanced healthcare provider in the world while, at the same time, ensuring access to authorized information is fluid and efficient. HIC, inc. seeks maximum data protection with unobstructed access. For these reasons, HIC, inc. chooses a combination of Role Base Access Control (RBAC) with Mandatory Access Control (MAC). RBAC allows HIC, inc. to manage access control at a group or role-based level. MAC allows HIC, inc. to manage highly classified information at the data level. Mandatory access control (MAC) is a model of access control where the operating system provides users with access based on data confidentiality and user clearance levels. In this model, access is granted on a need-to-know basis: users must prove a need for information before gaining access (Ekran, 2021).

Security Labels and Identification Levels

Mandatory Access Control (MAC)

We are leveraging the Mandatory Access Control (MAC) Model, HIC, inc. shall classify assets and data based on the four classification levels below.

· Top Secret

o Based on the Executive Order (EO 12356), the Top-Secret classification level "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security (fas.org, 2021).

· Secret

o The Secret classification level (EO 11652) "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security (fas.org, 2021).

· Confidential

o The Confidential classification level "shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security (fas.org, 2021)."

· Unclassified

o This data asset is not assigned to any categories and shall be free for all assets.

Role-Based Access Control (RBAC)

Leveraging the Role-Based Access Control (RBAC), HIC, inc. shall categories of roles with different levels of access based on MAC. Role-based access control (RBAC) restricts network access based on individual users' roles within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them (Rosencrance, 2018). RBAC helps HIC, inc. to streamline security maintenance by grouping individuals with similar rights together.

Reflection

In CSOL 540, we created operational policy charters incorporating many sub-policies including Security Policy Definition, Laws, Regulations and Standards, Implementation Challenges, Policy Creation, Data Classification and Security Policy Models, Privacy Policies, and Policy Implementation, Enforcement, and Compliance. Although all charter policies are equally important, I selected the Anti-Malware, Data Classification Model and Security Labels.

Anti-Malware

Malware is malicious software or hardware designed to disrupt and steal information without being detected. Software or firmware intended to perform an unauthorized process that will harm the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host, spyware, and some forms of adware are also examples of malicious codes (NIST, 2021).

Why do we need malware protection?

As a healthcare provider, HIC, inc. must comply with federal and state regulations to protect PHI (Protected Health Information) and other company-wide assets. Cybercriminals targeting large organizations to disrupt the operation and hold for ransom are on the rise. Cybersecurity issues are becoming a day-to-day struggle for businesses (Sobers, 2021). According to (Morgan, 2020), an attack on companies is predicted to be every 11 seconds by 2021, up from every 40 seconds in 2016, and will cost north of six trillion dollars. Most, if not all, attacks are preventable through knowledge, training, and policies.

Data Classification Model and Security Labels

The core of HIC, inc. 's data protection policy is protecting our customer and their PHI (Protected Health Information) as prescribed by HIPPA (Health Insurance Portability and Accountability Act). PHI is any personal health information that can potentially identify an individual that was created, used, or disclosed in providing healthcare services, whether it was a diagnosis or treatment (Accountable, 2021). Under HIPAA, PHI must be protected, including when used, maintained, stored, or transmitted. Access to PHI information is highly classified and access is only granted when required.

References

Devon Milkovich. (2020). 15 Alarming Cyber Security Facts and Stats. Retrieved from https://www.cybintsolutions.com: https://www.cybintsolutions.com/cyber-security-facts-stats/

Ekran. (2021). Mandatory Access Control vs Discretionary Access Control: Which to Choose? Retrieved from https://www.ekransystem.com: https://www.ekransystem.com/en/blog/mac-vs-dac

fas.org. (2021). CLASSIFICATION LEVELS. Retrieved from https://fas.org/: https://fas.org/sgp/library/quist2/chap_7.html

Fruhlinger, J. (2019). Malware explained: How to prevent, detect and recover from it. Retrieved from https://www.csoonline.com/: https://www.csoonline.com/article/3295877/what-is-malware-viruses-worms-trojans-and-beyond.html

Johnson, R. (2015). Security Policies and Implementation.

META Security Group. (2000). META Security Group Information Security Policy Framework . Retrieved from http://horseproject.wiki/: http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf

Narendra Sahoo. (2021). How Does Artificial Intelligence Help in Data Protection and HIPAA Compliance? Retrieved from https://www.cpomagazine.com/: https://www.cpomagazine.com/cyber-security/how-does-artificial-intelligence-help-in-data-protection-and-hipaa-compliance/#:~:text=Data%20encryption%20%E2%80%93%20HIPAA%20requires%20healthcare%20organizations%20to,to%20encrypt%20data%20and%20secure%20acces

NIST. (2013). Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Retrieved from https://nvlpubs.nist.gov: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf

Rosencrance, L. (2018). role-based access control (RBAC). Retrieved from https://searchsecurity.techtarget.com: https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC#:~:text=Role%2Dbased%20access%20control%20(RBAC)%20is%20a%20method%20of,doesn't%20pertain%20to%20them.