New Policy Statements for the
Heart-Healthy Information Security Policy
New User Policy Statement
The current New Users section of the policy states:
“New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access.”
There are procedures for creating new user account profiles. HIPAA requires that an Information Security Officer (ISO) be assigned to the network account profiles. This appointed person is usually the network or system security administrator of the ...
This process complies with the PCI-DSS standard.
Logon hours for a new user account should be restricted to the working hours of the individual who holds the account. This limits the time available to an attacker to compromise or infect the system or its resources if the account is hacked.
Documentation should be maintained showing the most recent activity on each new user account, that is, when the account was last accessed. User accounts that have been inactive for ninety days must be removed. This ensures that individuals who are no longer with the company cannot access any systems within the organization. This process is in compliance with PCI-DSS standards.
Lastly, the final component of new user account creation is the monitoring and logging of all activity associated with the user account. In the case of a security audit, the auditor can verify and examine the history of activity on the company's network. This component also ensures that the resulting records are stored in the areas of the company that need them. This process is in compliance with HIPAA and FISMA standards.
New Password Policy Statement
The current Password Requirements section of the policy states:
“Passwords must be at least eight characters long and contain a combination of upper- and lowercase letters. Shared passwords are not permitted on any system that contains patient information. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset.”
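As an added illustration, not part of the policy document itself, the following Python code enforces the quoted requirements exactly as stated: minimum length, mixed case, no reuse of the previous six passwords, and a 15-minute lockout after more than three failed attempts. The SHA-256 digest used for the history comparison is a simplification standing in for a proper salted, slow password hash, and the current time is passed in rather than read from the clock so the behaviour can be checked deterministically.

```python
import hashlib
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                    # "at least eight characters long"
HISTORY_DEPTH = 6                 # "previous six passwords"
MAX_FAILED = 3                    # "more than three times" -> lock on the 4th failure
LOCKOUT = timedelta(minutes=15)   # "at least 15 minutes"

RULES = [  # (predicate, message); a rule is violated when the predicate is falsy
    (lambda p: len(p) >= MIN_LENGTH, "shorter than 8 characters"),
    (lambda p: re.search(r"[A-Z]", p), "no uppercase letter"),
    (lambda p: re.search(r"[a-z]", p), "no lowercase letter"),
]

def _digest(password):  # SHA-256 stands in for a salted, slow password hash
    return hashlib.sha256(password.encode()).digest()

def check_complexity(password):
    return [msg for ok, msg in RULES if not ok(password)]

class Account:
    def __init__(self):
        self.history = []        # digests of past passwords, newest last
        self.failed = 0          # consecutive failed logins
        self.locked_until = None

    def set_password(self, new_password):
        # Complexity plus history check; returns (accepted, list_of_problems).
        problems = check_complexity(new_password)
        digest = _digest(new_password)
        if digest in self.history[-HISTORY_DEPTH:]:
            problems.append("reuses one of the previous six passwords")
        if problems:
            return False, problems
        self.history.append(digest)
        return True, []

    def attempt_login(self, password, now):
        # Returns 'ok', 'denied' or 'locked'; `now` is passed in for testability.
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failed = None, 0   # lockout window expired
        if self.history and _digest(password) == self.history[-1]:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed > MAX_FAILED:
            self.locked_until = now + LOCKOUT
            return "locked"
        return "denied"
```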
Additional procedures supplement the password requirements in this policy and comply with the PCI-DSS standards. The network security administrator will assign the initial password to every new account user. Passwords will not be shared with any other individual. The account user will create a new password at the initial login attempt. All passwords will require a minimum length of seven characters. The password will also require alpha and numeric...