Department of Public Health O F S A N F R A N C I S C O

Transcription

1 PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: CISSPCISSP/C Distribution: DPH-wide Other: n/a phil.mcdown@sfdph.org 1. POLICY INTENT This document establishes the San Francisco Department of Public Health (SFDPH) policy for assigning unique identifiers to workforce members for the control of access to multi-user electronic data systems at the SFDPH. It intends to conform to recognized security best practices for protecting resources and data from security threats, improving incident response, and providing accountability for access to and use of information and systems. This document is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The sections that relate to Passwords are CFR (a)(4) & (5). Inclusion by Reference: This document is an annex to the SFDPH Access Control Policy. All of the principles, standards, guidelines and responsibilities described in the Access Control Policy are included in this document by reference. The purpose of this document is to further refine and define how Access Control is to be achieved in the specific case of Password, creation, use and regulation. POLICY SCOPE This policy applies to all computer and network systems owned and/or administered by SFDPH, including: All platforms (operating systems), All computer sizes (personal digital assistants through mainframes), and All application systems (whether developed in-house or purchased from third parties). All methods of access, including wired network, wireless and internet. The policy covers only information handled via computers and/or networks. Although this document includes mention of other manifestations of information such as voice and paper, it does not directly address the security of information in these forms. (For detailed information about the protection of information in paper form, see the Health Information Privacy Policy) 2. POLICY STATEMENTS

2 PAGE 2 of To implement the Need-To-Know principle (see Access Control Policy) SFDPH requires that: Each workforce member accessing multi-user information systems be assigned a unique user-id and a private password. These user-ids are to be used to restrict system privileges based on Need-to-know as defined by job duties, project responsibilities, and other required business activities. Each workforce member is personally responsible for the security and use of his or her user-id and password Anonymous User-IDs: Users are prohibited from logging into any SFDPH system or Data Network anonymously. The exception to this policy is electronic bulletin boards, Internet web sites, intranet web sites, and other systems where all regular users are intended to be anonymous Sharing Passwords: Passwords must not be shared or revealed to anyone other than the authorized user under any circumstances, unless Management has determined that critical SFDPH operations cannot be accomplished in any other way Multiple Sessions: Computer systems will not allow any user to conduct multiple simultaneous on-line sessions. Exceptions require specific case-by-case, permission been granted by the Security Officer, based on the appropriate managers written request explaining the unique job requirements that require this capability. NOTE this in no way limits multiple windows accessing different authorized applications from a single session. 2.2 To ensure that password systems do the job they were intended to do, SFDPH requires that: Users must choose passwords that are difficult-to-guess. 2.3 To ensure that a compromised password is not misused on a long-term basis, SFDPH requires that: Passwords must also be changed at regular and frequent intervals, never to exceed six months. Whenever a workforce member suspects that his/her password has become known to another person, that password must be changed immediately. 2.4 Password data must not be stored where unauthorized persons might discover and use them (e.g., in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, in computers without access control systems or in other forms or locations). Electronically recorded or stored passwords must be encrypted. 2.5 Passwords must not be written down in plain language or other easily decipherable form and left in a place where unauthorized persons might discover them. A Password must never be

3 PAGE 3 of 9 written down and stored near the device to which it provides access (for example Post-It Notes, phone books, calendars etc. on or near the device or its immediate work area). 2.6 All workforce members wishing to use SFDPH multi-user computer systems must sign a compliance statement prior to being issued a user-id [link to the statement itself]. A signature on this compliance statement indicates the user understands and agrees to abide by SFDPH policies and procedures related to computers and Data Networks (including the instructions contained in this policy) At the time that this policy was implemented, or in other situations where users already have been assigned their user-ids; their signatures must be obtained and the compliance forms put on file within 30 days of the policy-effective date A policy of periodic user-id renewal is in force, a user s ID will become void after the renewal date unless the user has signed a new compliance statement or their permission to continue to have access has been granted in accordance with SFDPH general practices. 3. STANDARDS and GUIDELINES 3.1. Applicability Exemption: In cases where the technology in use (e.g., a Third-Party application) does not allow for one or more of the requirements or guidelines of this policy to be implemented, the best approximation that the technology does allow is acceptable. In such cases all reasonable attempts to upgrade, modify or replace the technology to meet the policy criteria will be made Password Structure: Passwords must NOT be related to one's job or personal life. For example, a car license plate number, a spouse's name, or fragments of an address must not be used Passwords must not be actual words. A Password must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used Passwords must be at least eight (8) characters in length: The difficulty of guessing a string of characters is equal to the number of available characters raised to the power of

4 PAGE 4 of 9 the number of characters (i.e. one letter = 26, two letters = 26 2 or 696, three letters = 26 3 or 19,604) Passwords must combine three or more of: upper case (A,B,C Z), lower-case (a,b,c z), number (1,2,3 0) and symbol characters (~,!,@, # etc.) (Taking into account the limitations of the technology involved). This also increases the difficulty of guessing the password randomly by adding 66 characters to the mix and also makes it impossible for a dictionary-based search to find the word. For example 2bad_Wordz, hard2gue$$, &knotmyd0g etc. Refer to Appendix A for helpful ideas on how to structure a difficult to guess but easy to remember password Sharing Passwords: NEVER SHARE PASSWORDS! If workforce members need to share data, they should use shared network drives, electronic mail, groupware databases, public directories on local area network servers, manual floppy disk exchange, and other mechanisms. Although user-ids may be shared for electronic mail and other purposes, passwords must never be shared with or revealed to others Systems Administrators and other technical information systems staff have all the system privileges they need to do their work -- they will never need a workforce member to reveal their personal password. If you are asked for your password by anybody, you will be correct to refuse to give it The only time when a password should be known by another is when it is first issued; these temporary passwords must be changed the first time that the authorized user accesses the system 3.4. Second Passwords for Privileged Access: System Administrators and others with privileged access must have two separate user IDs One for the privileged access and activities and the other for normal day-to-day ordinary user activities, and each must have its own unique password Password Changes: Passwords will be changed periodically, and must be changed whenever there is a suspicion that they may have been compromised Maximum Age: In normal use, a password will expire when it is 6 months (180 days) old; however a password can be changed at any time that the user feels that it may have become compromised.

5 PAGE 5 of Minimum Age: In normal use a password may not be changed until it has been in use for at least 48 hours. If the user believes that a password has been compromised, it can be changed sooner by requesting the System Administrator to make the change (such a change will require a supervisor s permission) New Password Non-repetition and History Retention: A user s password will be prevented from being reused until three other different passwords have been used. Password history will be automatically retained to prevent reuse of the last three (3) passwords Repeated Password Patterns: Users must not construct passwords with a basic sequence of characters that is then partially changed based on numeric sequence, the date or some other predictable factor (e.g., $uzieq1, $uzieq2 etc.) Login failure: A user account that fails to successfully input the correct password five (5) times in succession will be locked out of the system for 30 minutes Enforcement: The complexity, length and age requirements will be automatically enforced by the system (i.e. a password that is not complex or long enough, duplicates a recent previous password, is expired or being changed too soon won t be allowed to be used). 4. RESPONSIBILITIES Passwords may be audited periodically for compliance by using automated password cracker software. All improper use of passwords will be recorded and are subject to review by management, audit and security staff. Please refer to the Sanctions and Discipline policy and to section 5 of this document for other consequences The SFDPH Chief Information Officer/Chief Information Security Officer (CIO/CISO) is responsible for ensuring the technical security of the SFDPH Data Network and is ultimately responsible for the safety and security of the SFDPH Data Network Advocating and supporting DPH-IT security needs, concerns and projects to Chief Officer and Division Director level Senior management.

6 PAGE 6 of Implementing this policy and providing the detailed monitoring, and enforcement tools and procedures The SFDPH CIO or designee must approve all exceptions to this policy The CIO and DPH-IT Staff (see 4.1) shall develop security, policies and procedures and implement password and other identification technologies for the SFDPH Data Network, data, information and systems Directing the development and promulgation of training and orientation materials to enable employee awareness of the security problems and issues involved in the use of passwords The CIO works with the Facility and Enterprise Data Governance Committees to develop policies and procedures and implement training and awareness programs for password use when dealing with PHI and other Restricted Data in the business and clinical environments DPH Information Technology (DPH-IT) will regularly scan the Password Activity and Exception logs and will coordinate with Local Management and the SFDPH Technical and/or Incident Response Teams in the event of a possible system compromise Local/Business-Unit Management is responsible for training their workforce in correct password structure and use and will arrange for their logon ID and password assignment as required in the Access Control policy. 5. PENALTIES FOR VIOLATIONS: 5.1. General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

7 PAGE 7 of Trusted Workforce member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations 5.4. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written contract and criminal penalties provided for in the applicable laws and regulations. 6. ATTACHMENTS 6.1. Advice on Designing A Difficult Password. Wh@ $ $0 hrd ^bout pa$$wurdz? (What s So hard About Passwords?) (Reprinted from DPH Front Line with the Author s permission) Ever since the SFDPH Information Security Password Policy was approved, there has been a fair amount of comment and concern about standards and requirements for passwords. Although Emergency Rooms and Surgical Suites are obviously not appropriate places to have to enter a long, difficult password in order to access needed medical information is, they are special situations (and creative solutions are being sought by the I.T. division for them). On the other hand, for everyday log-ins in the office or at your workstation, there is no easy substitute for a Strong password. Considering that a free-ware password-cracking program downloaded from the internet can guess any actual English word in less than ten (10) seconds, something better is needed! The SFDPH Strong Password Guidelines are as follows: Passwords must not be actual words. Passwords must NOT be related to one's job or personal life. Don t use your car license plate number, your birthday, or fragments of your address.

8 PAGE 8 of 9 Passwords must be at least eight characters in length: An eight-letter password needs roughly two hundred billion more guesses than for a seven-letter one. (If your system allows) Passwords must combine three or more of: upper case, lower-case, number and symbol characters. This also increases the difficulty of guessing the password randomly by providing (94) 8 possibilities, for a total of over six quadrillion, and also makes it impossible for a dictionary-based search to find the word. SO HOW DO I BUILD AN EASILY REMEMBERED PASSWORD? Most up-to-date systems are not limited to only eight characters, SO by far the easiest thing to do is create a pass-phrase. Simply put, a pass-phrase is a group of two or more words (that have meaning to you) which have been run together into one clump of characters (e.g., askaquickquestion ). Toss in a symbol and a random upper-case letter and you have ask?aquickquestion which fulfills the requirements. Use deliberate misspellings or substitute numbers and/or symbols for letters or letter combinations (e.g.,! for I or l, 2 for to(o), 4 for for at $ for s etc.) and you can come up with a difficult password that you won t have any trouble remembering. For example: bad2theb0ne! or hard2gue$$ or st8yournam3 or #1withAbull@, the possibilities are endless, but not all that difficult to remember. Thanks for $afe c0mputing! 6.2. Procedures to be Developed: Original Assignment of Login ID and Password, Documentation and Signing of Confidentiality Agreement Requesting Resetting or Reactivation of Passwords Deactivation of Password upon termination of Employment Password security breach follow-up procedure. (ND)

9 PAGE 9 of 9 ATTACHMENT: Sample Compliance Statement Agreement To Comply With Information Security Policies A signed paper copy of this form must be submitted with all requests for (1) authorization of a new user-id, (2) authorization of a change in privileges associated with an existing user-id, or (3) periodic reauthorization of an existing user-id. Any appended modifications to the terms and conditions of this agreement will not be accepted. User's Clearly Printed Name: User's Department: User's Telephone Number: User's Office Physical Address & Mail Stop: I, the user, agree to take all reasonable precautions to assure that SFDPH internal information, or information which has been entrusted to SFDPH by third parties (such as patients), will not be disclosed to unauthorized persons. At the end of my employment or contract with SFDPH, I agree to return to SFDPH all information to which I have had access as a result of my position with SFDPH. I understand that I am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal SFDPH manager who is the designated information owner. I have access to a copy of the SFDPH Information Security Policies, I have read and understand these materials, and I understand how they impact my job. As a condition of continued employment at SFDPH, I agree to abide by these information security policies. I understand that non-compliance will be cause for disciplinary action up to and including system privilege revocation, dismissal from SFDPH, and perhaps criminal and/or civil penalties. I agree to choose a difficult-to-guess password as described in the SFDPH Information Security Policies document, I agree not to share this password with any other person, and I agree not to write this password down unless it has been transformed in an unrecognizable way. I also agree to promptly report all violations or suspected violations of information security policies to the Director of the Information Security Department (at ###-###-####). User Signature & Date: