
Writing Policy for Networked PCs that Control Public Metric Displays | Week 1

All right, all right, maybe the title is not that catchy, but this is something that has been a pain in my side for a while, so I figured it would be a great first post. In the health care organization I work for there is a demand to display team metrics on large wall-mounted TVs, so a given team can see how they are doing. Fair enough request, right? Well... not when said metrics live on an internal corporate server.

Here’s the issue, and let me know if I lose you behind the red tape. Health care organizations need to follow what are called HIPAA regulations. These regulations are imposed by the government to enforce the security of protected health information (PHI). To ensure compliance with HIPAA, many health organizations implement a security framework called HITRUST. HITRUST details what policies need to be implemented to comply with HIPAA. Think of it as an instruction manual for this specific government regulation. If I haven’t lost you yet, congratulations! And welcome to my life.

You will likely see references to HIPAA and HITRUST in many of my future blog posts, but for now let’s get back on track, shall we? Remember how I mentioned that the metrics to display publicly on wall-mounted TVs live on servers on a private corporate network? Well, that means that any computer hooked up to the TV needs access to said corporate network. Considering that the computer needs to be logged in 24/7 to display content, and no individual user owns said computer, HITRUST auditors have a field day with this security flaw.

How do we get around all these security concerns? We write policies! To start, these computers must be small form factor Windows PCs without any keyboard or mouse built in. The rationale is that we can easily mount the smaller computer to the wall, where it’s more difficult for anyone to walk off with it. The lack of a built-in keyboard and mouse means it’s more difficult to walk up to the computer and use it to gain access to our internal network. Using Windows as the OS lets us enable its built-in disk encryption, BitLocker, which secures the hard drive. We can also remotely audit all our PCs for logs and tracking through software that runs on Windows. As for the user access on the logged-in account, we are able to limit the websites it has access to through organizational units in Active Directory. Finally, we are still able to assign an individual as the owner of this display PC to adhere to HITRUST policy, while also distinguishing the use case for this PC in our asset tracking database.
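Policies like the ones above are only as good as the evidence that each display PC actually meets them, and auditors will ask for that evidence. The script below is an added example, not something from the original post or my organization, of how those controls could be verified on a given display PC from PowerShell: BitLocker fully on for the OS volume, the auto-logon (if any) tied to the designated display account with no plaintext password left in the registry, that account kept out of local Administrators, and the computer object sitting in the expected Active Directory OU so the restrictive policy applies. The account name `svc-display` and the OU path are hypothetical placeholders; the script assumes the BitLocker, LocalAccounts and ActiveDirectory modules are available and that it runs elevated on the display PC.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit one display PC against the controls described above.
function Test-DisplayPcCompliance {
    param(
        # Hypothetical names; replace with the account and OU used by your own policy.
        [string]$ExpectedKioskUser = 'svc-display',
        [string]$ExpectedOU = 'OU=Display PCs,OU=Workstations,DC=example,DC=org'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BitLocker must be fully on for the OS volume (protection enabled and encryption finished).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("BitLocker on $($os.MountPoint): ProtectionStatus=$($os.ProtectionStatus), VolumeStatus=$($os.VolumeStatus)")
    }

    # 2. A 24/7 logged-in display needs auto-logon; it must use the designated account and
    #    must not keep a plaintext DefaultPassword value under Winlogon.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        if ($winlogon.DefaultUserName -ne $ExpectedKioskUser) {
            $findings.Add("Auto-logon user is '$($winlogon.DefaultUserName)', expected '$ExpectedKioskUser'")
        }
        if ($null -ne $winlogon.PSObject.Properties['DefaultPassword']) {
            $findings.Add('Plaintext DefaultPassword value present under Winlogon')
        }
    }

    # 3. The display account must not be a local administrator.
    $adminNames = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $kioskIsAdmin = $adminNames | Where-Object { $_ -like "*\$ExpectedKioskUser" }
    if ($kioskIsAdmin) {
        $findings.Add("'$ExpectedKioskUser' is a member of the local Administrators group")
    }

    # 4. The computer object must live in the display-PC OU, where the website-restricting policy is linked.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $actualOU = ($computer.DistinguishedName -split ',', 2)[1]
    if ($actualOU -ne $ExpectedOU) {
        $findings.Add("Computer object is in '$actualOU', expected '$ExpectedOU'")
    }

    # 5. Record who is actually logged on, as evidence for the auditor.
    $loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LoggedOnUser = $loggedOn
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage on the display PC itself; pipe to Export-Csv to keep a dated record per audit run.
Test-DisplayPcCompliance
```

Running this from the remote-audit tooling on a schedule, rather than by hand, turns the written policy into something you can hand an auditor as a dated report per display PC.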

Seems crazy right? All these hoops to jump through just to show a pie chart on a TV screen. Our end users look at us like we are insane, and maybe they are right. Outside of an information security department this does all sound insane, but in this industry it’s simply routine.  
