A security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements:
+All access must be correlated to a user account.
+All user accounts must be assigned to a single individual.
+User access to the PHI data must be recorded.
+Anomalies in PHI data access must be reported.
+Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Select three.)
A.
Eliminate shared accounts.
B.
Create a standard naming convention for accounts.
C.
Implement usage auditing and review.
D.
Enable account lockout thresholds.
E.
Copy logs in real time to a secured WORM drive.
F.
Implement time-of-day restrictions.
G.
Perform regular permission audits and reviews.
A, B, and E
B is needed to be sure that each account is for one and only one individual.
C is not needed to meet the requirements.
E is needed because of the requirements that logs not be modified or deleted
G is not needed to meet the requirements.
2
16
A, C and E
22
0
The answer is A, C and E.
First set of requirements:
* All access must be correlated to a user account.
* All user accounts must be assigned to a single individual.
This means that we must use individual accounts linked to a person, and that we cannot use generic or shared accounts.
Second set of requirements:
* User access to the PHI data must be recorded.
* Anomalies in PHI data access must be reported.
* Logs and records cannot be deleted or modified.
For the above to take place
** Auditing of data needs to be logged (success and failures)
** The logs cannot be modified.
WRONG ANSWERS:
B.Create a standard naming convention for accounts. This is not a requirement. It does not matter if the account is called “JBLOGS” or “Joe.BLOGS” as long as the account is assigned to a single individual.
D.Enable account lockout thresholds. This is not a requirement. We are talking about creating audit trails and tracking of data in case of a breach.
F.Implement time-of-day restrictions. This is not a requirement. After all, we are talking about PHI in here (Personal Health Information). People do not get sick only during working hours, and there is therefore the need to access medical records for a person 24/7. One cannot afford in a time of crisis to have to wait some 7 or more hours just to have access to critical medical records which may save a person’s life.
G.Perform regular permission audits and reviews. That is all good for account access but it does not meet the requirements. It will not show whether a breach (unauthorized access to data) occurred of not, as this is an audit on account’s permissions and not on data access.
CORRECT ANSWERS:
A.Eliminate shared accounts. All accounts must (a) be correlated to a user account and (b) assigned to a single individual. Shared accounts do not meet the criteria hence they must be removed.
C.Implement usage auditing and review. This is correct. Data usage (access) must be audited and reviewed in order to check for “anomalities” (high levels of failed attempts to access data)
E.Copy logs in real time to a secured WORM drive.
Write once read many (WORM) describes a data storage device in which information, once written, cannot be modified. This write protection affords the assurance that the data cannot be tampered with once it is written to the device. This means that logs once written into a WORM drive cannot be modified
16
0