Educause Security Discussion mailing list archives
Re: Data integrity requirements for compliance
From: Martin Manjak <mm376 () ALBANY EDU>
Date: Tue, 20 Nov 2007 17:18:02 -0500
David,

I imagine that what you want to be able to demonstrate to an auditor is that you have accountability, i.e., that you can identify who had access or made changes to the systems. I'm assuming that these are records that are reviewed and updated fairly frequently, so you're not trying to prevent alteration. (Hence, file integrity tools would be of little value.)

So you would look to implement a variety of administrative, technical, and physical controls to assure that only authorized individuals have the appropriate level of access, and you can track that access and activity through logging. And that connects your question with the discussion regarding passwords, because even with strong password or passphrase policies, you need accountability.

I wouldn't overlook the importance and usefulness of administrative controls such as job descriptions, performance reviews, non-disclosure agreements, and stringent hiring practices. Also, internal controls such as separation and rotation of duties. Again, referring back to the password discussions, internal attacks are a significant threat. If you have a reliable, well-trained and motivated work force, you've done a lot to protect the integrity of your data.

David Grisham wrote:

> I would like to step away from the interesting password discussion for a minute & ask how those of you who are required to show data integrity to regulatory bodies are doing so. Especially protection from unauthorized alterations or destruction. I am trying to write a procedure that all of our ePHI data stewards/owners can understand, achieve and I can enforce. Checksums, hash values, etc. do not seem to be an option. Has anybody else tackled this issue in an enterprise that must keep the databases running to provide patient care?
>
> Cheers--grish
>
> David D. Grisham, Ph.D., CISM, CHS, CHSP
> Manager, IT Security, UNM Hospitals, Information Technology
> 1650 University Blvd, S.500, Albuquerque, NM 87102

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
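The reply above makes the point that for records which are updated constantly, the demonstrable control is accountability (who changed what, when) rather than immutability of the data. The following is an added example, not code from either poster or from any system at the institutions named: a small sqlite3 schema in which every insert, update and delete on a records table is stamped by a database trigger with the acting user, and the audit trail itself is made append-only by further triggers. The table and column names, the `session` table used to carry the authenticated identity, and the users alice, bob and carol are all constructed for this illustration.

```python
"""Accountability audit trail for frequently edited records (added example).

Constructed for illustration: table names, the single-row `session` table that
carries the authenticated identity, and the sample users are not from the thread.
Requires only the Python standard library.
"""
import sqlite3

SCHEMA = """
CREATE TABLE records (
    id          INTEGER PRIMARY KEY,
    patient_ref TEXT NOT NULL,
    note        TEXT NOT NULL
);
-- The identity the application is currently acting as. Triggers read it, so
-- the database, not the caller, stamps the actor on every audit entry.
CREATE TABLE session (actor TEXT NOT NULL);
INSERT INTO session VALUES ('unset');

CREATE TABLE audit_log (
    seq       INTEGER PRIMARY KEY AUTOINCREMENT,
    ts        TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor     TEXT    NOT NULL,
    action    TEXT    NOT NULL,
    record_id INTEGER NOT NULL,
    old_note  TEXT,
    new_note  TEXT
);
CREATE TRIGGER rec_ins AFTER INSERT ON records BEGIN
    INSERT INTO audit_log (actor, action, record_id, old_note, new_note)
    VALUES ((SELECT actor FROM session), 'INSERT', NEW.id, NULL, NEW.note);
END;
CREATE TRIGGER rec_upd AFTER UPDATE ON records BEGIN
    INSERT INTO audit_log (actor, action, record_id, old_note, new_note)
    VALUES ((SELECT actor FROM session), 'UPDATE', NEW.id, OLD.note, NEW.note);
END;
CREATE TRIGGER rec_del AFTER DELETE ON records BEGIN
    INSERT INTO audit_log (actor, action, record_id, old_note, new_note)
    VALUES ((SELECT actor FROM session), 'DELETE', OLD.id, OLD.note, NULL);
END;
-- The trail is append-only: rewriting or erasing entries is refused.
CREATE TRIGGER log_no_upd BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER log_no_del BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and triggers above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def act_as(conn: sqlite3.Connection, actor: str) -> None:
    """Bind all following changes to a named (assumed already authenticated) user."""
    conn.execute("UPDATE session SET actor = ?", (actor,))


def history(conn: sqlite3.Connection, record_id: int) -> list[tuple[str, str]]:
    """Who did what to one record, in order: the question an auditor asks."""
    rows = conn.execute(
        "SELECT actor, action FROM audit_log WHERE record_id = ? ORDER BY seq",
        (record_id,),
    ).fetchall()
    return [(actor, action) for actor, action in rows]


def activity_by_actor(conn: sqlite3.Connection) -> dict[str, int]:
    """Count of logged changes per user, e.g. for a periodic access review."""
    rows = conn.execute(
        "SELECT actor, COUNT(*) FROM audit_log GROUP BY actor"
    ).fetchall()
    return dict(rows)


def trail_is_tamper_resistant(conn: sqlite3.Connection) -> bool:
    """True if the database refuses an attempt to erase the audit trail."""
    try:
        conn.execute("DELETE FROM audit_log")
        return False
    except sqlite3.DatabaseError:
        return True


def demo() -> sqlite3.Connection:
    """Three users touch the same record; each action lands in the trail."""
    conn = open_db()
    act_as(conn, "alice")
    conn.execute(
        "INSERT INTO records (id, patient_ref, note) VALUES (1, 'P-001', 'initial')"
    )
    act_as(conn, "bob")
    conn.execute("UPDATE records SET note = 'revised' WHERE id = 1")
    act_as(conn, "carol")
    conn.execute("DELETE FROM records WHERE id = 1")
    return conn


if __name__ == "__main__":
    c = demo()
    print(history(c, 1))
    print(activity_by_actor(c))
    print("append-only enforced:", trail_is_tamper_resistant(c))
```

The design point is that the actor is recorded by the database from a value the application sets once per authenticated session, so the trail does not depend on every code path remembering to log. In a production system the `session` value would come from the application's authenticated user and the audit table would additionally be shipped off-host, since a database administrator can still drop triggers; the append-only triggers here only stop the ordinary application role from altering the record of its own activity.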