Educause Security Discussion mailing list archives

Re: Data integrity requirements for compliance


From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Tue, 20 Nov 2007 14:07:35 -0500

David Grisham wrote:
I would like to step away from the interesting password discussion for a
minute & ask how those of you who are required to show data integrity to
regulatory bodies are doing so. Especially protection from unauthorized
alterations or destruction.
I am trying to write a procedure that all of our ePHI data
stewards/owners can understand and achieve, and that I can enforce.  Checksums,
hash values, etc.  do not seem to be an option.  Has anybody else
tackled this issue in an enterprise that must keep the databases running
to provide patient care?

Obviously, methods will differ depending on what exactly you're signing,
but would a decentralized PKI system work for you? Something like GnuPG
could be used to generate keypairs, and the tools from gpg4win.org allow
users to right click and sign arbitrary files.

The GnuPG system is cross-platform, as well, for the Mac and *nix users
among us.

--Matt

--
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
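The GnuPG file-signing workflow Matt describes, as an added example that is not part of the original thread: it generates a throwaway key pair, signs a constructed sample export with a detached signature, and shows that verification fails once the file is altered. The steward address, the sample records and the temporary GNUPGHOME are assumptions; the commands need GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the original thread): detached GnuPG signatures
# as an integrity control for a data file. Runs in a throwaway GNUPGHOME.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Unattended key pair for a hypothetical data steward (assumed identity).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "steward@example.invalid" default default never 2>/dev/null

# Constructed sample records standing in for an ePHI export.
printf 'patient_id,lab_value\n1001,4.2\n' > "$WORK/export.csv"

# sign_file FILE: write a detached, ASCII-armoured signature to FILE.asc.
sign_file() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1" 2>/dev/null
}

# verify_file FILE: exit 0 only if FILE still matches the signature in FILE.asc.
verify_file() {
    gpg --batch --quiet --verify "$1.asc" "$1" >/dev/null 2>&1
}

sign_file "$WORK/export.csv"
verify_file "$WORK/export.csv" && echo "original: signature OK"

# Simulate an unauthorized alteration of one value while keeping the old
# signature alongside it; verification must now fail.
cp "$WORK/export.csv.asc" "$WORK/altered.csv.asc"
printf 'patient_id,lab_value\n1001,9.9\n' > "$WORK/altered.csv"
if verify_file "$WORK/altered.csv"; then
    echo "altered: signature OK (unexpected)"
else
    echo "altered: signature BAD, alteration detected"
fi
```

The steward's public key is what the verifier needs; a reviewer who does not hold it cannot be fooled by a re-signed file unless the signer's private key was also compromised.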
