Educause Security Discussion mailing list archives

Re: Data integrity requirements for compliance


From: Martin Manjak <mm376 () ALBANY EDU>
Date: Tue, 20 Nov 2007 17:18:02 -0500

David,

I imagine that what you want to be able to demonstrate to an auditor is
that you have accountability, i.e., that you can identify who had
access or made changes to the systems. I'm assuming that these are
records that are reviewed and updated fairly frequently, so you're not
trying to prevent alteration. (Hence, file integrity tools would be of
little value.)

So you would look to implement a variety of administrative, technical,
and physical controls to assure that only authorized individuals have
the appropriate level of access, and you can track that access and
activity through logging. And that connects your question with the
discussion regarding passwords, because even with strong password or
passphrase policies, you need accountability.

I wouldn't overlook the importance and usefulness of administrative
controls such as job descriptions, performance reviews, non-disclosure
agreements, and stringent hiring practices. Also, internal controls such
as separation and rotation of duties. Again, referring back to the
password discussions, internal attacks are a significant threat. If you
have a reliable, well-trained and motivated work force, you've done a
lot to protect the integrity of your data.

David Grisham wrote:
I would like to step away from the interesting password discussion for
a minute & ask how those of you who are required to show data
integrity to regulatory bodies are doing so. Especially protection
from unauthorized alterations or destruction.
I am trying to write a procedure that all of our ePHI data
stewards/owners can understand, achieve and I can enforce.  Checksums,
hash values, etc.  do not seem to be an option.  Has anybody else
tackled this issue in an enterprise that must keep the databases
running to provide patient care?



Cheers--grish
David D. Grisham, Ph.D.,  CISM, CHS, CHSP
Manager, IT Security,
UNM Hospitals, Information Technology
1650 University Blvd,  S.500, Albuquerque, NM 87102

--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN