System Owner - PowerPoint PPT Presentation

Slides: 36
Provided by: bpe1

1
System Owner
System Operator Training
2
Why are you here?
  • You are a System Owner or Operator
  • Per UW Medicine Security policy, all SOSOs (System
    Owners and System Operators) must take this course
  • You have questions about the UW Medicine security
    policies
  • You have general information security questions

3
What we will go over
  • After you have finished this course, you should
    know:
  • What the UW Medicine Security Program is
  • System Owner and Operator Responsibilities
  • Other security concepts identified in the UW
    Medicine Security Policies, Standards, and
    Guidelines

4
First What is the Program?
  • The Security Program is a complete initiative
    designed to ensure the confidentiality of all
    information on UW Medicine systems.
  • It consists of a set of policies, security
    procedures, and guidelines.
  • The concepts are the same ones used since 1989:
    keep your system up to date.

5
Guiding Principles of the Security Program
  • Security is everyone's responsibility, not
    something to delegate to a security team.
  • We need to build a culture of commitment to
    security.
  • We need to design a great system, not do a
    patchwork job in response to "issues" or
    consultant reports.

6
A System - Defined
  • First, what is a System?
  • As previously defined in UW Medicine policy, a
    Server System is a type of Networked System that
    serves data or other resources to users or other
    systems across a network. Examples include file
    servers, web servers, and database servers.

7
A System Defined cont.
  • The Guide
  • System Definition: a very complex idea when
    instituted across multiple entities in an
    environment like UW Medicine.
  • Examples: you need to read through the guide
    before looking at Fig. 1 or Table 1.

8
Roles and Responsibilities
  • Executive Management
  • Provide adequate funding for IT support at all
    levels
  • Mandate a process to ensure security planning
  • System Owner and System Operator
  • Planning and acquisition: ensure compliance with
    policies
  • Responsible for implementation, maintenance and
    monitoring
  • IT Services Security Team
  • Consultation, Troubleshooting and Education

9
What is a System Owner
  • The System Owner is the one person who takes full
    responsibility for a particular system or systems
  • Look at the responsibilities list
  • A System Owner is basically a manager, ensuring:
  • Proper documentation
  • Security Certification
  • Proper maintenance
  • And Operator knowledge
  • A System Owner does not need to be technically
    savvy or knowledgeable, but it helps.

10
What is proper documentation
  • Documents needed for all systems
  • System Purpose
  • System Owner and Operator training requirements
  • Component System Inventory
  • Application Inventory
  • How it meets compliance with UW Medicine Security
    Policies
  • System Diagram
  • Description of Firewall rules
  • Business continuity and Disaster Recovery Plan
  • All processes used to maintain the system
  • System level risk assessment

11
What is a System Operator
  • A person designated by the System Owner who takes
    responsibility for being the technical go-to
    person for a system.
  • This does not mean that there cannot be more than
    one person who works on or administers a system.
  • You are ultimately going to be held responsible
    for the technical aspects of your system and that
    it meets the minimum security requirements.

12
System Operator cont.
  • Minimum Security Requirements
  • Use only operating system versions that have
    current security update support. Consult with
    your operating system vendor to determine product
    lifecycle and security support policies.
  • Do not connect any system directly to the
    University of Washington network or a networked
    device until the system has been properly
    configured and secured. Build computer systems
    off the network or while behind other
    network-based firewall protection.
  • Follow appropriate operating system hardening
    guidelines:
    http://security.uwmedicine.org/resources/default.asp
  • Use strong passwords for all accounts. (See
    Information Security Policy SEC-06 Identity
    and Access Management Policy)
  • Ensure that no built-in accounts have blank,
    weak, or well-known passwords.
  • Ensure that all passwords provided with vendor
    products are changed from their defaults.
  • Protect administrative accounts with stronger
    passwords and/or more frequent rotation.

13
System Operator cont.
  • Minimum Security Requirements cont.
  • Apply all major operating system and application
    service packs or updates in a timely manner.
    Ensure security patches are installed in a timely
    manner between major service packs and updates.
  • Block unnecessary or potentially malicious
    network traffic through use of a firewall or
    other forms of network traffic filtering.
  • Reduce the risk of infection and spread of
    malicious software through use of anti-virus,
    anti-spyware, and system integrity enforcement
    software as appropriate to your operating system.
    Ensure updates are installed in a timely manner.
  • Enable the logging of important security related
    events.
  • Acquire an appropriate IP address.
  • Obtain a dynamic or static IP address through an
    IT Services Help Desk or UW Technology or other
    UW Medicine approved DHCP server, or
  • Use a private IP address that is logically
    separated from the University of Washington IP
    network.
  • Ensure that appropriate data classification has
    been documented
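An added example, not part of the training deck, that turns two of the minimum requirements above (no built-in account with a blank password; vendor default passwords changed) into an automated check. It reads constructed /etc/shadow-style entries; the built-in account list and the "known vendor default hash" list are assumptions for the demo.

```python
# Added example (not from the deck): audit shadow-style entries against the
# password requirements. All sample data below is constructed for the demo.

# Constructed sample: user:password_field:lastchanged:min:max:warn:::
SAMPLE_SHADOW = """\
root:$6$abc$DEADBEEF:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
appadmin:$6$vendor$CAFEBABE:19000:0:99999:7:::
backup:$1$old$FEEDFACE:19000:0:99999:7:::
alice:$6$xyz$01234567:19000:0:99999:7:::
"""

# Constructed: accounts the OS or a vendor product ships with.
BUILTIN_ACCOUNTS = {"root", "daemon", "guest", "appadmin", "backup"}
# Constructed: password hashes a vendor ships in its images; any exact match
# means the default was never changed.
VENDOR_DEFAULT_HASHES = {"$6$vendor$CAFEBABE"}


def parse_shadow(text):
    """Yield (user, password_field) for each non-empty shadow-style line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        yield fields[0], fields[1]


def audit_accounts(text, builtin=BUILTIN_ACCOUNTS, defaults=VENDOR_DEFAULT_HASHES):
    """Return (user, finding) pairs for entries that violate the requirements."""
    findings = []
    for user, pw in parse_shadow(text):
        if pw == "":
            # Blank password: the account can be used without authenticating.
            findings.append((user, "blank password"))
        elif pw in defaults:
            findings.append((user, "vendor default password unchanged"))
        elif pw.startswith(("!", "*")):
            # Locked or disabled account: acceptable for a built-in service account.
            continue
        elif user in builtin and not pw.startswith("$6$"):
            # Built-in account still on a legacy hash scheme (e.g. $1$ MD5-crypt)
            # rather than the SHA-512-crypt scheme current systems support.
            findings.append((user, "weak password hash scheme"))
    return findings
```

Run `audit_accounts(open("/etc/shadow").read())` as root to apply the same check to a real host; the built-in account and default hash lists must come from your own inventory.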

14
System Operator cont.
  • Minimum Security Requirements cont.
  • Additionally, System Owners of UW Medicine
    Servers must meet the following requirements
  • Review system and security logs regularly.
    Investigate, report, and correct irregularities
    as appropriate.
  • Create and maintain a server backup and
    restoration plan. (See Information Security
    Policy SEC-05 Communications and Operations
    Management Policy)
  • Implement appropriate environmental and physical
    security controls. (See Information Security
    Policy SEC-04 Physical and Environmental
    Information Security Policy)
  • System Owners must certify that servers are in
    compliance with all UW Medicine Information
    Security Policies.

15
The System Owner and Operator Dependencies
  • Communication is key to the security of a system.
  • Work together and know each other's workload.
  • Share knowledge of the system both technical and
    non-technical.

16
System and Data Security
  • Think Security from the beginning
  • Part of the purchasing process should include
    security.
  • Talk with vendors about how to keep their system
    secure on our networks.
  • How to implement the system securely: you CANNOT
    connect a system to the network in order to
    configure it. This must be done off the network.

17
System and Data Security
  • Supplemental Protection
  • At device connection
  • At subnet level
  • At wider layers (IPS and other broader controls)
  • Important to note that all security controls need
    to be based on risk.

18
System and Data Security
  • System Maintenance: all systems should be
    maintained on a regular basis.
  • "Regular basis" is defined by the System Owner.
  • Systems logs checked.
  • Anti-virus updates checked.
  • General System Health checked.
  • Maintenance logs must be retained for 6 years.
  • Review logs to ensure all issues have been
    resolved

19
Vendor Contract Addendum
  • Includes requirements set forth if a vendor
    intends to connect their equipment to a UW
    Medicine network.
  • All system owners should review this with the
    vendor prior to purchasing to ensure both parties
    are on the same page.

20
System and Data Classification
  • System Owners must classify data
  • Data classification is used to implement security
    controls
  • Classification should be risk based

21
Workforce Security
  • Background Checks
  • Security Training
  • Request user accounts and privileges
  • Protect Accounts and Passwords
  • Protect Data
  • No misuse of state resources
  • Termination and Separation
  • http://security.uwmedicine.org/AccountsAndPasswords/

22
Risk Management
  • Enterprise wide risk assessment conducted
    annually
  • System owners must perform risk assessment on
    their systems as needed
  • Risk assessments are required before:
  • Completing purchase agreements
  • Initial production release
  • Major upgrades
  • Prior to integration with other production
    systems
  • When high risk factors are found, steps must be
    taken to reduce that risk

23
Risk Assessment Musts
  • System Owners must evaluate and document sources
    of danger that could significantly impact system
    or data confidentiality, integrity, and/or
    availability.
  • System Owners must have a process in place to
    assess known and relevant vulnerabilities to
    their Information System(s).
  • System Owners must document known information on
    patches, updates, reconfiguration, and/or general
    process improvements.
  • The System Owner must take steps to reduce the risk.
  • The System Owner must maintain a report
    describing the outcome of the Risk Assessment
    Process.
  • The System Owner must document the remediation
    plan in the Remediation column for each threat
    that has a Moderate (M) or High (H) Risk level.

24
Physical Security
  • Physical security controls must provide adequate
    security based on system and/or data
    classification and risk assessment.
  • Environmental controls, such as cooling, fire
    detection and prevention, temperature monitoring,
    and power systems, must be employed where needed
    to ensure a safe and stable operating environment.

25
Application Security
  • Applications have the most direct control over
    access to data
  • Special attention should be paid to
    authentication, authorization, and audit controls
    provided at the application level
  • System owners of applications usually don't have
    control of the security measures in place on the
    system an application resides on. Communicate
    your security needs to the other system owners.

26
Data Security
  • All data entered into UW Medicine systems is UW
    Medicine property
  • System owners should provide rules of behavior
    to their users that describe acceptable uses of
    data stored in their systems
  • Data copied out of a system becomes the
    responsibility of the individual that copied it
  • Encryption should be considered for all
    Restricted and Confidential information

27
Network Security
  • Where necessary or appropriate, extra security
    controls can be utilized beyond host-level
    security
  • These could include:
  • Firewalls
  • Proxy Servers
  • Intrusion Prevention/Detection Systems
  • Encryption
  • and many more.

28
Access Controls
  • All access to a system that contains ePHI must be
    logged for each user.
  • All systems and applications must use encrypted
    authentication mechanisms.
  • All system owners must provide rules for
    role-based access on their system.
  • For termination with cause, account deactivation
    must occur immediately.
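An added example, not part of the training deck, that applies the log-review duty from slide 14 to two rules on this slide: every access to an ePHI system must be attributed to a user, and a terminated member's account must be deactivated immediately. The access-log format and the termination list are constructed for the demo, not a UW Medicine format.

```python
# Added example (not from the deck): review constructed ePHI access-log lines
# for unattributed access and for accounts still active after termination.
from datetime import datetime

# Constructed access log: ISO timestamp, user ("-" = not recorded), action, record.
SAMPLE_ACCESS_LOG = """\
2009-03-02T08:15:00 jdoe VIEW patient/1001
2009-03-02T09:40:00 - VIEW patient/1002
2009-03-03T14:05:00 rroe EXPORT patient/1003
2009-03-04T10:00:00 jdoe VIEW patient/1004
"""

# Constructed: user -> date/time the workforce member was separated.
TERMINATIONS = {"rroe": datetime(2009, 3, 3, 9, 0)}


def parse_access_log(text):
    """Yield (timestamp, user, action, record) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        yield datetime.fromisoformat(ts), user, action, record


def review_access_log(text, terminations=TERMINATIONS):
    """Return (line_no, reason) for each irregularity a reviewer should investigate."""
    issues = []
    for n, (ts, user, action, record) in enumerate(parse_access_log(text), start=1):
        if user == "-":
            # ePHI access must be logged per user; an unattributed entry is a gap
            # in the audit trail, not just a formatting problem.
            issues.append((n, f"unattributed {action} of {record}"))
        elif user in terminations and ts >= terminations[user]:
            # The account was used after separation, so deactivation did not
            # happen immediately as the policy requires.
            issues.append((n, f"{user} accessed {record} after termination"))
    return issues
```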

29
Contingency Planning
  • System owners must take proactive measures to
    ensure system viability during system outages.
    System dependencies must be taken into account
    for all critical systems.
  • System owners of non-critical systems must know
    their systems' dependencies on other systems and
    develop contingency plans.
  • System owners must complete a Business Impact
    Analysis (BIA) to show the above requirements.

30
Audits
  • UW Medicine cooperates with all external audit
    requests
  • UW Internal Audit conducts random security audits
    at UW Medicine
  • An annual Enterprise Audit is conducted by UW
    Internal Audit and/or the UW Medicine Compliance
    department
  • All audit questions should be directed to the UW
    Medicine Compliance department

31
Incident Response
  • All UW Medicine workforce members must report
    security incidents
  • All incidents will be investigated
  • Sanctions will be applied when workforce members
    are involved
  • UW Medicine leadership will be involved if there
    is potential for a significant impact to UW
    Medicine

32
Policy Exemptions
  • If it is not feasible or cost-effective to comply
    with a security policy or standard, an exemption
    may be granted
  • The UW Medicine CIO must approve the exemption request
  • Approval process:
  • Security Policy and Compliance Specialist
  • UW Medicine Director, Network Security
  • Confidentiality and Access Steering Committee
  • UW Medicine Chief Information Security Officer

33
Threats to Systems and Data
  • Authorized but untrustworthy people (The threat
    from within)
  • People acting in an insecure way (sharing IDs and
    passwords, leaving screens open, etc.)
  • Use of weak or published passwords
  • Open Windows file shares
  • Theft of laptops or media
  • Opening malicious email attachments (more
    generally, viruses in email)
  • Browsing malicious web sites
  • Downloading or otherwise installing infected
    programs
  • Network vulnerabilities (buffer overflows, denial
    of service attacks, X keystroke logging, DNS, ...)

34
Final Responsibility
  • Read the UW Medicine Information Security
    Policies
  • You can find them at:
  • http://security.uwmedicine.org/policies/sec_policies.asp
  • It will only take an hour
  • It should answer any questions you have

35
Conclusion
  • Brad Peda
  • bpeda_at_u.washington.edu
  • 206-616-5829
  • Security Program Website
  • http://security.uwmedicine.org