444 A Practical Guide to Security Assessments
6. When users require password resets, is this done in a secure manner?
Guidance: In an attack scenario, password resets are one of the social engineering tools often used to gain unauthorized access to critical systems and data. Support desks, or whoever handles the support function, should properly authenticate people asking for password resets. In a small environment, most people know each other, and that personal familiarity is used to authenticate a person. Although this might be a valid method, it can be a problem in environments where there is significant turnover. It is best to have a secure method for doing password resets regardless of the size of the environment.
Client Response:
ii. Workforce Clearance Procedures
“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”⁹
This specification is relevant once it is determined that someone needs access to
electronic protected health information. It requires that access to electronic protected
health information be given on a “need to have” basis. Below are some questions
to help determine compliance with this requirement.
1. Are roles and responsibilities and job descriptions clearly defined so that
access can be provided to personnel on a “need to have” basis?
Guidance: Assigning access depends on knowing what a person does in the company and what that person will need to access to do his or her job. Roles and responsibilities are not always clearly defined, and this may cause problems when providing access. When performing a security assessment, a lack of clear roles and responsibilities should be flagged as a weakness, as it has a ripple effect on many other security processes such as user ID administration, incident management, and terminations.
Client Response:
2. How granular is the access control to electronic protected health information? Is this functionality used in providing personnel access to only what is required?
AU1706_book.fm Page 444 Tuesday, August 17, 2004 11:02 AM