Archive

Archive for the ‘Policy & Procedures’ Category

Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and DropBox. In some of these cases they are storing passwords unencrypted, so that once someone captures the data, they know you actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook) it opens your account to be compromised on multiple systems. This is made worse when more sensitive logins, for back accounts or your work e-mail is the same password you used on Facebook.

One common technology used by web developers and programmers in general is to NOT store your actual password but rather to use a hashed version of your password. Hashing is a form of one-way encryption where once has been hashed it cannot be reversed out (hence the one way part). It also is specifically designed so that there is no two inputs which can create the same output. In fact, even a single character difference usually results in radically different outputs. So this often used so that nobody, not even the database needs to know your real password. All that they do is when you enter your password at login, it will run the password through the same hashing algorithm and then make sure the output matches what is stored in the database for your password.

To make this more secure, many web developers will also add “salt” to the hashing process. That is, they add some extra information to your input before it is hashed. Then benefit of this is that as long as the salt is kept secret, it makes it significantly more difficult for your actual password to be discovered.

What brings this to mind was something I recently encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click “forgot password” they will e-mail you a new password or a link to create a new password. However in this case, they e-mailed me my password. What this illustrates to me is that they don’t actually hash their passwords, and don’t likely encrypt them either. With this, I can know, for certain, that it is possible for someone at that company (or someone with malicious intent) can access my passwords. This is very concerning.

In the day that we live in, it is very important that we ask our vendors to be using more secure methods for storing our passwords. If they can tell us what our passwords are, this is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid using the same passwords online, and ensure that you are changing them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change all passwords for places which you used that password at.

Enjoy!

Advertisements

HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures – administrative, technical and physical – that allow them to safeguard patient health information from any kind of exposure or disclosure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however the information is subject to strict regulations that protect the privacy and security of the information both at the point of dispatch, during transit and at the point of delivery.

The security provisions of HIPAA require “reasonable” efforts to make sure that the information delivery via fax has been sent securely and was received securely and by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

•All fax machines are to be placed in a secure area and are not generally accessible.
•Only authorized personnel are to have access and security measures should be provided to ensure that this occurs.
•Destination numbers are verified before transmission
•Recipients are notified that they have been sent a fax.
•Include a cover-sheet clearly stating that the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent; and should be destroyed if not received by the intended recipient.
•Any patient data should be in the fax body and not in any of the data fields.
•Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
•Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient’s number.
•Confirm fax delivery by phoning the recipient.
•Received faxes are to be stored in a secure location.
•Maintain transmission and transaction log summaries.

IT Services Policy: Billable Hour

This is to help define what activity is billable versus non-billable activity. Beyond the obvious that activity which is for the direct benefit of a client, and that activity relates to either an hourly billable event and/or counts against a contract – that activity is considered billable. However here are some additional examples of each:

Billable

  • Company internal work which is assigned a ticket from the IT Manager
  • Client work (ticket & project) which is assigned a ticket from the IT Manager
  • On-site, remote and bench work which is billable to the client
  • In-office prep time for billable on-site time (pulling equipment for install, etc)
  • Warranty work for “completed” tickets performed by someone else
  • Travel time to/from clients, except for before/after work/lunch periods.
  • Design & Implementation meetings for clients – “here is how we are going to go about backup”.

Non-Billable

  • Training, education, conferences, etc.
  • Corporate meetings, one-to-ones, etc.
  • Warranty work for “completed” tickets performed by yourself.
  • Client “touches”: stats updates, “hi”, proposals
  • Training meetings regarding clients – “here is how you….”

Technology Policies/User Passwords

It is the general policy that the IT staff does not need to know the individual user passwords and will take every effort to ensure that we do not keep this information. As a result, whenever we need access to a users account, we will generally choose one of two options:

  1. Have the user (if available) enter in their password; or
  2. Change their password on the server, and when completed, set the password to “require change on reboot”.

It is important that after a users password has been reset, that the following process be followed to notify them of their new password:

  • A note (preferably type written) explaining that work has been completed on their system and to check their voicemail for their new password.
  • On their voicemail, leave them their password (repeat slowly twice) and inform them that they will be prompted to change it when they next log on. Additionally, if they have questions to contact the office.

Technology Policies/Network Printers

Network Assignment

To properly configure network printers initially on a windows network:

  1. Leave printers setup in DHCP
  2. Check DHCP server and use the MAC address information to establish a DHCP reservation. Remember to set the reservation in ‘all’ DHCP servers.
  3. Restart the network printer as necessary
  4. Add printer on server via TCP/IP address
  5. Deploy via Group Policy

Color Network Printers

  • Configure default color setting as “black & white” which will force the end users to choose color only when the want it.
Rationale: From experience, users will not elect to go through the extra steps required to select black & white when printing and e-mail or website, even when color is not necessary. However, these extra color pages can contribute significantly toward the number of annual color pages.
  • Color printing access: depending on the printer/MFP device, along with its drivers, there are several options to restrict color printing.
  1. Use the printer configuration for access control lists within the printer itself, which will then require a “code/password” on each client’s workstation to be setup.
  2. Create two different shared printers on the server, one of which is black & white only (color disabled) and then use windows ACL to determine who has access to which features

Technology Policies/Guest Users

We’re starting a new series on Monday called “Policy Monday” to help share common technology policies. This week we’ll start with Adding Guest Accounts to the Network.

The following is a general guideline for creating guest user accounts on Active Directory based Windows network.

  1. Create a new Guest Organizational Unit
  2. Create the guest account:
    1. If it is a role account (several temps performing the same job) then create a “role based” username
    2. If it is restricted to a single user for a short period of time, then create a “real name” based username
  3. Set the account expiry to something reasonable
  4. Set the change password on next logon and assist the user with their first logon to the desktop.
Tags: , , , ,

Magic Touch – Customer Service

magic hat and wand with clipping pathThis process known as Magic Touch relates to the customers experience and viewpoint regarding our on-site service. Specifically, it is the illusion of our ability to magically fix technology problems without panic or stress. This results in an end user perception of professionalism and experience.

However in reality, a great majority of the problems we will be asked to resolve will be relating to software, hardware or problems we have never seen before. Our professional illusion is maintained by out ability to properly handle these instances. Below, is a methodology which is common in the industry, and the terminology taken from Adrian Grigorof, B.Sc, MSCE.

Read more…