
Posts Tagged ‘policy’

Any user can unlock now with this custom GINA

From the folks over at Paralint, there is now a utility to help with shared computer access. Often you will have a shared computer in an office space, and you want each user to have their own username and password; however, that doesn’t always work out so well. Once you add a password-locked screen saver and a user forgets to log off, that computer becomes unusable to any other normal user.

What are your options? Typically we have been forced into one of the following:
1) Users know each other’s passwords;
2) Reduce security by removing the password requirement or granting other users administrator permissions;
3) Users simply power the machine off and on to work around the issue;
4) Or use the Windows-based “winexit.scr”, which forcefully logs off the user when the screen saver kicks in.

However, with this custom GINA you can now enable any user to log off the offending user without requiring administrative permissions or changing your security routine. Aucun is a replacement GINA that wraps Microsoft’s own MSGINA.DLL to allow any given group of users to unlock or force logoff of a locked session on a Windows machine, unless the currently logged-on user is a member of a group you specify.

I created this for a friend that needed an unlock feature. By popular demand, I added force logoff and warning display. Here is a more detailed feature list:


  • GUI provided by original MSGINA.DLL (no training of end user required)
  • Allows any member of a given group to force logoff a locked session
  • Allows any member of a given group to unlock a locked session
  • Supports an exclusion group (to prevent unlocking administrators by regular users)
  • Allows to display a custom message when the workstation is locked
  • Supports 64 bits versions of Windows
  • Supports international versions of Windows
  • Allows chaining multiple GINAs together

You can learn more about this and download here: http://www.paralint.com/projects/aucun/


HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures – administrative, technical and physical – that allow them to safeguard patient health information from any kind of exposure or disclosure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however, the information is subject to strict regulations that protect its privacy and security at the point of dispatch, during transit and at the point of delivery.

The security provisions of HIPAA require “reasonable” efforts to make sure that the information delivery via fax has been sent securely and was received securely and by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

  • All fax machines are to be placed in a secure area and are not generally accessible.
  • Only authorized personnel are to have access, and security measures should be provided to ensure that this occurs.
  • Destination numbers are verified before transmission.
  • Recipients are notified that they have been sent a fax.
  • Include a cover sheet clearly stating that the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent, and should be destroyed if not received by the intended recipient.
  • Any patient data should be in the fax body and not in any of the header fields.
  • Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
  • Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient’s number.
  • Confirm fax delivery by phoning the recipient.
  • Received faxes are to be stored in a secure location.
  • Maintain transmission and transaction log summaries.

Encrypted E-mail Solutions

Here is some information on setting up secure e-mail encryption with outside parties. There are basically two options available. Prices can vary based on the selected vendor; the information provided is for very general planning purposes, and we would need to formally quote these before going forward. The major differences are how widely you intend to send encrypted e-mail, and cost.

S/MIME:

This method is the simplest form of transmitting data between two trusted partners or individuals.

  • Pros: This security is built directly into Microsoft Outlook, and its use is seamless for the sender and receiver. Meets HIPAA requirements for PHI. Best solution for a small number of users. Fastest method to receive encrypted e-mail. Lowest start-up costs for a small number of users.
  • Cons: This requires a Digital Certificate to be purchased, renewed periodically and installed on both the sender and receiver systems. There is a degree of configuration required for all parties. Apex can provide support to other businesses with their permission and for an additional cost. E-mail is only encrypted when sent to recipients with Digital Certificates, so you can still accidentally send PHI or confidential information to the wrong person in the clear. Both users need to be configured before you can send encrypted e-mail.
  • Best Fit: When you’re exchanging secure e-mail with a well-defined set of outside businesses and individuals which will not be subject to change frequently.
  • Costs: $100 per user who will be receiving encrypted e-mail (recurring every 3 years); and $200 per user at an outside company who will be receiving encrypted e-mail (recurring every 3 years) – prices include a rough estimate for labor and the Digital Certificate.
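The main S/MIME pitfall above is that Outlook only encrypts to recipients whose certificate it already holds; anyone else silently gets clear text. The following check is an added example written for this post (not the vendor’s or Apex’s code): it reads the CurrentUser\AddressBook certificate store, where Outlook keeps other people’s public certificates, and lists the intended recipients for which no valid certificate is on file, so the sender can stop before PHI leaves unencrypted. The store path is the standard Windows one; the recipient addresses are made-up sample values.

```powershell
# Added example: list S/MIME recipients that have no valid certificate on file.
# Assumes recipient certificates were exchanged into Cert:\CurrentUser\AddressBook
# (the store Outlook uses for other people's certificates). Addresses are sample values.

function Get-SmimeRecipientsWithoutCertificate {
    param(
        [Parameter(Mandatory)] [string[]] $Recipients,
        [string] $StorePath = 'Cert:\CurrentUser\AddressBook'
    )

    # Collect every e-mail address bound to a currently valid certificate in the store.
    $now = Get-Date
    $knownAddresses = Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now } |
        ForEach-Object {
            # EmailName reads the RFC 822 name from the SAN, falling back to the Subject E= field.
            $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
        } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() }

    # Return only the recipients for which no usable certificate exists.
    $Recipients | Where-Object { $knownAddresses -notcontains $_.ToLowerInvariant() }
}

# Constructed sample: two outside addresses, checked before a PHI message is sent.
$missing = Get-SmimeRecipientsWithoutCertificate -Recipients @(
    'billing@partner-clinic.example',
    'records@lab.example'
)
if ($missing) {
    Write-Warning ("No S/MIME certificate on file for: {0}. Outlook cannot encrypt to them." -f ($missing -join ', '))
} else {
    Write-Host 'All recipients have a certificate on file; Outlook can encrypt to everyone.'
}
```

Expired certificates are excluded on purpose: Outlook will refuse to encrypt to an expired certificate just as it refuses when none exists, which is the “renewed periodically” cost noted above.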

E-Mail Gateway:

This method uses a set of rules defined on the server (matching sender, recipient, subject, content, etc.) to automatically identify e-mail containing PHI. The system then converts those e-mails into an encrypted format and sends them to the recipient. There are no special software or configuration requirements for the sender or recipient.

  • Pros: This is good when the list of senders or recipients is not well defined or may include home users. Automatically protects all PHI, avoiding accidental sending of PHI in an unencrypted format, regardless of the recipient. On-the-fly encryption to anyone, which doesn’t require pre-configuration.
  • Cons: It may require the recipient to go to a website to download the message, which makes frequent use of this method slower. Additional server hardware, software and maintenance are required.
  • Best Fit: If you’re exchanging e-mail with a diverse group of not-well-defined individuals, who may not have the ability or knowledge to work with Digital Certificates.
  • Costs: Around $3,000 per three-year term, plus hardware around $1,000 and installation labor and ongoing support. Pricing is subject to change; this was based on old pricing before Symantec acquired the product from PGP. Another solution is the Cisco IronPort E-mail Security Appliance.

Hosted E-Mail Gateway:

Basically the same as the E-Mail Gateway from a security standpoint, with the only difference of the costs of implementation. The hosted solution doesn’t require a server nor the related hardware, software and support costs. However, it does have a higher ongoing service fee.

  • Pro/Con/Fit is the same as “E-Mail Gateway” above.
  • Costs: McAfee Email Encryption is $4,930 for a three-year term for 100 users (again, we need to cover the entire company), or $2,055.00 for one year. Other providers include the McAfee/MXLogic hosted solution.

IT Services Policy: Billable Hour

This is to help define what activity is billable versus non-billable. Beyond the obvious, namely that activity for the direct benefit of a client which relates to an hourly billable event and/or counts against a contract is billable, here are some additional examples of each:

Billable

  • Company internal work which is assigned a ticket from the IT Manager
  • Client work (ticket & project) which is assigned a ticket from the IT Manager
  • On-site, remote and bench work which is billable to the client
  • In-office prep time for billable on-site time (pulling equipment for install, etc)
  • Warranty work for “completed” tickets performed by someone else
  • Travel time to/from clients, except for before/after work/lunch periods.
  • Design & Implementation meetings for clients – “here is how we are going to go about backup”.

Non-Billable

  • Training, education, conferences, etc.
  • Corporate meetings, one-to-ones, etc.
  • Warranty work for “completed” tickets performed by yourself.
  • Client “touches”: status updates, “hi”, proposals
  • Training meetings regarding clients – “here is how you….”

Technology Policies/User Passwords

It is the general policy that the IT staff do not need to know individual user passwords and will make every effort to ensure that we do not keep this information. As a result, whenever we need access to a user’s account, we will generally choose one of two options:

  1. Have the user (if available) enter in their password; or
  2. Change their password on the server, and when completed, set the password to “require change on reboot”.

It is important that after a user’s password has been reset, the following process is followed to notify them of their new password:

  • A note (preferably typewritten) explaining that work has been completed on their system and that they should check their voicemail for their new password.
  • On their voicemail, leave them their password (repeated slowly, twice) and inform them that they will be prompted to change it when they next log on. Additionally, if they have questions, they should contact the office.
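Option 2 of the policy (reset on the server, then force a change at next logon) can be done in one step so the technician never holds a long-lived credential. This is an added example written for this post, not part of the policy text: it assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later), uses the real Set-ADAccountPassword and Set-ADUser cmdlets, and the account name is a made-up sample.

```powershell
# Added example: administrative password reset with "change at next logon".
# Assumes the ActiveDirectory module; 'jsmith' is a sample account name.

Import-Module ActiveDirectory

function Reset-SupportPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Length = 14
    )

    # Random temporary password from a character set that is easy to read aloud
    # on voicemail (no 0/O or 1/l look-alikes). The small modulo bias is acceptable
    # for a one-time password that must be changed at next logon.
    $alphabet = 'ABCDEFGHJKMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%'.ToCharArray()
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $plain = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # -Reset sets the password administratively; the old password is never needed,
    # which is exactly why IT staff do not have to know it.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure

    # Force the user to pick their own password at next logon, so the value read
    # onto voicemail is only ever a short-lived temporary credential.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Returned once for the voicemail step; nothing is written to disk or a ticket.
    return $plain
}

$temp = Reset-SupportPassword -SamAccountName 'jsmith'
Write-Host "Temporary password for jsmith (read slowly, twice, on voicemail): $temp"
```

Note that the “change at next logon” flag is ignored for accounts marked “password never expires”; check that setting before relying on it for a reset.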

Technology Policies/Network Printers

Network Assignment

To properly configure network printers initially on a windows network:

  1. Leave printers set up for DHCP
  2. Check DHCP server and use the MAC address information to establish a DHCP reservation. Remember to set the reservation in ‘all’ DHCP servers.
  3. Restart the network printer as necessary
  4. Add printer on server via TCP/IP address
  5. Deploy via Group Policy
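Steps 1 through 4 above can be scripted so the reservation is created on every DHCP server, not just the one the technician happens to be looking at. The following is an added example written for this post (not from the original policy): it assumes Windows Server 2012 or later with the DhcpServer and PrintManagement modules, and the server names, scope, MAC address and driver name are made-up samples. Step 5 is left to the Group Policy Management Console.

```powershell
# Added example: promote a printer's DHCP lease to a reservation on all DHCP servers,
# then add the TCP/IP port and shared queue on the print server. Assumes the
# DhcpServer and PrintManagement modules; all names and addresses are sample values.

Import-Module DhcpServer
Import-Module PrintManagement

function Register-NetworkPrinter {
    param(
        [Parameter(Mandatory)] [string]   $PrinterName,   # share name, e.g. PRN-Floor2
        [Parameter(Mandatory)] [string]   $MacAddress,    # as printed on the device label
        [Parameter(Mandatory)] [string]   $ScopeId,       # DHCP scope the printer lives in
        [Parameter(Mandatory)] [string[]] $DhcpServers,   # every DHCP server serving that scope
        [Parameter(Mandatory)] [string]   $DriverName
    )

    # Normalise the MAC to the dashed form the DHCP cmdlets use as ClientId.
    $clientId = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper() -replace '(..)(?!$)', '$1-'

    # Steps 1-2: the printer already holds a DHCP lease; find it by MAC and turn
    # it into a reservation on ALL DHCP servers for the scope.
    $lease = Get-DhcpServerv4Lease -ComputerName $DhcpServers[0] -ScopeId $ScopeId |
        Where-Object { $_.ClientId -eq $clientId }
    if (-not $lease) { throw "No DHCP lease found for MAC $clientId in scope $ScopeId" }
    $ip = $lease.IPAddress.ToString()

    foreach ($dhcp in $DhcpServers) {
        Add-DhcpServerv4Reservation -ComputerName $dhcp -ScopeId $ScopeId `
            -IPAddress $ip -ClientId $clientId -Name $PrinterName `
            -Description 'Network printer (reserved so the print port never changes)'
    }

    # Step 3: the device is restarted by hand so it re-requests its lease and
    # picks up the reservation.
    Write-Host "Restart printer $PrinterName now; it should come back on $ip."

    # Step 4: add a standard TCP/IP port for the reserved address and the shared
    # queue on the print server running this script.
    $portName = "IP_$ip"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $ip
    }
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName `
        -Shared -ShareName $PrinterName

    return $ip
}

# Constructed sample call.
Register-NetworkPrinter -PrinterName 'PRN-Floor2' -MacAddress '00:1A:2B:3C:4D:5E' `
    -ScopeId '10.0.20.0' -DhcpServers @('dc1.corp.example', 'dc2.corp.example') `
    -DriverName 'HP Universal Printing PCL 6'
```

Looping over every DHCP server is the point of step 2’s “all” reminder: a reservation that exists on only one server will be ignored as soon as the other server answers the printer’s next lease request.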

Color Network Printers

  • Configure the default color setting as “black & white”, which will force end users to choose color only when they want it.
Rationale: From experience, users will not go through the extra steps required to select black & white when printing an e-mail or web page, even when color is not necessary. These extra color pages can contribute significantly to the number of annual color pages.
  • Color printing access: depending on the printer/MFP device, along with its drivers, there are several options to restrict color printing.
  1. Use the printer’s own configuration for access control lists, which will then require a “code/password” to be set up on each client’s workstation.
  2. Create two different shared printers on the server, one of which is black & white only (color disabled), and then use Windows ACLs to determine who has access to which features.

Exchange Mailboxes and Disabled AD Accounts

We have all had the issue with a client where an employee leaves, their account should be disabled, and usually someone would like to receive e-mail on their behalf…

Be aware that in Exchange 2007, if a domain account is disabled, the mailbox can still receive e-mail. This was not the default behavior in Exchange 2000 or 2003; Exchange 2003, however, did have a hot-fix which changed its behavior to that of 2007. Please see the link below for more information. The point here is to make sure everyone is aware that disabling an AD account will not necessarily stop e-mail from being delivered to a mailbox.

http://blogs.technet.com/benw/archive/2007/07/09/exchange-2003-and-disabled-user-accounts.aspx
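Because a disabled account is not a stopped mailbox, it is worth periodically listing every mailbox whose AD account is disabled and deciding deliberately what should happen to it (forward to a manager, or disable the mailbox so delivery stops). The following audit is an added example written for this post, not Microsoft’s or the linked article’s code: it assumes the Exchange Management Shell with the ActiveDirectory module loaded (PowerShell 2.0 or later), uses the real Get-Mailbox, Get-ADUser and Set-Mailbox cmdlets, and the forwarding address is a made-up sample.

```powershell
# Added example: report mailboxes that still receive mail although their AD
# account is disabled. Assumes Exchange Management Shell + ActiveDirectory module;
# the forwarding address is a sample value.

Import-Module ActiveDirectory

function Get-MailboxesOnDisabledAccounts {
    # Every mailbox in the organisation, joined to its AD account's Enabled flag.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx  = $_
        $user = Get-ADUser -Identity $mbx.SamAccountName -Properties Enabled, whenChanged
        if (-not $user.Enabled) {
            New-Object PSObject -Property @{
                Mailbox         = $mbx.PrimarySmtpAddress.ToString()
                SamAccountName  = $mbx.SamAccountName
                AccountDisabled = $true
                ForwardingTo    = $mbx.ForwardingAddress
                LastAdChange    = $user.whenChanged
            }
        }
    }
}

# Review the list first; these mailboxes are accepting mail nobody may be reading.
$orphans = Get-MailboxesOnDisabledAccounts
$orphans | Format-Table Mailbox, SamAccountName, ForwardingTo, LastAdChange -AutoSize

# The "someone receives e-mail on their behalf" case: forward to a manager and keep
# a copy in the mailbox. -WhatIf shows the change without applying it; remove it
# once the list has been checked.
$orphans | Where-Object { -not $_.ForwardingTo } | ForEach-Object {
    Set-Mailbox -Identity $_.SamAccountName -ForwardingAddress 'manager@corp.example' `
        -DeliverToMailboxAndForward $true -WhatIf
}
```

For leavers whose mail should stop entirely, Disable-Mailbox on the same identity detaches the mailbox from the account; the report above is the list to work from either way.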