Q&A on IT/HR collaboration with Volodymyr Styran

VPN Haus spoke with Volodymyr Styran, a security expert, about ways IT professionals can work more closely with HR on issues like provisioning. VPN Haus has long advocated for IT departments to make user provisioning a higher priority, and Styran has some ideas on how this collaboration can be turned into reality.

VPN Haus: Let’s start with basic tampering. How can IT administrators prevent users, especially ones who are tech-savvy themselves, from tampering with settings?

Styran: I’d suggest application of strong organizational policies and thorough logging of user actions. Changes to local policies are usually reflected in [programs like] Eventlog. Collect it centrally in a separate log management facility, review the logs regularly, and follow up the findings via disciplinary action. This may sound a bit aggressive, and is reactive rather than preventive, but in my opinion this is the most effective approach.

VPN Haus: What’s the greatest enforcement challenge?

Styran: The greatest enforcement challenge is making HR execute disciplinary action. Punishing is not their favorite part of the job, because it affects image… So, when it comes to HR, one has to present and explain every bit of risk and harm introduced by a violation. And all this definitely makes little sense unless strong administrative policies are established beforehand.

VPN Haus: Can you provide 3–5 tips on how IT departments could work more closely with HR to foster better communication between the departments?

Styran: Sure.
– Be friendly, while being firm when needed.
– Make it formal, while maintaining good relationships. Write your policies firm and strict, but socialize with HR in a positive manner.
– Pay...

Healthcare Provisioning: Q&A with Marshall Maglothin

VPN Haus recently talked to Marshall Maglothin, a Washington, DC-based consultant specializing in healthcare virtual management. Maglothin gives us his perspective on keeping patient information safe without hindering speedy access to urgent data.

VPN Haus: What are the basics for provisioning employees at healthcare organizations?

Maglothin: All systems should have all users using unique passwords. Thus, the system has an electronic audit trail to record which employees accessed which records, with statistical outlier reporting.

VPN Haus: How do you ensure that the records are not so tightly controlled that it delays specialists asked to consult on the case, or ICU personnel, from urgently accessing the records?

Maglothin: All stations should have a time-out feature, and workstations in areas such as ICU and CCU are considered more secure (personnel constantly present), so the station’s time-out may be longer. Once a station is logged on, switching users by password should be real-time. The greater issue is all the bedside workstations/wireless devices. If it takes more than 15-30 seconds to log on (some take 90 seconds), then if a physician logs on to 30 patients a day, that’s 45 minutes of lost PHYSICIAN productivity – no patient care and no reimbursement. Doesn’t sound like much. But calculate 40 hours per week for 250 days per year, and this equals 188 hours, or more than 4.5 work weeks, lost to nothing but logging in!

VPN Haus: Staggering. So, if the consultant couldn’t access the records, it would be an example of a poor sensitivity error. What other errors should healthcare organizations be mindful of?

Maglothin: There’s the error of excessive credulity. An example would be a...

No hard and fast rule for provisioning

VPN Haus contributor Ben Ruset posted some food for thought on his blog about employee provisioning. Some people assume the best course of action is to immediately provision departing employees off the network. But Ruset brings up some good reasons why this approach isn’t always best:

This presents a problem because if IT takes it upon itself to delete a user that it thinks should be deleted, there’s a risk that important data could be lost, or that the user has a legitimate need to retain access for one reason or another. On the other hand, if IT decides to do nothing, there’s a vector for attack where, depending on the circumstances of the employee’s departure, they might have a motive to use the enterprise’s resources maliciously.

We agree with Ruset’s solution – “have strong policies in place that dictate the workflow of a user request. This is a policy that both HR and IT need to agree to, and it needs to be efficient, effective, and enforceable.” But, as he points out, this policy is often not created or simply not enforced. We understand that provisioning isn’t the sexiest part of an IT person’s job, but that’s not a good enough reason to let provisioning fall by the wayside.

Ruset points out: HR should notify IT that there’s a departure and fill out a request to have the account disabled. Depending on the circumstances of the departure, it might be necessary to escalate that to a higher priority level, or let IT know about any special requests (i.e., do not delete but disable the account, forward email somewhere, etc.)...