Managing Application Security

By Ksiegel ·
We (as analysts) have to assign user/password security to various clinical and financial applications at our hospital. Therefore, each analyst is assigning security in their own way (no policies). Is there any article/info out there that explains how to help manage security to applications (i.e. policies to ensure consistency in assigning security, make sure inactive users' logins are deleted)? We are trying to establish an internal policy to handle this (as at this time we cannot hire a security administrator).

All Comments

Managing Application Security

by Mr. Leopold In reply to Managing Application Secu ...

Hi,
I had the same problem once and my advice to you is to make a meeting (all of the analysts) and propose some specified usernames and passwords, and that, of course, depends on how many domains of activity (applications) you have there.
So, every analyst should write in a personal notebook the usernames and the passwords and use them. You can change them from time to time (on the next meeting, maybe).
Note:
It is very possible to misunderstand your problem so, if my answer is not good, pls forgive me.
Leopold

Managing Application Security

by Ksiegel In reply to Managing Application Secu ...

My question is regarding setting up users and which applications/procedures they will have access to. For instance, a new user comes on board and an analyst will copy another user's security to the new user. This is not really based on position - which it should be. Also, old IDs are not deleted. These are some of the types of issues we are having - and we are trying to set up an internal security policy regarding application access. Hope this clarifies the question!

Managing Application Security

by rachel_s In reply to Managing Application Secu ...

We created our own policy, since we were the ones managing the systems. And users are horrible at security, and don't (and won't!) let you know when employees leave. Here is what we did.
We first looked at our systems and determined how we wanted it to look when we were done. We wanted the system to be manageable and secure. We determined the naming convention for our groups and based them off of the work they would be doing. The database apps could have data entry and super users, the files would have readers and writers. We then either used a department based access or group depending on the app/files.
As for the IDs, we run reports to determine who has not logged in over 90 days and disable them. We are working on a policy that says 30 days disable, 90 days delete.

It will be hard, but someone is going to have to lead the effort, document it, and management will have to enforce it. You can make up your own policy based on your environment and what you want it to look like when you are finished restructuring.
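
The inactive-ID report described in the post above, sketched as an added example that is not part of the original thread. It applies the proposed 30-day disable / 90-day delete thresholds to a constructed account export; the column names and the choice to age never-used accounts from their creation date are assumptions.

```python
import csv
import io
from datetime import date, datetime

DISABLE_AFTER_DAYS = 30   # proposed policy from the post: disable at 30 days
DELETE_AFTER_DAYS = 90    # ... and delete at 90 days

# Constructed sample export (user, created, last_login, status); not real data.
SAMPLE_EXPORT = """user,created,last_login,status
asmith,2023-01-10,2024-05-28,active
bjones,2022-03-02,2024-04-15,active
cnguyen,2021-07-19,2024-01-05,active
dlee,2024-05-20,,active
epatel,2023-11-01,,active
fkhan,2020-02-02,2024-04-20,disabled
"""

def parse_day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()

def review_accounts(export_text, today):
    """Return {user: action} where action is 'none', 'disable' or 'delete'."""
    actions = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Assumption: an account that has never logged in is aged from its
        # creation date, so unused accounts do not escape the review.
        reference = row["last_login"] or row["created"]
        idle_days = (today - parse_day(reference)).days
        if idle_days >= DELETE_AFTER_DAYS:
            action = "delete"
        elif idle_days >= DISABLE_AFTER_DAYS:
            # Already-disabled accounts just wait for the delete threshold.
            action = "none" if row["status"] == "disabled" else "disable"
        else:
            action = "none"
        actions[row["user"]] = action
    return actions

if __name__ == "__main__":
    report = review_accounts(SAMPLE_EXPORT, date(2024, 6, 1))
    for user, action in report.items():
        print(f"{user:10} {action}")
```

Running the same report on a fixed schedule and keeping its output gives the documented, enforceable record the post asks for.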

Managing Application Security

by mike_mds In reply to Managing Application Secu ...

If your hospital is in the US, you need to consider the HIPAA regs when implementing any security related policies on your network. A good site to start at might be www.hipaadvisory.com. I don't work in the healthcare field, so I have no specific advice to offer you other than to gain a thorough understanding of the regs BEFORE you attempt to write/implement/enforce policy. I can tell you that the only thing worse than enforcing a security policy on a group of users is trying to change that policy mid-stream.
Some more general sites that have info or links regarding policy creation would be: www.infosyssec.net, www.sans.org, and searchsecurity.techtarget.com. There are a tremendous amount of resources on the web dealing with security policy, it's just a matter of searching for them.
Good luck.

Managing Application Security

by mike_mds In reply to Managing Application Secu ...

Also can check the white paper off the following link :
http://update.networkcomputing.com/cgi-bin4/flo?y=eD4Y0Br7ES0qh0Pb70Ar
(take spaces out of link if cutting/pasting)

It has some good links at the end of the paper also (which is kind of a sales brochure more than anything).

Managing Application Security

by JMart In reply to Managing Application Secu ...

Ultimately, your organization must develop a set of policies which describes ownership of applications and data for you to be able to implement a consistent approach to security.

In anticipation of that you need to determine where your application architectures give you opportunities to administer security.

For example, can the users of the various systems be organized into functional groups?

These groups can be used as a standard way of controlling access in applications. Your analysts would then need to make users members of the appropriate groups to deliver access.

A non-technical system of applying for application access with the proper management authorization can be implemented in fairly short order. Additionally, working with the human resources dept you can also implement a procedure that notifies administrators of new hires (fill out the form) or terminations (remove from the group).

At many companies a general policy of password expiration of 90 days seems to be the norm.

Another approach to deactivating users is to make them a member of a deactivated users group. This group is defined to the appropriate systems as having no access.

There are many books and websites dedicated to security issues. I recommend that you select according to your specific circumstances i.e. Novell Networks, SQL Servers, etc. Also if your applications were sold to you by a vendor they may be able to help you configure security based on best practices for your specific application.
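
The group-based approach in the post above, as an added example that is not part of the original thread: access is derived from each person's position rather than copied from another user, and anyone missing from the HR roster is moved to a no-access deactivated group. All group names, positions and sample data are hypothetical and constructed for illustration.

```python
# Position -> functional groups (names are hypothetical, for illustration).
ROLE_GROUPS = {
    "nurse": {"clinical_read", "clinical_entry"},
    "billing_clerk": {"finance_entry"},
    "billing_supervisor": {"finance_entry", "finance_super"},
}
DEACTIVATED_GROUP = "deactivated_users"  # defined in each system with no access

# Constructed sample data: HR roster and current application memberships.
HR_ROSTER = {
    "asmith": "nurse",
    "bjones": "billing_clerk",
    "cnguyen": "billing_supervisor",
    "gortiz": "nurse",                              # new hire, no access yet
}
APP_MEMBERSHIPS = {
    "asmith": {"clinical_read", "clinical_entry"},
    "bjones": {"finance_entry", "finance_super"},   # copied from a supervisor
    "cnguyen": {"finance_entry", "finance_super"},
    "dlee": {"clinical_read"},                      # left; HR has no record
}

def reconcile(roster, memberships, role_groups):
    """Return {user: {"add": set, "remove": set}} for accounts needing changes."""
    changes = {}
    for user in sorted(set(roster) | set(memberships)):
        current = memberships.get(user, set())
        if user in roster:
            position = roster[user]
            if position not in role_groups:
                # Fail loudly rather than guess access for an unmapped position.
                raise ValueError(f"no group template for position {position!r}")
            expected = role_groups[position]
        else:
            # Not on the HR roster: only the deactivated group remains.
            expected = {DEACTIVATED_GROUP}
        add, remove = expected - current, current - expected
        if add or remove:
            changes[user] = {"add": add, "remove": remove}
    return changes

if __name__ == "__main__":
    for user, delta in reconcile(HR_ROSTER, APP_MEMBERSHIPS, ROLE_GROUPS).items():
        print(user, "add:", sorted(delta["add"]), "remove:", sorted(delta["remove"]))
```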

Managing Application Security

by Ksiegel In reply to Managing Application Secu ...

This question was closed by the author
