Superior Healthcare Enterprise Key Management Policy
Policy Statement: All employees of Superior Healthcare must comply with the defined guidelines relating to the enterprise key management system implemented by the institution. The implementation of the enterprise key management system in the Superior Healthcare network aims to maintain data confidentiality and integrity while ensuring that the data is available and executing source authentication. Data confidentiality, integrity, availability, and source authentication should be maintained even after the migration into a web-based system (eFi). Unauthorized network users should be prevented from accessing or modifying data in transit, data at rest, and data in use. Access to the data in the Superior Healthcare network is defined by the various restrictions noted by Superior Healthcare and various local, state, and federal laws. Examples of these laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Reason for Policy: The purpose of this policy is to define the guidelines that will ensure that the data in the Superior Healthcare network is not compromised by attackers. This will be achieved by making certain that the key management system is effective, which in turn prevents the cryptosystems from being compromised by attackers. The guidelines defined in this policy will address various components of the enterprise key management system. These components include the processes, the procedures, the rules of behavior, and the user and administrator training conducted in relation to the enterprise key management system. Additionally, this policy also details the Protected Health Information (PHI) and transactions conducted by Superior Healthcare and the need to protect them to adhere to the standards set by the various US laws.
Definitions:
- Protected Health Information (PHI) – Protected health information includes the information generated and used by a healthcare provider such as Superior Healthcare. The protected health information is unique to an individual and can be used to identify them. Examples of protected health information include demographic information, medical diagnosis, medical treatment, medical history, as well as medical test results.
- Encryption – The process of encoding data into a format that cannot be used by individuals who are not authorized to access it.
- Decryption – The process of decoding data back into its original format that can be used.
- Cryptography – The process of securing data using various encryption and decryption algorithms.
- Crypto period – The lifespan of a key. The key is only allowed to be used during this period.
- Key – A variable value that is used to convert data into a format that can be used from a format that cannot be used. It also converts data into a useful format from a format that cannot be used.
- Key Management – The key management process involves the creation, distribution, storage, replacement, and deletion of keys used in cryptosystems.
Responsible Executive and Office:
Responsible Executive: Chief Information Security Officer (CISO)
Responsible Office: Information Technology Department
Entities Affected by this Policy: The members and heads of different departments in the institution, as well as the management team members of the institution.
Procedures:
- Access to the Keys – The access rights to the keys are only restricted to the authorized members of Superior Healthcare. These members include those in possession of parts of the master key that are used to provide access to the storage containing the keys. The security of the keys is achieved using Shamir’s Secret Sharing algorithm, which is employed on a master key. The keys should not be kept in the same storage as the data they were used to encrypt. The keys will be stored in centralized storage secured using a 256-bit Advanced Encryption Standard.
- Key Management
- A key administrator and a key manager will take on the role of managing the keys. While a key administrator will be responsible for the implementation of a key management system and the definition of the roles of a key manager, the key manager will be responsible for the various processes involved in key management.
- The generation of the keys will be done using the 256-bit Advanced Encryption Standard.
- When the keys are no longer useful, all their copies will be destroyed when their crypto period ends.
- Immediate replacement of keys will be done once the keys are suspected to have been compromised.
- Auditing of the key management system has to be conducted to confirm that the various guidelines defined are adhered to during the management of the keys.
- Changes in the Keys – The key administrator and the key manager are responsible for any changes required in the keys used in the network. This includes cases where changes are required in individuals who possess the parts of the master key, as well as cases where the crypto period of keys has expired, and they have to be destroyed. Neither the key administrator nor the key manager should address changes in the keys without the presence of the other individual.
Reporting Violations: Violations of any of the defined policies must be reported directly to the Chief Information Security Officer.
Enforcement: Failure to adhere to the defined guidelines will result in immediate suspension, and in cases where failure to adhere to the guidelines leads to a cyber-attack, the consequences will be immediate termination from the organization.
Related Policies: None
Approved Date:
Effective Date:
Approved by:
ORDER A PLAGIARISM-FREE PAPER HERE
We’ll write everything from scratch
Question
Using the templates and sample documents provided alongside the Project 1 instructions, develop an Enterprise Key Management Policy. The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system.
Research similar policy documents used by other organizations and adopt an appropriate example to create your policy.
In the previous course, you learned how security professionals employ cryptography, a system of algorithms that hide data. You learned systems can be unlocked with a key provided to those who need to know that data. An important part of cryptography is how to manage these keys to the kingdom. This involves learning and understanding enterprise key management systems and concepts.
Cryptography is the application of algorithms to ensure the confidentiality, integrity, and availability of data, while it is at rest, in motion, or in use. Cryptography systems can include local encryptions at the file or disk level or databases. Cryptography systems can also extend to an enterprise-wide public key infrastructure for whole agencies or corporations.
The following are the deliverables for this project:
Deliverables
- Enterprise Key Management Plan: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
- Enterprise Key Management Policy: A two- to three-page double-spaced Word document.
Project 1: Enterprise Key Management
Step 1: Identify Components of Key Management
Key management will be an important aspect of the new electronic protected health information (e-PHI). Key management is often considered the most difficult part of designing a cryptosystem.
Choose a fictitious or an actual organization. The idea is to provide an overview of the current state of enterprise key management for Superior Health Care.
Review these authentication resources to learn about authentication and the characteristics of key management.
Provide a high-level, top-layer network view (diagram) of the systems in Superior Health Care. The diagram can be a bubble chart or a Visio drawing of a simple network diagram with servers. Conduct independent research to identify a suitable network diagram.
Read these resources on data at rest, data in use, and data in motion.
Identify data at rest, data in use, and data in motion as it could apply to your organization. Start by focusing on where data are stored and how data are accessed.
Review these resources on insecure handling and identify areas where insecure handling may be a concern for your organization.
Incorporate this information into your key management plan.
In the next step, you will consider key management capabilities.
Step 2: Learn Key Management Capabilities
You have successfully examined the major components of an enterprise key management system for Superior Health Care. Enter Workspace and complete the “Enterprise Key Management” exercise. Conduct independent research on public key infrastructure as it applies to your organization.
Being able to interact with a variety of stakeholders is a skill set on which you will want to evaluate yourself and improve where necessary so that you can present that skill on paper and in person.
As an example, consider the range of stakeholders in a healthcare setting: medical techs, doctors, data entry clerks, and office and hospital administrators. Now consider the three technical domains that are interlinked in this setting: cybersecurity needs, the practice of medicine, and the legal requirements of HIPAA.
Hypothetically, which of these audiences might you need to talk to before, during, and after your team of SEs implements your plan?
In the next step, you will identify the key management gaps, risks, solutions, and challenges found in corporations.
Step 3: Identify Key Management Gaps, Risks, Solutions, and Challenges
In a previous step, you identified the key components of an enterprise key management system. In this step, you will conduct independent research on key management issues in existing organizations. You will use this research to help identify gaps in key management in each of the key management areas within Superior Health Care.
Conduct independent research to identify typical gaps in key management within organizations. Incorporate and cite actual findings within your key management plan. If unable to find data on real organizations, use authoritative material discussing typical gaps.
Identify crypto attacks and other risks to the cryptographic systems posed by these gaps. Read these resources to brush up on your understanding of crypto attacks.
Propose solutions organizations may use to address these gaps and identify necessary components of these solutions.
Finally, identify challenges, including remedies, other organizations have faced in implementing a key management system.
Include this information in your enterprise key management plan.
Provide a summary table of the information within your key management plan.
Incorporate this information into your implementation plan.
In the next step, you will provide additional ideas for the chief information security officer (CISO) to consider.
Step 4: Provide Additional Considerations for the CISO
You have satisfactorily identified key management gaps. Incorporate these additional objectives of an enterprise key management system as you compile information for the CISO.
- Explain the uses of encryption and the benefits of securing communications by hash functions and other types of encryption. When discussing encryption, be sure to evaluate and assess whether or not to incorporate file encryption, full disc encryption, and partition encryption. Discuss the benefits of using triple DES or other encryption technologies. To complete this task, review the following resources:
- Describe the use and purpose of hashes and digital signatures in providing message authentication and integrity. Review these resources on authentication to further your understanding. Focus on resources pertaining to message authentication.
- Review the resources related to cryptanalysis. Explain the use of cryptography and cryptanalysis in data confidentiality. Cryptanalysts are a very technical and specialized workforce. Your organization already has a workforce of security engineers (SEs). Cryptanalysts could be added to support part of the operation and maintenance functions of the enterprise key management system. Conduct research on the need, cost, and benefits of adding cryptanalysts to the organization’s workforce. Determine if it will be more effective to develop the SEs to perform these tasks. Discuss alternative ways for obtaining cryptanalysis if the organization chooses not to maintain this new skilled community in-house.
- Research and explain the concepts and practices commonly used for data confidentiality: the private and public key protocol for authentication, public key infrastructure (PKI), the X.509 cryptography standard, and PKI security. Read about the following cryptography and identity management concepts: public key infrastructure and the X.509 cryptography standard.
Keep in mind that sometimes it takes considerable evidence and research for organizational leaders to buy in and provide resources.
Incorporate this information into your implementation plan.
In the next step, you will provide information on different cryptographic systems for the CISO.
Step 5: Analyze Cryptographic Systems
In the previous step, you covered aspects of cryptographic methods. In this step, you will recommend cryptographic systems that your organization should consider procuring.
Independently research commercially available enterprise key management system products, discuss at least two systems, and recommend a system for Superior Health Care.
Describe the cryptographic system, its effectiveness, and its efficiencies.
Provide an analysis of the trade-offs of different cryptographic systems.
Review and include information learned from conducting independent research on the following topics:
- security index rating
- level of complexity
- availability or utilization of system resources
Include information on the possible complexity and expense of implementing and operating various cryptographic ciphers. Check out these resources on ciphers to familiarize yourself with the topic.
Incorporate this information in your implementation plan.
In the next step, you will begin final work on the enterprise key management plan.
The following exercise, Introduction to Cryptographic Tools, is to introduce you to or help you better understand some basic cryptographic concepts and tools for both encryption and decryption processes.
Step 6: Develop the Enterprise Key Management Plan
In the previous steps, you gathered information about systems used elsewhere. Using the materials produced in those steps, develop your Enterprise Key Management Plan for implementation, operation, and maintenance of the new system. Address these as separate sections in the plan.
In this plan, you will identify the key components, the possible solutions, the risks, and benefits comparisons of each solution, and proposed mitigations to the risks. These, too, should be considered as a separate section or could be integrated within the implementation, operation, and maintenance sections.
A possible outline could be:
- Introduction
- Purpose
- Key Components
- Implementation
- Operation
- Maintenance
- Benefits and Risks
- Summary/Conclusion
The following are the deliverables for this segment of the project:
Deliverables
- Enterprise Key Management Plan: An eight- to 10-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Step 7: Develop the Enterprise Key Management Policy
The final step in this project requires you to use the information from the previous steps to develop the Enterprise Key Management Policy. The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system.
Research similar policy documents used by other organizations and adapt an appropriate example to create your policy.
Review and discuss the following within the policy:
- digital certificates
- certificate authority
- certificate revocation lists
Discuss different scenarios and hypothetical situations. For example, the policy could require that when employees leave the company, their digital certificates must be revoked within 24 hours. Another could require that employees must receive initial and annual security training.
Include at least three scenarios and provide policy standards, guidance, and procedures that would be invoked by the enterprise key management policy. Each statement should be short and should define what someone would have to do to comply with the policy.
The following is the deliverable for this segment of the project:
Deliverables
- Enterprise Key Management Policy: A two- to three-page double-spaced Word document.