Technical Controls Security Standard
Technical Controls
This standard provides guidance on the management of networks, applications and systems, and the use of encryption, data backup, configuration management, access control and audit controls.
- Access Requirements
- Must include a User ID and password
- Network level (firewalls, network login)
- System level (operating system)
- Application level (database) (as applicable)
- Access Controls
- Automatic Logoff (after session is idle 15 minutes or more)
- Remote Access
- Multi-factor Authentication (Cardholder Data Environment (CDE))
- Vendor Support Restrictions
- Individual User Dial-Up Connections (Modems) Restrictions
- Systems Accepting In-Coming Dial-Up Connections Restrictions
- Access Restrictions
- Must not be open to “Public,” “Guest” or “World” access unless specified to allow public access
- Back Door Installs
- Must not install “back doors” to get around access control mechanisms
- Creation of User IDs
- Each User ID must be unique to each User
- Generic User IDs
- Generic User IDs are only allowed for network/desktop access in shared environments
- No access to Confidential/Proprietary Information
- User uses own unique User ID to access applications on that workstation
- Application User IDs
- User ID must contain information related to the name of the application
- System User IDs
- System User IDs can be either interactive or non-interactive
- User IDs loaded by the vendor pose a security risk
- Must be disabled and/or renamed before using in production
- Must be restricted to their specific job function
- Must be documented, logged, monitored and audited regularly
- Concurrent Logons
- More than three concurrent logons for a single User ID are not allowed
- More than three concurrent logons require approval from the Information Security Officer
- Password Configuration
- Active Directory or Network/Domain Level Passwords
- Passwords must be at least eight (8) characters long
- Passwords must contain three (3) of the four (4) following characteristics
- At least one upper-case alphabetic character (A-Z)
- At least one lower-case alphabetic character (a-z)
- At least one numeric character (0-9)
- At least one special character (e.g., “@”, “#”, “$”, “%”, “>”, “<”, “!”, “*”, and “?”)
- Users cannot use the prior five passwords used
- Other Systems
- Recommended password configuration same as Active Directory
- Password Expiration
- Active Directory or Network/Domains
- Passwords must expire at least every 90 days
- Other Systems
- Recommended to expire every 90 days
- Applications that are accessed via Active Directory can expire every 180 days
- Password Changes
- Password is lost or stolen
- Password is provided to System Administrators or the Helpdesk
- Passwords for generic accounts must be manually changed every 180 days
- Password Security
- Consecutive attempts to enter an incorrect password are limited
- Failed attempts are logged
- Passwords are encrypted when held in storage or when transmitted over networks
- Password storage files must not be retrievable by unauthorized Users
- Immediate change of every password must be done when system is compromised
- Strong passwords/pass-phrases are used with all vendor-supplied default User IDs
- Responsibilities Concerning Passwords
- Administrators must verify the identification of anyone requesting to change a password
- Users requesting password changes must prove their identity to the service desk
- Request for password change will be refused if user cannot provide proper identification
- Initial passwords are valid only for the initial logon session
- Each password reset requires a unique password
- Do not create an account without a password or with a password matching the UserID
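The Active Directory password rules above (minimum length, three of four character classes, no reuse of the prior five passwords, no password equal to the User ID) can be enforced mechanically at account creation and reset. The checker below is an added example, not Tenet's own code or tooling; it assumes that any non-alphanumeric character counts as "special" (the standard only lists examples), that password history is held as salted PBKDF2 hashes rather than plaintext (in line with the "encrypted when held in storage" requirement), and that the history list is ordered oldest to newest.

```python
import hashlib
import os
import re

# Policy parameters taken from the standard's Active Directory rules.
MIN_LENGTH = 8          # at least eight characters
REQUIRED_CLASSES = 3    # three of the four character classes
HISTORY_DEPTH = 5       # cannot reuse the prior five passwords
PBKDF2_ITERATIONS = 100_000  # assumption: work factor for the stored history hashes

# Assumption: "special" means any character outside the three alphanumeric classes.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest) so a password can be kept in history without storing it in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password: str, history) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    recent = list(history)[-HISTORY_DEPTH:]
    return any(hash_password(password, salt)[1] == digest for salt, digest in recent)


def character_classes_present(password: str) -> set:
    """Names of the character classes that appear at least once in the password."""
    return {name for name, pattern in CHARACTER_CLASSES.items() if pattern.search(password)}


def check_password(user_id: str, password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if not password:
        # An account must never be created without a password.
        return ["password is empty"]
    if password.lower() == user_id.lower():
        violations.append("password matches the User ID")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = character_classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(set(CHARACTER_CLASSES) - present))
        violations.append(f"only {len(present)} of 4 character classes (missing: {missing})")
    if matches_history(password, history):
        violations.append(f"reuses one of the prior {HISTORY_DEPTH} passwords")
    return violations


if __name__ == "__main__":
    # Constructed sample: a user whose previous password is already in history.
    prior = [hash_password("Winter2024!")]
    for candidate in ["jdoe", "winter2024", "Short1!", "Winter2024!", "Spring-2025"]:
        print(candidate, "->", check_password("jdoe", candidate, prior) or "OK")
```

Run as a script, the block prints each constructed candidate with its violations; the same `check_password` call can sit behind a reset form or provisioning script so the service desk cannot issue a password the standard forbids.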
- Email Encryption
- Emails sent between Tenet email addresses are secure transmissions
- Encrypted emails and their attachments are secure transmissions
- Tenet Email
- Emails sent between tenethealth.com or other Tenet managed email addresses are secure transmissions
- External Email
- Emails sent from tenethealth.com or other Tenet managed domains addresses to external email accounts must be encrypted
- Data Encryption
- Data must be encrypted for storage or transmission
- Proven encryption technologies that apply standard algorithms (e.g., AES, RSA), where the named algorithm is the actual cipher used by the approved application
- Proprietary algorithms are not considered an acceptable method
- Symmetric cryptosystem key lengths must be greater than 128 bits
- Asymmetric cryptosystem keys must be a length that yields equivalent strength
- Password-protected files may be used only if encryption could not be done
- The transmission of data from Tenet information assets must be protected against unauthorized access and modification.
- Transmissions
- Within the Tenet trusted network is secured
- Outside the trusted network is only secure when safeguards are implemented
- Dedicated Circuits
- Data transfer between Tenet trusted network and a third party with signed Information Security Agreement is a secure transmission method
- Tunnel Connections
- VPN and other tunnel connections between Tenet trusted network and third party are secure transmission methods
- Secure File Transfer Methods
- Transmission may be secure if a secure file transfer method is used and user authentication complies with this security standard
- Dial Up Connections
- Dial-up connections are only secure if confidential information is sent using another secure transmission method
- Hard Disk Encryption
- Full disk encryption technologies to encrypt the entire hard disk
- Must include pre-boot authentication
- Provide complete power off protection
- Cryptosystem key lengths must be 128 bits (256-bit encryption or above is recommended)
- Virtual disk encryption technologies to encrypt a portion of the hard disk
- Use only when full disk encryption is not feasible
- Ensure operating system passwords meet guidelines
- Cryptosystem key lengths must be 128 bits (256-bit encryption or above is recommended)
- Media Encryption
- Standard/approved software solution to encrypt data on removable media devices
- Wireless Encryption
- Encryption must be enabled for wireless transmissions
- 802.11 standard is the preferred security architecture for wireless
- WPA2 may be used when 802.11 is not feasible (preferably with an application layer Virtual Private Network (IPsec VPN or SSL VPN))
- Minimum 128-bit key strength must be implemented
- Unique key encryption per individual must be implemented
- Confidential information transmissions require digital certificates
- Must be issued by certificate authority approved by Corporate Information Security Department
- Employed with standard technologies (e.g., Transport Layer Security (TLS))
- Digital certificates stored on personal computers must be password protected
- Passwords protecting digital certificate private keys must be 16 characters or more in length and meet the minimum complexity standards for password creation
- The hardware used at Tenet must be properly accounted for using the following guidelines:
- All information asset hardware must be inventoried on an annual basis (including non-capital items).
- A Tenet property sticker must be applied to all hardware assets over $500, containing Tenet PHI/PII/PCI, or where required by applicable law.
- Loss or theft of information assets must be reported to site security and to Corporate Security Operations in accordance with Corporate Security policy CS 2.42 Reporting of Theft of Assets and Property.
- Loss or theft of information assets that may contain confidential material must be handled according to the EC.PS.01.01 Information Privacy Security Incident Handling Standard.
- Only IT staff designated by the Tenet Entity Security Officer are approved/authorized to move or relocate computer equipment (PCs, LAN servers, etc.) to a different user or Entity. Such requests must be documented and logged accordingly when said IT staff performs the move.
- The software used by Tenet information assets must be properly licensed according to the license agreements.
- Tenet must comply with all legislation, laws and regulations concerning the licensing of the software used in Tenet’s business practices. See also EC.PS.04.02 User Security and User Conduct Standard.
- Illegal copies of software must be removed from Tenet information assets or the proper licenses for the software must be obtained.
- Information Assets Managed by Application Teams
- Installing software and security patches
- Upgrading or downgrading software to another version
- Increasing existing hardware capabilities and capacities
- Making minor modifications to existing applications
- Replacing existing or installing new hardware
- Change Management Approvals
- Peer review
- Manager approval
- CAB approval
- Hospital management approval (system downtime)
- Additional Security Review for Change Control
- New Applications (developed internally or purchased from third party)
- Operating Systems (changes, extensions, modifications, or replacements)
- Network Hardware (Servers, firewalls, routers, switches, etc.)
- Downtime of group of systems (network downtime) requires Corporate Office approval
- Complete Testing
- Include users in testing group
- Perform in a production environment
- Do not use live data for testing
- Validate data before performing queries or updates on databases
- Employ parity checks, check-sums and error detection data validation techniques
- Review Test Results
- Evaluate test results, review proposed changes and revised production schedule
- Ensure back-out process is complete and tested
- Gain approval for all implementations prior to their deployments
- Open a change management ticket and record the reviews in the change or incident management system
- Move Software from Development to Production
- Do not move any software into the production-processing environment
- Review testing results and recompilation activities
- Do not use automatic software updates via “push” technology unless it has been tested
- Develop “back-out” procedures and document changes to production
- Store configuration information, applications and data back-ups separately
- Review change to ensure it was implemented properly
- Ensure system level firewall software is enabled for laptops connected to public internet
- Define and specify required configuration of software to include authorized connections
- Ensure software is actively running and not modifiable by a user
- Move Hardware and Electronic Media
- Create a retrievable, exact copy of the information on the hardware or media before moving equipment
- Maintain records of moving hardware and media (equipment description, Tenet property sticker identification number, date and time of the movement, and responsible person)
- Standard Malicious Software Detection Software
- Install anti-malware scanning software on Tenet assets
- Update periodically or when new malicious software threats are reported
- Update software when new version or patch is released
- Disabling or removing anti-malware detection software is prohibited
- Software media must be scanned for malware prior to installation
- Assets must have a Fast and Full Scan run at regular intervals
- Assets must have SMTP and FTP blocked by default
- Issuance of Warnings
- Malware must be confirmed before warnings are issued
- Notify Users that malware may have infected their system
- Inform Users how to check if their system was infected and how to remove the malware
- Core Software Protection
- Configure anti-malware protection software to prevent unauthorized modifications
- Malware Scanning Logs
- Record malware scanning logs and make them available for review at request
Tenet Asset Security Requirements
Device Encryption Control Procedure
Remote Vendor Support Procedure
EC.PS.04.02 User Security and Conduct Standard
EC.PS.04.00 Information Security Policy
EC.PS.01.01 Information Privacy and Security Incident Handling Standard
EC.PS.01.00 Information Privacy Security Administration Policy