domain controller in the cloud for small office?
-
@mike-davis said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?
That's been very well known in IT for a very long time that that mass media backwards security policy was wrong. Sure, in Hollywood they are still just figuring that out, but in IT it's been understood that rapid password changes were a direct attack on security for a decade or more. Really, ever since they were first implemented. That there are things like minimum password change lengths and stuff like that are actually demonstrable proof that the system was known to be flawed in that way. So that goes back to 2000 at a minimum in the official MS documents.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
HIPAA just requires "good practice", nothing specific.
-
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
-
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
-
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason. And you addressed it. Now that said, I have no idea if that type of addressing will be acceptable to the auditors or not.
But of course you can go way over the top - Installed AV on the endpoints and the edge of the network for business locations, etc.
-
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
You want a policy about why a policy isn't better than it is.. now that seams reaching. Are you saying an auditor can ask (demand really) to know why they can't afford it?
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line. If you want, I suppose a reason for this policy being what it is could be included as a note on said policy, but the reasoning itself is not part of the policy.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line.
I thought that the policy type was "addressable" meaning that they could make an excuse for not having a policy. That's what I am discussing.
-
@larsen161 said in domain controller in the cloud for small office?:
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
@scottalanmiller the answer on this link explains it pretty well i think