
Health Insurance Portability and Accountability Act - Essay Example


HW Questions

Question One

The 1996 regulation HIPAA (Health Insurance Portability and Accountability Act) affects auditing requirements by ordering organizations to conduct privacy risk evaluations and train their workers in confidentiality protocols. These evaluations and training call for changes in auditing requirements by the respective organizations (Natan, 2005, p. 329). The 1999 regulation GLBA (Gramm-Leach-Bliley Act) affects auditing requirements by demanding the guarantee of the protection and confidentiality of customer data. When accessing customer data that requires compliance with mandates from this regulation, organizations will have to consider and include auditing requirements (Natan, p. 332). SOX (Sarbanes-Oxley Act) demands the recording of the system used by management in an effort to evaluate its efficiency and announce any errors or weaknesses. This documentation is always subject to auditing requirements that may require constant revision (Natan, p. 333). Lastly, the California Senate Bill 1386 regulation mandates the proper requirements and abilities to be aware of any access to private California resident data by unauthorized parties. Identifying any such breaches requires the business to base its auditing requirements on effective privacy measures (Natan, p. 335).

Question Two

Auditing should include schema, stored procedures or activators, user freedoms, and other DDL changes. From protection, compliance, structure management, and procedural perspectives, these factors are vital collectively (Natan, p. 357). DDL instructions are most likely the most destructive instructions today and allow intruders to compromise any network with absolution from a security point of view. Numerous regulations made organizations and individual data users audit all changes to data configurations from a compliance point of view. Compliance requisites for schema modifications during auditing are frequently the same as the requisites characterized under structural management and IP administration initiatives. As a result, an external party will be able to maliciously alter, utilize, and roll back schema to its original form. These functions can occur without the authorized user noticing, particularly when the entire process occurred within less than 24 hours (Natan, p. 358).

Question Three

The DML audit trails discussed in Section 12.9 reveal how one can selectively determine the items and instructions that need auditing. This determination comes about through unsophisticated and rough calculations. More specifically, Ben Natan anticipates DML audit trails by choosing to form them for a subsection of the database tables presented and given login details (Natan, 2005, p. 370). In his essay, Abrams uses a new model that appears to be an ingredient in an oversimplified database structure. This structure accommodates the promise for an ideal rational organization of previous, current, and future information (Jajodia, Gadia, and Bhargava, n.d., p. 595). In Section 12.9, every bitemporal association facilitates the maintenance of an “Update-Store Relation” by Natan’s database activity model (Natan, 2005, p. 371). In contrast, Abrams’ Essay 25 exploits its simplified model to further enable the automatic production and analysis of incidents that take place in the database structure. Consequently, Abrams identifies and dissuades security breaches (Jajodia et al., n.d., p. 590).

Question Four

One technique for auditing selection is random sampling, which entails the choosing of items from a sample so that every item has an even opportunity for selection. Random sampling needs the usage of arbitrary and figure tables or computer software to assure that every population sample has an even opportunity for selection (Natan, p. 394). Auditing selection can also occur through methodical sampling, which entails the choosing of each consecutive item from a sample following an arbitrary beginning. Haphazard sampling is the auditing selection of items from a given sample without considering any recognized features of any of these items. This technique is mostly useful in auditing selection when the user wants to get rid of any conscious bias during the process. The fourth technique is block sampling, which entails the choosing of items from a given sample in connecting blocks. Lastly, purposive or fixed sampling is another technique for auditing selection that entails the choosing of items from a given sample using some predetermined standard (Natan, p. 396). Therefore, the auditor has to choose audit books receivable for verification centered on the scale of due balance.

Question Five

Extensions to auditing that are essential to support non-repudiation include the double hyphen (--) sign alternative, PGP (Pretty Good Privacy), GPG (Good Privacy Guard), and DBA (Database Auditing) systems (Natan, p. 391). The -- sign alternative puts a signature generated with the user’s confidential key inside the encoded files to support non-repudiation requisites. PGP applies the RSA (Rivest-Shamir-Adleman) open-key cryptosystem to come up with a solution for the requirement of confidential information and between parties over a digital channel (Natan, p. 395). GPG is the same as PGP but applies an open-source cryptosystem. PGP and GPG extensions are useful for auditing by ratifying files and documents for non-repudiation purposes. Lastly, DBA systems serve as extensions with a security placement that enables them to reserve an audit trail (Natan, p. 395). This ability is possible through repudiation features that different users can modify or remove.

Question Six

I support the claim that monitoring all database activity is insufficient to ensure security. Monitoring all incoming and outgoing requests requires tracking and reporting. Monitoring alone cannot impose adequate pressure on the surveillance of a database system by security providers and users. Unsuccessful attempts to escalate privileges are a strong sign that an intrusion is ongoing. Monitoring cannot note attempts to escalate privileges, especially by external parties. In this case, logging is essential for identifying such attempts. Like logging, reporting errors or failed attempts employs a series of standards and the data that is easily accessible for developing a starting point for ensuring security in a given database (Natan, p. 347). The solution to ensuring security in a given database is through privacy. Organizations that attempt to monitor all database activity cannot guarantee the security of private data and risk humiliation, fines, and occasional losses.

Question Seven

An auditing system should automatically provide remediation. Databases require an auditing mechanism that enables the automatic fixing of problems. Remediation is a design solution that does not just audit. Remediation also characterizes and applies a policy that assists in problem-solving processes (Natan, p. 391). Databases with remediation often identify these problems through auditing activities, which I think is better than a separate auditing framework. Automatically fixing problems should be integral in database security since it is far more proficient when an organization delivers and enforces it in cycles.

References

Jajodia, S., Gadia, S. K., and Bhargava, G. (n.d.). Logical Design of Audit Information in Relational Databases. Essay 25, Logical Design of Audit Information in Relational Databases, 585-95.

Natan, R. B. (2005). Implementing Database Security and Auditing. New York, NY: Elsevier Inc.