Security Basics
Re: Windows Active Directory Domains Jul 14 2014 02:23PM
Kurt Buff (kurt buff gmail com) (1 replies)
RE: Windows Active Directory Domains Jul 14 2014 03:02PM
Mikhail A. Utin (mutin commonwealthcare org) (1 replies)
Quote: One might argue that the possibility of jail time because of HIPAA provisions or other laws might provide extra incentive, but I haven't seen much of those kinds of penalties - yet

Here is well-known example of MGH (Mass General Hospital) case, which paid to feds around $1M after a loss of a memory stick with a few hundred EPHI records. Monetary, even a small organization can sustain such DATA loss, but the cost of conflicting with DHHS/CMS on that matter costs much more than a fine of $1M. There is an estimate that one case of data loss in around $5M. And the most comes from legal part and various matters dealing with federal authorities. Amount of data matters but as you see in MGH case, not too much. What matters is non-compliance. I would not discuss millions of credit cards records losses (AFAIC last were Target, and eBay accounts' info as well) as DSS is commercial and not about legal part, fines, etc. Compliance is also an issue but can be easy fixed by an external audit. Big guys can easy deal with such cases. If US had a law and penalties for commercial data loss, we would see bullion-level fines.

Shortly: if feds are involved, all depends on Uncle Sam's will, and pretty innocent loss could cause a business loss.

Regards

Mikhail

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Kurt Buff

Sent: Monday, July 14, 2014 10:24 AM

To: security-basics (at) securityfocus (dot) com [email concealed]

Subject: Re: Windows Active Directory Domains

Going bankrupt because of regulatory fines (or just paying a big fine) vs. going bankrupt (or losing lots of money) because of theft of IP or hacked bank accounts isn't much of a choice. They both are outcomes to be avoided by exercising due care. One might argue that the possibility of jail time because of HIPAA provisions or other laws might provide extra incentive, but I haven't seen much of those kinds of penalties - yet. And, if you can achieve the same level of security without the complexity of extra configuration, or the expense of extra staff, then your course is pretty clear.

Kurt

On Mon, Jul 14, 2014 at 7:12 AM, Mikhail A. Utin <mutin (at) commonwealthcare (dot) org [email concealed]> wrote:

> Hello,

> Quote: HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.

>

> Not really right as HR deals with personal identifiable information. See, for instance US MA 201 CMR 17.00, or similar. PI, i.e. legally protected personal information, is at least one record having any number (like SSN or a license) and full name. HR has a plenty of such information.

>

> In any case when you think of protecting data, you need to clarify if any compliance is required. If do, then you need to check the regulation(s) what it exactly requires. You may build up numerous expensive and technically correct solutions, but in a case of something goes wrong and protected (in legal context) data is acquired, your incompliance will be considered first and your efforts as secondary.

>

> I would remind that there are two parts in information security - legal (including compliance) and technical. First is more important as relates to the business directly. If there is no such matter of a compliance in your organization (there is no federal, state, local, industry regulation), then you are lucky person and have free hands.

>

> Regards

>

> Mikhail Utin, CISSP

>

> -----Original Message-----

> From: listbounce (at) securityfocus (dot) com [email concealed]

> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Kurt Buff

> Sent: Wednesday, July 09, 2014 10:22 AM

> To: security-basics (at) securityfocus (dot) com [email concealed]

> Subject: Re: Windows Active Directory Domains

>

> Some questions:

>

> Who administers the firewalls separating the HR domain from the other domain?

> Do the firewall admins also administer either domain?

> Are the firewalls between domains even more restrictive of web browsing and other online activity for HR than for the other staff?

> Who administers the HR domain, and why are they more trusted than those who administer the larger domain?

>

> As you probably gather, the situation seems (to me) fraught with redundancy and possibility for error. HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.

>

> Kurt

>

> On Tue, Jul 8, 2014 at 1:48 PM, <joeb1kenobe (at) gmail (dot) com [email concealed]> wrote:

>> I have a scenario where I am trying to evaluate the security benefits of an Active Directory domain structure.

>>

>> We will call the company XYX Inc. They have an AD Forest/Domain for general users. They also have a separate AD Forest/Domain for their HR Users that is behind a firewall.

>>

>> The claim is that the separate forests with a one way trust provides the necessary security to protect the HR Information.

>>

>> My thinking is that having the users/servers in the same forest would provide additional benefit of ease of use for the technical team. Using the already existing firewall, separate the servers behind the firewall for the needed protection of HR files.

>>

>> Before I make a recommendation of one way or the other, I wanted to elicit the ideas of others who may have seen similar situations.

>>

>> Thanks

>>

>> Joe Brown

------------------------------------------------------------------------

Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1

------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential

and privileged information for the use of the designated recipients named above. If you are

not the intended recipient, you are hereby notified that you have received this communication

in error and that any review, disclosure, dissemination, distribution or copying of it or its

contents is prohibited. If you have received this communication in error, please reply to the

sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication

and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy,

please visit our Internet web site at http://www.commonwealthcare.org.

[ reply ]
Re: Windows Active Directory Domains Jul 15 2014 04:07PM
Tracy Reed (treed ultraviolet org) (1 replies)
Re: Windows Active Directory Domains Jul 21 2014 08:22PM
Tracy Reed (treed ultraviolet org) (1 replies)
Re: Windows Active Directory Domains Jul 21 2014 08:54PM
Kurt Buff (kurt buff gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus