Terminal Services Notes
Disaster and Recovery Planning Resources
http://www.utoronto.ca/security/drp.htm - University of Toronto Computer and Network Services - Disaster Recovery Planning
NIST Contingency Planning Templates
Google Search for 'Business Continuity Templates'
http://csrc.nist.gov/publications/nistpubs - Computer Security Resource Center - National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf - National Institute of Standards and Technology - Contingency Planning Guide for Information Technology Systems: PDF - Extremely in-depth guide to protecting IT infrastructure
http://www.drj.com/new2dr/samples.htm - Sample Plans, Outlines and other Plan writing resources
http://gita.state.az.us/policies_standards/html/p800_s865_bcdr.htm - State of Arizona - Guidelines for creating
Hospital-Health Care or PACS specific contingency planning:
The Year 2000 Threat: Preparing Radiology for Nine Realms of Risk - http://radiology.rsnajnls.org/cgi/content/full/210/1/17
Note: The nine "realms of risk" are interesting
Computer Crash — Lessons from a System Failure - http://content.nejm.org/cgi/content/full/348/10/881
Correspondence to the JAMA editors about the above event. Note the comments from doctors blaming the "lack of credentials" of IT professionals. What about the lack of involvement and/or engagement of the physicians?
http://www.sans.org/rr/papers/index.php?id=891 - "HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment" by Robert Grenert, GSEC, March 12, 2003
http://www.sans.org/rr/papers - SANS (SysAdmin, Audit, Network, Security) Institute Reading Room
http://www.csrc.nist.gov/publications/nistpubs/ - Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST)
http://msdn.microsoft.com/msdnmag/issues/02/09/SecurityTips/default.aspx - Security Tips: Defend Your Code with Top Ten Security Tips Every Developer Must Know -- MSDN Magazine, September 2002:
http://msdn.microsoft.com/msdnmag/issues/01/11/security/default.aspx - Security Briefs: ASP .NET Security Issues -- MSDN Magazine, November 2001:
http://www.develop.com/kbrown/book/html/whatis_polp.html - A .NET Developer's Guide to Windows Security: Item 4: What is the principle of least privilege?:
http://www.develop.com/kbrown/book/html/whatis_anonprivilegeduser.html A .NET Developer's Guide to Windows Security: Item 8: What is a non privileged user?:
http://www.develop.com/kbrown/book/html/howto_runasnonadmin.html - A .NET Developer's Guide to Windows Security: Item 9: How to develop code as a non-admin:
- Developing Software in Visual Studio .NET with Non-Administrative Privileges by Lars Bergstrom, Visual Studio Core Team, Microsoft Corporation, December 2003
The Importance of the Principle of Least Privilege - An excellent opening paragraph on this article summarizes the reasons for NOT developing code with an administrative account
"...The most important reason for limiting the security privileges your code requires to run is to reduce the damage that can occur should your code be exploited by a malicious user. If your code only runs with basic user privileges, it's difficult for malicious users to do much damage with it. If you require users to run your code using administrator privileges, then any security weakness in your code could potentially hand control of that machine (and potentially other connected machines) to malicious code that exploits that weakness."
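The quoted reasoning above is about the Windows/.NET case (run as a standard user, not Administrator), but the same principle applies to any long-running service: acquire the privileged resource, then irreversibly give up the privilege before touching untrusted input. The following is an added example, not code from any of the articles linked on this page, showing the POSIX form of that discipline in Python. It assumes a Linux/Unix host; the target account name "nobody" and the fallback uid/gid 65534 are assumptions for illustration.

```python
"""Least-privilege demo: drop root after setup and prove the drop is real.

Added example, not from the linked articles. POSIX only (os.setuid etc.).
"""
import os
import pwd

# Assumed unprivileged account to fall back to; 65534 is the conventional
# 'nobody' id on most Linux systems (assumption for this example).
FALLBACK_UID = 65534
FALLBACK_GID = 65534


def is_privileged():
    """True when the effective uid is root (the dangerous state)."""
    return os.geteuid() == 0


def lookup_account(user="nobody"):
    """Resolve a user name to (uid, gid), falling back to the assumed ids."""
    try:
        pw = pwd.getpwnam(user)
        return pw.pw_uid, pw.pw_gid
    except KeyError:
        return FALLBACK_UID, FALLBACK_GID


def drop_privileges(user="nobody"):
    """Irreversibly drop root to `user`.

    Returns True if privileges were dropped, False if the process was not
    root to begin with (already least-privilege; nothing to do).

    Order matters: supplementary groups, then gid, then uid. Once the uid
    is no longer 0 the earlier calls would fail with EPERM.
    """
    if not is_privileged():
        return False
    uid, gid = lookup_account(user)
    os.setgroups([])      # shed root's supplementary groups first
    os.setgid(gid)        # gid before uid: setgid needs root
    os.setuid(uid)        # setuid(2) as root sets real, effective AND saved uid
    os.umask(0o077)       # files we create are private to the service account
    return True


def cannot_regain_root():
    """Verify the drop: an attacker who exploits us must not be able to
    re-elevate. Using os.setuid (not os.seteuid) is what makes this hold,
    because the saved uid was also replaced."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # we got root back: the drop was only temporary


if __name__ == "__main__":
    print("started privileged:", is_privileged())
    print("dropped:", drop_privileges())
    print("now privileged:", is_privileged())
    print("re-elevation blocked:", cannot_regain_root())
```

Run it as an ordinary user and it reports that there was nothing to drop and that re-elevation is blocked; run it as root and it reports a successful drop with the same final state. The `cannot_regain_root` check is the part worth copying into a service's self-test: a drop done with `seteuid` alone leaves the saved uid at 0, and this check catches that mistake.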
"The Protection of Information in Computer Systems" by Jerome H. Saltzer, Senior Member, IEEE, and Michael D. Schroeder, Member, IEEE. Proceedings of the IEEE, Vol. 63, No. 9 (September 1975), pp. 1278-1308.
Manuscript received October 11, 1974; revised April 17, 1975. Copyright © 1975 by J. H. Saltzer.
The authors are with Project MAC and the Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, Mass. 02139.
http://www.whitehouse.gov/pcipb/ - “A National Strategy to Secure Cyberspace” published by President George W. Bush’s “Critical Infrastructure Protection Board” September 2002
HIPAA Specific references:
"HIPAA and Its Legal Implications for Health Care Information Technology Solution Providers", by The Rotbert Law Group LLC and the Information Technology Association
The paper provides an overview of HIPAA's legal implications for health care IT solution providers such as software vendors, application service providers, outsourcers and system integrators. It focuses on information technology law, including HIPAA privacy and security.
"Preparing for HIPAA: Privacy and Security Issues to be Considered", by Sherry Fischer
This white paper attempts to answer the question, "Given that faculty are involved in education, research and clinical practice at a variety of affiliated medical and research institutions, and data containing personal health information (PHI) resides in a distributed fashion in a variety of platforms, what are some of the ways that a large medical school can begin to implement HIPAA's controls and overcome the many potential barriers to compliance?"