Using the templates and sample documents provided alongside the Project 1 instructions, develop an Enterprise Key Management Policy. The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system. Research similar policy documents used by other organizations and adopt an appropriate example to create your policy. In the previous course, you learned how security professionals employ cryptography, a system of algorithms that hide data. You learned systems can be unlocked with a key provided to those who need to know that data. An important part of cryptography is how to manage these keys to the kingdom. This involves learning and understanding enterprise key management systems and concepts. Cryptography is the application of algorithms to ensure the confidentiality, integrity, and availability of
Superior Healthcare Enterprise Key Management Policy
Policy Statement: All employees of Superior Healthcare must comply with the defined guidelines relating to the enterprise key management system implemented by the institution. The implementation of the enterprise key management system in the Superior Healthcare network aims to maintain data confidentiality and integrity while ensuring that the data remains available and that its source is authenticated. Data confidentiality, integrity, availability, and source authentication should be maintained even after the migration into a web-based system (eFi). Unauthorized network users should be prevented from accessing or modifying data in transit, data at rest, and data in use. Access to the data in the Superior Healthcare network is defined by the various restrictions noted by Superior Healthcare and various local, state, and federal laws. Examples of these laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Reason for Policy: The purpose of this policy is to define the guidelines that will ensure that the data in the Superior Healthcare network is not compromised by attackers. This will be achieved by making certain that the key management system is effective, which in turn prevents the cryptosystems from being compromised by attackers. The guidelines defined in this policy will address various components of the enterprise key management system. These components include the processes, the procedures, the rules of behavior, and the user and administrator training conducted in relation to the enterprise key management system. Additionally, this policy also details the Protected Health Information (PHI) and transactions conducted by Superior Healthcare and the need to protect them to adhere to the standards set by the various US laws.
Definitions:
- Protected Health Information (PHI) – Protected health information includes the information generated and used by a healthcare provider such as Superior Healthcare. The protected health information is unique to an individual and can be used to identify them. Examples of protected health information include demographic information, medical diagnosis, medical treatment, medical history, as well as medical test results.
- Encryption – The process of encoding data into a format that cannot be used by individuals who are not authorized to access it.
- Decryption – The process of decoding data back into its original format that can be used.
- Cryptography – The process of securing data using various encryption and decryption algorithms.
- Crypto period – The lifespan of a key. The key is only allowed to be used during this period.
- Key – A variable value that is used to convert data from a format that can be used into a format that cannot be used. It also converts data back into a useful format from a format that cannot be used.
- Key Management – The key management process involves the creation, distribution, storage, replacement, and deletion of keys used in cryptosystems.
Responsible Executive and Office:
Responsible Executive: Chief Information Security Officer (CISO)
Responsible Office: Information Technology Department
Entities Affected by this Policy: The members and heads of different departments in the institution, as well as the management team members of the institution.
Procedures:
- Access to the Keys – Access to the keys is restricted to the authorized members of Superior Healthcare. These members include those in possession of parts of the master key that are used to provide access to the storage containing the keys. The keys are secured by applying Shamir’s Secret Sharing algorithm to a master key. The keys should not be kept in the same storage as the data they were used to encrypt. The keys will be stored in centralized storage secured using the 256-bit Advanced Encryption Standard.
- Key Management
  - A key administrator and a key manager will take on the role of managing the keys. The key administrator will be responsible for implementing the key management system and defining the role of the key manager, while the key manager will be responsible for the various processes involved in key management.
  - The keys will be generated using the 256-bit Advanced Encryption Standard.
  - When the keys are no longer useful, all copies of them will be destroyed at the end of their crypto period.
  - Immediate replacement o