DOH IT STAFF ALL HANDS MEETING
ENHANCED SECURITY ACCESS
Department of Health
05/31/2017
Agenda
  Introduction
  Current State
  Future State
  HIPAA Security Policy / Password Tips
  Summary ‐ Reset / Renew Password
    Register for Self Service Password Maintenance
    Self Service Password Reset / Forget Password
    Self Service Change Password
  Multi Factor Authentication
  Questions and Answers
Introduction
Objective
  Improve Security Access to DOH Resources
    Office 365 (Email, OneDrive, SharePoint, etc.)
    Application Systems (EMR, Financial, Personnel)
Why?
  Active Directory: Vulnerable to hackers
  DOH email Impossible Travel Security Alerts
  DOH email accounts appearing on Dark Web
  ETS Directive on Hardening Password Policy
  ETS Implementation of Multi‐factor Authentication
Current State
Current Security Access to Resources
Who Are You (Email Address)
What do you know (password)
  User choice – Length and Character String
  Permanent – Does not require changing
Too Vulnerable and not Secure Enough
Future State
Improve Security Access
  Who Are You (Email Address) – No Change
  What do you know
    Password
      Amended Security Password Policy SP 03.11
      Account locks (for 15 minutes) after 5 invalid logon attempts
    Security Questions – (3 out of 5)
  What do you own (code –> text, email, voice)
    Smartphone / Desk Phone
    Email address
HIPAA Security Policy
Amending Security Policy ‐ SP 03.11
Change will include new parameters for password security:
  10 characters minimum (lowercase/uppercase alphabet, numbers, and special characters).
  Change every 90 days.
  6 unique passwords before reusing a password.
Examples: DOH!sth3BE5t, Let5B3S@fe&
Password Tips
DO
  Use a passphrase to remember long passwords.
  Substitute letters with special characters (e.g., a to @).
  Protect your password like you would the keys to your house.
DON’T
  Use single dictionary words, sports teams, or popular names (such as Star Wars).
  Use personal information.
  Use anything you would put on social media.
  Use a “one‐upped” password, which means only changing your password by one character.
Summary ‐ Reset / Renew Password
Register for Self Service Password Maintenance
  http://aka.ms/ssprsetup
Self Service Password Reset / Forget Password
  http://portal.office.com
  Click on Can’t access your account
Self Service Change Password
  http://portal.office.com
  Go to Settings
  Click on Change your password
Central Reference Web Site
http://password.doh.hawaii.gov
  From a Browser
  No log in Required
  Web Site URL for Registration and Self‐Service Functions
  Detailed Step by Step instructions
Register Self Service Password Maintenance
  http://aka.ms/ssprsetup
  Set up 2 of the 3 options:
    Office Phone (Extensions not supported)
    Authentication Phone
    Security Questions
Self Service Password Reset / Forget Password
  http://portal.office.com
  Click on Can’t access your account
  Verify using options set up in registration (2 out of 3)
    Office Phone
    Authentication Phone
    Security Questions
  Reset your password
Self Service Change Password
  http://portal.office.com
  Go to Settings
  Click on Change your password
OR
  Domain computer – Ctrl + Alt + Delete
Multi‐Factor Authentication (MFA)
  User signs in from any device
    Using existing username/password
  Users must also authenticate using an email account, landline phone, mobile device, or authenticator app before access is granted
    Code is requested by sign on process
    Code sent to registered device or authenticator app (e.g., Microsoft Authenticator or Google Authenticator)
      Text, email, voice
    Code entered in sign on process
Plan and Timetable
May – Informational Briefings
  DEC
  DOH IT Staff
  Distribution of Documentation to all DOH Staff
June
  Staff Registration Period
  Training and Hands on Support
  System Configuration
July
  Activate Enhanced Password
  Multi Factor Authentication Planning and Activation
Questions?