domain controller in the cloud for small office?
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@larsen161 said in domain controller in the cloud for small office?:
Ah, ok I was worried I was missing something. So it's not a HIPAA security requirement but an internal company policy created based on an addressable but not required HIPAA component.
That's kinda understating it. Addressable are required as well unless you can show a reason why you can't do it, and then also show what you're doing instead.
Can you go above and beyond?
I feel like this is a trick question.
Well, it's a trick requirement, right? HIPAA has cross purposes if they require that insecure methods be used. Are you allowed to secure the environment more than that, or does HIPAA actually require below minimum industry bar security?
Do you have an example of an insecure method being required in HIPAA? If so, please provide it. The law itself doesn't stipulate what type of password policies to have, only that you have a policy. It doesn't stipulate that you have AV, but you must have a policy about AV.
So you are saying that they have an addressable policy, meaning that they accept excuses for not having a policy?
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason. And you addressed it. Now that said, I have no idea if that type of addressing will be acceptable to the auditors or not.
But of course you can go way over the top - Installed AV on the endpoints and the edge of the network for business locations, etc.
-
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
You want a policy about why a policy isn't better than it is.. now that seams reaching. Are you saying an auditor can ask (demand really) to know why they can't afford it?
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
-
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line. If you want, I suppose a reason for this policy being what it is could be included as a note on said policy, but the reasoning itself is not part of the policy.
-
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
@scottalanmiller said in domain controller in the cloud for small office?:
@dashrender said in domain controller in the cloud for small office?:
lol - you know they do. i.e. can't afford to purchase AV, that's the reason they don't have AV - ridiculous reason, but it's a reason.
That addresses why their policy states that they don't have AV. It does not state why they can't afford to have a policy.
They do have a policy, the policy is to not have AV. Well - at least I hope they took the 5 seconds it takes to write that policy.
But that's what we were discussing, why the policy was addressable. In what condition could you excuse not having a policy?
You've lost me - HIPAA says have an AV policy - such policy exists - it states, - the company will not have AV. period, end of line.
I thought that the policy type was "addressable" meaning that they could make an excuse for not having a policy. That's what I am discussing.
-
@larsen161 said in domain controller in the cloud for small office?:
@dashrender I'm not trying to understate it, just using the HIPAA terms, it's either addressable or required. definitions of the terms
@scottalanmiller the answer on this link explains it pretty well i think