Account and Access Management
Audit and Compliance
PHI and EPHI
Potpourri
Stuff You Should Know
100
These people are responsible for employees’ access to company systems and data.
Who are managers and leaders?
100
This is required if a legitimate business need exists for employees not to comply with security policies or standards.
What is a Security Deviation?
100
This always must be done to a workstation before it is left unattended.
What is lock, logoff, or Secure Epic?
100
View email.
What is spam or phishing email?
100
This must be carried out before providing network access to external parties.
What is a risk assessment?
200
This is who passwords should be shared with.
Who is no one?
200
Leaders are responsible for this, specific to their workforce members' roles and responsibilities.
What is knowing and communicating current security policies and procedures?
200
An example of where Protected Information should NOT be stored.
What is a public network drive, the C drive of a workstation, or any other personal device not company-managed, such as a home computer?
200
This can happen to employees who fail to comply with the company’s security policies, standards, and procedures.
What is appropriately disciplined?
200
Never leave these devices unsecured and unattended, e.g. in a vehicle. Take them with you or lock them up.
What are mobile devices that are company-owned (e.g. laptops, iPads, etc.) or company-managed (e.g. personal smartphones, tablets etc.)?
300
This policy defines the processes that govern the management of accounts. Account creation, account access, account changes, and terminations must be controlled and managed.
What is SEC-100-5 Account and Access Management policy?
300
This policy ensures that a department follows all security policies, standards, and procedures correctly within its area of responsibility and takes corrective action if found in non-compliance.
What is SEC-100-5, Compliance with Security Policies and Standards policy?
300
Electronic Protected Information can only be stored on these two types of mobile devices.
What are company-owned or company-managed devices?
300
These employees are responsible for reporting security incidents and vulnerabilities relating to external parties as well as communicating security requirements.
What are contract relationship owners?
300
This must happen prior to disposal of company hardware and media.
What is inspection by IS&T for company data or software?
400
All accounts need to be assigned to one of these.
What is an owner?
400
One way (example) leaders can make sure staff know and follow security policies and standards.
What are: i) ensure staff complete privacy and security online and in-person training, ii) ensure staff are security aware relevant to their roles and responsibilities, or iii) ensure staff are properly briefed on their security roles and responsibilities prior to being granted access to sensitive or protected data or information systems.
400
This must be managed, audited, and limited to the minimum amount necessary to perform a job, and is based on an employee's role.
What is employee access to Protected Information, PHI or ePHI?
400
These are 3 of the 5 key highlighted Protected Information topics.
What are Access, Encryption, Removable media, Visibility, or Storage?
400
This, specific to their employees' technology equipment (e.g. computers, laptops, iPads, etc.), is required of management and leaders.
What is an inventory of the IT assets owned or utilized by employees in their area?
500
The same passwords must not be used for these two purposes.
What are business and non-business purposes?
500
This is one example of a Security Awareness item that can help maintain or improve the level of security awareness for you and your staff.
What is: Receiving the Security Awareness Monthly Newsletters, Attending a Security Awareness In-Person Training Session, Becoming a Security Awareness Ambassador, or Visiting and Reading information on the myPartner or Facets IS&T Security page?
500
Protected Information must be encrypted when it is in these three states.
What is in storage, at rest, and in transit (outside of the HealthPartners network)?
500
This is used to evaluate performance and effectiveness of security controls.
What is a measurement system?
500
This policy states that management must require their workforce to apply security in accordance with established policies, standards and procedures of the organization. Staff must complete the privacy and security online and in-person training.
What is SEC-100-12, Security Awareness Education and Training policy?