Subject Matter Corner

White Papers

Zero Trust Multi-Cloud

“As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt zero trust architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with zero trust architecture. The Secretary of Homeland Security acting through the Director of CISA, in consultation with the Administrator of General Services acting through the FedRAMP within the General Services Administration, shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.” 

A Plausible Pre-History of Cryptography

Cryptography evolved through stages as cryptographic primitives were discovered and used. The pre-historical and historical records of a number of civilizations demonstrate the precursors of cryptography from which HTA Technology Security Consulting has formed an evolutionary hypothesis presented herein.

Original Article Best practice of Rendering CDA in a Cross Enterprise Document Sharing Environment

While much has been written about the Clinical Document Architecture (CDA) and the challenges of semantic interoperability, content modelling and implementation, little attention has been paid to the representation of the medical payload in CDA documents and its implications for usability and accessibility. The authors compare different methods of displaying CDA documents in a cross-enterprise environment, using the Austrian national patient health record system as an example. Strategies and decisions, as well as the technological approach and its security implications, are presented.

Method And Apparatus for Extracting Anchorable Information Units From Complex PDF Documents

A Study of Qualitative Dimensions in Authorization Infrastructures

The problem of insider threat is drawing more and more attention because of the great impact it has on organizations of all sizes. The threat is heightened by the access rights trusted insiders hold and by their knowledge of the information systems and the security measures put in place, which together make distinguishing insiders’ non-threatening activities from malicious ones a very difficult task. This project addresses the problem by providing a background study of key aspects of the insider threat problem, such as the definition of insider and insider threat, the motivations behind committing such crimes, and the mitigation controls proposed by different researchers.

A Standard for Software Architecture
HTA Technology Security Consulting

Today’s Chief Information Officers (CIOs) are faced with the important challenge of Information Technology governance. Governance is key to providing efficiency and effectiveness in the purchase, management, development, and retirement of information technology, and may also provide a means to direct technology toward a desired business end-state or future architecture. Many CIOs have issued Life Cycle Management Directives (LCMDs) as a basis for governance. An LCMD is a corporate policy containing definitions of required processes and documentation items that are aimed at providing significant direction to developers, maintainers, and users throughout the life cycle of IT systems. LCMDs generally establish one or more review boards that watch the progress of projects to ensure that LCMD standards are followed, and establish benchmarks at which projects must appear before these boards to argue compliance before moving on. Many CIOs have wisely based their Life Cycle Management Directives on engineering and management standards produced by recognized standards bodies such as the Institute of Electrical and Electronics Engineers (IEEE). There are many such standards; those related to software architecture are listed in appendix B of this work. These standards are highly regular and consistent, and form a robust set of guidelines that are particularly well constructed and useful for governance purposes.

Software Design
HTA Technology Security Consulting

Software Design is concerned with the analysis of software requirements to produce a description of the component structure of software that will serve as the basis for software construction. The previous white paper covered software requirements. The careful reader will recognize that there is overlap between the design description given here and the software requirements description given there. These areas do overlap in the real world, and it is not possible to say exactly where requirements stop and design begins. Advice given several years ago by Professor Al Davis is as follows: the requirements analyst is responsible for stating each requirement at an appropriate level so that design decisions are made appropriately. If a requirement is very specific, it constrains the designer’s ability to make design decisions; if it is very loose, the designer’s latitude is wider, but he may make decisions that are inappropriate. Requirements constraints should therefore be carefully tailored to the problem to be solved. The IEEE has provided five standards that deal with software design; they are listed at the end of this work. This paper attempts to bring those standards together into a single document to promote better understanding across the scope of the five design standards documents.

Software Requirements
HTA Technology Security Consulting

Software Requirements is concerned with the elicitation, analysis, specification, and validation of software requirements. The IEEE has provided ten standards that deal with software requirements; they are listed at the end of this work. This paper attempts to bring those standards together into a single document to promote better understanding across the scope of the ten requirements standards documents.

Understanding FISMA Reporting Requirements
HTA Technology Security Consulting

The Government Information Security Reform Act of 2000 (GISRA) combined existing IT security requirements from previous legislation: the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Management Reform Act of 1996 (Clinger-Cohen). After GISRA expired in November 2002, the Federal Information Security Management Act (FISMA) was passed by Congress and signed into law by the President as part of the Electronic Government (E-Government) Act of 2002. FISMA includes new requirements targeted at further strengthening information and system security. Because FISMA applies to information and information systems used by agencies, contractors, and other organizations, it has a wider applicability than previous security laws. It applies to all organizations that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of a Federal agency, including contractors, state and local governments, and industry partners.

Wireless Security Basics
HTA Technology Security Consulting

Connecting computers, printers, personal digital assistants (PDAs) and other networks together wirelessly provides a mobile environment at home or in the workplace. Organizations worldwide are realizing that this mobile environment has an associated cost. In some instances, even with proper security in place, the cost to the organization could be the loss of sensitive information.

IT Business Case Template: Voice over Internet Protocol (VoIP) Solutions
ZDNet Makes the Case Series

Voice over Internet Protocol (VoIP) is one benefit of the convergence between data and telecommunications. Companies today are seeing the value of transporting voice over IP networks to reduce telephone and facsimile costs and to set the stage for advanced multimedia applications and services such as unified messaging, in which voice, fax, and e-mail are all combined.

IT Business Case Template: Virtual Private Network (VPN)
ZDNet Make the Case Series

Virtual Private Network (VPN) technology has attracted the attention of many organizations looking both to expand their networking capabilities and to reduce their costs. As companies become more decentralized, they find themselves with employees all over the country and around the world. Increasingly, these workers need the same access to corporate information as those still at headquarters. Enterprises are finding benefits in enabling skilled employees to telecommute. With the increased use of remote access, site-to-site connectivity and extranets, and with interest in extending the enterprise on the upswing, it is clear that VPNs can potentially provide many benefits.

This business case explores the opportunities and benefits that can be realized in the deployment of VPN product(s) or solution(s), as well as the costs and associated risks involved. However, the template may need customization. Each organization is likely to have unique challenges and opportunities that the business case should address.

Security Services for Windows 2000
Microsoft Service Providers

Security services are an essential part of a modern network operating system. They have a deep impact on the future of your infrastructure, your system administration practices, and the overall user experience of your company’s information systems.

Fast Path to Security Incident Response and Recovery
Microsoft TechNet
Microsoft Fast Track

Every network will eventually be the victim of a computer security incident. System administrators need to be prepared for security incidents and respond quickly to minimize and repair the damage.

Security and Privacy Workgroup
Donna Steele and Michelle Chaudry
WEDI – SNIP Security and Privacy Workgroup

Donna Steele, Deidentification Sub-group Chairman
Comdisco Healthcare Group

Michelle Chaudry HTA Technology Security Consulting

WEDI – Strategic National Implementation Process (SNIP) De-identification and Limited Data Set White Paper SNIP De-identification …
