Certification and compliance with FFM including computer and internet security.

A potential client, and insurance agent, with two computers and an Internet connection has approached me about upgrading to better computers (they're ten years old on XP) as he is going to participate in a private healthcare exchange. I'm good on the computer upgrades and software, but I'm stumped on his email needs.

He tells me he needs secure email that complies with the following statement: "Certification and compliance with FFM including computer and internet security." FFM is "Federally Facilitated Marketplace" (the exchange, I presume).

Anyone know what I need to do re his email and other security?
LVL 1
Bruce CorsonPresidentAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cris HannaSr IT Support EngineerCommented:
I would ask the customer if he has a link, reference, etc.   Goggle has nothing.
How does he get his email now?   POP3 from an ISP?
0
btanExec ConsultantCommented:
You should check the "Privacy Standards and Issues" and "Information security" below where by the secure email will ensure Confidentiality, Availability and Integrity using the upgraded machine.

E.g. machine is hardened with latest Windows OS that is more secure than XP which is going end of support by Apr 2014, the security application such as host intrusion prevention s/w can be installed that make up the firewall and AV to ensure and detect malicious intrusion so as to maintain clean slate of security health and integrity. Information exposure is to be reduced with device control with locked down on unnecessary ports such as USB or WIFI or Bluetooth (unless needed) using the OS security local policy (or GPO if it is domain joined). Windows 7 Professional above has Bitlocker, Applocker that can encrypt the harddisk to ensure theft of HDD will maintain secure data at rest, also allowing authorised application to run when configured respectively.

E.g. Importantly, secure email is supported in Outlook using SMIME with digital ID personalised using your certificate or credential identifying it is the real you when communicating with other parties. It can encrypt and signed email.

http://www.cms.gov/CCIIO/Programs-and-Initiatives/Health-Insurance-Marketplaces/Downloads/agent-broker-ffm-training-summary.pdf

There are three key elements to protecting information:
o Confidentiality: Protecting information from unauthorized disclosure to people or process.
o Availability: Defending information systems and resources from malicious, unauthorized users to
ensure accessibility by authorized users.
o Integrity: Assuring the reliability and accuracy of information and IT resources.

Agents and brokers can apply certain controls – policies, procedures, and practices that manage risk and
protect IT assets – to protect information within the Marketplaces.
• There are steps agents and brokers can take to help promote information security in the Marketplaces.
Most importantly, NEVER share your password.
0
Bruce CorsonPresidentAuthor Commented:
ChrisHanna_MVP, thank you for your thoughts. I of course have asked him, he has nothing to help, and as he is my client I have opted not to point out this shortcoming. Current email is web-based Yahoo...one of the most insecure I know.

Breadtan, thank you ever so much. It looks like there's an answer in there but I need a couple days to study this. I will respond as soon as I can.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

btanExec ConsultantCommented:
Since he is using yahoo web email, it wouldnt be the most secure. I dont think it support SMIME, probably need to encrypt attachement or do PGP but can be hassle. Maybe can consider hushmail (or even the business subscription)
 @ https://www.hushmail.com/services/hushmail/features/
(it can Send PGP encrypted email to anyone. All web access uses SSL.)
It even has security analysis done up, though not the most perfect but good enough
 @ https://help.hushmail.com/entries/245155-security-analysis
 @ https://www.hushmail.com/about/technology/security/

one interesting note is Secure web contact forms - anyone with a Hushmail account can collect confidential information on the web from their friends, family and customers.  It’s easy to set up, free (with a paid option), and secure. e.g. The information your website visitors enter into your web forms, including file uploads, will be encrypted and delivered to your Hushmail Inbox. May be good for survey and collection of info from customers
0
Bruce CorsonPresidentAuthor Commented:
Thanks to both of you for comments. However, nowhere in what I've read from above does it say what the government is defining as secure. Why can't these dweebs define it so we don't run afoul of the law?
0
btanExec ConsultantCommented:
Understand your challenge as there is no stamping of any official secure email for FFM is I read it right. For public folks to declare secure it would have to go through stringent evaluation (reaching their own national security standard and crtierias) and complied with them. Each country has their evaluation body and evolved from industry best practices...like US has FISMA and NIST as the standard body. UK has CESG for evaluation and standard.

e.g. NIST has Guidelines on Electronic Mail Security - check out the Appendix for list of tools, resources and checklist. But i see no FFM specific. But security posture should not be worst off and doubt FFM go below
http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf

the checklist is good start from this well recognised body an the "Securing Mail Clients" worth sharing. Microsoft has their "Secure Mail" article too
http://technet.microsoft.com/en-us/library/cc962043.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bruce CorsonPresidentAuthor Commented:
All helpful information, does not indicated the real answer, but I'm going to comply with HIPAA requirements until the client can find the actual requirements. Government, geez.

Pls don't misinterpret...all of this information was helpful. Think I may use hushmail.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.