Tuesday, February 26, 2019
General Security Policy
Sample Information Security Policy

I. POLICY

A. It is the policy of ORGANIZATION XYZ that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within ORGANIZATION XYZ.

C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

II. SCOPE

A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.

B. The framework for managing information security in this policy applies to all ORGANIZATION XYZ entities and workers, and other Involved Persons and all Involved Systems throughout ORGANIZATION XYZ as defined below in INFORMATION SECURITY DEFINITIONS.

C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

III. RISK MANAGEMENT

A. A thorough analysis of all ORGANIZATION XYZ information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or manmade, electronic and non-electronic) that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.

B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the number and scope of the vulnerabilities.

IV. INFORMATION SECURITY DEFINITIONS

Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.

Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at ORGANIZATION XYZ, no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.

Involved Systems: All computer equipment and network systems that are operated within the ORGANIZATION XYZ environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the ORGANIZATION XYZ entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies or can be used to identify the individual.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

V. INFORMATION SECURITY RESPONSIBILITIES

A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of ORGANIZATION XYZ. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI, Information Classification.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.
8. Reporting on a regular basis to the ORGANIZATION XYZ Oversight Committee on the entity's status with regard to information security.

B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the ORGANIZATION XYZ Information Owner Delegation Form. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information, relying on advice from the Legal Department.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
8. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

D. User Management: ORGANIZATION XYZ management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:
1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees' security records current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access of terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for training required to properly use the computer systems.
6. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Refer all disclosures of PHI (1) outside of ORGANIZATION XYZ and (2) within ORGANIZATION XYZ, other than for treatment, payment, or health care operations, to the applicable entity's Medical/Health Information Management Department. In certain circumstances, the Medical/Health Information Management Department policies may specifically delegate the disclosure process to other departments. (For additional information, see the ORGANIZATION XYZ Privacy/Confidentiality of Protected Health Information (PHI) Policy.)
4. Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.
5. Report promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
6. Initiate corrective actions when problems are identified.

VI. INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of information.
Regardless of classification, the integrity and accuracy of all classifications of information must be protected. The classification assigned and the associated controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:

A. Protected Health Information (PHI)
1. PHI is information, whether oral or recorded in any form or medium, that
a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and
b. relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
c. includes demographic data that permits identification of the individual or could reasonably be used to identify the individual.
2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to ORGANIZATION XYZ and its patients or research interests.

B. Confidential Information
1. Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Examples of Confidential Information may include personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for ORGANIZATION XYZ, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.

C. Internal Information
1. Internal Information is intended for unrestricted use within ORGANIZATION XYZ, and in some cases within affiliated organizations such as ORGANIZATION XYZ business partners. This type of information is already widely distributed within ORGANIZATION XYZ, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include personnel directories, internal policies and procedures, and most internal electronic mail messages.
2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.

D. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of ORGANIZATION XYZ. Examples of Public Information may include marketing brochures and material posted to ORGANIZATION XYZ entity network web pages.
2. This information may be disclosed outside of ORGANIZATION XYZ.

VII. COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of ORGANIZATION XYZ and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

A. Ownership of Software: All computer software developed by ORGANIZATION XYZ employees or contract personnel on behalf of ORGANIZATION XYZ, or licensed for ORGANIZATION XYZ use, is the property of ORGANIZATION XYZ and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.

B. Installed Software: All software packages that reside on computers and networks within ORGANIZATION XYZ must comply with applicable licensing agreements and restrictions and must comply with ORGANIZATION XYZ acquisition of software policies.

C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

D. Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by ORGANIZATION XYZ. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods:

1. Authorization: Access will be granted on a need-to-know basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The external factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.

2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
a. At least one of the following authentication methods must be implemented:
1. strictly controlled passwords (Attachment 1, Password Control Standards),
2. biometric identification, and/or
3. tokens in conjunction with a PIN.
b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes).
d. The user must log off or secure the system when leaving it.

3. Data Integrity: ORGANIZATION XYZ must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:
a. transaction audit
b. disk redundancy (RAID)
c. error correction code (Error Correcting Memory)
d. checksums (file integrity)
e. encryption of data in storage
f. digital signatures

4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
a. integrity controls, and
b. encryption, where deemed appropriate.

5. Remote Access: Access into the ORGANIZATION XYZ network from outside will be granted using ORGANIZATION XYZ approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the ORGANIZATION XYZ network.

6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:
a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards, which must include procedures that will:
1. Position workstations to minimize unauthorized viewing of protected health information.
2. Grant workstation access only to those who need it in order to perform their job function.
3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to PHI.
5. Use automatic screen savers with passwords to protect unattended machines.
d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
1. Contingency Operations: Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Security Plan: Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
3. Access Control and Validation: Documented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records: Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).

7. Emergency Access:
a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
b. Procedures must be documented to address:
1. Authorization,
2. Implementation, and
3. Revocation.

E. Equipment and Media Controls: The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specifications must be addressed:
1. Information Disposal / Media Re-Use of:
a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD-ROM disks
2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefor.
3. Data Backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment.

F. Other Media Controls:
1. PHI and Confidential Information stored on external media (diskettes, CD-ROMs, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information. Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas.
2. PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:
a. Power-on passwords
b. Auto logoff or screen saver with password
c. Encryption of stored data or other acceptable safeguards approved by the Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
3. If PHI or Confidential Information is stored on external media or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the media/device will be held personally accountable and is subject to the terms and conditions of the ORGANIZATION XYZ Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with ORGANIZATION XYZ.

H. Data Transfer/Printing:
1. Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Internal Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities (see ORGANIZATION XYZ policy B-2 entitled Business Associates).
2. Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PHI and Confidential Information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes should, where possible, be de-identified before use.

I. Oral Communications: ORGANIZATION XYZ staff should be aware of their surroundings when discussing PHI and Confidential Information. This includes the use of cellular telephones in public areas. ORGANIZATION XYZ staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.

K. Evaluation: ORGANIZATION XYZ requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.

L. Contingency Plan: Controls must ensure that ORGANIZATION XYZ can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following:
1. Data Backup Plan:
a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
b. Backup data must be stored in an off-site location and protected from physical damage.
c. Backup data must be afforded the same level of protection as the original data.
2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses, and the subsequent process of revising the documentation, if necessary.
5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.

Compliance 164.308(a)(1)(ii)(C)

A. The Information Security Policy applies to all users of ORGANIZATION XYZ information including employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable ORGANIZATION XYZ procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with ORGANIZATION XYZ procedures. Further, penalties associated with state and federal laws may apply.

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
1. Unauthorized disclosure of PHI or Confidential Information as specified in the Confidentiality Statement.
2. Unauthorized disclosure of a sign-on code (user id) or password.
3. Attempting to obtain a sign-on code or password that belongs to another person.
4. Using or attempting to use another person's sign-on code or password.
5. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
6. Installing or using unlicensed software on ORGANIZATION XYZ computers.
7. The intentional unauthorized destruction of ORGANIZATION XYZ information.
8. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

ATTACHMENT 1: Password Control Standards

The ORGANIZATION XYZ Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). (See the ORGANIZATION XYZ Information Security Policy for definitions of these protected classes of information.) Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing PHI, CI, II: Users are responsible for complying with the following password standards:
1. Passwords must never be shared with another person, unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly (between 45 and 90 days depending on the sensitivity of the information being accessed).
3. Passwords must, where possible, have a minimum length of six characters.
4. Passwords must never be saved when prompted by any application, with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children's names, pets' names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:
1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.
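As an added illustration (not part of the sample policy itself), the following Python module shows how the system-enforced standards in Attachment 1 (minimum length of six, no dictionary or user-associated words, a password history that blocks reuse, a forced change within the 90-day upper bound, and lockout after more than three consecutive invalid passwords within 15 minutes for at least 30 minutes) and the 15-minute inactivity re-authentication from section VII.D.2.c can be expressed as checks. The Account and Session classes, the sample word list and the timestamps the caller passes in are constructed for this example; a real deployment would take the clock from the system and the word list from a maintained dictionary.

```python
"""Account-control checks modelled on the policy's password and session rules.

Added example, not part of the original policy document. Names, the dictionary
sample and the time values fed in by the caller are constructed for illustration.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 6
MAX_AGE_SECONDS = 90 * 24 * 3600   # upper bound of the 45-90 day change interval
FAILURE_WINDOW = 15 * 60           # consecutive failures are counted within 15 minutes
FAILURE_LIMIT = 3                  # lock when MORE than this many failures occur
LOCKOUT_SECONDS = 30 * 60          # minimum lockout duration
IDLE_TIMEOUT = 15 * 60             # maximum period of no activity before re-authentication

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "welcome", "hospital", "summer", "letmein"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored history entries cannot be compared across accounts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    associated_words: set                          # names, birthdays etc. tied to the user
    history: list = field(default_factory=list)    # [(salt, hash)], newest last
    password_set_at: float = 0.0
    failures: list = field(default_factory=list)   # timestamps of consecutive failures
    locked_until: float = 0.0

    def check_new_password(self, candidate: str) -> Optional[str]:
        """Return a rejection reason, or None if the candidate is acceptable."""
        if len(candidate) < MIN_LENGTH:
            return "too short"
        low = candidate.lower()
        if low in DICTIONARY:
            return "dictionary word"
        if any(w.lower() in low for w in self.associated_words):
            return "associated with user"
        if any(_hash(candidate, salt) == h for salt, h in self.history):
            return "previously used"
        return None

    def set_password(self, candidate: str, now: float) -> bool:
        """Accept the candidate only if every standard passes; keep it in the history."""
        if self.check_new_password(candidate) is not None:
            return False
        salt = os.urandom(16)
        self.history.append((salt, _hash(candidate, salt)))
        self.password_set_at = now
        return True

    def password_expired(self, now: float) -> bool:
        return now - self.password_set_at > MAX_AGE_SECONDS

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def authenticate(self, attempt: str, now: float) -> bool:
        """Verify against the current password and apply the lockout rule."""
        if self.is_locked(now) or not self.history:
            return False
        salt, current = self.history[-1]
        if _hash(attempt, salt) == current:
            self.failures.clear()          # a success ends the consecutive run
            return True
        # Drop failures older than the 15-minute window, then record this one.
        self.failures = [t for t in self.failures if now - t <= FAILURE_WINDOW]
        self.failures.append(now)
        if len(self.failures) > FAILURE_LIMIT:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures.clear()
        return False


@dataclass
class Session:
    last_activity: float

    def touch(self, now: float) -> bool:
        """Record activity; return False when the idle limit was already exceeded."""
        if now - self.last_activity > IDLE_TIMEOUT:
            return False                   # caller must force re-authentication
        self.last_activity = now
        return True
```

The clock is passed in rather than read from time.time() so the lockout and idle rules can be exercised deterministically; substituting the real clock is a one-line change at each call site.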