Foresight Security Policy SOP-018


SOP-018 Version: 2.0 Effective Date: 15-Feb-2013

Table of Contents

1. Document History
2. Approval Statement
3. Purpose
4. Scope
5. Abbreviations
6. Procedures
   6.1 Physical Security - Offices
   6.2 Physical Security - Datacenter
   6.3 Logical Security
       Virtual Private Network (VPN)
       Screensavers
       Firewall
       Domain Password Parameters
   6.4 E-mail and Portal Systems
   6.5 Laptops for Employees
   6.6 Computers for Contractors
   6.7 Mobile Messaging Devices
   6.8 Virus Protection
   6.9 Backup and Restore
7. Termination
8. Audit
9. HIPAA (Healthcare Insurance Portability and Accountability)

File: SOPS Security Policy.doc Page 2 of 10

1. Document History

   Issue Date  Author       Summary of Changes
   Sep-2008    Eric Stroud  First issuance
   Feb-2013    Eric Stroud  Revised to reflect new processes for QTS, use of ESET antivirus, VPN use, and references to new firewall and backup/restore procedures

   Author ____________________  Date __________

2. Approval Statement

The undersigned agree that the information detailed in this document accurately depicts the requirements and procedures for Security Policy.

   Partner in Charge of Security ____________________  Date __________
   Partner in Charge of Computer Systems / CIO ____________________  Date __________
   Partner in Charge of Quality ____________________  Date __________

3. Purpose

The purpose of this SOP is to provide procedures that guard and protect Foresight computerized systems and physical structure against loss, corruption and unauthorized access.

4. Scope

This security policy document defines a standardized approach to computerized system security. It also addresses security issues pertaining to computerized systems used to create, modify, maintain, archive, retrieve, or transmit clinical data intended for submission to the Food and Drug Administration (FDA).

This SOP is written in accordance with the Code of Federal Regulations (CFR) Title 21 Part 11, Electronic Records, Electronic Signatures Regulations; Guidance for Industry, Computerized Systems used in Clinical Trials, US Dept. of Health and Human Services, April 1999; and the ICH regulatory guidelines for Good Clinical Practice (GCP) (E6) and Statistical Principles for Clinical Trials (E9).

5. Abbreviations

   AD       Active Directory
   CFR      (United States) Code of Federal Regulations
   FDA      Food and Drug Administration
   GCP      Good Clinical Practice
   ICH      International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use
   ID       Identification
   IP       Internet Protocol
   NTFS     (Microsoft) New Technology File System
   PIC-Sec  (Foresight) Partner in Charge of Security
   QTS      Quality Technology Services
   VM       Virtual Machine
   VPN      Virtual Private Network

6. Procedures

Foresight hardware, software and data (local or remote) must be protected against loss, corruption and unauthorized access. This SOP defines the physical and logical security procedures that are designed to protect all company computerized hardware and software from accidental or malicious access, use, modification, destruction, or disclosure. Security, for the purposes of this document, also pertains to personnel, data, communications, and the physical protection of computer systems from violence, viruses, and other compromises.

High-level network security is achieved through user validation, NTFS security and password protection on files and other objects, and by securing the network itself. In some cases, systems are completely isolated, which mitigates risks from internal network users and from external exploitation.

6.1 Physical Security - Offices

1. Access to Foresight's office is limited to employees or contractors (Foresight resources) who have been granted ID cards and/or keys to access the Foresight office by the partner in charge of security (PIC-Sec) or designee.
2. Physical access requests are documented using FRM-700 Access Request.
3. Visitors to the Foresight office must sign in at building security.
4. First-time visitors to the Foresight office must be met by a Foresight resource in the lobby and escorted to the office.
5. PIC-Sec or designee will maintain a log of all resources with key cards and keys to the Foresight office.

6.2 Physical Security - Datacenter

1. Foresight follows the physical security process at QTS, its co-location vendor.
2. QTS's operating practices for clients and visitors require that permission or approval to conduct any activities within the organization must follow a structured, regimented process (ref. QTS SSAE 16).
3. The PIC-Sec, CIO or IT Manager is responsible for supplying QTS with the list of Foresight resources that have permission to perform work at the datacenter.
4. All Foresight resources approved for QTS access by the PIC-Sec must conform to the background check and security verification processes imposed by QTS.

6.3 Logical Security

Logical security features prevent unauthorized access to software applications and data. Logical security access requests are documented using FRM-700 Access Request.
Logical security features include restricted access audits and procedures; secure use of electronic mail systems, virus protection software, and remote access control policies. Foresight has the following safeguards in place to ensure that access to the software and to the data is restricted to authorized personnel only (section ):

Virtual Private Network (VPN)

1. The Foresight Virtual Private Network uses a Cisco IPsec VPN configuration with encryption (refer to the Foresight Network Diagram).
2. The VPN authenticates a user's login information against Active Directory (AD) via a RADIUS service (hosted on the AD server). A running access log is maintained in the AD security event viewer. Access is only granted when the following conditions are met:
   a) The supplied user credentials are correct;
   b) The correct VPN group has been selected; and,
   c) The user account is active (not locked or inactivated).
3. Foresight VPN access may be restricted by IP address range. For example, the Jersey City, NJ office is within a specifically-allowed IP address range for the VPN.

Screensavers

1. Foresight requires that a password-protected screen saver activates after 10 minutes of inactivity on any of its Foresight-owned/issued laptops and desktops. This prohibits unauthorized access and prevents data manipulation by anyone other than the appropriate user.

Firewall

1. The Foresight firewall is maintained and controlled in accordance with procedure SOPS-023 Firewall and Switch Management.

Domain Password Parameters

Domain passwords are used for authentication to the Foresight VPN. A domain password has the following parameters:

1. Maximum password age is 42 days;
2. Minimum length is 6 characters; and,
3. Password must meet complexity requirements as follows:
   a. Not contain the user's account name or parts of the user's full name that exceed two consecutive characters; and,
   b. Contain characters from three of the following four categories:
      i. English uppercase characters (A through Z)
      ii. English lowercase characters (a through z)
      iii. Base 10 digits (0 through 9)
      iv. Non-alphabetic characters (for example, !, $, #, %)
   c. Complexity requirements are enforced when passwords are changed or created.

6.4 E-mail and Portal Systems

1. Foresight e-mail is provided through Apptix.
2. The Foresight Shareweb is provided through Sherweb.
3. A Foresight e-mail account and a Sherweb account are provided to Foresight resources at the start of the resource's employment or engagement by the Foresight IT Manager.
4. Initial passwords for each system will be set by a password generation system or the Foresight IT Manager.
5. Initial passwords will be unique each time a new password is generated.
6. Initial passwords will be distributed by separate e-mails or are communicated directly via phone.
7. Users must change the initial password after successfully being authenticated into the system. This is procedural and not an automatically prompted change.
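The domain password parameters above (42-day maximum age, 6-character minimum, no account name or name part longer than two characters, three of four character categories) can be checked before a password reaches the directory, which lets a help desk or a self-service tool reject a weak password with an explanation instead of a bare "does not meet complexity requirements". The Python below is an added example and not Foresight's or SOP-018's own tooling; the function names, the splitting of the full name on common separators, and the use of ISO-8601 date strings for the age check are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Domain password parameters as stated in SOP-018 "Domain Password Parameters".
MAX_AGE = timedelta(days=42)   # maximum password age
MIN_LENGTH = 6                 # minimum length
MIN_CATEGORIES = 3             # categories required out of the four below

# The four character categories. Digits are their own category, so the fourth
# category is restricted to characters that are neither letters nor digits.
CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non_alphabetic": re.compile(r"[^A-Za-z0-9]"),
}

# Assumption of this example: "parts of the user's full name" are obtained by
# splitting the full name on common separators, and only parts longer than two
# characters are compared (case-insensitively) against the password.
NAME_SEPARATORS = re.compile(r"[,.\-_ #\t]+")


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def check_domain_password(password: str, account_name: str, full_name: str) -> PolicyResult:
    """Evaluate a candidate password against the SOP-018 domain parameters.

    Every rule is checked, so `failures` lists all problems at once rather
    than stopping at the first one.
    """
    failures = []
    lowered = password.lower()

    # Rule 2: minimum length
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 3a: no account name, no name part longer than two characters
    if account_name and account_name.lower() in lowered:
        failures.append("contains the account name")
    for part in NAME_SEPARATORS.split(full_name):
        if len(part) > 2 and part.lower() in lowered:
            failures.append(f"contains name part '{part}'")

    # Rule 3b: characters from at least three of the four categories
    present = [name for name, pattern in CATEGORY_PATTERNS.items() if pattern.search(password)]
    if len(present) < MIN_CATEGORIES:
        failures.append(
            f"uses {len(present)} of 4 character categories ({', '.join(present) or 'none'}); "
            f"{MIN_CATEGORIES} required"
        )

    return PolicyResult(ok=not failures, failures=failures)


def password_expired(last_set_iso: str, today_iso: str) -> bool:
    """Rule 1: a password older than MAX_AGE must be changed.

    Both dates are ISO-8601 strings (YYYY-MM-DD), e.g. a password-last-set
    value exported from the directory and the date of the check.
    """
    last_set = date.fromisoformat(last_set_iso)
    today = date.fromisoformat(today_iso)
    return today - last_set > MAX_AGE


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for pw in ("Secret1", "password", "JohnDoe1!", "Ab1"):
        result = check_domain_password(pw, "jdoe", "John Doe")
        print(f"{pw!r}: {'OK' if result.ok else 'REJECTED: ' + '; '.join(result.failures)}")
    print("expired:", password_expired("2013-01-01", "2013-02-15"))
```

Because the directory enforces these rules only when a password is created or changed (rule 3c), a pre-check like this is most useful in the initial-password generation step of section 6.4, where the generated value can be validated before it is distributed.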

6.5 Laptops for Employees

1. Depending on their job role and project responsibilities, a Foresight employee may be issued a company laptop.
2. All Foresight-issued laptops will include an anti-virus product.
   a) Employees must keep the anti-virus product active when the laptop is powered on.
   b) If a virus is detected on the laptop, the employee must inform his Foresight manager and the PIC-Sec within 24 hours using an un-infected facility.
3. Employees must set a password with at least the following characteristics for access to the laptop:
   a) Minimum 8 character length
   b) Include at least one upper case character
   c) Include at least one lower case character
   d) Include one or more special characters (! # ? * ( ) ^)
   e) Include one or more digits
4. Employees must set the idle time-out on the laptop to be no more than 10 minutes, requiring re-authentication.
5. Employees are requested to back up their Foresight-issued laptops at least monthly or to keep all documents on the Foresight Shareweb portal.
6. Each employee must complete and sign FORM Annual Security Policy Acknowledgment indicating that they understand their requirements related to this SOP and to securing their laptops.
7. PIC-Sec or designee may conduct audits of employees to verify compliance.

6.6 Computers for Contractors

1. Generally, Foresight does not issue company laptops to its contractors. On occasion, contractors are issued laptops by Foresight's clients for whom the contractor is engaged.
2. If a contractor is issued a Foresight laptop, the contractor is obligated to follow the practices of an employee who is issued a laptop by Foresight.
3. If a contractor is using his/her own computer for Foresight business, the contractor must:
   a. Set the idle time-out to be the same as the idle time-out for a Foresight employee.
   b. Use a current anti-virus product.
   c. Report any intrusions or viruses on the computer to the Foresight manager within 24 hours of detection using an un-infected facility.
   d. Complete FORM Annual Security Policy Acknowledgment indicating that s/he understands his/her requirements related to this SOP and securing his/her computer.

6.7 Mobile Messaging Devices

1. Foresight may issue mobile messaging devices to employees.
2. Employees who have a mobile device with connections to Foresight systems must require power-on authentication to prevent unauthorized access to the device.

3. Employees who have a mobile device with connections to Foresight systems must set an idle timeout of no longer than 10 minutes, requiring authentication.
4. Foresight provides support for employees who configure ActiveSync on their own phones.
5. In the event that a mobile device is lost or stolen, ActiveSync is disabled to prevent access to company e-mail. This feature is activated by the Foresight IT Manager following a notification by an employee.

6.8 Virus Protection

Foresight uses ESET NOD32 Antivirus for the detection of viruses, malware, and trojans. Active scanning is performed, and inbound and outbound e-mails are scanned. ESET runs on all Foresight-issued machines. ESET automatically looks for virus signature database updates and applies them automatically. Additionally:

1. All Foresight networked servers are required to run the ESET anti-virus product for server installations.
2. If a virus is detected on a server, it is immediately dealt with either by trying to clean the virus out of the infected medium or by removing the virus and quarantining it for submittal to the anti-virus vendor for examination.
3. Foresight users with a company-issued machine must accept any updates detected by ESET to remain current with virus signatures.

6.9 Backup and Restore

1. Backup and restore processes for Foresight infrastructure are performed and monitored in accordance with procedure SOPS-025 Backup and Restore.

7. Termination

To limit liability, Foresight reserves the right to discontinue system access immediately if deemed necessary, but may also allow continued access through the termination notice effective date.

1. Employees must return Foresight equipment, software, project-related information or Intellectual Property, and all items that were purchased by, or expensed to, Foresight.
2. Employees must return key cards and physical keys.
3. PIC-Sec or designee must inform building security of the employee's termination and instruct them to deny the employee access to the building.
4. Employees must complete and sign FORM Termination - Return of Foresight Assets associated with the termination, indicating that all equipment has been returned.
5. All accounts must be deactivated by the IT Manager (e.g. AD, portal, and e-mail).
6. PIC-Sec, CIO or designee may decide to review the contents of the returned equipment.

7. Foresight equipment that is issued to another Foresight resource must be purged before being reissued.

8. Audit

Qualified Foresight infrastructure will be periodically audited to identify attempts at unauthorized access.

1. Server security and event logs on qualified Foresight infrastructure may be audited on demand by a request from the PIC-Sec or CIO.
2. Any failures in the event logs and security logs must be analyzed for patterns of attempted security breaches or ineffective security practices. When appropriate, the IP address used to gain access to a network appliance should be identified, along with the dates and times of the access attempts.
3. The IT Manager or designee will update the PIC-Sec and CIO on any findings from the audit. This update may be performed verbally in a scheduled meeting, or may be a private memorandum.

9. HIPAA (Healthcare Insurance Portability and Accountability)

The HIPAA Privacy Rule (45 CFR (b)(1)) requires training and holds organizations accountable for regulatory compliance, security, and the behavior of employees. Foresight has implemented a system for certifying that any Foresight resource exposed to Protected Health Information (PHI) on a Foresight-owned system receives training on privacy. Required training covers the vulnerabilities of protected health information and the procedures implemented to protect that information.

1. Any Foresight resource that has or will come into contact with PHI on a Foresight-owned system must undergo HIPAA awareness training. The Training Manager and/or the resource are responsible for identifying the need for HIPAA awareness training.
2. If Foresight resources are contracted by another company wherein PHI is available, the company contracting Foresight resources is responsible for providing HIPAA training.
3. HIPAA awareness training may be provided by an external training resource or guided self-study.
4. Foresight will ensure that the following subjects are included in the HIPAA awareness training:
   a. Key HIPAA components
      i. Federal laws, State laws, regulations
      ii. Patient rights: access, amend, accounting of disclosures, confidential communication
      iii. Notice of Privacy
      iv. Authorizations for Use and Disclosure
      v. Re-disclosure
      vi. Informed Consent Requirements
      vii. De-identification
      viii. Exclusions

      ix. Transition Requirements
      x. Privacy and Security Requirements
      xi. Record Retention Requirements
      xii. HIPAA References
      xiii. Any changes or updates
5. Training will be documented in accordance with SOPS-011 Training Procedure.
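Section 8, item 2 asks that failures in the event and security logs be analyzed for patterns of attempted breaches, and that the source IP address be identified together with the dates and times of the attempts. The Python below is an added example of that analysis and is not part of SOP-018 or Foresight's tooling: it parses a constructed, simplified export of logon results, groups failures by source address, flags any source with a burst of failures inside a short window, and renders the dates, times and accounts involved as lines for the memorandum to the PIC-Sec and CIO. The line format, the field names, the threshold of 3 failures per 5-minute window, and the sample records themselves are assumptions of the example; the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon records (not real Foresight log data). The format is a
# simplified text export: timestamp, result, account, source IP and, on failures, a reason.
SAMPLE_LOG = """\
2013-02-14 08:15:03 FAIL user=jdoe src=203.0.113.7 reason=bad_password
2013-02-14 08:15:09 FAIL user=jdoe src=203.0.113.7 reason=bad_password
2013-02-14 08:15:20 OK   user=jdoe src=203.0.113.7
2013-02-14 22:01:11 FAIL user=admin src=198.51.100.23 reason=bad_password
2013-02-14 22:01:12 FAIL user=eric src=198.51.100.23 reason=bad_password
2013-02-14 22:01:14 FAIL user=jdoe src=198.51.100.23 reason=bad_password
2013-02-14 22:01:15 FAIL user=qa1 src=198.51.100.23 reason=bad_password
2013-02-14 22:01:17 FAIL user=backup src=198.51.100.23 reason=bad_password
2013-02-15 09:30:00 FAIL user=eric src=203.0.113.9 reason=account_locked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text: str) -> list:
    """Parse the export into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
            "reason": m["reason"],
        })
    return events


def find_failure_patterns(events: list, threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Group failures by source IP and flag any source with `threshold` or more
    failures inside one `window`. Each finding carries the dates/times, accounts
    and reasons the SOP asks the auditor to record. Two ordinary mistyped
    passwords followed by a success (as for 203.0.113.7) stay below threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it is within `window` of the newest failure.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[src] = {
                    "count": len(fails),
                    "users": sorted({f["user"] for f in fails}),
                    "reasons": sorted({f["reason"] for f in fails}),
                    "first": fails[0]["ts"],
                    "last": fails[-1]["ts"],
                }
                break
    return findings


def format_report(findings: dict) -> list:
    """Render findings as lines for the update to the PIC-Sec and CIO (section 8, item 3)."""
    lines = []
    for src, f in sorted(findings.items()):
        lines.append(
            f"{src}: {f['count']} failed logons against {len(f['users'])} account(s) "
            f"between {f['first']:%Y-%m-%d %H:%M:%S} and {f['last']:%Y-%m-%d %H:%M:%S}; "
            f"accounts={','.join(f['users'])}; reasons={','.join(f['reasons'])}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(find_failure_patterns(parse_log(SAMPLE_LOG))):
        print(line)
```

The number of distinct accounts per source is reported alongside the count because many failures spread across many accounts from one address is a different finding from one user repeatedly mistyping a password, and the SOP's "ineffective security practices" category (for example, a shared account that is constantly locked out) shows up in the reasons column rather than the count.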


More information

System Security Plan University of Texas Health Science Center School of Public Health

System Security Plan University of Texas Health Science Center School of Public Health System Security Plan University of Texas Health Science Center School of Public Health Note: This is simply a template for a NIH System Security Plan. You will need to complete, or add content, to many

More information

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Security Considerations

Security Considerations Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com

Hosted Exchange. Security Overview. Learn More: Call us at 877.634.2728. www.megapath.com Security Overview Learn More: Call us at 877.634.2728. www.megapath.com Secure and Reliable Hosted Exchange Our Hosted Exchange service is delivered across an advanced network infrastructure, built on

More information

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive. SERVICEPOINT SECURING CLIENT DATA This document and the information contained herein are the property of and should be considered business sensitive. Copyright 2006 333 Texas Street Suite 300 Shreveport,

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Online (Internet) Banking Agreement and Disclosure

Online (Internet) Banking Agreement and Disclosure Online (Internet) Banking Agreement and Disclosure This Online (Internet) Banking Agreement and Disclosure ( the Agreement") explains the terms and conditions governing the basic Online Banking services

More information

U.S. Securities and Exchange Commission. Easy Lobby PRIVACY IMPACT ASSESSMENT (PIA)

U.S. Securities and Exchange Commission. Easy Lobby PRIVACY IMPACT ASSESSMENT (PIA) U.S. Securities and Exchange Commission Easy Lobby PRIVACY IMPACT ASSESSMENT (PIA) September 30, 2013 General Information 1. Name of Project or System. Easy Lobby v10.0.8 Upgrade: Administrator and SVM

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9 1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: April 28, 2016 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL REQUIREMENTS... 3 4. ACCESS REQUIREMENTS... 3 5. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION...

More information

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT Name of System/Application: LAN/WAN PRIVACY IMPACT ASSESSMENT U. S. Small Business Administration LAN/WAN FY 2011 Program Office: Office of the Chief Information Officer A. CONTACT INFORMATION 1) Who is

More information

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS

Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS Guidance for Industry COMPUTERIZED SYSTEMS USED IN CLINICAL TRIALS U.S. Department of Health and Human Services Food and Drug Administration Center for Biologic Evaluation and Research (CBER) Center for

More information

Guidance for Industry Computerized Systems Used in Clinical Investigations

Guidance for Industry Computerized Systems Used in Clinical Investigations Guidance for Industry Computerized Systems Used in Clinical Investigations U.S. Department of Health and Human Services Food and Drug Administration (FDA) Office of the Commissioner (OC) May 2007 Guidance

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

Research Information Security Guideline

Research Information Security Guideline Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure E-Mail User Guide. Version 1.0.

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure E-Mail User Guide. Version 1.0. Pennsylvania Department of Public Welfare Bureau of Information Systems Secure E-Mail User Guide Version 1.0 August 30, 2006 Table of Contents Introduction... 3 Purpose... 3 Terms of Use Applicable to

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

ITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services

ITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services ITS Policy Library 11.06 - Device Encryption Information Technologies & Services Responsible Executive: Chief Information Officer, WCMC Original Issued: July 15, 2008 Last Updated: November 21, 2014 POLICY

More information

ADM:49 DPS POLICY MANUAL Page 1 of 5

ADM:49 DPS POLICY MANUAL Page 1 of 5 DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

WORKSTATION MANAGEMENT STANDARD PROCEDURES

WORKSTATION MANAGEMENT STANDARD PROCEDURES OFFICE OF THE VICE PRESIDENT FOR INFORMATION TECHNOLOGY POST OFFICE BOX 8122 STATESBORO, GEORGIA 30460-8122 TELEPHONE (912) 478-1294 FAX (912) 478-7720 WORKSTATION MANAGEMENT STANDARD PROCEDURES I. Authorization

More information

White paper inforouter in the Life Sciences Industry: 21 CFR Part 11 Compliance

White paper inforouter in the Life Sciences Industry: 21 CFR Part 11 Compliance White paper inforouter in the Life Sciences Industry: 21 CFR Part 11 Compliance Overview of 21 CFR Part 11 The final version of the 21 CFR Part 11 regulation released by the FDA in 1997 provides a framework

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

REGULATIONS COMPLIANCE ASSESSMENT

REGULATIONS COMPLIANCE ASSESSMENT ALIX is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. REGULATIONS COMPLIANCE ASSESSMENT BUSINESS

More information

Version 1.0 (updated March 2015)

Version 1.0 (updated March 2015) BRIGHT HORIZONS BASELINE THIRD PARTY SECURITY REQUIREMENTS Version 1.0 (updated March 2015) Contents SECTION 1:... 3 REQUIREMENTS INTRODUCTION AND BACKGROUND... 3 1. SUMMARY... 3 2. DEFINITIONS... 3 3.

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Network Security Policy

Network Security Policy Network Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED QUESTIONS

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:

More information

University of Northern Colorado. Data Security Policy for Research Projects

University of Northern Colorado. Data Security Policy for Research Projects University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information