COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy

Transcription

1 COPIES-F.Y.I., INC. Plicies and Prcedures Data Security Plicy

2 Page 2 f 7 Preamble Mst f Cpies FYI, Incrprated financial, administrative, research, and clinical systems are accessible thrugh the campus netwrk. As such, they are vulnerable t security breaches that may cmprmise cnfidential infrmatin and expse ur cmpany t lsses and ther risks. At Cpies FYI, Inc., security is critical t the physical netwrk, cmputer perating systems, and applicatin prgrams and each area ffers its wn set f security issues and risks. Cnfidentiality and privacy, access, accuntability, authenticatin, availability, and Infrmatin Technlgy system and netwrk maintenance are cmpnents f a cmprehensive security plan. This plan identifies key cncerns and issues faced by ur cmpany at the applicatin, hst, and netwrk level, and strives fr a balance between ur cmpany's desire t prmte and enhance the free exchange f ideas and its need fr security f critical infrmatin and systems. This dcument will: 1. Identify the elements f a gd security plicy; 2. Explain the need fr Infrmatin Technlgy security; 3. Specify the varius categries f Infrmatin Technlgy security; 4. Indicate the Infrmatin Technlgy Security respnsibilities and rles; and 5. Identify apprpriate levels f security thrugh standards and guidelines. This dcument establishes an verarching security plicy and directin fr Cpies FYI, Inc. Individual clinics, dctrs and attrney s and their firms are expected t establish standards, guidelines, and perating prcedures that adhere t and reference this plicy while addressing their specific and individual needs. 1. INFORMATION TECHNOLOGY SECURITY ELEMENTS The elements f a gd security plicy include: Cnfidentiality and Privacy Access Accuntability Authenticatin Availability Infrmatin technlgy system and netwrk maintenance plicy Cnfidentiality refers t ur cmpany's needs, bligatins and desires t prtect private, prprietary and ther sensitive infrmatin frm thse wh d nt have the right and need t btain it. Access defines rights, privileges, and mechanisms t prtect assets frm access r lss. Accuntability defines the respnsibilities f users, peratins staff, and management. Authenticatin establishes passwrd and authenticatin plicy. Availability establishes hurs f resurce availability, redundancy and recvery, and maintenance dwntime perids.

3 Page 3 f 7 Infrmatin technlgy system and netwrk maintenance describes hw bth internal and external maintenance peple are allwed t handle and access technlgy. 2. NEED FOR INFORMATION TECHNOLOGY SECURITY Our cmpany and all members f ur cmpany are bligated t respect and t prtect cnfidential data. Medical recrds, certain emplyment-related recrds, attrney-client cmmunicatins, and certain research and ther intellectual prperty-related recrds are, subject t limited exceptins, cnfidential as a matter f law. Many ther categries f recrds, including clinic and ther persnnel recrds, and recrds relating t ur cmpany's business and finances are, as a matter f cmpany plicy, treated as cnfidential. Systems (hardware and sftware) designed primarily t stre cnfidential recrds (such as the Financial Infrmatin System and all medical recrds systems) require enhanced security prtectins and are cntrlled (strategic) systems t which access is clsely mnitred. Netwrks prvide cnnectin t recrds, infrmatin, and ther netwrks and als require security prtectins. The use f Cpies FYI Infrmatin Technlgy assets in ther than a manner and fr the purpse f which they were intended represents a misallcatin f resurces and, pssibly, a vilatin f law. Guidelines fr apprpriate use f cmputer facilities and services at Cpies FYI, Inc can be fund at SECURITY CATEGORIES This plicy applies t the fllwing categries f security: Cmputer system and applicatins security: Central prcessing unit, peripherals, perating system and data. Physical security: The premises ccupied by the Cpies FYI, Inc. persnnel and equipment; which has a security system installed. Operatinal security: Envirnment cntrl, pwer equipment, peratinal activities. Prcedural security: Established and dcumented security prcesses fr infrmatin technlgy staff, vendrs, management, and individual users. Netwrk security: Cmmunicatins equipment, persnnel, transmissin paths, and adjacent areas. INFORMATION TECHNOLOGY SECURITY RESPONSIBILITIES AND ROLES Respnsibility fr guaranteeing apprpriate security fr data, systems, and netwrks is assigned t Cpies FYI, Inc management directrs, and department heads. In many cases, respnsibility fr designing, implementing, and maintaining security prtectins will be delegated t infrmatin technlgy staff, but the directr, r department head will retain respnsibility fr ensuring cmpliance with this plicy. In additin t management and infrmatin technlgy staff, the individual user is respnsible fr the infrmatin technlgy equipment and resurces under his r her cntrl. Cpies FYI, Inc., is respnsible fr: 6. Tracking technlgy and regulatry changes that may indicate r require a change r additin t the current plicy;

4 Page 4 f 7 7. Advising affected management and staff f said changes; 8. Establishing prcedures that supprt the implementatin and maintenance f the security plicy; 9. Assisting departments and clinics within Cpies FYI, Inc t develp, implement and maintain their wn security plicies that supprt and facilitate ur cmpany's enterprise plicy; and 10. Establishing and maintaining a repsitry fr Cpies FYI, Inc. s cllected security dcuments. NOLOGY STARDS AND GUIDELINES Cnfidentiality and Privacy Our cmpany and all members f ur cmpany are bligated t respect and, in many cases, t prtect cnfidential data. There are, hwever, technical and legal limitatins n ur ability t prtect cnfidentiality. Fr legal purpses, electrnic cmmunicatins are n different than paper dcuments. Electrnic cmmunicatins are, hwever, mre likely t leave a trail f inadvertent cpies and mre likely t be seen in the curse f rutine maintenance f cmputer systems. Certain areas f ur cmpany permit incidental persnal use f cmputer resurces. Our cmpany des nt mnitr the cntent f persnal web pages, r ther n-line cmmunicatins. Hwever, ur cmpany must reserve the right t examine cmputer recrds r mnitr activities f individual cmputer users (a) t prtect the integrity r security f the cmputing resurces r prtect ur cmpany frm liability, (b) t investigate unusual r excessive activity, (c) t investigate apparent vilatins f law r Cpies FYI plicy, and (d) as therwise required by law r exigent circumstances. In limited circumstances, ur cmpany may be legally cmpelled t disclse infrmatin relating t business r persnal use f the cmputer netwrk t gvernmental authrities r, in the cntext f litigatin, t ther third parties, Administratrs f Cpies FYI, department r divisin netwrks shuld ntify cmputer users if incidental persnal use is nt permitted and that ur cmpany cannt ensure the cnfidentiality f persnal cmmunicatins. Access N ne may access cnfidential recrds unless specifically authrized t d s. Even authrized individuals may use cnfidential recrds nly fr authrized purpses. Our cmpany's Cmputer Use Plicy ( requires that members f ur cmpany respect the privacy f thers and their accunts, nt access r intercept files r data f thers withut permissin, and nt use anther's passwrd r access files under false identity. Vilatrs f any f these rules are subject t discipline cnsistent with the general disciplinary prvisins applicable t ROI Specialists and staff. Technlgy assets are t be hused in an apprpriately secure physical lcatin. Technlgy assets include servers, persnal cmputers that huse systems with cntrlled access (laptps are a categry f special cnsideratin), prts (active prts in public areas), sniffing devices (PC's set up t d this fr diagnsis shuld be secure), mdems and netwrk cmpnents (cabling, electrnics, etc.).

5 Page 5 f 7 Passwrds help prtect against misuse by seeking t restrict use f Cpies FYI systems and netwrks t authrized users. Authrized users (specific individual) are assigned a unique strng passwrd that is t be prtected by that individual and nt shared with thers, is difficult t crack, is changed n a regular basis, and is deleted when n lnger authrized. ( The management fr each area will ensure that cntrls are in place t avid unauthrized intrusin f systems and netwrks and t detect effrts at such intrusin. Such cntrls may include sme cmbinatin f the fllwing: setting up base-line traffic mnitring and cmparing with netwrk lgs fr variances; implementing system cntrl mechanisms t detect unexpected data cnditins; mnitring successful and unsuccessful access t data; and, cnducting prt scans t ensure that nly authrized users are cnnected t the netwrk. Each Cpies FYI cntrlled infrmatin system must have an Access Plicy that defines access rights and privileges and prtects assets and data frm lss r inapprpriate disclsure by specifying acceptable use guidelines fr users, peratins staff and management. The Access Plicy will prvide guidelines fr external cnnectins, fr data cmmunicatins, fr cnnecting devices t a netwrk, and fr adding new sftware t systems. As part f the plicy, the respnsibility and accuntability fr its implementatin must be established. Additinally, as users are granted access t cntrlled Cpies FYI systems, they will receive written statements (specific t the individual applicatin and authred by the security administratr fr that applicatin) utlining the user's respnsibility regarding the apprpriate use f the system and data and emphasizing the cnsequences f imprper use. This statement is t be read and signed by each user. Accuntability Individual users are respnsible fr ensuring that thers d nt use their system privileges. In particular, users must take great care in prtecting their usernames and passwrds frm eavesdrpping r careless misplacement. Passwrds are never t be 'laned.' Individual users will be held respnsible fr any security vilatins assciated with their usernames. Operatins staff is respnsible fr reviewing the audit lgs and identifying ptential security vilatins. The peratins staff is respnsible fr establishing the security and access cntrl mechanisms (such as usernames, passwrds, lgging, etc.) and may be held accuntable fr any security breaches that arise frm imprper cnfiguratin f these mechanisms. Each user permitted t access a cntrlled system is t be made aware f the access plicy fr that system. Management will prvide this infrmatin t the emplyee when first granting access and make the emplyee aware f the auditing capability in place t verify cmpliance. All cntrlled systems must maintain audit lgs t track usage infrmatin t a level apprpriate fr that system. All user sessins and all failed cnnectin attempts must be lgged. Fr user sessins, the fllwing will be recrded: user, surce IP, sessin start time/date, and sessin end time/date. Fr failed cnnectin attempts, the number f attempts must als be recrded. Management has the discretin t determine whether additinal lgging is necessary. Audit lgging may als apply t netwrks. Lgging f netwrk traffic flw and access is a standard practice. If inapprpriate use f the netwrk is suspected, and management s requests, Netwrk Technlgy Services may authrize specific traffic lgging n prtins f the campus netwrk. If the peratins staff believes a security incident has ccurred, they will immediately ntify their management. Management will assess the ptential implicatins f the incident, ntify Netwrk

6 Page 6 f 7 Technlgy Services, and take any remedial and necessary actin. All audit lgs will be immediately duplicated and mved t secure media fr further analysis. Befre adding new sftware t Cpies FYI cmputers and netwrks, system defaults shuld be carefully reviewed fr ptential security hles and passwrds shipped with the sftware shuld be changed. Dwnlading sftware, particularly sftware that is nt jb-related r endrsed by the administratin, may intrduce security risks and shuld be cntrlled. Authenticatin Authenticatin and data encryptin r pint-t-pint cmmunicatin will be implemented fr all systems that send r receive sensitive data r when it is critical that bth parties knw with whm they are cmmunicating. The decisin f whether t encrypt data shuld be made by the prfessinal system administratr respnsible fr the particular applicatin being distributed, with the knwledge f the apprpriate directr, r department head. Availability Missin critical systems are expected t be available at all times during applicable business hurs. Each critical system must have a published availability statement which details redundancy and recvery prcedures, and specifies hurs f peratins and maintenance dwntime perids. It must als include cntact infrmatin fr reprting system utages. This statement must be submitted t and apprved by Netwrk Technlgy Services. Backup f data will be well-dcumented and tested. Backups f missin critical data must be maintained in secure ff site strage t guard against the impact f disasters. Infrmatin Technlgy Systems and Netwrk Maintenance In the curse f ding business, Cpies FYI, Inc Infrmatin Systems management, Netwrk Technlgy Services, and all departments may cntract fr all r sme system and netwrk lcal r remte maintenance r supprt. Representatives f these cntracted cmpanies must fllw all Cpies FYI plicies. Cpies FYI, Inc. is expected t establish apprpriate guidelines fr building, equipment and system access. It is the respnsibility f the cntracting clinic t infrm the cntractr f all apprpriate plicies and, in additin, t prvide versight f the cntractr and cntractr representatives during the time they have access t Cpies FYI resurces. Reprting Vilatins Owners r managers f cmputer, netwrk, r applicatins systems, as well as users f these systems, have the respnsibility t reprt any apparent vilatins f law, Cpies FYI plicy ( t lcal management and Netwrk Technlgy Services r Cmputing and Cmmunicatins whenever such vilatins cme t their attentin.

7 Page 7 f 7 Owners and managers f department cmputing, netwrk, and applicatins systems shall make available t management and users f the systems guidelines fr reprting security vilatins. These guidelines will prvide specific guidance n what, when, where, t whm, and within what timeframe the vilatin shuld be reprted and a cpy will be filed with Netwrk Technlgy Services r Cmputing and Cmmunicatins.