VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data



Similar documents
Vendor Assessment Worksheet:

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

How To Protect Your Health Care From Being Hacked

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Security Alert

Our Commitment to Information Security

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

How To Write A Health Care Security Rule For A University

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Purchase College Information Security Program Charter January 2008

HIPAA Security Rule Compliance

Intel Enhanced Data Security Assessment Form

CTR System Report FISMA

Creating Stable Security & Compliance Relationships

HIPAA Compliance Guide

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

HIPAA Compliance: Are you prepared for the new regulatory changes?

FISMA Implementation Project

The Second National HIPAA Summit

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

Practical Overview on responsibilities of Data Protection Officers. Security measures

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Overview of Topics Covered

Richard Gadsden Information Security Office Office of the CIO Information Services

General HIPAA Implementation FAQ

Microsoft s Compliance Framework for Online Services

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

The CIO s Guide to HIPAA Compliant Text Messaging

When HHS Calls, Will Your Plan Be HIPAA Compliant?

The Practical Guide to HIPAA Privacy and Security Compliance

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

Office of Inspector General

VMware vcloud Air HIPAA Matrix

Overview of the HIPAA Security Rule

Privacy and Security requirements, OCR HIPAA Audits and the New Audit Protocol

HIPAA Compliance Guide

Secure HIPAA Compliant Cloud Computing

Security Is Everyone s Concern:

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Technology Security Certification and Accreditation Guidelines

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

HITRUST CSF Assurance Program

Attachment A. Identification of Risks/Cybersecurity Governance

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Third Party Risk Management 12 April 2012

Bridging the HIPAA/HITECH Compliance Gap

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Understanding changes to the Trust Services Principles for SOC 2 reporting

Can Your Diocese Afford to Fail a HIPAA Audit?

HIPAA Information Security Overview

CHIS, Inc. Privacy General Guidelines

Datto Compliance 101 1

Data Processing Agreement for Oracle Cloud Services

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

CMS Information Security Risk Assessment (RA) Methodology

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

PCI Requirements Coverage Summary Table

M E M O R A N D U M. Definitions

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Information Security Program Management Standard

HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

CFPB Readiness Series: Compliant Vendor Management Overview

John Essner, CISO Office of Information Technology State of New Jersey

HIPAA and HITECH Compliance for Cloud Applications

Greenway Marketplace. Hear from GSG Compliance & White Plume November 14, 2013

Risk Management of Outsourced Technology Services. November 28, 2000

STATE OF NEW JERSEY Security Controls Assessment Checklist

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

787 Wye Road, Akron, Ohio P F

Cloud Security Trust Cisco to Protect Your Data

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Hosted Exchange. Security Overview. Learn More: Call us at

Healthcare Management Service Organization Accreditation Program (MSOAP)

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Montclair State University. HIPAA Security Policy

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Transcription:

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data 1

Table of Contents Executive Summary... 3 Template Purpose and Instructions... 4 Vendor Information Security Plan Template... 5 Institutional Oversight Contact Information... 6 Vendor Organizational Information Security Policies... 7 Information Security Organization, and Roles and Responsibilities... 8 Systems Overview... 9 Subcontractors... 10 Information Security Controls... 11 Attribution, Sharing and Adapting... 13 Contact Us... 14 2

Executive Summary The Vendor Information Security Plan (VISP) is a template planning tool that enables institutions to evaluate the capacity of third party vendors to protect personally identifiable research data or other confidential information on behalf of an institution or its researchers. The VISP may be used alone or in conjunction with the Harvard Catalyst Vendor Assessment Worksheet. 1 Use the VISP when your institution or researchers intend to utilize a vendor or third party providing software, service or infrastructure that will hold, analyze, or otherwise persistently process research data. Institutions may present the VISP to prospective vendors for completion. Once completed, the vendor or third party returns the VISP to the institution. It is then the responsibility of the institution to undertake a review of the completed response and manage any further clarifications or negotiation of gaps in understanding of implementation requirements. The VISP is a model template developed at Partners HealthCare in collaboration with contributions from Boston Children s Hospital, Beth Israel Deaconess Medical Center, Hebrew Senior Life, and the Harvard Catalyst Data Protection Committee. 1 http://catalyst.harvard.edu/pdf/regulatory/vendor%20assessment%20worksheet.pdf 3

Purpose and Instructions Vendors or other third parties contemplating processing, storing, or accessing research data on behalf of an institution or its researchers should complete the following template. Once completed, the ISP will facilitate an institution s review of vendor organizations data safeguards and security posture including how the organization secures: The information technology resources used in the processing, transport, and storage of data; and User access to information technology resources and data. Each template must be customized to specifically address the vendor s information technology resources and overall security posture. 4

Vendor Information Security Plan (VISP) Template Vendor Version Date Please answer each section of the document, and attach supplemental diagrams, and any relevant policies, standards, and procedures, as appropriate. Answer the questions as specifically as possible, indicating controls actually used to safeguard information systems, applications, and data related to institution and its affiliated entities. 5

1. Institutional Oversight Contact Information [INSTITUTIONAL CONTACT EMAIL AND ADDRESS HERE] If you have questions, please send an email to the address above, and we will contact you. 6

2. Vendor Organizational Information Security Responsibilities Name: Title: Organization: Address: City, State, Zip: E-mail: Phone Number: Emergency Contact: (name, phone & email) Primary Information Security Contact 7

3. Information Security Organization, and Roles and Responsibilities <Provide an overview of the individuals and any sub-units with security-related responsibilities.> 8

4. Systems Overview Note: This section must be completed in its entirety. Supplemental documentation, such as SOC2 and SSAE 16 reports, are not substitutes for completing the section below. However, we welcome additional information such as the SOC, ISO and SSAE16 reports in support of your documented information security posture. <Describe at a high-level the information technology resources used for providing applications, services and data specific to [INSTITUTION] and its affiliates, or for accessing [INSTITUTION S] -provided resources or systems. As an example, describe the software, computing environment, and data processing facilities used to host a system used by [INSTITUTION], or by the vendor and its agents. Alternatively, please describe how the vendor and its agents will access resources hosted by [INSTITUTION]. Attach any relevant network diagrams illustrative of any system interconnections necessary for providing the solution. In this section be sure to document all methods by which data and documentation will be electronically accessed, or transmitted [INSTITUTION].> 9

5. Subcontractors <Please indicate whether subcontractors will be used to provide any additional services under the contract with [INSTITUTION] or its affiliates. If so, please name the subcontractors, and indicate whether the subcontractor s primary place of business or any agents perform services in locations outside the continental United States. Please indicate if the vendor has signed business associate contracts with subcontractors as required under HIPAA s Omnibus Rule.> 10

6. Information Security Controls When answering this section please erase the descriptive text below each header. If a particular section is not applicable to your relationship with [INSTITUTION], please indicate not applicable, including the reasons why. a. Access Control <Describe the technical, operational, and management controls used to provision access to systems and data. Include how user accounts and access to data is managed for an employee over time.> b. Awareness and Training <Describe organizational requirements related to workforce information security awareness and training, including how employees are trained on securing devices, accounts, applications, services and data.> c. Audit and Accountability <Describe organizational requirements related to audit information, including what events are audited, the retention of audit information, and monitoring for unauthorized information disclosure.> d. Certification, Accreditation and Security Assessments <Describe how the organization certifies the information systems used for the solution are secure. Also, describe how the organization certifies the computing environments of subcontractors.> e. Configuration Management <Describe the organization s configuration management practices for all systems, including whether baseline configuration information is recorded, and the access restrictions implemented to enforce change management.> f. Contingency Planning <Describe the organization s contingency planning practices, focusing on the contingency planning practices that will affect all services provided to [INSTITUTION].> g. Identification and Authentication <Describe the organization s identity and authentication policy, standards and procedures, including how users access [INSTITUTION] services, Systems, data and how those users are identified and authenticated.> h. Incident Response <Describe the organizations incident response capabilities, including incident response, monitoring and reporting capabilities.> i. Maintenance <Describe the organization s system maintenance policy and procedures, including requirements related to any remote system maintenance performed by third parties.> j. Media Protection <Describe organizational requirements for securing storage media, including back-up tapes, failed hard drives, and other storage media.> 11

k. Physical and Environmental Protection <Describe organizational requirements for securing data processing facilities, including data centers, and the computing environments of individuals.> l. Planning <Describe how information security planning activity is incorporated into overall business planning, including whether system security plans are documented for systems and services.> m. Personnel Security <Describe the organization s personnel security controls, including employee screening, access agreements, and termination procedures.> n. Risk Assessments <Describe the organization s approach for assessing risk, including whether formal risk analysis are performed, and whether vulnerability assessments are performed for the information technology resources used for the solution.> o. System and Services Acquisition <Describe how information security is part of the organization s acquisition of information systems and services.> p. System and Communications Protection <Describe the organization¹s communication security policies, standards and procedures, including the organization¹s secure transmission capabilities, and how the organization secures the information technology resources from external threats. This section should also describe the controls implemented to secure data and documentation as it is transmitted over untrusted networks (e.g., the internet).> q. System and Information Integrity <Describe how the systems ensure the integrity of data, including malicious code protection, input validation, and other related techniques. > 12

ATTRIBUTION, SHARING AND ADAPTING We encourage broad dissemination of this guidance document, and incorporation of these practices into clinical trial operations. We would also appreciate feedback and additional contributions so that we can continuously improve this work product. We encourage you to: request email us and request the materials share copy, distribute, and transmit the work adapt adapt the work to suit your needs Under the following conditions: Attribution: In freely using the materials, we require that you acknowledge Harvard Catalyst as the publisher and that you give appropriate credit to any named individual authors. Suggested citation: This material is the work the Harvard Catalyst Data Protection Taskforce and subcommittee of the Regulatory Foundations, Ethics, and Law Program. This work was conducted with support from Harvard Catalyst The Harvard Clinical and Translational Science Center (National Center for Research Resources and the National Center for Advancing Translational Sciences, National Institutes of Health Award 1UL1 TR001102-01 and financial contributions from Harvard University and its affiliated academic health care centers). The content is solely the responsibility of the authors and does not necessarily represent the official views of Harvard Catalyst, Harvard University and its affiliated academic health care centers, or the National Institutes of Health. With the understanding that: We might contact you: We are interested in gathering information regarding who is using the material and how they are using it. We may contact you by email to solicit information on how you have used the materials or to request collaboration or input on future activities. When reusing or distributing, make clear the above terms: For any reuse or distribution, you must make clear to others the terms of this work. The best way to do this is with a link to the web page containing this guide. When adapting: Please share improvements to the tool back with us so that we may learn and improve our materials as well. 13

CONTACT US Copies of all materials are freely available. Please send your requests, questions and comments to regulatory@catalyst.harvard.edu and visit the Harvard Catalyst Data Protection Subcommittee web page. 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information