INFORMATION TECHNOLOGY POLICY



Similar documents
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

INFORMATION TECHNOLOGY POLICY

Security Control Standard

INFORMATION TECHNOLOGY POLICY

Sample CDC Certification and Accreditation Checklist For an Application That Is Considered a Moderate Threat

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

CSB Needs Better Security Controls to Protect Critical Data Stored on Its Regional Servers

EPA Classification No.: CIO P-11.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Fire Alarm and Protection Impairment Policy and Procedures

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

HIPAA Security Alert

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

REQUEST FOR BOARD ACTION

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Administrative Procedure

Security Policy JUNE 1, SalesNOW. Security Policy v v

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Security Document. Issued April 2014 Updated October 2014 Updated May 2015

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport

CHAPTER 71. Regulations governing systems False alarm charges; violations and penalties.

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

LogRhythm and HIPAA Compliance

HIPAA PRIVACY AND SECURITY AWARENESS

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

HIPAA Information Security Overview

Data Management Policies. Sage ERP Online

Information Security for Managers

Security Whitepaper: ivvy Products

Service Organization Control (SOC 3) Report on a Description of the Data Center Colocation System Relevant to Security and Availability

INFORMATION TECHNOLOGY STANDARD

Information Security Program Management Standard

DHHIT Network Security Standards and Procedures

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

The Commonwealth of Massachusetts

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Austin Independent School District Police Department Policy and Procedure Manual

CORPORATE PROCUREMENT UNIT SITE & SECURITY PROCEDURES BOSTON SPA VERSION 9 SEPT12

Office of Inspector General

Information Resources Security Guidelines

Appendix A: Rules of Behavior for VA Employees

ALARM SYSTEMS Ord. No Adoption Date: September 9, 2008 Publication Date: September 17, 2008 Effective Date: October 16, 2008

Information Security Program

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Risk and its Impact to(insert company name here) Risk AFTER Mitigation. Objective (A-D)

HIPAA BUSINESS ASSOCIATE AGREEMENT

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Network and Workstation Acceptable Use Policy

Data center solutions from Siemens. For the factories of the 21 st century. siemens.com/datacenters

Retention & Destruction

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

PBGC Information Security Policy

System Security Plan University of Texas Health Science Center School of Public Health

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

CHIS, Inc. Privacy General Guidelines

Business Associate Agreement

SMITH COLLEGE EMERGENCY PLANNING SUMMER PROGRAMS EMERGENCY PLAN

State of Vermont. Physical Security for Computer Protection Policy

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Information Security Operational Procedures Banner Student Information System Security Policy

REVIEWED ICT DATA CENTRE PHYSICAL ACCESS AND ENVIROMENTAL CONTROL POLICY

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

DHHS Information Technology (IT) Access Control Standard

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

NMSU FIRE DEPARTMENT Commercial Kitchen Fire Suppression Worksheet

IT - General Controls Questionnaire

SOUTHWEST VIRGINIA COMMUNITY COLLEGE RECORDS MANAGEMENT POLICY

HIPAA BUSINESS ASSOCIATE AGREEMENT

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

HIPAA Employee Training Guide. Revision Date: April 11, 2015

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

Summary of CIP Version 5 Standards

SOC 2 Report Seattle, WA (SEF)

BEST PRACTICES FOR COMMERCIAL COMPLIANCE

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Sample audit - A Review of the IT Department (PCDA)

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

HIPAA Security COMPLIANCE Checklist For Employers

Hosted Testing and Grading

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

Section 2. A new Chapter 8.38 is hereby added to Title 8 of the Brea City Code to read as follows: CHAPTER 8.38: REGULATION OF ALARM SYSTEMS

Metropolitan Washington Airports Authority Office of Public Safety Fire & Rescue Department. Fire Code Enforcement Division

Encryption Security Standard

SITECATALYST SECURITY

ECSA EuroCloud Star Audit Data Privacy Audit Guide

HIPAA Compliance with LT Auditor+

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

HIPAA Privacy Summary for Fully-insured Employer Groups

I. U.S. Government Privacy Laws

Banking and Financial Institutions (Physical Security Measures) THE BANKING AND FINANCIAL INSTITUTIONS (PHYSICAL SECURITY MEASURES) REGULATIONS, 2008

Rotherham CCG Network Security Policy V2.0

Environment of Care Fire Safety Management Plan 2014

Transcription:

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE INFORMATION TECHNOLOGY POLICY Name Of Policy: Physical and Environmental Security Policy Domain: Security Date Issued: 06/09/11 Date Revised: 10/11/13 Number: POL-SEC008 Category: Issued By Direction Of: Sandra Patterson, CIO Bureau of Information Systems

Table of Contents 1 Introduction... 3 1.1 Purpose... 3 1.2 Scope... 3 1.3 Compliance... 3 1.4 Exemptions... 3 1.5 Policy Review and Update... 3 2 Physical and Environmental Security Policy... 3 2.1 Fire Protection, Temperature and Humidity Controls... 3 2.2 Emergency Shutoff / Power... 5 3 Appendix... Error! Bookmark not defined. 3.1 References... 5 Document History Version Date Author Status Notes 1.0 06/09/2011 David Johnson Draft Initial creation 2.0 06/23/2011 David Johnson Draft Revised per Tom Zarb review 2.1 10/11/2013 Pamela Skelton Baseline Revised per Pamela Skelton review Department of Public Welfare Page 2

1 Introduction 1.1 Purpose This policy establishes requirements for the implementation of physical and environmental safeguards to adequately protect Department of Public Welfare (DPW) personnel, property and information resources from unauthorized physical intrusion and other physical threats. This policy also addresses compliance with applicable DPW, Commonwealth of Pennsylvania (CoPA) and federal requirements. 1.2 Scope All DPW employees, contractors and business partners are responsible for understanding and complying with this policy. 1.3 Compliance All DPW employees, contractors and other stakeholders are expected to be familiar with and comply with this policy. Violations of this policy may lead to revocation of system privileges and/or disciplinary action. DPW employees who knowingly and willfully violate DPW, Commonwealth or federal law addressing improper use or disclosure of an individual s information may be subject to criminal investigation and prosecution or civil monetary penalties. 1.4 Exemptions Requests for exemption to the policy should be submitted to the Chief Information Security Officer (CISO). Any exceptions granted will be issued a policy waiver for a defined period of time. 1.5 Policy Review and Update This document, and its supporting standards and procedures, will be reviewed annually, and updated as needed. 2 Physical and Environmental Security Policy Physical security represents the first line of defense against intruders and adversaries attempting to gain access to DPW facilities and/or information systems. Physical security restricts the entry and exit of personnel from protected areas, and protects sensitive data and systems. Environmental safety and security provides safeguards for fire safety, building environment, utilities, and other safeguards for the protection of DPW personnel, facilities and information resources. a. The physical security of DPW facilities, including facilities containing information resources, shall be managed per the following Commonwealth and DPW policies and standards: : Willow Oak Building Security. CoPA Policy: General Order 41, Security for Commonwealth Owned/Controlled Buildings, Property, Employees and Visitors CoPA Standards: Minimum Standards for Improving Physical Security Access (ITB-SEC029) 2.1 Physical Access Physical Access is the enforcement of a set of rules that govern physical access authorizations at DPW. Effective physical access control is critical to verifying individual access authorizations before granting access to DPW facilities. Department of Public Welfare Page 3

a. DPW shall authorize physical access to the facility where the information system resides based on roles and responsibilities. b. DPW shall require two (2) approved forms of identification before granting access to the facility where the information system resides. c. The organization shall restrict unescorted access to the facility where the information system resides to personnel lacking sufficient security clearances and / or appropriate credentials. d. Physical access authorizations shall be enforced to the information system in addition to physical access controls to DPW facilities. e. Every physical access point to DPW facilities shall be equipped with at least alarms and/or guards where the information system resides, twenty-four (24) hours per day, seven (7) days per week. f. DPW shall monitor physical intrusion alarms and surveillance equipment and employ centralized mechanisms to recognize the types of intrusions and initiate appropriate response actions. 2.2 Power Equipment and Cabling Power equipment and cabling relate to the types of protection necessary to effectively protect equipment and cabling both internal and external to organizational facilities and environments of operation against damage and destruction. a. DPW shall employ power cable redundancy paths that are physically separated and automatic voltage controls for critical information system components. 2.3 Fire protection, Water damage protection and Temperature and humidity Controls Fire protection, water damage protection and temperature and humidity controls represents the minimum requirements needed to protect DPW information system and its personnel against fire, water damage and temperature and humidity abnormal levels. Fire Protection a. DPW Information system shall employ and maintain fire suppression and detection systems supported by an independent source of energy (e.g., handheld fire extinguishers, smoke detectors, sprinkler systems and fixed fire hose wheels) b. In the event of a fire, those fire suppression and detection systems shall be activated automatically to notify the organization and proper emergency responders. c. DPW shall employ automatic fire suppression capability when the facility is not staffed on a continuous basis. Water Damage Protection a. DPW shall employ automated centralized mechanisms to detect the presence of water in the information system and alerts the CISO. Temperature and Humidity Controls a. DPW shall define the acceptable temperature and humidity levels within the facility where the information system resides b. The frequency to monitor temperatures and humidity levels shall be defined. c. The organization shall then monitor the temperature and humidity with the organization-defined frequency Department of Public Welfare Page 4

2.4 Emergency Shutoff / Power / Lighting DPW information system has established appropriate controls in the event of a primary power source loss or power outage / disruption. Emergency Shutoff a. In emergency situations, DPW shall provide the capability of shutting off power to either the information system or individual system components. Emergency Power a. In the event of a primary power source loss, DPW organization shall provide the following: A short-term uninterruptible power supply to facilitate an eventual orderly shutdown of the information system. A long-term self-contained, alternate power supply for the information system that is capable of maintaining minimally required operational capability Emergency Lighting a. In the event of a power outage or disruption, DPW Information system shall employ and maintain an automatic emergency lighting to cover emergency exits and evacuation routes within DPW facilities. 2.5 Monitoring Physical Access a. DPW shall review physical access logs every at least once every two (2) months. 3 Appendix 3.1 References Document DPW Web Application Privacy Standard Health Insurance Portability and Accountability Act (HIPAA) Privacy Implementation Handbook Source DPW DPW Department of Public Welfare Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information