IT Security Procedure




1. Purpose
This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems.

2. Application
This Procedure is to be followed by all staff members of the WCDHB.

3. Definitions
For the purposes of this Procedure:
User is taken to mean any individual having authorised access to WCDHB Information Systems, whether internally or externally, and includes both staff members and contractors.
Information Systems is taken to mean any networked, stand-alone, or portable workstation or personal computer and any peripheral devices attached to such a machine (e.g. printer, scanner).
Data is taken to mean any information stored electronically in any format.
Information Security is taken to mean protection of the WCDHB's data, applications, networks, and computer systems from unauthorised access, alteration, or destruction.
iaccess is the electronic system available on the intranet, under IT Services, which allows requests for IT access, changes and deactivations.

4. Responsibilities
For the purposes of this Procedure:
Chief Information Officer is required to:
- ensure this Procedure is reviewed and updated on an annual basis and published as appropriate;
- ensure appropriate training is provided to data owners, network and system administrators, and users;
- appoint a staff member to be responsible for security implementation, incident response, periodic user access reviews, and education.
All Information Systems Users are required to:
- ensure they abide by the requirements of this Procedure.

5. Resources Required
This Procedure requires no specific resources.

6. Process

1.00 Introduction
1.01 The WCDHB will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of the WCDHB's data, network and system resources.
1.02 Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on an annual basis. These reviews must include monitoring access logs and the results of intrusion detection software, where it has been installed.
1.03 Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. Ideally, testing should be performed annually, but the frequency should depend on the sensitivity of the information secured.
1.04 Security awareness training should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual users.

2.00 Access Control
2.01 Where possible and financially feasible, more than one person must have full rights to any WCDHB-owned server storing or transmitting high risk data.
2.02 Access to the network, servers and systems should be achieved by individual and unique logins, and should require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognised forms of authentication.
2.03 As stated in the current WCDHB IT Procedures on appropriate and acceptable use, users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents.
2.04 All users must secure their username or account, password, and system access from unauthorised use by not disclosing their password information in either written or verbal form, and by securing their computer workstation when they are not present.
2.05 All users of systems that contain high risk or confidential data must have a strong password.
2.06 Empowered accounts, such as administrator or supervisor accounts which are not part of password aging, must be changed annually.
2.07 Passwords must not be placed in emails unless they have been encrypted.
2.08 Default passwords on all systems must be changed after installation. All administrator or supervisor accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
2.09 The gold standard for computer systems should be standardised, where possible and financially practical, on the following set of policies:
i. Password cannot repeat any of your previous 10 passwords
ii. Current password must be at least 2 days old before changing
iii. Password must contain at least 8 characters
iv. Password must contain at least 1 numeric character
v. Password must contain at least 2 upper and lower case characters
vi. Password cannot match any word from a list of dictionary words
vii. Password should be changed every 90 days (password aging)

viii. Account life 120 days: if a password has expired and is not changed within 30 days, the account is automatically disabled
ix. Unlimited maximum period of inactivity on an account (it will be disabled after 120 days due to password age)
x. No maximum password length
xi. 5 unsuccessful login attempts before the account is locked; only an administrator or on-call/helpdesk IT staff can unlock it
2.10 Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secured.
2.11 Terminated staff members' access must be reviewed monthly and adjusted as found necessary. Terminated staff members should have their accounts disabled upon transfer or termination. It is the responsibility of the relevant HOD or hiring manager to notify IT, through the iaccess system, of the staff member's departure and of what should be done with the data in their home folder and email account. IT will also disable accounts (not remove them) as soon as payroll has notified them of terminations, on a monthly basis. IT will also audit, on a monthly basis, Active Directory accounts that have been inactive for more than 90 days, to determine if these accounts can be removed.
2.12 Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted, mostly through IT account auditing.
2.13 Monitoring should be implemented on key systems, including recording logon attempts and failures, successful logons, and the date and time of logon and logoff. There should be a documented procedure for reviewing system logs.
2.14 Activities performed as administrator or Super User must be logged where it is feasible to do so.
2.15 Staff members who have administrative system access should use other, less powerful accounts for performing non-administrative tasks.

3.00 Virus Protection
3.01 The wilful introduction of computer viruses or disruptive/destructive programs into the WCDHB environment is prohibited, and violators may be subject to prosecution.
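The password and account rules in clause 2.09 (items i to xi above), written out as a checker so that each threshold can be seen enforced. This is an added example, not WCDHB code or tooling: the thresholds are those listed in 2.09, item v is read here as at least 2 upper case and 2 lower case characters, and the dictionary word list, the account names and the reference date are constructed for the example.

```python
"""Checker for the password and account lifecycle rules in clause 2.09.

Added example, not WCDHB code. Thresholds are the ones listed in the clause;
the dictionary list, account names and dates are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds as listed in 2.09
PASSWORD_HISTORY = 10         # i.    cannot repeat any of the previous 10 passwords
MIN_PASSWORD_AGE_DAYS = 2     # ii.   current password must be at least 2 days old
MIN_LENGTH = 8                # iii.  at least 8 characters (x. no maximum length)
MIN_DIGITS = 1                # iv.   at least 1 numeric character
MIN_UPPER = MIN_LOWER = 2     # v.    read as 2 upper case and 2 lower case (assumption)
MAX_PASSWORD_AGE_DAYS = 90    # vii.  changed every 90 days
ACCOUNT_LIFE_DAYS = 120       # viii. disabled if not changed within 30 days of expiry
LOCKOUT_THRESHOLD = 5         # xi.   locked after 5 failed logins; IT staff unlock

# vi. constructed stand-in for the dictionary word list
DICTIONARY = {"password", "welcome", "hospital", "summer", "letmein"}

T0 = datetime(2024, 1, 1)     # constructed reference date so runs are repeatable


def day(n: int) -> datetime:
    """n days after the constructed reference date."""
    return T0 + timedelta(days=n)


def _digest(password: str, salt: bytes) -> bytes:
    # History is kept as salted hashes so no cleartext password is stored (2.03, 2.10).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # newest last; current is [-1]
    password_set: datetime | None = None
    failed_logins: int = 0
    locked: bool = False
    disabled: bool = False


def complexity_errors(password: str) -> list[str]:
    """Rules iii to vi, judged on the candidate password alone."""
    errs = []
    if len(password) < MIN_LENGTH:
        errs.append(f"must contain at least {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        errs.append(f"must contain at least {MIN_DIGITS} numeric character")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        errs.append(f"must contain at least {MIN_UPPER} upper case characters")
    if sum(c.islower() for c in password) < MIN_LOWER:
        errs.append(f"must contain at least {MIN_LOWER} lower case characters")
    if password.lower() in DICTIONARY:
        errs.append("matches a dictionary word")
    return errs


def change_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Rules i and ii plus complexity; returns the violations (empty on success)."""
    errs = complexity_errors(new_password)
    if acct.password_set is not None and now - acct.password_set < timedelta(days=MIN_PASSWORD_AGE_DAYS):
        errs.append(f"current password is less than {MIN_PASSWORD_AGE_DAYS} days old")
    digest = _digest(new_password, acct.salt)
    if any(hmac.compare_digest(digest, old) for old in acct.history):
        errs.append(f"repeats one of the previous {PASSWORD_HISTORY} passwords")
    if errs:
        return errs
    acct.history = (acct.history + [digest])[-PASSWORD_HISTORY:]
    acct.password_set = now
    return []


def account_status(acct: Account, now: datetime) -> str:
    """Rules vii to ix: 'active', 'expired' at 90 days, 'disabled' at 120 days."""
    if acct.locked:
        return "locked"
    if acct.password_set is None:
        return "no_password"
    age = now - acct.password_set
    if acct.disabled or age >= timedelta(days=ACCOUNT_LIFE_DAYS):
        acct.disabled = True
        return "disabled"
    if age >= timedelta(days=MAX_PASSWORD_AGE_DAYS):
        return "expired"   # logon still allowed so the user can change the password
    return "active"


def record_login(acct: Account, password: str, now: datetime) -> bool:
    """Rule xi: failures count towards lockout; a success resets the count."""
    if account_status(acct, now) in ("locked", "disabled", "no_password"):
        return False
    if hmac.compare_digest(_digest(password, acct.salt), acct.history[-1]):
        acct.failed_logins = 0
        return True
    acct.failed_logins += 1
    if acct.failed_logins >= LOCKOUT_THRESHOLD:
        acct.locked = True   # cleared only by an administrator or on-call/helpdesk IT staff
    return False
```

The state kept per account (hashed history, password date, failure counter, locked and disabled flags) is exactly what a directory service needs to apply items i, ii, vii, viii and xi; the `account_status` call is what a monthly audit under 2.11 would run against every account to find those past the 120-day life.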
3.02 All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
3.03 All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor's recommendations.
3.04 Headers of all incoming data, including electronic mail, must be scanned for viruses by the email server where such products exist and are financially feasible to implement.
3.05 Outgoing electronic mail should be scanned where such capabilities exist.
3.06 Where feasible, system or network administrators should inform users when a virus has been detected.
3.07 Virus scanning logs must be maintained whenever email is centrally scanned for viruses.

4.00 Intrusion Detection
4.01 Intrusion detection must be implemented on the firewall and, where possible/practical, on servers and workstations containing data classified as high risk.

4.02 Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must be enabled.
4.03 Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.
4.04 Intrusion detection tools should be installed where appropriate and checked on a regular basis.

5.00 Internet Security
5.01 All connections to the Internet must go through a properly secured connection point to ensure the network is protected when the data is classified high risk.
5.02 All connections to the Internet should go through a properly secured connection point to ensure the network is protected when the data is classified confidential.

6.00 System Security
6.01 All systems connected to the Internet should have a vendor-supported version of the operating system installed.
6.02 All systems connected to the Internet must be current with security patches.
6.03 All servers should have security patches applied on a periodic basis, monthly in most instances.
6.04 System integrity checks of host and server systems housing high risk WCDHB data should be performed where practical.
6.05 Where possible and practical, logins to computer systems should be standardised as firstname.lastname.
6.06 Where possible, systems should be integrated into Microsoft Active Directory.

7.00 Acceptable Use
7.01 WCDHB computer resources must be used in a manner that complies with WCDHB policies and relevant laws and regulations.
7.02 It is against WCDHB policy to install or run software requiring a licence on any WCDHB computer without a valid licence.
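The logon monitoring required by 2.13, the automated log review with alerting in 4.03, and the monthly audit of accounts inactive for more than 90 days in 2.11, shown together as one review script. This is an added example and not WCDHB tooling: the log line format, the sample log lines, the account directory extract and the audit date are constructed for the example, and the failure window of 10 minutes is an assumption (the clause fixes only the 5-attempt threshold).

```python
"""Automated review of logon records (2.13, 4.03) and the 90-day inactive
account audit (2.11). Added example, not WCDHB tooling: the log format, the
log lines, the directory extract and the audit date are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # failed attempts that lock an account (2.09 xi)
FAILURE_WINDOW = timedelta(minutes=10)  # assumed window for counting failures
INACTIVE_DAYS = 90                    # 2.11: accounts inactive this long are audited
AUDIT_DATE = datetime(2024, 3, 15)    # constructed date of this month's audit

# Constructed log lines in an assumed "<timestamp> <event> user=<u> host=<h>" format;
# the PRINT line is deliberately malformed to show that unknown lines are skipped.
SAMPLE_LOG = """\
2024-03-01T08:02:11 LOGON_SUCCESS user=alice host=ws01
2024-03-01T08:03:40 LOGON_FAILURE user=bob host=ws02
2024-03-01T08:03:52 LOGON_FAILURE user=bob host=ws02
2024-03-01T08:04:05 LOGON_FAILURE user=bob host=ws02
2024-03-01T08:04:19 LOGON_FAILURE user=bob host=ws02
2024-03-01T08:04:33 LOGON_FAILURE user=bob host=ws02
2024-03-01T08:10:00 LOGON_SUCCESS user=bob host=ws02
2024-03-01T17:01:00 LOGOFF user=alice host=ws01
2024-03-02T09:15:00 LOGON_FAILURE user=carol host=ws03
2024-03-02T09:30:00 LOGON_SUCCESS user=carol host=ws03
2024-03-02T09:31:00 PRINT user=carol host=ws03
"""

# Constructed directory extract: username -> last logon the directory recorded
DIRECTORY = {
    "alice": datetime(2024, 2, 20),
    "bob": datetime(2024, 2, 28),
    "carol": None,
    "dave": datetime(2023, 10, 15),   # no logon since October: audit candidate
    "erin": None,                     # never logged on
}

LINE_RE = re.compile(r"^(\S+) (LOGON_SUCCESS|LOGON_FAILURE|LOGOFF) user=(\S+) host=(\S+)$")


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str
    user: str
    host: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format; lines that do not match are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, user, host = m.groups()
        events.append(Event(datetime.fromisoformat(ts), kind, user, host))
    return sorted(events, key=lambda e: e.time)


def failed_logon_alerts(events, threshold=LOCKOUT_THRESHOLD, window=FAILURE_WINDOW):
    """One alert per user whose failures reach `threshold` within `window`,
    as (user, time of the failure that crossed the threshold, count)."""
    failures = defaultdict(list)
    for e in events:
        if e.kind == "LOGON_FAILURE":
            failures[e.user].append(e.time)
    alerts = []
    for user, times in failures.items():
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                alerts.append((user, t, i - start + 1))
                break
    return alerts


def sessions(events):
    """Pair each successful logon with the next logoff for the same user and host,
    giving the logon and logoff date/time that 2.13 asks to be recorded."""
    open_sessions, out = {}, []
    for e in events:
        key = (e.user, e.host)
        if e.kind == "LOGON_SUCCESS":
            open_sessions[key] = e.time
        elif e.kind == "LOGOFF" and key in open_sessions:
            out.append((e.user, e.host, open_sessions.pop(key), e.time))
    for (user, host), start in open_sessions.items():
        out.append((user, host, start, None))   # still logged on at end of log
    return sorted(out, key=lambda s: s[2])


def inactive_accounts(directory, events, now=AUDIT_DATE, days=INACTIVE_DAYS):
    """Accounts with no successful logon in `days`, merging the directory's
    last-logon stamp with what the logs show; returns (user, last_logon or None)."""
    last = dict(directory)
    for e in events:
        if e.kind == "LOGON_SUCCESS" and e.user in last:
            if last[e.user] is None or e.time > last[e.user]:
                last[e.user] = e.time
    cutoff = now - timedelta(days=days)
    return sorted((u, t) for u, t in last.items() if t is None or t < cutoff)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, when, n in failed_logon_alerts(evs):
        print(f"ALERT: {n} failed logons for {user} by {when.isoformat()}")
    for user, last in inactive_accounts(DIRECTORY, evs):
        print(f"AUDIT: {user} inactive since {last.date() if last else 'never'}")
```

The review produces the two outputs a monthly audit wants: a list of alerts for the administrator (4.03) and the list of accounts to put in front of the relevant HOD before they are removed (2.11). Feeding it from real logs means replacing the constructed `LINE_RE` with a parser for whatever the monitored system actually writes.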
7.03 Use of the WCDHB's computing and networking infrastructure by WCDHB staff members for purposes unrelated to their WCDHB positions must be limited in both time and resources, and must not interfere in any way with WCDHB functions or the staff member's duties.
7.04 Uses that interfere with the proper functioning of, or the ability of others to make use of, the WCDHB's networks, computer systems, applications and data resources are not permitted.
7.05 Use of WCDHB computer resources for personal profit is not permitted, except as addressed under other WCDHB policies.
7.06 Decryption of passwords is not permitted, except by authorised staff performing security reviews or investigations.

7.07 Use of network sniffers shall be restricted to system administrators, who must use such tools to solve network problems. Auditors in the performance of their duties may also use them. They must not be used to monitor or track any individual's network activity except under special authorisation from the Chief Information Officer.

8.00 Exceptions
8.01 In certain cases, compliance with specific procedure requirements may not be immediately possible. Reasons include, but are not limited to, the following:
i. Required commercial or other software in use is not currently able to support the required features;
ii. Legacy systems are in use which do not comply, but near-term future systems will, and are planned for;
iii. Costs for reasonable compliance are disproportionate relative to the potential damage.

7. Precautions And Considerations
Security reviews of servers, firewalls, routers and monitoring platforms must be conducted on a regular basis. Vulnerability and risk assessment tests of external network connections should be conducted on a regular basis. Education should be implemented to ensure that users understand data sensitivity issues, levels of confidentiality, and the mechanisms to protect the data.

8. References
There are no references associated with this Procedure.

9. Related Documents
WCDHB Access To Information Systems Procedure
WCDHB Email Use Procedure
WCDHB Health Intranet Connection Procedure
WCDHB Information Systems Procedure
WCDHB Internet Use Procedure
WCDHB Portable Data Storage Devices Use Procedure
Collection, Collation, Correction & Alteration Of Personal Health Information/Medical Records Procedure