COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy




Preamble

Most of Copies FYI, Incorporated financial, administrative, research, and clinical systems are accessible through the campus network. As such, they are vulnerable to security breaches that may compromise confidential information and expose our company to losses and other risks. At Copies FYI, Inc., security is critical to the physical network, computer operating systems, and application programs, and each area offers its own set of security issues and risks. Confidentiality and privacy, access, accountability, authentication, availability, and Information Technology system and network maintenance are components of a comprehensive security plan. This plan identifies key concerns and issues faced by our company at the application, host, and network level, and strives for a balance between our company's desire to promote and enhance the free exchange of ideas and its need for security of critical information and systems.

This document will:
1. Identify the elements of a good security policy;
2. Explain the need for Information Technology security;
3. Specify the various categories of Information Technology security;
4. Indicate the Information Technology Security responsibilities and roles; and
5. Identify appropriate levels of security through standards and guidelines.

This document establishes an overarching security policy and direction for Copies FYI, Inc. Individual clinics, doctors and attorneys and their firms are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs.

1. INFORMATION TECHNOLOGY SECURITY ELEMENTS

The elements of a good security policy include: Confidentiality and Privacy; Access; Accountability; Authentication; Availability; and Information technology system and network maintenance policy.

Confidentiality refers to our company's needs, obligations and desires to protect private, proprietary and other sensitive information from those who do not have the right and need to obtain it. Access defines rights, privileges, and mechanisms to protect assets from access or loss. Accountability defines the responsibilities of users, operations staff, and management. Authentication establishes password and authentication policy. Availability establishes hours of resource availability, redundancy and recovery, and maintenance downtime periods. Information technology system and network maintenance describes how both internal and external maintenance people are allowed to handle and access technology.

2. NEED FOR INFORMATION TECHNOLOGY SECURITY

Our company and all members of our company are obligated to respect and to protect confidential data. Medical records, certain employment-related records, attorney-client communications, and certain research and other intellectual property-related records are, subject to limited exceptions, confidential as a matter of law. Many other categories of records, including clinic and other personnel records, and records relating to our company's business and finances are, as a matter of company policy, treated as confidential. Systems (hardware and software) designed primarily to store confidential records (such as the Financial Information System and all medical records systems) require enhanced security protections and are controlled (strategic) systems to which access is closely monitored. Networks provide connection to records, information, and other networks and also require security protections. The use of Copies FYI Information Technology assets in other than a manner and for the purpose for which they were intended represents a misallocation of resources and, possibly, a violation of law. Guidelines for appropriate use of computer facilities and services at Copies FYI, Inc can be found at http://www.copiesfyi.com.

3. SECURITY CATEGORIES

This policy applies to the following categories of security:
Computer system and applications security: central processing unit, peripherals, operating system and data.
Physical security: the premises occupied by Copies FYI, Inc. personnel and equipment, which have a security system installed.
Operational security: environment control, power equipment, operational activities.
Procedural security: established and documented security processes for information technology staff, vendors, management, and individual users.
Network security: communications equipment, personnel, transmission paths, and adjacent areas.

4. INFORMATION TECHNOLOGY SECURITY RESPONSIBILITIES AND ROLES

Responsibility for guaranteeing appropriate security for data, systems, and networks is assigned to Copies FYI, Inc management, directors, and department heads. In many cases, responsibility for designing, implementing, and maintaining security protections will be delegated to information technology staff, but the director or department head will retain responsibility for ensuring compliance with this policy. In addition to management and information technology staff, the individual user is responsible for the information technology equipment and resources under his or her control.

Copies FYI, Inc., is responsible for:
1. Tracking technology and regulatory changes that may indicate or require a change or addition to the current policy;
2. Advising affected management and staff of said changes;
3. Establishing procedures that support the implementation and maintenance of the security policy;
4. Assisting departments and clinics within Copies FYI, Inc to develop, implement and maintain their own security policies that support and facilitate our company's enterprise policy; and
5. Establishing and maintaining a repository for Copies FYI, Inc.'s collected security documents.

5. INFORMATION TECHNOLOGY STANDARDS AND GUIDELINES

Confidentiality and Privacy

Our company and all members of our company are obligated to respect and, in many cases, to protect confidential data. There are, however, technical and legal limitations on our ability to protect confidentiality. For legal purposes, electronic communications are no different than paper documents. Electronic communications are, however, more likely to leave a trail of inadvertent copies and more likely to be seen in the course of routine maintenance of computer systems. Certain areas of our company permit incidental personal use of computer resources. Our company does not monitor the content of personal web pages, e-mail or other on-line communications. However, our company must reserve the right to examine computer records or monitor activities of individual computer users (a) to protect the integrity or security of the computing resources or protect our company from liability, (b) to investigate unusual or excessive activity, (c) to investigate apparent violations of law or Copies FYI policy, and (d) as otherwise required by law or exigent circumstances. In limited circumstances, our company may be legally compelled to disclose information relating to business or personal use of the computer network to governmental authorities or, in the context of litigation, to other third parties. Administrators of Copies FYI, department or division networks should notify computer users if incidental personal use is not permitted and that our company cannot ensure the confidentiality of personal communications.

Access

No one may access confidential records unless specifically authorized to do so. Even authorized individuals may use confidential records only for authorized purposes. Our company's Computer Use Policy (http://www.copiesfyi.com) requires that members of our company respect the privacy of others and their accounts, not access or intercept files or data of others without permission, and not use another's password or access files under a false identity. Violators of any of these rules are subject to discipline consistent with the general disciplinary provisions applicable to ROI Specialists and staff.

Technology assets are to be housed in an appropriately secure physical location. Technology assets include servers, personal computers that house systems with controlled access (laptops are a category of special consideration), ports (active ports in public areas), sniffing devices (PCs set up to do this for diagnosis should be secure), modems and network components (cabling, electronics, etc.).

Passwords help protect against misuse by seeking to restrict use of Copies FYI systems and networks to authorized users. Authorized users (specific individuals) are assigned a unique strong password that is to be protected by that individual and not shared with others, is difficult to crack, is changed on a regular basis, and is deleted when no longer authorized (http://www.copiesfyi.com).

The management for each area will ensure that controls are in place to avoid unauthorized intrusion of systems and networks and to detect efforts at such intrusion. Such controls may include some combination of the following: setting up base-line traffic monitoring and comparing with network logs for variances; implementing system control mechanisms to detect unexpected data conditions; monitoring successful and unsuccessful access to data; and conducting port scans to ensure that only authorized users are connected to the network.

Each Copies FYI controlled information system must have an Access Policy that defines access rights and privileges and protects assets and data from loss or inappropriate disclosure by specifying acceptable use guidelines for users, operations staff and management. The Access Policy will provide guidelines for external connections, for data communications, for connecting devices to a network, and for adding new software to systems. As part of the policy, the responsibility and accountability for its implementation must be established. Additionally, as users are granted access to controlled Copies FYI systems, they will receive written statements (specific to the individual application and authored by the security administrator for that application) outlining the user's responsibility regarding the appropriate use of the system and data and emphasizing the consequences of improper use. This statement is to be read and signed by each user.

Accountability

Individual users are responsible for ensuring that others do not use their system privileges. In particular, users must take great care in protecting their usernames and passwords from eavesdropping or careless misplacement. Passwords are never to be 'loaned.' Individual users will be held responsible for any security violations associated with their usernames. Operations staff is responsible for reviewing the audit logs and identifying potential security violations. The operations staff is responsible for establishing the security and access control mechanisms (such as usernames, passwords, logging, etc.) and may be held accountable for any security breaches that arise from improper configuration of these mechanisms. Each user permitted to access a controlled system is to be made aware of the access policy for that system. Management will provide this information to the employee when first granting access and make the employee aware of the auditing capability in place to verify compliance.

All controlled systems must maintain audit logs to track usage information to a level appropriate for that system. All user sessions and all failed connection attempts must be logged. For user sessions, the following will be recorded: user, source IP, session start time/date, and session end time/date. For failed connection attempts, the number of attempts must also be recorded. Management has the discretion to determine whether additional logging is necessary. Audit logging may also apply to networks. Logging of network traffic flow and access is a standard practice. If inappropriate use of the network is suspected, and management so requests, Network Technology Services may authorize specific traffic logging on portions of the campus network.

If the operations staff believes a security incident has occurred, they will immediately notify their management. Management will assess the potential implications of the incident, notify Network Technology Services, and take any remedial and necessary action. All audit logs will be immediately duplicated and moved to secure media for further analysis.

Before adding new software to Copies FYI computers and networks, system defaults should be carefully reviewed for potential security holes and passwords shipped with the software should be changed. Downloading software, particularly software that is not job-related or endorsed by the administration, may introduce security risks and should be controlled.

Authentication

Authentication and data encryption or point-to-point communication will be implemented for all systems that send or receive sensitive data or when it is critical that both parties know with whom they are communicating. The decision of whether to encrypt data should be made by the professional system administrator responsible for the particular application being distributed, with the knowledge of the appropriate director or department head.

Availability

Mission critical systems are expected to be available at all times during applicable business hours. Each critical system must have a published availability statement which details redundancy and recovery procedures, and specifies hours of operations and maintenance downtime periods. It must also include contact information for reporting system outages. This statement must be submitted to and approved by Network Technology Services. Backup of data will be well-documented and tested. Backups of mission critical data must be maintained in secure off-site storage to guard against the impact of disasters.

Information Technology Systems and Network Maintenance

In the course of doing business, Copies FYI, Inc Information Systems management, Network Technology Services, and all departments may contract for all or some system and network local or remote maintenance or support. Representatives of these contracted companies must follow all Copies FYI policies. Copies FYI, Inc. is expected to establish appropriate guidelines for building, equipment and system access. It is the responsibility of the contracting clinic to inform the contractor of all appropriate policies and, in addition, to provide oversight of the contractor and contractor representatives during the time they have access to Copies FYI resources.

Reporting Violations

Owners or managers of computer, network, or applications systems, as well as users of these systems, have the responsibility to report any apparent violations of law or Copies FYI policy (http://www.copiesfyi.com) to local management and Network Technology Services or Computing and Communications whenever such violations come to their attention. Owners and managers of department computing, network, and applications systems shall make available to management and users of the systems guidelines for reporting security violations. These guidelines will provide specific guidance on what, when, where, to whom, and within what timeframe the violation should be reported, and a copy will be filed with Network Technology Services or Computing and Communications.
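As an added example, not part of the Copies FYI policy, the following Python script checks audit-log records of a controlled system against the logging requirements in the Accountability section above: every session record must carry user, source IP, start and end time/date, and failed connection attempts must be counted per user and source. The JSON-lines record layout, the field names and the sample records are assumptions constructed for this example.

```python
"""Added example: verify audit-log records against the policy's logging requirements.

Assumed record layout (JSON lines, one record per line):
  {"type": "session", "user", "source_ip", "start", "end"}
  {"type": "failed",  "user", "source_ip", "time"}
"""
import json
from collections import Counter
from datetime import datetime

# Fields the policy requires for each user session record.
SESSION_FIELDS = ("user", "source_ip", "start", "end")

# Constructed sample records (not real log data); one session lacks an end time
# and one external source accumulates several failed attempts.
SAMPLE_LOG = """\
{"type": "session", "user": "jdoe", "source_ip": "10.0.5.21", "start": "2015-03-02T08:01:12", "end": "2015-03-02T11:47:03"}
{"type": "session", "user": "asmith", "source_ip": "10.0.5.40", "start": "2015-03-02T08:15:00"}
{"type": "failed", "user": "jdoe", "source_ip": "198.51.100.7", "time": "2015-03-02T08:02:01"}
{"type": "failed", "user": "jdoe", "source_ip": "198.51.100.7", "time": "2015-03-02T08:02:05"}
{"type": "failed", "user": "jdoe", "source_ip": "198.51.100.7", "time": "2015-03-02T08:02:09"}
{"type": "failed", "user": "root", "source_ip": "198.51.100.7", "time": "2015-03-02T08:03:00"}
{"type": "failed", "user": "asmith", "source_ip": "10.0.5.40", "time": "2015-03-02T08:14:50"}
"""


def parse_records(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_sessions(records):
    """Return (record index, list of problems) for every session record that is
    missing a required field or carries an unparsable timestamp.  A missing
    'end' may mean the session is still open; it is reported so that the
    reviewer can decide, since the policy requires end time/date to be recorded."""
    problems = []
    for i, rec in enumerate(records):
        if rec.get("type") != "session":
            continue
        issues = [f for f in SESSION_FIELDS if f not in rec]
        for f in ("start", "end"):
            if f in rec:
                try:
                    datetime.fromisoformat(rec[f])
                except ValueError:
                    issues.append("bad_" + f)
        if issues:
            problems.append((i, issues))
    return problems


def count_failed_attempts(records):
    """Number of failed connection attempts per (user, source IP), as the policy
    requires the count of failed attempts to be recorded."""
    return Counter((r["user"], r["source_ip"])
                   for r in records if r.get("type") == "failed")


def repeated_failures(records, threshold=3):
    """(user, source IP) pairs at or above the threshold: the 'unsuccessful
    access' the policy asks operations staff to review when reading audit logs."""
    return {k: v for k, v in count_failed_attempts(records).items() if v >= threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("sessions with logging gaps:", check_sessions(recs))
    print("failed attempts per user/source:", dict(count_failed_attempts(recs)))
    print("repeated failures:", repeated_failures(recs))
```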