OVERVIEW 3
  Introduction 3
  Mission Statement 4
  Vision Statement 5
  Scope 6
  Values Statement 7
  Goals 8
  Objectives 9
  Information Security Awareness & Training 10
  Company Roles and Responsibilities 11
  Responsibilities of Owners, Custodians, and Users 13
  Management of the Policy 14
Access Control 21
  General 21
  Telecommuting Arrangements 30
  Physical Security 33
  Building Access Records 38
  Handling Visitors 40
  Restricted Access to Computer Facilities 42
  Computer Location and Facility Construction 44
  Clear Desk Policy 49
  Management Section 50
  Granting Access to Sensitive Data 53
Network 55
  Making Network Connections 55
  Violations 61
Encryption 62
  When to Use Encryption 62
  Encryption Key Management 64
One-Health Hospital
Page 1
Revised 6/10/2009
Privacy 75
  Disclosure 75
Contingency Planning 96
  Purpose 96
  Applicability 96
  Operations 97
  Activation 98
  Recovery Operations 98
  Return to Normal Operations 98
  Plan Appendices 99
OVERVIEW:
Introduction
One-Health Hospital has taken many steps to ensure the confidentiality, integrity, and availability of its systems and information. This document serves as a blueprint for achieving this. The policy handbook is ever-changing; as the industry evolves, adaptations will be required. The policies stipulated here provide a foundation for future procedures to be developed. It is every employee's responsibility to adhere to this document.
Mission Statement
One-Health Hospital provides affordable and exceptional health-care services to its neighbors and the surrounding communities. One-Health Hospital strives to offer medical and professional services delivered with the utmost respect and care for our patients.
Vision Statement
One-Health Hospital will be the leader in patient care practices in the state of Michigan, implementing the latest technological advances and research the scientific community offers. Our medical professionals will be leaders in their respective fields, setting new standards of medical excellence.
Scope
This policy applies to the assets of One-Health Hospital: computer, mobile, network, peripheral, and wireless devices; personnel; buildings; and data. It also extends to external companies' devices, their access to systems and buildings, and the data they handle.
Values Statement
Oneness: We believe in one health for all, and we will protect it for every patient.
Numbers: We operate cost-effectively without compromising the quality of care.
Excellence: We set a high standard and hold to it at every point in the hospital to maintain a successful partnership with the patient.
Health: We strive to give the patient all the tools and knowledge available, beyond the purpose of their visit.
Equality: We recognize all individuals as equals and treat them with the respect and dignity they deserve as people.
Awareness: We keep an eye on the region to ensure that we are meeting the demands of the community.
Links: We are linked to other hospitals and to the community in case any type of medical disaster occurs.
Teamwork: We believe in professional collaboration for efficiency, institutional growth, and creative research.
Hospital: We are more than a building; we are a foundation of the community's health and mental stability.
Goals
Operational:
- Maintain system backups.
- Monitor the network.
- Secure the data with access controls.
- Perform account access cleanup.
Tactical:
- Upgrade software and hardware.
- Audit the computers, servers, and network.
- Provide training and awareness education.
Strategic:
- Customer satisfaction.
- Expand hospital information technology into other parts of the hospital's functions.
- Profit by using the most modern information technologies in the hospital.
Objectives
Confidentiality: Data in the hospital's possession is available only to those with a need to know. This includes, but is not limited to, the patient, a patient's family member, health care workers, legal representation, and government officials.
Integrity: Auditing ensures that data on the hospital network is not altered or compromised during storage, access, or transmission.
Availability: Monitoring of network communications, mobile devices, and computer data provides a high up-time percentage for users.
Information Security Awareness & Training
All new employees will receive orientation training in the use of the hospital's computers. Upon completion, each person is required to sign a statement that they have read, understand, and agree to comply with the General Computer Use Policies. The training covers:
- Organizational security policy: computing users receive a copy of the General Computer Use Policies.
- Security operating procedures: computing users get instructions in the proper use of the hospital systems available to them.
- Access control procedures: first-time users of the hospital computing facilities receive instruction in the proper use and protection of passwords.
- Information security and password tips.
- How to identify and report security incidents.
Roles and Responsibilities
establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. Compliance checking, to ensure that organizational units are operating in a manner consistent with these requirements, is the responsibility of the EDP Audit Unit within the Internal Audit Department. Investigations of system intrusions and other information security incidents are the responsibility of the Information Security Department.
Management of the Policy
These policies are technology neutral and apply to all aspects of information technology. Emerging technologies or new legislation, however, will impact these practice standards over time.
Ownership and Approval
The One-Health Hospital Information Resources Manager (IRM) owns the security policies. The IRM, or designate, is the only authority that can approve modifications to the security policies.
Change Drivers
A number of factors could result in the need or desire to change the security policies. These factors include, but are not limited to, the following:
- Review schedule
- New legislation
- Newly discovered security vulnerability
- New technology
- Audit report
- Business requirements
- Cost/benefit analysis
- Cultural change
Change Process
Updates to the One-Health Hospital information policies, which include establishing new policies, modifying existing policies, or removing policies, can result from three different processes:
1. At least annually, the Information Security Officer (ISO), or designate, will review the policies for possible addition, revision, or deletion. An addition, revision, or deletion is created if it is deemed appropriate.
2. Every time new Information Resources (IR) technology is introduced into One-Health Hospital, a security assessment must be completed. The result of the security assessment could necessitate changes to the security policies before the new technology is permitted for use at One-Health Hospital.
3. Any User may propose the establishment, revision, or deletion of any practice standard at any time. These proposals should be directed to the ISO, who will evaluate the proposal and make recommendations to the IRM.
Once a change to the security policies has been approved by the IRM, or designate, the following steps will be taken as appropriate to properly document and communicate the change:
- The appropriate IR Security web pages will be updated with the change.
- Training and compliance materials will be updated to reflect the change.
- The change will be communicated using standard One-Health Hospital communications methods such as the internal cable TV system, the announcements web page, newsletters, and communications meetings.
Need for Information Technology Security
All systems within One-Health Hospital, and the data contained in and transmitted on or by them, are the property of One-Health Hospital. To ensure the proper management of this property, One-Health Hospital reserves the right to monitor, record, and examine all data traveling its networks, with or without consent or warning. One-Health Hospital technological systems should be used for appropriate academic and business purposes only. In addition, most files and documents maintained by One-Health Hospital are subject to public review under applicable state open records law. This includes computer files and other data regardless of the medium of storage. For these reasons faculty, staff, students, contractors, agents, or other individuals should have no expectation of privacy associated with the information they store in or send through these systems. These systems exist to support mission-critical One-Health Hospital activities and goals.
Review Schedule
The CIO, Network, and Security Managers will review the Enterprise Information Security policy annually.
Authority
Authority to establish and enforce this policy and associated security policy documents is held by the CIO, Network, and Security Managers.
Figure: Policy Change Process flowchart (dated May 18, 2009). Change trigger -> Review proposal -> Accept proposal? If no: notify originator, stop. If yes: proposal accepted by the IRM or delegate? If no: notify originator, stop. If yes: final approval by IRM or delegate -> Publish and communicate -> Stop.
The One-Health Hospital security practice standards provide the techniques and methodology to protect One-Health Hospital IR assets. While these practice standards are technology independent, they are more closely linked to the technology than the policy statements are, and hence are more likely to be impacted by changing technology, legislation, and business requirements. An exception is the method used to document variations from the rules. Examples are:
- Allowing a desktop modem when the practice standard states that desktop modems are not permitted.
- Giving an individual elevated privileges in comparison to another individual with similar responsibilities.
Any User of One-Health Hospital Information Resources may apply for an exception.
Exception Process
The steps for permitting and documenting an exception are:
1. A request for an exception is received by the ISO, along with a business case justifying the exception.
2. The ISO analyzes the request and the business case and determines whether the exception should be accepted, denied, or requires more investigation.
3. If more investigation is required, the ISO and IR technical staff determine whether there is a cost-effective solution to the problem that does not require an exception.
4. If there is no alternate cost-effective solution, and the risk is minimal, the exception may be granted.
5. Each exception must be re-examined according to its assigned schedule. The schedule can vary from 3 months to 12 months depending on the nature of the exception.
6. Any exception request that is rejected may be appealed to the IRM.
Access Control
General
Where to Use Computer System Access Controls
Policy: All computer-resident information which is sensitive, critical, or valuable must have system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
Commentary: The intention of this policy is to require that the information which needs it will indeed be properly protected. Ideally, security measures are designed in a consistent manner, such that information is properly protected wherever it travels and whatever form it takes. This policy mandates the use of access controls to support that notion.

Four Category Data Classification Scheme
Policy: Data must be broken into four sensitivity classifications with separate handling requirements: protected, sensitive, private, and public. This standard data sensitivity classification system must be used throughout One-Health Hospital. The classifications are defined as follows:
Protected: This classification applies to the most sensitive business information, which is intended strictly for use within One-Health Hospital. Its unauthorized disclosure could seriously and adversely impact One-Health Hospital, its stockholders, its business partners, and/or its customers.
Sensitive: This classification applies to all individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law, as well as less sensitive business information which is intended for use within One-Health Hospital. Its unauthorized disclosure could adversely impact One-Health Hospital, its patients, staff, stockholders, business partners, and/or customers.
Private: This classification applies to personal information which is intended for use within One-Health Hospital. Its unauthorized disclosure could seriously and adversely impact One-Health Hospital and/or its employees.
Public: This classification applies to all other information which does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact One-Health Hospital, its employees, its stockholders, its business partners, and/or its customers.
All Software Must Be Regulated By Access Control Systems Software
Policy: All software installed on One-Health Hospital multi-user systems must be regulated by approved access control systems software. This means that the approved access control systems software must initially control a user's session, and only if the defined permissions allow it is control passed to the separately installed software.
Commentary: This policy attempts to prevent the installation of software that cannot be regulated by an access control system.

Systems Requiring Password-Based Access Control Package
Policy: If a small system (PC, LAN, etc.) handles either critical or sensitive information, the system must also utilize a properly maintained version of an approved password-based access control system.
Commentary: The intention of this policy is to provide managers of small systems with a specific rule of thumb that can be used to determine whether they should employ a password-based access control system. Those systems which contain neither critical nor sensitive information are, by default, not required to have access control systems.

Privilege Restriction Based on the Need-to-Know
Policy: The computer and communications system privileges of all users, systems, and programs must be restricted based on the need-to-know.
Commentary: The intention of this policy is to prevent the granting of excessive privileges to users. Excessive privileges often allow users to perform abusive and unauthorized acts, such as viewing private information belonging to other users. Excessive privileges may also allow users to commit errors that have serious consequences, such as bringing a communications server down during business hours. Borrowed from the military, the need-to-know approach is a fundamental idea underlying nearly all commercial access control systems.
No Read Up Permissions to Access Sensitive Information
Policy: Workers who have authorization to view information classified at a certain sensitivity level must be permitted to access only the information at this level and at less sensitive levels.
Commentary: The intention of this policy is to explicitly instruct system administrators, and others who set access control privileges, to prevent users from gaining unauthorized access to information. For example, a person authorized to view sensitive information may also view private and public information, because these are less sensitive than sensitive information. That person, however, may not view protected information unless specific authorization has been granted. This approach is sometimes called "read down" or "no read up" because the user is only given permission to read at his or her classification level and the levels below it (progressively less sensitive). This policy applies to all levels of data, no matter how many levels there are in a classification system.

No Write Down Permissions to Access Sensitive Information
Policy: Workers must never have authorization to move information classified at a certain sensitivity level to a less sensitive level unless this action is a formal part of an approved declassification process.
Commentary: This policy is intended to prevent users from moving data from one classification level to another in order to gain unauthorized access to it. For instance, if an individual could copy "protected" information and then write it to a "sensitive" (less sensitive) system, he or she might gain access to the information on that system when access was not otherwise available. The process of "writing [information] down" to a less sensitive classification level can also be considered to be effectively declassifying the information, so that unauthorized parties may then access it.
Time Dependent Access Control
Policy: All multi-user systems must employ user-IDs and passwords to control access to both data and programs. Beyond this basic access control, user activities must be restricted by time of day and day of the week.
Commentary: The default access control found on many systems is based on files, i.e., on various types of access to data and/or programs. Organizations wishing to bolster this control environment can mandate additional restrictions based on time, as this policy does. The policy's intent is to require more than simple access controls, which are normally based on user-IDs and passwords. Note that "more than the ordinary user-IDs and passwords" need not mean smart cards, biometrics, or other more expensive and esoteric technologies.
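The no read up and no write down rules and the time-dependent access control policy above are easy to state but easy to get subtly wrong when implemented (the midnight-crossing night-shift window and the "write up is fine, write down needs declassification" asymmetry are the usual slips). As an added illustration, not the handbook's own code or anything One-Health Hospital runs, here is a small reference monitor that enforces all three over the four-category classification scheme. It assumes the four levels rank in the order the scheme lists them (protected above sensitive above private above public), that weekdays are numbered Monday=0 through Sunday=6 as Python does, and that the accounts and windows in SAMPLE_USERS are constructed sample data.

```python
"""Reference-monitor sketch for the One-Health four-level classification.

Added example, not part of the handbook. Assumptions: levels rank in the
order the handbook lists them (protected > sensitive > private > public);
weekdays are Monday=0..Sunday=6; SAMPLE_USERS below is constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels; a larger value is more sensitive (assumed ordering)."""
    PUBLIC = 0
    PRIVATE = 1
    SENSITIVE = 2
    PROTECTED = 3


@dataclass(frozen=True)
class Window:
    """Permitted access window: allowed weekdays plus a [start, end) time span.
    start == end means the whole day; start > end means the span crosses
    midnight (e.g. 19:00-07:00), and the weekday is judged at access time."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, at: datetime) -> bool:
        if at.weekday() not in self.weekdays:
            return False
        t = at.time()
        if self.start == self.end:
            return True
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # crosses midnight


@dataclass(frozen=True)
class User:
    user_id: str
    clearance: Level      # highest level the user may read
    windows: tuple        # Window objects during which the user-ID is active


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def no_read_up(subject: Level, obj: Level) -> bool:
    """Read only at or below the subject's clearance."""
    return obj <= subject


def no_write_down(src: Level, dst: Level, declassification_approved: bool) -> bool:
    """Moving data to a less sensitive level is declassification and needs
    formal approval; moving to the same or a higher level is always allowed."""
    return dst >= src or declassification_approved


def in_window(user: User, at: datetime) -> bool:
    return any(w.contains(at) for w in user.windows)


def decide_read(user: User, obj: Level, at: datetime) -> Decision:
    """Time-of-day restriction first, then the lattice check."""
    if not in_window(user, at):
        return Decision(False, "outside permitted time window")
    if not no_read_up(user.clearance, obj):
        return Decision(False, f"no read up: {obj.name} is above {user.clearance.name}")
    return Decision(True, "ok")


def decide_move(user: User, src: Level, dst: Level, at: datetime,
                declassification_approved: bool = False) -> Decision:
    """Copying data from src to dst: the user must be able to read src, and
    the copy must not write down unless a declassification was approved."""
    read = decide_read(user, src, at)
    if not read.allowed:
        return read
    if not no_write_down(src, dst, declassification_approved):
        return Decision(False, f"no write down: {src.name} -> {dst.name} needs approved declassification")
    return Decision(True, "ok")


WEEKDAYS = frozenset(range(5))    # Mon-Fri
EVERY_DAY = frozenset(range(7))

# Constructed sample accounts (hypothetical, not real users).
SAMPLE_USERS = {
    "billing01": User("billing01", Level.PRIVATE, (Window(WEEKDAYS, time(8, 0), time(18, 0)),)),
    "nurse07": User("nurse07", Level.SENSITIVE, (Window(EVERY_DAY, time(19, 0), time(7, 0)),)),  # night shift
    "iso": User("iso", Level.PROTECTED, (Window(EVERY_DAY, time(0, 0), time(0, 0)),)),         # all day
}

TUE_10AM = datetime(2009, 6, 9, 10, 0)   # a Tuesday, business hours
TUE_2AM = datetime(2009, 6, 9, 2, 0)     # same Tuesday, night shift

if __name__ == "__main__":
    for uid, obj, at in [("billing01", Level.PRIVATE, TUE_10AM), ("billing01", Level.SENSITIVE, TUE_10AM),
                         ("nurse07", Level.SENSITIVE, TUE_2AM), ("nurse07", Level.SENSITIVE, TUE_10AM)]:
        d = decide_read(SAMPLE_USERS[uid], obj, at)
        print(f"{uid} read {obj.name} at {at:%a %H:%M}: {d.allowed} ({d.reason})")
```

The time check is deliberately evaluated before the lattice check so that a denied request outside the window reveals nothing about what the user would otherwise be cleared to see; the move check reuses the read decision so a user can never launder data they could not read in the first place.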
Unbecoming Conduct and the Revocation of Access Privileges
Policy: One-Health Hospital management reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of One-Health Hospital information systems, that adversely affects the ability of others to use these information systems, or that is harmful or offensive to others will not be permitted.
Commentary: The intention of this policy is to put users on notice that they jeopardize their status as authorized users if they engage in the activities described. For example, crashing the system could reasonably be expected to be harmful to other users, and would accordingly subject the perpetrator to disciplinary action including privilege revocation.

Prohibition against Testing Information System Controls
Policy: Workers must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the Manager of the Information Security Department.
Commentary: When users attempt to break controls, this fosters an "attack ethic," i.e., an environment where it is acceptable for workers to attempt to break system controls. This policy eliminates an often-invoked excuse for computer crimes, as perpetrators may say that they were merely "testing the control system so as to be able to improve it." Of course, internal auditors already have this approval (in their departmental mission statement), and they should continue to test controls.

Prohibition against Exploiting Systems Security Vulnerabilities
Policy: Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have authorization to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies must be promptly reported to the Manager of Information Security.
Commentary: The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem is knowledge of a special password that allows a user to do things he or she would otherwise not be able to do.
Requests for One-Health Hospital Information Referred to Public Relations
Policy: Unless authorized by management, all requests for information about One-Health Hospital and its business must be referred to the Public Relations Department. These requests include questionnaires, surveys, newspaper interviews, and the like. This policy does not apply to sales and marketing information about One-Health Hospital products and services, nor does it pertain to customer support calls.
Commentary: The intention of this policy is to prevent workers, many of whom have only the best of intentions, from disclosing sensitive information to the press, market researchers, competitors, industrial spies, system crackers/hackers, and others. Effectively this policy says that only the Public Relations Department is authorized to disclose information about One-Health Hospital and its business. By funneling disclosures through Public Relations, an organization is also able to present a coordinated and orderly image to the public.

Approval Required Prior to Release of One-Health Hospital Information
Policy: Permission to disclose any internal One-Health Hospital information to the news media or to other third parties must be obtained from One-Health Hospital senior management prior to release.
Commentary: The intention of this policy is to prevent workers from disclosing sensitive information to the press, market researchers, competitors, industrial spies, system crackers/hackers, and others. Without explicit approval, disclosure is forbidden.

Public Representations about Future Earnings or New Product Prospects
Policy: To avoid shareholder class-action lawsuits, workers are forbidden from making any public representations about One-Health Hospital future earnings or the prospects for new products.
Commentary: The rash of recent class-action lawsuits (many of which are frivolous) has made senior management at many American organizations worry about the repercussions of making any future projections. This policy accordingly prohibits any public statement along these lines.
Waiting Period Prior to External Disclosure of Requested Information
Policy: If One-Health Hospital has received an outsider's request for internal information that is not of a sales, marketing, or public relations nature, then the following process must be followed. The information's owner and the corporate counsel must each be given five (5) business days to evaluate the merits of the request. If no objection is received from either the owner or the corporate counsel, then the information may be released. All requesters should be charged for the direct costs incurred in the process of fulfilling their requests.
Commentary: The intention of this policy is to define the way to handle external requests for internal information that may be of a sensitive nature. This policy is used by the State of Michigan, and the information involved is assumed to be public (under "freedom of information" laws or the equivalent thereof). This assumption warrants the relatively lenient attitude about disclosure. The requested information might invade the privacy of a certain party, it might be national defense information, it might be needed by law enforcement for an investigation in progress, or for some other reason it might not be appropriate to disclose. The possibility that it might be sensitive warrants the five-day review period.

Established Procedure for Review of Information Released to Public
Policy: All information to be released to the public must first have been reviewed by management according to an established and documented process.
Commentary: The intention of this policy is to require management to establish and observe a formal procedure for the review of information before it is released to the public. Beyond requiring that such a procedure be used, this policy also requires the procedure to be documented. The policy could be expanded to require that documentation reflecting each request be generated. The most important part of the latter type of documentation is the specific approvals provided (signatures, dates, etc.). The existence of documentation is likely to have a sobering effect, such that conservative and well-reasoned decisions are more likely to be made.
Prior Review for Speeches, Presentations, Technical Papers, Etc.
Policy: Every speech, presentation, technical paper, book, or other communication to be delivered to the public must first have been approved for release by the involved employee's immediate manager. This policy applies if the involved employee will represent One-Health Hospital, if the employee will discuss One-Health Hospital affairs (even if only generally), or if the communication is based on information obtained in the course of One-Health Hospital duties. If new products, research results, corporate strategies, customer information, or marketing approaches are to be divulged, prior approval of the director of R&D and the director of the Legal Department must also be obtained.
Commentary: This policy requires that employees always obtain approval from their managers prior to delivering a speech, presentation, technical paper, or other communication. It thus helps prevent unauthorized (often inadvertent) disclosure of sensitive information. Additionally, the policy helps make sure that employees representing the organization will do a polished and professional job. The policy does not apply to personal matters, such as when an employee writes a paper on political matters or gives a speech at church. Nonetheless, if an employee discussed the general state of the industry in which One-Health Hospital offers products or services, this too would need to be approved.

Conditions for Acceptance of Third Party Sensitive Information
Policy: If an agent, employee, consultant, or contractor is to receive protected or sensitive information from a third party on behalf of One-Health Hospital, this disclosure must be preceded by the third party's signature of a release form approved by the Legal Department.
Commentary: This policy is intended to prevent One-Health Hospital from being obliged to pay royalties or other compensation to third parties if, subsequent to this disclosure, One-Health Hospital releases a product or service which is related to the ideas disclosed by the third party. A release form should make it clear that One-Health Hospital is under no obligation to pay any such royalties or other compensation, and that receipt of the information does not imply any contractual arrangement whatsoever.
Signing Third Party Confidentiality Agreements without Approval
Policy: Workers must not sign confidentiality agreements provided by third parties without the advance authorization of the One-Health Hospital legal counsel designated to handle intellectual property matters.
Commentary: In an effort to expedite discussions with suppliers, customers, and potential strategic partners, many workers will sign third party confidentiality agreements without thinking about it. They may thereby obligate their organization to pay royalties should the organization later come out with a similar product or service. Similarly, they may prevent their organization from introducing a similar product or service. To avoid these and other unfortunate and detrimental outcomes, this policy requires all confidentiality agreements to be routed through internal legal counsel (or designated external legal counsel).

Confidentiality Agreements and Disclosures of Sensitive Information
Policy: All disclosures of protected, sensitive, or private One-Health Hospital information to third parties must be accomplished via a signed confidentiality agreement that includes restrictions on the subsequent dissemination and usage of the information.
Commentary: The intention of this policy is to prevent unauthorized uses of One-Health Hospital information, including what is called "secondary dissemination." When secondary dissemination takes place, the recipient of information passes it on to some other person, and this other person then has no agreement with the information's source about how the information should be handled. This policy prohibits additional distribution without the information owner's consent.

Specific Handling Instructions for Recipients of Sensitive Information
Policy: An explicit statement describing exactly what information is restricted and how this information may and may not be used must accompany all disclosures of protected, sensitive, or private One-Health Hospital information to third parties.
Commentary: This policy can be used to address "secondary dissemination" issues, unauthorized use, and related abuses of restricted information after it has left One-Health Hospital. An "explicit statement" may be part of a non-disclosure agreement signed by the third party receiving the information, or simply given in narrative or verbal form at the time of disclosure.
Disclosure of Privacy Related Information Security Policies & Procedures

Policy: Generally, information security policies and procedures should be revealed only to One-Health Hospital workers and selected outsiders (such as auditors) who have a legitimate business need for this information. A notable exception involves private data about individuals. In these cases, One-Health Hospital has a duty to communicate the information security policies and procedures employed. In addition, One-Health Hospital has a duty to disclose the existence of systems containing private information and the ways this information is used.

Commentary: This policy addresses a dichotomy that has many people confused. On one hand, information about security should be restricted to insiders only; on the other hand, where private data about individuals is involved, it should be revealed to outsiders.

Browsing on One-Health Hospital Systems and Networks Prohibited

Policy: Workers must not browse through One-Health Hospital computer systems or networks. For example, curious searching for interesting files and/or programs in the directories of other users is prohibited. Steps taken to legitimately locate information needed to perform one's job are not considered browsing.

Commentary: The intention of this policy is to prohibit hacking, cracking, and related activities. In many instances, the perpetrators of computer abuse are simply seeking thrills and are curious rather than deliberately malicious.
Telecommuting Arrangements
Permissible Equipment for Telecommuting

Policy: Employees working on One-Health Hospital business at alternative worksites must use One-Health Hospital-provided computer and network equipment. An exception will be made only if other equipment has been approved as compatible with One-Health Hospital information systems and controls.

Commentary: The intention of this policy is to make sure that telecommuting workers do not use information systems that could: (a) cause malfunctions or damage to One-Health Hospital systems or information, or (b) insufficiently protect One-Health Hospital information. The latter might, for instance, occur if telecommuting equipment were not able to encrypt sensitive information stored on a computer at an employee's home. A burglary could then lead to unauthorized disclosure of this sensitive information.

Alteration/Expansion of Computers Provided by One-Health Hospital

Policy: Computer equipment provided by One-Health Hospital must not be altered or added to in any way (e.g., upgraded processor, expanded memory, or extra circuit boards) without departmental management knowledge and authorization.

Commentary: The intention of this policy is to ensure that users know that they must not tamper with One-Health Hospital provided equipment. Such tampering could inadvertently cause any of various security measures to malfunction; for example, a boot protection system (which requires a password when the system is turned on) could lock a user out of a computer altogether. Tampering could also be used to deliberately circumvent security measures. In addition, in an indirect way, the policy prohibits theft of internal components like memory chips. Furthermore, the policy helps to ensure that the equipment issued to a user is the equipment that will be returned when the user is no longer employed at One-Health Hospital.

Reporting of Damage to One-Health Hospital Off-Site Systems

Policy: Workers must promptly report to their manager any damage to or loss of One-Health Hospital computer hardware, software, or information that has been entrusted to their care.

Commentary: The intention of this policy is to make sure that telecommuting workers, as well as those workers with mobile computers, report all damages or losses promptly. This will in turn allow remedial measures, such as the replacement of a portable computer, to take place expediently to minimize the impact on business activity.
Protection of One-Health Hospital Property at Alternative Worksites

Policy: The security of One-Health Hospital property at an alternative worksite is just as important as it is at the central office. At alternative worksites, reasonable precautions must be taken to protect One-Health Hospital hardware, software, and information from theft, damage, and misuse.

Commentary: The intention of this policy is to impress upon telecommuters (and others working with One-Health Hospital information systems at locations other than a central office) that the same security measures apply no matter where they are located. In some respects, this policy is another way of saying that information should be protected in a manner consistent with its value, sensitivity, and criticality. Protective measures should apply no matter where the information is located, no matter what form it takes, and no matter what technology is used to handle it.

Rights to Intellectual Property Developed Off-Site

Policy: Intellectual property developed or conceived of while an employee is working at alternative worksites is the exclusive property of One-Health Hospital. This policy includes patent, copyright, trademark, and all other intellectual property rights as manifested in memos, plans, strategies, products, computer programs, documentation, and other materials.

Commentary: This policy seeks to notify telecommuters and others working off-site that their intellectual property work is still One-Health Hospital property, even though it was developed at another location. Detailed discussions with internal legal counsel about this topic are highly advisable. This policy is equally applicable to mobile computer users and others who might not be at an officially designated alternative worksite (satellite offices, neighborhood work centers, and virtual offices).

Telecommuters and Structured Working Environments

Policy: To retain the privilege of doing off-site work, all telecommuters must structure their remote working environment so that it complies with One-Health Hospital policies and standards.

Commentary: This policy is intended to put telecommuters on notice that being a telecommuter is a privilege, not a right, and as such, this privilege may be revoked if the workers do not abide by One-Health Hospital policies and standards. The policy specifically avoids dictating the specifics of remote working environments, since these are expected to change often. When it comes to security, these specifics typically include keeping equipment and other materials in a locked room, as well as regular use of a surge protector, a hard disk drive password-based access control system, a paper shredder, and a virus-screening program.
Telecommuter Remote System Information Security Procedures

Policy: As a condition of continued employment, telecommuters agree to abide by all remote system security procedures. These include, but are not limited to, compliance with software license agreements, performance of regular backups, and use of shredders to dispose of sensitive information.

Commentary: The intention of this policy is to make telecommuters aware of the procedures they must perform on a day-to-day basis. Some organizations may wish for a more detailed procedural description of the security requirements associated with telecommuting.

Right to Conduct Inspections of Telecommuter Environments

Policy: One-Health Hospital maintains the right to conduct inspections of telecommuter offices with one or more days' advance notice.

Commentary: The intention of this policy is to put telecommuters on notice that One-Health Hospital representatives may conduct inspections of their home offices. This will help ensure that telecommuters observe both safety and security policies and procedures. In return for permitting employees to telecommute, One-Health Hospital can receive the right to conduct inspections of its property kept in the houses of telecommuters. Thus, by conducting inspections, One-Health Hospital management is carrying out its duty to protect One-Health Hospital assets.
Physical Security
Physical Access Control for Areas Containing Sensitive Information

Policy: Access to every office, computer room, and work area containing sensitive information must be physically restricted. Management responsible for the staff working in these areas must consult the Security Department to determine the appropriate access control method (receptionists, metal key locks, magnetic card door locks, etc.).

Commentary: The intention of this policy is to require that local management restrict those who have access to areas where sensitive information may be found. A second intention of this policy is to require that local management consult internal security specialists to determine what type of access control technology should be used.

Multi-User Computer or Communications Systems in Locked Rooms

Policy: All multi-user computer and communications equipment must be located in locked rooms to prevent tampering and unauthorized usage.

Commentary: No matter how sophisticated software access controls may be, if physical access to servers and similar equipment can be obtained, then software access controls can be overcome.

Guards or Receptionists for Areas Containing Sensitive Information

Policy: Guards, receptionists, or other staff must control visitor or other third party access to One-Health Hospital offices, computer facilities, and other work areas containing sensitive information. Visitors and other third parties must not be permitted to use employee entrances or other uncontrolled pathways leading to areas containing sensitive information.

Commentary: The objective of this policy is to require that an authorized staff person get involved in the process of determining whether visitors or other third parties should be allowed to come into areas containing sensitive information. Unchecked access to such areas may otherwise lead to industrial espionage, fraud, equipment theft, and other problems.
Badges Must Be Worn in Visible Places When in One-Health Hospital Premises

Policy: Whenever in One-Health Hospital buildings or facilities, all persons must wear an identification badge on their outer garments so that the information on the badge is clearly visible.

Commentary: The purpose of this policy is to put all workers on notice that they must wear their badges in a conspicuous place. This will allow guards and other workers to determine whether a worker is permitted in a certain area. When picture badges are used, this will also allow workers to readily notice if someone is using a stolen (or "borrowed") badge. This policy applies to several different types of premises: (a) where authorized workers have picture badges but visitors do not, (b) where every person in a restricted area has a picture badge, or (c) where none of the badges has a picture on it.

Temporary Badges for Workers Who Have Forgotten Their Badges

Policy: Workers who have forgotten their identification badge must obtain a temporary badge by providing a driver's license or another piece of picture identification. Such a temporary badge is valid for a single day only.

Commentary: The purpose of this policy is to emphasize that everyone must have an identification badge, even if they forgot their regular badge. The process of issuing a temporary badge takes a few moments and therefore discourages people from forgetting their badges. If workers habitually forget their badges, the Security Department records showing temporary badges issued will readily reveal this. If the number of temporary badges for a specific individual is excessive, this may be cause for a notice to the individual's manager. Temporary badges should expire at the end of the day in case visitors forget to bring them back, and as an inducement to regular workers to bring in their regular badge the next day. To make expiration readily apparent, some types of temporary badges will discolor after a certain period from the time of issuance has elapsed. Separately, identification should be required to prove that a worker is who they say they are; this will prevent third parties from gaining access to restricted areas by alleging they are authorized workers who forgot their badges. A temporary badge system implies that worker privileges are resident in a computer database, and that these privileges can be readily recorded on a new badge.
Reporting Lost or Stolen Identification Badges and System Access Tokens

Policy: Identification badges and physical access cards that have been lost or stolen, or are suspected of being lost or stolen, must be reported to the Security Department immediately. Likewise, all computer or communication system access tokens (smart cards with dynamic passwords, telephone credit cards, etc.) that have been lost or stolen, or are suspected of being lost or stolen, must be reported to the Security Department immediately.

Commentary: The intention of this policy is to require all workers to notify the Security Department of all badges or tokens that may have been lost or stolen. The Security Department can then take steps to immediately block the privileges associated with these badges or tokens. In this way, losses occasioned by lost or stolen badges or tokens can be minimized. Ideally, there are other mechanisms which prevent lost or stolen badges or tokens from allowing either work area or system access.

No 'Piggybacking' Through Controlled Doors Permitted

Policy: Physical access controls for One-Health Hospital buildings are intended to restrict the entry of unauthorized persons. Workers must not permit unknown or unauthorized persons to pass through doors, gates, and other entrances to restricted areas at the same time that authorized persons go through these entrances.

Commentary: This policy is known as a "no piggybacking" policy. It is intended to prevent unauthorized persons from following authorized persons into restricted areas (for instance, by using the authorized person's key or card to open the door). If turnstiles or mantraps are used, then this policy is less important, because piggybacking is physically prevented.

Propped-Open Doors to Computer Center Require Presence of a Guard

Policy: Whenever the doors to the computer center are propped open (perhaps for moving computer equipment, furniture, supplies, or similar items), the entrance must be continuously monitored by an employee or a contract guard from the Physical Security Department.

Commentary: The intention of this policy is to make sure that equipment and information are not improperly removed because doors to the computer center are not sufficiently controlled.
Testing Physical Access Controls Forbidden

Policy: Workers must not attempt to enter restricted areas in One-Health Hospital buildings for which they have not received access authorization.

Commentary: The intention of this policy is to put workers on notice that they are not to attempt to defeat physical access controls. If workers need access to a certain area, they must go through the proper authorization channels rather than taking matters into their own hands. Granted, there will always be emergencies and disasters where this policy does not apply; in these circumstances, workers will do what they need to do, and explain the situation later.

Working Alone in Restricted Areas Forbidden

Policy: Workers must never be permitted to work alone in restricted areas containing sensitive information.

Commentary: The intention of this policy is to prevent workers from taking advantage of the fact that they are the only person in an area containing sensitive information. For example, one worker might look at the private personnel file of another worker, something they would not do if other people were around.

Working in Restricted Areas Only During Official Business Hours

Policy: If access to a particular One-Health Hospital facility has been restricted because sensitive, critical, or valuable information is handled therein, workers must be allowed to access these facilities ONLY during official business hours.

Commentary: If employees stay late or come in early, they may be unsupervised, and may therefore be able to engage in computer abuse (such as using another employee's computer to view sensitive data). If workers are restricted to normal hours, they may not engage in abusive acts because they would not risk being caught or because other people would prevent them from performing these acts. This policy is thus a background policy that helps to ensure that separation of duties policies are effective. Separately, in the policy, the word "official" may be replaced by "authorized" to give management additional leeway in setting working hours.
Physical Security or Encryption Required for All Sensitive Information

Policy: All information storage media (such as hard disk drives, floppy disks, magnetic tapes, and CD-ROMs) containing sensitive information must be physically secured when not in use. An exception will be made if this information is protected via an encryption system approved by the Information Security Department.

Commentary: The intention of this policy is to require all local managers to implement either physical security measures or encryption (or both) for sensitive information. This policy is particularly relevant to portable, laptop, palmtop and other small microcomputers (PCs). Since physical security cannot be assured when these systems are moved from building to building, encryption will be required. This policy also helps prevent theft of microcomputers containing sensitive information.

Property Pass for Removal of All Computer and Communications Gear

Policy: Cellular telephones, portable computers, modems, and related information systems equipment must not leave One-Health Hospital premises unless accompanied by an approved property pass.

Commentary: The intention of this policy is to make sure that workers are not stealing equipment (and perhaps the information stored inside such equipment). Guards at controlled exit points can check property passes to make sure they are properly approved by management, still up-to-date, and apply to the equipment in question.

Workers Must Show Contents of Luggage When Leaving Premises

Policy: All briefcases, suitcases, handbags, and other luggage must be opened for One-Health Hospital building guards to check when people leave the premises. This will ensure that sensitive or valuable information is not being removed from the premises.

Commentary: The objective of this policy is to discourage people from walking out with sensitive or valuable information.

Provision of Lockable Metal Furniture to Staff Working at Home

Policy: All workers who must keep sensitive One-Health Hospital information at their homes in order to do their work must receive lockable furniture for the proper storage of this information. At the time of separation from One-Health Hospital, both the furniture and the sensitive information stored therein must be immediately returned to One-Health Hospital.

Commentary: The purpose of this policy is to make sure that telecommuters and other staff who work in their homes have the proper furniture to securely store sensitive One-Health Hospital information. If a worker already has suitable furniture, then it need not be provided by One-Health Hospital. Ownership of the furniture remains with One-Health Hospital (labels on the furniture should note this, and a memo to the employee clarifying ownership is appropriate).
Periodic Identification Badge Reports Issued to Department Heads

Policy: Every department head must receive a monthly listing of all persons in their area who currently have valid identification badges. Department heads must promptly report to the Security Department all valid badges that are no longer needed.

Commentary: The intention of this policy is to force the issuance and review of a report reflecting currently authorized badges. This will in turn help to identify and eliminate expired badges which have not yet had the associated privileges revoked. If unauthorized persons are permitted to gain access to One-Health Hospital premises, then the security of the information found in these premises will be unduly at risk. The same process of generating and reviewing a report can be effectively used with computer user-IDs, telephone credit cards, and other access mechanisms. The report mentioned pertains to all types of workers (employees, consultants, contractors, temporaries, etc.), and this is why the term "in their area" is used.
Handling Visitors
Identification and Sign-In Process Required for All Visitors

Policy: All visitors must show picture identification and sign in prior to gaining access to restricted areas controlled by One-Health Hospital.

Commentary: The objective of this policy is to require that all visitors (even employees from different locations) show definitive identification proving who they are before they are permitted to enter restricted areas. This will discourage unauthorized persons from masquerading as though they are authorized. It will also help ensure that a log showing who entered/exited the restricted area (the so-called "sign-in" process) is accurate and reflects the actual identity of the individuals involved.

Escorts Required For All Visitors

Policy: Visitors to One-Health Hospital offices must be escorted at all times by an authorized employee, consultant, or contractor. This means that an escort is required as soon as a visitor enters a controlled area, and until this same visitor goes outside the controlled area. Visitors requiring an escort include customers, former employees, worker family members, equipment repair contractors, package delivery company staff, and police officers.

Commentary: The intention of this policy is to prevent unauthorized persons from gaining access to sensitive, proprietary, or private information while inside a controlled area such as an office.

Third Party Supervision in Areas Containing Sensitive Information

Policy: Individuals who are neither One-Health Hospital employees, nor authorized contractors, nor authorized consultants, must be supervised whenever they are in restricted areas containing sensitive information.

Commentary: The intention of this policy is to ensure that third parties are not permitted to roam unescorted in areas containing sensitive information. If these people are permitted unsupervised access, industrial espionage, privacy violation, and other problems may occur. This policy could be expanded to include "valuable or critical" information, not just "sensitive" information.
Individuals without Identification Badges Must Be Challenged

Policy: Whenever a worker notices an unescorted visitor inside One-Health Hospital restricted areas, the visitor must be immediately questioned about the purpose for being in restricted areas. The visitor must then be directly accompanied to a reception desk, a guard station, or the person they came to see.

Commentary: This "challenge" policy is intended to prevent unauthorized people from roaming around controlled areas where sensitive, proprietary, or private information is handled. It helps to make sure that only authorized persons wearing proper identification badges are in restricted areas. The policy is applicable to those environments where badges are required, as well as smaller office environments without badges.
Public Tours of Computer Facilities Prohibited

Policy: Public tours of major computer and communications facilities are prohibited.

Commentary: The intention of this policy is to eliminate public tours, which can be a covert means for industrial spies, hackers, disgruntled employees, and others intent on doing harm to gain access to restricted areas. Individuals such as these have been known to pick up information while on a tour which was then instrumental in subsequent compromises of system access controls. Other individuals have used their proximity to computer and communications equipment while on a tour to sabotage systems. The policy does not prevent private tours, such as those for employees, consultants, and/or contractors who have a business need-to-know about the facilities. Likewise, this policy does not prevent tours for top management, stockholders, important customers, and the like.
Adequate Construction for Computer or Communications Centers

Policy: New and remodeled One-Health Hospital computer or communications centers must be constructed so that they are protected against fire, water damage, vandalism, and other threats known to occur, or that are likely to occur, at the involved locations.

Commentary: The purpose of this policy is to force those responsible for building new and remodeled computer or communications centers to consider local security risks in advance of construction.
Computer and Communications Facility Location within a Building

Policy: To minimize theft and water damage, multi-user computers and communications facilities must be located above the first floor in buildings. To minimize potential damage from smoke and fire, kitchen facilities should be located away from (including not directly above or below) multi-user systems. Likewise, to minimize potential water damage, rest room facilities should not be located directly above these systems. To minimize potential damage from bombs, and to minimize unauthorized electromagnetic eavesdropping and interference, these systems should not be located adjacent to a building's exterior wall.

Commentary: The intention of this policy is to provide guidance for those responsible for the location of a computer facility within a building. Many of the managers responsible for locating computer centers do not consider these matters, and problems are encountered after the installation is complete.

Intermediate Holding Area Required to Restrict Computer Room Access

Policy: A secured intermediate holding area must be used for computer supplies, equipment, and other deliveries. Delivery personnel must not be able to directly access rooms containing multi-user computer facilities.

Commentary: The intention of this policy is to protect computer rooms from unauthorized access, such as from delivery service personnel. For example, loading dock doors should not open directly to the computer room. By restricting the movement of materials, this policy also helps bolster access controls to a computer room.

No Signs Indicating Location of Computer or Communications Center

Policy: There must be no signs indicating the location of computer or communications centers.

Commentary: This policy means that organization name signs, communications center signs, computer room signs, Information Systems Department signs, technical support group signs, and the like should not be visible from public areas. The policy is intended to prevent terrorist attack or sabotage.
Computer Center Fire Resistance and Self-Closing Openings

Policy: Firewalls surrounding computer facilities must be non-combustible and resistant to fire for at least one hour. All openings in these walls (doors, ventilation ducts, etc.) should be self-closing and likewise rated for at least one hour.

Commentary: The intention of this policy is to clearly specify a minimum acceptable fire resistance construction for computer centers. The same could apply to communications facilities, such as a network control center. Openings such as ventilation ducts can be self-closing, and doors can have automatic release latches that close them if a fire alarm is initiated. Fire is the most common cause of a major disaster at computer centers, and often a fire starts in adjacent areas and then spreads to the computer center. If adequate fire resistance is built into the premises, the likelihood that a fire is put out before major damage is caused will be increased.

Computer Facilities and Doors Resistant to Forcible Entry

Policy: Computer facility rooms must be equipped with riot doors, fire doors, and other doors resistant to forcible entry.

Commentary: The intent of this policy is to make sure that the doors to a computer room provide adequate protection for the expensive equipment contained therein. In many offices, there is no locked door to computer facilities (particularly where small systems like local area network (LAN) servers are located). The policy includes the requirement that such doors automatically unlock whenever there is a fire alarm, and/or whenever there is an emergency need for someone on the inside to get out.

Computer Facilities and Automatically Closing Doors

Policy: Computer facility rooms must be equipped with doors that automatically close immediately after they have been opened, and which set off an audible alarm when they have been kept open beyond a certain time.

Commentary: The requirements embodied in this policy prevent people from propping doors open with chairs, books, etc., so that others can enter. Such doors help to ensure that the physical access control that management intended is actually being used (and that worker entrances and exits are being recorded in a log). These doors have been shown to be very effective when it comes to forcing people to use a physical access control system. The policy could be expanded to include communications facilities, such as network management centers.
Computer-Assisted Equipment Tracking

Policy: All One-Health Hospital computer and communications equipment must have a unique computer-readable identifier attached to it so that physical inventories are conducted efficiently and regularly.

Commentary: Having an up-to-date inventory of equipment is an important management tool for making various decisions like: (a) determining whether equipment has been stolen, (b) determining what equipment needs to be upgraded, and (c) planning network reconfigurations. Such inventories are especially useful when an employee is terminated (fired or sacked). In this case, there is often a dispute about what equipment the employee had in his/her possession and which of these pieces of equipment belong to the employer. The "unique identifier" mentioned in the policy can be a bar code, an optical character recognition mark, or some other computer-sensed marking. Ideally, the mark is invisible to the naked eye, thus making its removal difficult. This policy is particularly relevant to inventories of microcomputers (PCs), workstations, fax machines, and other small office equipment.

Marking Information Systems Equipment with Identification Codes

Policy: All One-Health Hospital computer and communications equipment must have an identification number permanently etched onto the equipment. This code will assist police in their attempts to return the property to its rightful owner.

Commentary: The theft and illegal resale ("fencing") of computer and communications equipment has become a very large problem.

Moving Microcomputer Equipment without Approval Prohibited

Policy: Microcomputer equipment (PCs, LAN servers, etc.) must not be moved or relocated without the prior approval of the involved department manager.

Commentary: This policy seeks to prevent employees from stealing computer equipment, claiming they are using the equipment to perform business activities, when in fact they are not. It also helps maintain some semblance of change control in the small systems environment. It gives local management, rather than a centralized Information Technology Department, the ultimate say-so regarding the location and uses of small systems equipment. Separately, unauthorized movement of equipment may cause unanticipated problems such as network addressing problems, electrical wiring problems, fire hazards, ventilation problems, etc.
Positioning of Computer Display Screens with Respect to Windows
Policy: The display screens for all microcomputers (PCs), workstations, and dumb terminals used to handle sensitive or valuable data must be positioned such that they cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception and related areas.
Commentary: The intention of this policy is to reduce the chance that unauthorized people will be able to view sensitive information displayed on a computer screen.

Electromagnetic Radiation (Emanation) Protection for Protected Systems
Policy: One-Health Hospital systems containing protected information must employ hardware which meets military standards for electromagnetic radiation (emanation) control. These systems must also be protected inside locked rooms encased with wire mesh or other electromagnetic radiation blocking materials, as specified by military standards.
Commentary: This policy addresses a problem largely unknown in the non-military and non-diplomatic world: electromagnetic radiation generated by computer and network equipment. This type of radiation can be detected at significant distances and then converted into readable signals. For instance, the information appearing on a computer monitor can be picked up at 1,000 feet using relatively inexpensive equipment, even though there exists no line of sight connection with the involved monitor.
Management Section
Specific Information Access Policies Must Be Prepared
Policy: Management must establish specific written policies regarding the categories of people who will be granted permission to access various types of information. These policies must also specify limitations on the use of this information by those to whom access has been granted.
Commentary: A specification of access rights is a necessary precursor to implementing either a password-based access control package (like IBM's RACF) or the native access control facilities found in many operating systems (like DEC's VMS). If an access control package implementation is attempted without first having decided what the rules will be, confusion inevitably results. The intention of this policy is to put management and technical staff on notice that such policies about information access must be not only specified, but also put in writing.

Information Ownership Must Be Assigned
Policy: Management must clearly specify in writing the assignment of ownership responsibilities for databases, master files, and other shared collections of information. These statements must also indicate the individuals who have been granted authority to originate, modify, or delete specific types of information found in these collections.
Commentary: The intention of this policy is to establish a clear and documented delegation of information-access-control-related authority. A clear definition of delegated authorities is also very useful when determining access control permissions. Another intention of this policy is to clarify who is responsible for security and related matters for shared information resources such as a database. This should prevent responsibilities from falling between the cracks.

Default to Denial of Access Control Privileges
Policy: If a computer or network access control system is not functioning properly, it must default to denial of privileges to end-users.
Commentary: Rather than allow open and uncontrolled access, the intention of this policy is to prevent access until the access control system can be fixed. For example, if a password-based access control system on a web server were to break down, no end-user access to the system would be permitted. Of course, technical staff would need access in order to fix the problem. Restating the policy, one could say that management would prefer not to do business if it would be done in an uncontrolled manner.
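The "default to denial" rule above is easiest to see in code. The following is an added example (not code from the One-Health Hospital document) of an access check that fails closed when the access-control backend is unreachable, shown beside the fail-open pattern it replaces, plus a narrow, logged repair path for the technical staff the commentary mentions. The role table, user directory, maintenance account list and the backend outage are all constructed for the illustration.

```python
"""Fail-closed access control check (added illustration; constructed data)."""
from dataclasses import dataclass


class AccessControlUnavailable(Exception):
    """Raised when the access-control system is not functioning properly."""


@dataclass
class Decision:
    allowed: bool
    reason: str


# Constructed role table: which classification labels each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"medical-private", "private"},
    "billing": {"financial-private", "private"},
}

# Constructed user directory held by the (remote) access-control system.
DIRECTORY = {"dr.smith": {"clinician"}, "acct.lee": {"billing"}}

# Constructed list of maintenance accounts kept locally, so technical staff
# can still reach the system to repair it while the backend is down.
MAINTENANCE_ACCOUNTS = {"ops.jane"}


class AccessControlBackend:
    """Stand-in for a password/role store that may become unreachable."""

    def __init__(self, healthy: bool = True):
        self.healthy = healthy

    def roles_for(self, user: str) -> set:
        if not self.healthy:
            raise AccessControlUnavailable("policy store unreachable")
        return DIRECTORY.get(user, set())


def _roles_permit(roles: set, label: str) -> Decision:
    for role in roles:
        if label in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"role {role} permits {label}")
    return Decision(False, "no role grants this label")


def check_access(backend: AccessControlBackend, user: str, label: str) -> Decision:
    """Hardened form: any failure of the access-control system denies access."""
    try:
        roles = backend.roles_for(user)
    except AccessControlUnavailable as exc:
        # Policy: a malfunctioning access control system defaults to denial.
        return Decision(False, f"access control unavailable ({exc}); default deny")
    return _roles_permit(roles, label)


def check_access_fail_open(backend: AccessControlBackend, user: str, label: str) -> Decision:
    """Weak form, shown only for contrast: an outage is treated as 'allow'."""
    try:
        roles = backend.roles_for(user)
    except AccessControlUnavailable:
        return Decision(True, "backend down; allowing so work can continue (unsafe)")
    return _roles_permit(roles, label)


def maintenance_access(backend: AccessControlBackend, user: str, audit_log: list) -> Decision:
    """Repair path: while the backend is down, only locally listed maintenance
    accounts are admitted, and every such admission is recorded for review."""
    if backend.healthy:
        return Decision(False, "backend healthy; use the normal access path")
    if user not in MAINTENANCE_ACCOUNTS:
        return Decision(False, "not a maintenance account; default deny")
    audit_log.append(f"maintenance access by {user} during access-control outage")
    return Decision(True, "maintenance account admitted to repair access control")
```

With the backend healthy both forms behave identically; the difference only appears during the outage, where `check_access` denies every end-user while `maintenance_access` admits only the pre-listed repair account and leaves an audit trail of having done so.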
End-User Access to Operating System Commands
Policy: After logging in, all end-users of multi-user systems must be kept in menus which show the options that they have been authorized to select. End-users must not be allowed to invoke operating system level commands.
Commentary: The intention of this policy is to significantly restrict the damage that users can do and the trouble that they can cause. By preventing users from running operating system level commands, such as reformatting a hard disk on a local area network server, the security of the system is improved.

Descriptive Prefixes for Data Classification Categories
Policy: Prefixes such as "medical" and "financial" must be used in front of approved data classification categories. These prefixes provide general indicators about the nature of the information and the persons who are authorized to access it.
Commentary: The intention of this policy is to provide greater granularity than standard data classifications provide. If specific information has to do with employee physical examinations, the information might be labeled "PRIVATE" with the "medical" prefix in front of it. This will in turn designate that only persons dealing with employee medical matters should be given access to this information. In the absence of further access information, simply labeling the information "PRIVATE" does not sufficiently restrict access. Note that these prefixes do not confer any additional protection beyond what the data classification markings themselves provide. In other words, PRIVATE information should be handled a certain way, regardless of the prefix. Ideally, specific prefixes are defined in this or a similar policy; alternatively, the involved information owners may choose them.
Trade Secrets Specifically Identified Prior To Disclosure
Policy: As a condition of continued employment at One-Health Hospital, workers must diligently protect all One-Health Hospital information specifically identified as trade secrets from unauthorized disclosure. Trade secrets must be identified as such prior to being disclosed to any workers. For One-Health Hospital internal purposes, trade secrets are classified as protected information.
Commentary: The intention of this policy is to communicate to workers that One-Health Hospital has certain types of information that it considers to be trade secrets, and that it expects all workers to diligently protect this information as a condition of continued employment. From a legal standpoint, the policy is also intended to make sure that workers who are exposed to a trade secret know that such information is considered a trade secret. Because most organizations do not have a separate category in their data classification system for trade secrets, the policy defines where trade secrets fit in with respect to a data classification system ("protected" in the policy provided here). Separately, some organizations go one step further by requiring all new employees to sign a non-disclosure agreement (NDA) that specifies the types of information considered a trade secret. On another note, this policy only addresses workers (employees, consultants, contractors, etc.); different arrangements will be required for strategic business partners and other third party organizations.
Granting Access to Sensitive Data
Information Released to the Public Must Have Single Official Source
Policy: Information generated by One-Health Hospital and released to the public must be accompanied by the name of a designated staff member acting as the single recognized official source and point-of-contact. All updates and corrections to this information that are released to the public must flow through this official source.
Commentary: The intention of this policy is to bring some order to what has become a relatively chaotic and disorganized process for the release of information to the public. Government agencies, for example, may conduct research, and then several different people may discuss that research with the media. This policy helps to ensure a consistent position with respect to the information in question, as well as a mechanism to control the different forms in which the information may be presented. It relies on designated sources rather than a public relations department to bring some order to this process. Separately, the policy could be changed to state that only the designated "owner" of the information can release it to the public. With computers on nearly everyone's desk these days, all workers are potential publishers. Separately, some organizations may want to specify a few exceptions to the policy, such as marketing brochures.

Sensitive Information Access for Temporary Employees and Consultants
Policy: Activities requiring access to sensitive One-Health Hospital information must only be performed by full-time permanent employees, unless one of the following conditions prevails: (1) the requisite knowledge or skills are not possessed by a full-time permanent employee, (2) an emergency or disaster requires the use of additional workers, or (3) permission of the Director of Human Resources has been obtained.
Commentary: The intention of this policy is to restrict access to sensitive information (information that requires a data classification designation besides "private") to the most trusted individuals. Full-time permanent employees (not newly hired employees who may still be on probation) are generally more loyal than temporary employees or consultants, and are therefore more trustworthy. Once the employment relationship has ended, One-Health Hospital has little control over the activities of temporary employees or consultants, but it maintains significant control over full-time employees. The risks of using people other than full-time permanent employees can be partially mitigated via confidentiality agreements. Entities that are virtual corporations, that use outsourcing extensively, or that have other modern decentralized/networked organization structures may have trouble with this policy because it is based on the assumption that a core group of employees runs the organization.
Network
Making Network Connections
Isolate Systems Containing Protected Information from Network
Policy: One-Health Hospital computer systems containing protected information must not connect to any network or any other computer.
Commentary: The intention of this policy is to prevent the unauthorized disclosure of particularly sensitive information. Knowing that network access controls are still somewhat unreliable, some organizations choose to prohibit network connections, lest the information somehow be improperly disclosed.

Customers Must Specifically Agree to Receive New/Enhanced Service
Policy: Customers receiving computer or communications services from One-Health Hospital must explicitly agree to receive new or enhanced services before these new or enhanced services are provided. In the absence of explicit acquiescence, One-Health Hospital must continue to provide the services that were previously available.
Commentary: The intention of this policy is to maintain good customer relations as well as to ensure that customer computer and communication systems will continue to be compatible with One-Health Hospital systems. Thus the policy in effect requires support of previously available services (this does not preclude One-Health Hospital from also offering new or enhanced services).

Standards of Common Carriers Do Not Apply
Policy: The networking services provided by One-Health Hospital are provided on a contractual carrier basis, not that of a common carrier. As the operator of a private network, this organization has a right to make policies regarding the use of its network systems without being held to the standards of common carriers.
Commentary: The intention of this policy is to avoid the need to provide equitable access to the network and other requirements of common carriers, some of which include security. Although One-Health Hospital may have security superior to that found on common carrier systems, this policy gives One-Health Hospital management more leeway to decide just how they want to set up and maintain their network. Since this policy is legalistic in nature, it is especially important that the organization's legal department approve it.
Prior Approval Required for All Communication Line Changes
Policy: Workers and vendors must not arrange for, or actually complete, the installation of voice or data lines with any carrier if they have not first obtained approval from the director of the Telecommunications Department.
Commentary: The intention of this policy is to ensure that only previously approved changes in communication lines are actually installed. Establishing unauthorized communication paths can significantly compromise the security of One-Health Hospital systems. This policy is relevant to microcomputers (PCs) and workstations, many of which have unauthorized modems attached to them. If there is no additional security for these systems (such as a password-based access control package), anyone may be able to dial up into these systems using the public switched telephone network (PSTN); this may in turn allow an intruder to access a connected LAN.

Prior Approval Required for Set-Up of Multi-User Systems
Policy: Workers must not establish electronic bulletin boards, local area networks, modem connections to existing internal networks, or other multi-user systems for communicating information without the specific approval of the director of the Information Security Department. This policy helps ensure that all One-Health Hospital networked systems have the controls needed to prevent unauthorized access.
Commentary: The intention of this policy is to make sure that users are not setting up communication systems which may inadvertently compromise an organization's systems and information. The policy is particularly important for the microcomputer (PC) and workstation environment (including client/server systems), where users so often do as they please regardless of in-house standards or Information Systems Department instructions. Unless there is a centralized approval process, supported by some sort of audit and enforcement process, some users may create major information security vulnerabilities without the knowledge of the Information Security Department, the Telecommunications Department, or the Information Systems Department. The approving authority may easily be shifted to another relevant manager and away from the director of the Information Security Department.
Prior Approval Required for In-House System Interconnection
Policy: Real-time connections between two or more in-house computer systems must not be established unless the Information Security Department has first determined that such connections will not jeopardize information security.
Commentary: The intention of this policy is to keep certain information within certain areas in the organization, and to thereby be better able to control its dissemination. This basic design objective involves isolation to achieve security. For example, salary information about employees could be kept in Human Resources Department computers only. To establish a connection with the in-house LAN may open up a pathway for unauthorized dissemination of this private information. Note that this policy does not preclude the movement of tapes, disks, CD-ROMs, and other storage media between systems.

Criteria for Connecting One-Health Hospital Networks to Third Party Networks
Policy: One-Health Hospital computers or networks may only be connected to third party computers or networks after the Information Security Department has determined that the combined system will comply with One-Health Hospital security requirements.
Commentary: Many organizations are having trouble with systems interconnection issues related to decentralized systems management. For example, without examining the security implications, a marketing department manager may connect an internal One-Health Hospital LAN to a consulting firm's internal network. To avoid the exposures that such actions introduce, a minimum amount of centralization is necessary.

Security Requirements for Network-Connected Third Party Systems
Policy: As a condition of gaining access to One-Health Hospital's computer network, every third party must secure its own connected systems in a manner consistent with One-Health Hospital requirements. One-Health Hospital reserves the right to audit the security measures in effect on these connected systems without warning. One-Health Hospital also reserves the right to immediately terminate network connections with all third party systems not meeting such requirements.
Commentary: The intention of this policy is to notify third parties who have access to One-Health Hospital's network that they must maintain the security of their own systems in order to continue to do business over One-Health Hospital's network.
Approval Required for Internet Connection Establishment
Policy: Unless prior approval of the Director of Information Systems has been obtained, workers may not establish Internet or any other external network connections that could allow non-One-Health Hospital users to gain access to One-Health Hospital systems and information. These connections include the establishment of multi-computer file systems, Internet WWW home pages, Internet FTP servers, and the like.
Commentary: Unlike the policy entitled "Prior Approval Required for In-House System Interconnection," this policy addresses connections via the Internet and other external networks.

Participation in Public Networks as Service Provider
Policy: Participation in public networks as a provider of services that others rely on is expressly prohibited unless two conditions are first fulfilled. Specifically, One-Health Hospital legal counsel must first assess the extent and nature of the liabilities involved, and then top management must expressly accept these risks.
Commentary: Involvement as a message-forwarding node on the Internet, as an encryption key notarization center, as an encryption key distribution point, or as some other provider of information services may open One-Health Hospital up to liabilities that it had not previously considered.

Use of Computer Systems Belonging to Workers on Company Property
Policy: Workers must not bring their own computers, computer peripherals, or computer software into One-Health Hospital facilities without prior authorization from their department head.
Commentary: This policy prevents: (1) propagation of viruses, (2) disputes about ownership of hardware and software, and (3) improper removal of hardware, software, or data at the time when a worker's employment is terminated. The policy is also desirable because it helps make sure that everyone uses the same type of software (this makes it easier to provide access control, contingency planning services, and technical support services). This policy is particularly relevant to microcomputers (PCs) and workstations, as well as client/server systems, for which the ownership status is often unclear.
Security Requirements for Work at Home Arrangements
Policy: Work at home (telecommuting) arrangements are a management option, not a universal employee benefit. Permission to telecommute is the decision of the involved employee's manager. Before a telecommuting arrangement can begin, this manager must be satisfied that an alternative worksite (such as a home office) is appropriate for the One-Health Hospital work performed by the involved employee. Considerations include physical and information security for One-Health Hospital property, a distraction-free work environment, ways to measure worker performance, and methods to stay in touch with other workers.

Formation of Binding Contracts via Electronic Systems
Policy: Although One-Health Hospital seeks to aggressively implement Electronic Data Interchange (EDI) and other electronic business systems with third parties, all contracts must be formed by paper documents prior to purchasing or selling via electronic systems. EDI, electronic mail, and similar binding business messages must therefore be releases against blanket orders, such as a blanket purchase order.
Commentary: Contracts formed by electronic messages may not be enforceable from a legal standpoint. Some laws, like the United States statute of frauds, require a document, writing, or a signature in order to be enforceable. The intention of this policy is to make sure that all contract-related EDI or electronic mail messages sent between organizations are legally binding. Be sure to get the organization's attorney to review this policy prior to dissemination.

Trading Partner Agreement Required Prior to Use of EDI
Policy: Prior to the use of One-Health Hospital systems for Electronic Data Interchange (EDI) with any third party, a trading partner agreement, fixing the terms and conditions of EDI use, must be negotiated. One-Health Hospital legal counsel must approve this agreement prior to using any EDI systems for business transactions.
Commentary: A trading agreement specifies who is liable if a message is lost, if the system goes down, or if other problems occur. The intention of this policy is to prevent user department management from employing an EDI system without first getting the terms and conditions properly worked out. This policy is also intended to make sure that centralized control over EDI arrangements is maintained. Centralized control over EDI set-ups may also provide an opportunity to review the control measures on the system prior to use. This is also useful when defining the meaning of digital signatures and message authentication codes (MACs) used for EDI messages.
Disclosure of Bank Account Numbers
Policy: One-Health Hospital disbursement bank account numbers are confidential and not to be disclosed to third parties on forms, stationery, brochures, and the like.
Commentary: Unauthorized individuals who have entered publicly available bank account numbers on automatic debit request forms have easily committed frauds. The amounts involved are often relatively small, and many organizations don't bother to reconcile their accounts for a significant period of time.

Criteria for Accepting and Acting on Computerized Transactions
Policy: If transactions are sent and processed automatically (via Electronic Data Interchange for instance), then a message must not be accepted or acted on unless: (a) the message has been shown to match a trading profile for the initiating organization, or (b) the message has been shown to deviate from a trading profile but additional steps have been taken to verify the accuracy and authenticity of the message.
Commentary: The intention of this policy is to make sure that unusual messages are not automatically processed without further investigation. If an active wiretapper were to enter an EDI system and spoof one of the participants, then the other participants might blindly follow the instructions received. This type of problem is prevented with the general procedure defined in this policy. The implementation of part (b) in the policy might, for example, involve separate communication with the alleged sender via a method other than the EDI system that handled the original. The term "trading profile" means the typical way that the other party interacts with One-Health Hospital; this might for instance refer to the networks that the other party typically uses, the way the other party's messages are structured, the frequency of the other party's messages, etc.

Multiple Communication Channels for Electronic Offers & Acceptances
Policy: All contracts formed through electronic offer and acceptance messages (fax, Electronic Data Interchange, electronic mail, etc.) must be formalized and confirmed via paper documents within two (2) weeks of acceptance.
Commentary: Confirmation by a different communication channel helps to catch fraud and helps make agreements legally enforceable. The intention of this policy is to require that users always employ multiple communication channels for each contract.
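The "trading profile" procedure above, together with the message authentication codes (MACs) mentioned under the trading partner agreement policy, can be expressed as a small acceptance filter. The following is an added example, not code from the One-Health Hospital document: an incoming EDI message is first authenticated with an HMAC under a key shared with the partner (so a spoofed or altered message is rejected outright), then compared against the partner's profile (sending network, message structure, frequency, order value); any deviation puts the message on hold for out-of-band verification, as part (b) of the policy requires. The partner name, shared key, profile limits and sample messages are all constructed for the illustration.

```python
"""EDI message acceptance filter (added illustration; constructed data)."""
import hashlib
import hmac
import json
from dataclasses import dataclass

ACCEPT = "ACCEPT"
HOLD = "HOLD_FOR_OUT_OF_BAND_VERIFICATION"   # policy part (b)
REJECT = "REJECT"


@dataclass
class TradingProfile:
    partner: str
    networks: set       # networks the partner normally sends over
    fields: set         # field set its messages normally carry
    max_per_day: int    # typical message frequency
    max_amount: float   # largest order value seen in normal trading


# Constructed shared key and trading profile for a hypothetical supplier.
SHARED_KEY = b"constructed-shared-key-for-example-only"
ACME_PROFILE = TradingProfile(
    partner="ACME-SUPPLY",
    networks={"van-primary"},
    fields={"partner", "type", "po_number", "amount"},
    max_per_day=20,
    max_amount=50000.0,
)


def compute_mac(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the exact bytes sent; the partner computes the same."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_is_valid(message: bytes, mac_hex: str, key: bytes) -> bool:
    # Constant-time comparison. Without the key a spoofer cannot produce a
    # matching MAC, and any modification in transit breaks the match.
    return hmac.compare_digest(compute_mac(message, key), mac_hex)


def profile_deviations(profile: TradingProfile, msg: dict,
                       received_via: str, sent_today: int) -> list:
    """List every way the message departs from the partner's trading profile."""
    deviations = []
    if msg.get("partner") != profile.partner:
        deviations.append("partner id does not match profile")
    if received_via not in profile.networks:
        deviations.append(f"received via unusual network {received_via}")
    if set(msg) != profile.fields:
        deviations.append("message structure differs from profile")
    if sent_today + 1 > profile.max_per_day:
        deviations.append("message frequency exceeds profile")
    if float(msg.get("amount", 0)) > profile.max_amount:
        deviations.append("amount exceeds profile maximum")
    return deviations


def evaluate_edi_message(raw: bytes, mac_hex: str, key: bytes,
                         profile: TradingProfile, received_via: str,
                         sent_today: int):
    """Return (decision, reasons) for one incoming message."""
    if not mac_is_valid(raw, mac_hex, key):
        return REJECT, ["message authentication failed"]
    try:
        msg = json.loads(raw)
    except ValueError:
        return REJECT, ["message is not well-formed"]
    deviations = profile_deviations(profile, msg, received_via, sent_today)
    if deviations:
        # Matches the profile? No. Do not act until verified by another channel.
        return HOLD, deviations
    return ACCEPT, []


# Constructed sample messages (sort_keys gives stable bytes for the MAC).
NORMAL_ORDER = json.dumps(
    {"partner": "ACME-SUPPLY", "type": "PO", "po_number": "PO-1001", "amount": 1200.0},
    sort_keys=True).encode()
UNUSUAL_ORDER = json.dumps(
    {"partner": "ACME-SUPPLY", "type": "PO", "po_number": "PO-1002", "amount": 250000.0},
    sort_keys=True).encode()
```

The order of the checks matters: authenticity is established before the content is interpreted, so profile matching is only ever applied to a message that the partner's key vouches for, and a message that fails the MAC is never placed on hold for a phone call that would confirm something the partner never sent.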
Violations
One-Health Hospital workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination.
Encryption
When to Use Encryption
Encryption Processes Must Not Be Used Unless Previously Approved
Policy: Encryption processes must not be used for One-Health Hospital information unless the processes are first approved by the Information Security Department.
Commentary: The intention of this policy is to prevent users from damaging or destroying One-Health Hospital information because they don't have the expertise or knowledge required to use encryption facilities properly. Only after the Information Security Department is satisfied that adequate "safety nets" exist to recover the involved information should it approve the use of encryption. One of the best safety nets for encryption is to have management override keys that allow management to decrypt information even if the key has been lost, misplaced, or intentionally withheld (these are also called "key escrow" or "key recovery" facilities).

Encryption Utilities with User-Provided Passwords or Keys Prohibited
Policy: To prevent the loss of critical information, workers must never employ encryption utilities requiring a user to input a password or encryption key. If sensitive information needs protection, alternative information protection mechanisms must be used.
Commentary: This policy attempts to keep information perpetually available for business activities. The policy states that management does not want to run the risk that the password or key entered by a user is lost, forgotten, or deliberately withheld.

Protected Data Sent Over Networks Must Be Encrypted
Policy: One-Health Hospital protected data transmitted over any communication network must be sent in encrypted form.
Commentary: The intention of this policy is to forbid the transmission of unencrypted protected data over a network where it could be wiretapped. Business can still be done, and protected data can still be sent over a network; it just needs to be encrypted. Encryption, also known as encoding or scrambling, conceals data such that unauthorized parties cannot read it. Encryption can also be used to provide an indication that a certain party sent a message and that the message was not modified in transit.
Transportation of Protected Data in Computer-Readable Storage Media
Policy: Protected data transported in computer-readable storage media (such as magnetic tapes, floppy disks, or CD-ROMs) must be in encrypted form.
Commentary: The intention of this policy is to prohibit workers from transporting protected data in computer-readable storage media when this protected data has not been encrypted. Transportation can still take place; however, the information needs to be encrypted. Encryption of such media not only conceals the data, it can be used to detect system errors and tampering.

Protected Information Must Be Encrypted When Not In Active Use
Policy: All computerized protected information must be encrypted when not in active use (for example, when not manipulated by software or viewed by an authorized user).
Commentary: The intention of this policy is to prevent protected information from being inadvertently disclosed to unauthorized persons. If such data were stored in unencrypted form, it may end up on back-up tapes, which might then be viewed by unauthorized persons.

Data Stored on Hard Disk Drives Must Be Encrypted
Policy: To prevent unauthorized disclosure of data when computers are sent out for repair, when they are stolen, or when unauthorized parties use them, all data stored on hard disks must be encrypted via user-transparent processes.
Commentary: The intention of this policy is to prevent unauthorized persons from gaining access to One-Health Hospital confidential or proprietary data.
Encryption Key Management
Conditions for Delegation of Key Management Responsibility
Policy: Key management responsibility may only be delegated to a party who has passed a background check, passed an operational security audit, and signed a confidentiality agreement.
Commentary: The intention of this policy is to keep middle management from delegating key management responsibility to outsourcing firms, service bureaus, business partners, and other external organizations which may not handle keys in as secure a manner as they should. A policy like this can also be used to define the internal staff who may take on key management duties. The policy describes a process for making sure that the receiving entity meets One-Health Hospital's criteria for a trusted party.

Separate Communication Channel for Data and Encryption Keys
Policy: If encryption is used, the information protected with encryption must be transmitted over a different communication channel than the keys used to govern the encryption process.
Commentary: The intention of this policy is to prevent a wiretapper from obtaining readable versions of both the keys and the sensitive data.

Automated Encryption Key Management Systems Preferred
Policy: Whenever such facilities are commercially available, One-Health Hospital must employ automated rather than manual encryption key management processes.
Commentary: The intention of this policy is to save One-Health Hospital money and time, as well as to obtain the most effective security system available.

Maximum Life of Encryption Keys
Policy: Whenever encryption is used to protect One-Health Hospital data, the keys must be changed at least every ninety (90) days.
Commentary: The intention of this policy is to force periodic changes in encryption keys. Changing the keys more rapidly will increase the security of an encryption system. If an adversary is able to derive a particular encryption key through cryptanalysis, he or she must start from the beginning whenever the key is changed.
Stated Life for All Encryption Keys

Policy: All encryption keys must have a stated life and must be changed on or before the stated expiration date.

Commentary: This policy is intended to make it clear that the people handling keys must assign a life span (expiration date) to every key. The expiration date must be recorded together with the key identifier so that rotation can be scheduled and checked, rather than left to memory.

Process for Generating Encryption Keys

Policy: Whenever encryption is used, the keys employed must be generated by means which are not practically replicable by an adversary, and which will yield keys that are difficult to guess. Keys must be produced by a cryptographically secure random number generator, such as the operating system's random source or a hardware random number generator. A general-purpose pseudo-random number generator seeded from the low-order bits of the computer clock does not meet this requirement: an adversary who can estimate when the key was generated can enumerate every possible seed and reproduce the key.

Commentary: The intention of this process is to ensure that encryption systems provide all the security they are meant to provide. If encryption keys are easily guessed, then the security provided by encryption systems may be easily compromised, regardless of the strength of the algorithm.

Minimum Length for User-Chosen Encryption Keys

Policy: Whenever user-chosen encryption keys are employed, the encryption system must prevent users from employing keys made up of less than eight (8) characters.

Commentary: Like the policy entitled "Process for Generating Encryption Keys," the intention of this policy is to make sure that an encryption system provides the security it was meant to provide. Eight characters is a floor, not a target: a user-chosen key is a passphrase, and the system should turn it into the actual encryption key through a salted, deliberately slow key derivation function rather than using the characters directly.

Protection for Encryption Key Generation Materials

Policy: Whenever encryption is used, materials to develop encryption keys as well as hardcopy versions of keys must be kept locked when not in use. Protective measures to prevent these keying materials from falling into the wrong hands must be observed throughout the life cycle of the information protected by the keys.

Commentary: The term "keying materials" is used to refer to data encryption keys, keys that encrypt other keys (master keys), initialization vectors (IVs), pseudo-random number generator seeds, and other parameters used to control or initialize encryption processes. The intention of this policy is to prevent the parameters used to construct encryption keys from falling into the wrong hands, and then being used to construct or intelligently guess encryption keys. As soon as possible after their use, these keying materials should be destroyed according to the approved procedures for the most sensitive information (shredding, burning, etc.).
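The difference between the two generation methods named in the key generation policy is easiest to see from the attacker's side. The following is an added example, not part of the policy and not code from One-Health Hospital: it builds a key from a general-purpose PRNG seeded with 16 clock bits, builds another from the operating system's CSPRNG, and then shows that one observed message/tag pair is enough to recover the first key by trying every seed. The function names, the 16-bit clock window and the sample message are assumptions made for the illustration.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Optional

# Added example, not from the policy. Names, the 16-bit clock window and the
# sample message are illustrative assumptions.

KEY_LEN = 16
CLOCK_BITS = 16  # the weak generator only looks at the low 16 bits of the clock


def key_from_clock_bits(clock_bits: int) -> bytes:
    """Weak: a general-purpose PRNG (Mersenne Twister) fully determined by a 16-bit seed."""
    rng = random.Random(clock_bits)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def weak_key_now() -> bytes:
    """What the original commentary described: seed from the low-order clock bits."""
    return key_from_clock_bits(time.time_ns() & ((1 << CLOCK_BITS) - 1))


def key_from_csprng() -> bytes:
    """Strong: the operating system's cryptographic random source."""
    return secrets.token_bytes(KEY_LEN)


def mac(key: bytes, message: bytes) -> bytes:
    """Any keyed operation whose output the attacker can observe; HMAC-SHA256 here."""
    return hmac.new(key, message, hashlib.sha256).digest()


def recover_clock_seeded_key(message: bytes, tag: bytes) -> Optional[bytes]:
    """Attacker: enumerate all 2**16 seeds and test each candidate key against a
    single observed message/tag pair. Returns the key, or None if no seed fits."""
    for seed in range(1 << CLOCK_BITS):
        candidate = key_from_clock_bits(seed)
        if hmac.compare_digest(mac(candidate, message), tag):
            return candidate
    return None


def demo() -> dict:
    """Constructed sample: the clock-seeded key falls to the seed search; the
    CSPRNG key does not (its 128-bit space is not enumerable)."""
    message = b"constructed sample: ADT message for MRN 000123"
    weak = weak_key_now()
    strong = key_from_csprng()
    return {
        "weak_key_recovered": recover_clock_seeded_key(message, mac(weak, message)) == weak,
        "strong_key_recovered": recover_clock_seeded_key(message, mac(strong, message)) is not None,
    }
```

The search takes well under a second on ordinary hardware; a 32-bit clock window would only raise that to minutes. The point is not the particular PRNG but the size of the seed space: whatever the generator, a key can have no more entropy than the seed it was derived from.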
Protection for Plaintext Encryption Master Keys

Policy: Only two approaches for protecting plaintext (readable) master keys are acceptable to One-Health Hospital. Master keys may be manually handled via dual control with split knowledge, so that no single person ever holds the whole key. Alternatively, they may be stored in tamper-resistant hardware modules. In all other places, they must appear only in encrypted form.

Commentary: This policy specifies the permissible ways to protect the keys at the top of a hierarchy of keys, the most sensitive type of encryption key. Master keys encrypt all other keys, or at least the key-encrypting keys which in turn encrypt other keys. If a master key is revealed, an entire encryption system can quickly be compromised. Accordingly, significant efforts are needed to prevent these keys from falling into the wrong hands.

Destruction of Encryption Key Generation Materials

Policy: All supplies used for the generation, distribution, and storage of keys (such as carbon copies, printer ribbons, and the like) must be protected from disclosure to unauthorized persons. When they are no longer needed, they must be destroyed by pulping, shredding, burning, or other approved methods.

Commentary: The intention of this policy is to prevent unauthorized parties from obtaining access to the information used to generate, distribute, or store encryption keys. Such access might allow these parties to obtain copies of the keys, which in turn would allow them to obtain the sensitive information protected with encryption. The policy also serves to make workers aware that these materials are sensitive and that they should be handled with care.

Time Frame for Destruction of Key Exchange Material

Policy: Custodians of key exchange material must destroy this material according to approved procedures within a reasonable time, not to exceed ten business days, following the successful verification of a key exchange process.

Commentary: The intent of this policy is to clearly specify when custodians of keying materials (master keys, encryption key components, initialization vectors, random number generator seeds, etc.) must destroy the keying materials they have received. The less time these materials exist outside the system, and the fewer people who hold them, the more secure the encryption process will be.
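The three policies above (dual control with split knowledge, verification of a key exchange, and a stated key life) fit together in one procedure. The following is an added example, not code from the policy or from One-Health Hospital, of how a master key is split into XOR components so that each custodian holds one, recombined, checked with a short key check value, and tracked against its expiration date. The function names, the 3-hex-digit key check value and the key identifier are assumptions for the illustration.

```python
import hashlib
import secrets
from datetime import date, timedelta
from typing import List

# Added example, not from the policy. Names, the KCV convention and the
# key identifier are illustrative assumptions.


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into one component per custodian. Every component except the last is
    fresh CSPRNG output, so any proper subset of components is statistically independent
    of the key; only all of them together reproduce it (dual control, split knowledge)."""
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    return components + [last]


def combine_key(components: List[bytes]) -> bytes:
    """Recombine all components; XOR is commutative, so the order does not matter."""
    result = bytes(len(components[0]))
    for component in components:
        result = xor_bytes(result, component)
    return result


def key_check_value(key: bytes) -> str:
    """Short fingerprint custodians can read out to confirm a correct recombination
    without exposing the key (a hash prefix here; an assumption, not a policy rule)."""
    return hashlib.sha256(key).hexdigest()[:6]


class KeyRecord:
    """Metadata the stated-life policy requires: identifier, creation date, expiry."""

    def __init__(self, key_id: str, created: date, life_days: int):
        self.key_id = key_id
        self.created = created
        self.expires = created + timedelta(days=life_days)

    def is_expired(self, today: date) -> bool:
        return today > self.expires

    def days_remaining(self, today: date) -> int:
        return (self.expires - today).days


def ceremony(custodians: int) -> dict:
    """Simulated key ceremony: generate, split, hand out, recombine, verify by KCV.
    The plaintext master key exists only inside this function."""
    master = secrets.token_bytes(32)
    expected_kcv = key_check_value(master)
    components = split_key(master, custodians)
    del master
    rebuilt = combine_key(components)
    return {"kcv_matches": key_check_value(rebuilt) == expected_kcv,
            "any_single_component_is_key": any(c == rebuilt for c in components)}
```

In a real ceremony the components would be printed or loaded into separate devices, the custodians would compare the key check value read from the hardware module against the expected one, and the paper components would then be destroyed within the window the destruction policy allows.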
Prevention of Unauthorized Disclosure of Encryption Keys

Policy: Encryption keys must be prevented from unauthorized disclosure via technical controls such as encryption under a separate key and use of tamper-resistant hardware.

Commentary: The intention of this policy is to specify that measures must always be taken to prevent the unauthorized disclosure of encryption keys. If encryption keys are disclosed, the security of encryption systems is in most instances defeated, because the algorithm and implementation are assumed to be public knowledge, as they are for any standard algorithm such as the Data Encryption Standard (DES) or its successor, the Advanced Encryption Standard (AES). (DES itself has since been withdrawn as an approved algorithm; the point stands for whichever standard algorithm is in use.) Tamper-resistant hardware is built so that an attempt to open it erases, or refuses to release, the encryption keys stored inside.

Transmission of Clear Text Encryption Keys Prohibited

Policy: If encryption keys are transmitted over communication lines, they must be sent in encrypted form. The encryption of keys should be performed with a stronger algorithm than is used to encrypt other sensitive data protected by encryption.

Commentary: The intention of this policy is to prevent users from inadvertently sending readable (clear text) encryption keys over communication systems. If this is done, then the encryption process (depending on the type of system) may be easily circumvented by anyone able to observe the line.

Storing Encryption Keys on Same Media as Protected Data Prohibited

Policy: If encryption is used to protect sensitive data resident on computer storage media, the encryption keys and any keying material from which they can be derived (key components, random number generator seeds, passphrases and the like) must not be stored anywhere on this storage media in unencrypted form.

Commentary: The intention of this policy is to ensure that whoever obtains the storage media, whether by stealing a portable computer or by recovering a discarded disk, does not obtain the keys along with the encrypted data. A key stored in the clear beside the data it protects makes the encryption worthless to anyone who examines the media carefully. Note that initialization vectors, salts and time-and-date stamps are not secret by design and are normally stored alongside the ciphertext; the restriction applies to the keys and to anything from which the keys can be reconstructed.
General Purpose Encryption Systems Must Include Key Escrow

Policy: All general-purpose encryption processes running on One-Health Hospital information systems must include key escrow functions. These special functions allow One-Health Hospital management to recover encrypted information should there be system errors, human errors, or other problems.

Commentary: Although the US government's Clipper chip, key escrow, and key recovery proposals were never widely adopted in the manner they were originally proposed, the ideas behind them are still of use for information security management purposes. The intent of this policy is to require encryption systems used for regular business activities to employ a system with key escrow. Key escrow allows management (or some other trusted party) to circumvent the encryption process when and if needed, for example to read the files of a worker who has left or who has lost a passphrase. A secure process (known as escrow) is needed to protect the special "skeleton key" which allows the encryption process to be bypassed; that key must receive at least the protection given to master keys above.

Digital Signature and User Authentication Keys Must Not Be Escrowed

Policy: Keys used for digital signatures, digital certificates, and user authentication must never be included in a key escrow arrangement. Making these keys available to third parties allows impersonation, which in turn facilitates fraud and deceit.

Commentary: This policy is intended to preserve non-repudiation: a user must not be able to credibly deny having used his or her signature or authentication key. Repudiation would wreak havoc with legal proceedings that rely on digital signatures, or on other security mechanisms based on encryption keys. In general, digital signatures and a number of other control measures assume that only the involved user has control over a key (or password). Key escrow, by contrast, is an arrangement whereby encryption keys are shared with certain parties, so the two are incompatible for this class of keys.
Explicit Assignment of Encryption Key Management Functions

Policy: Whenever encryption is used to protect sensitive data, the relevant owner(s) of the data must explicitly assign responsibility for encryption key management.

Commentary: When encryption is employed, the responsibility for protecting sensitive data is transformed into a responsibility for protecting encryption keys. The protection activity is still needed, even though the quantity of information that needs to be protected shrinks dramatically.

Separate Keys for Encryption and Message Authentication

Policy: If both encryption and message authentication codes (MACs) are used, separate keys must be used for each of these two control measures.

Commentary: Use of different keys is in keeping with the principle of key separation: one key, one purpose. The intention of this policy is to prevent an adversary who gains possession of one key from compromising both the encryption and the MAC, and to rule out interactions between the two algorithms, which can undermine both when they share a key. In practice the two keys need not be managed separately; they can be derived from one master key with a key derivation function, using a distinct label for each purpose.
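The key separation policy above is usually implemented by deriving the two keys from one master secret rather than by managing two independent keys. The following is an added example, not code from the policy or from One-Health Hospital: it implements HKDF (RFC 5869) from the standard library's HMAC, checks the implementation against test case 1 of that RFC, derives an encryption key and a MAC key under different labels, and uses them in an Encrypt-then-MAC construction. The cipher is an HMAC keystream in counter mode standing in for AES-CTR, because the Python standard library has no AES; the labels, key lengths and nonce size are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Added example, not from the policy. HKDF follows RFC 5869; the stream cipher is a
# stand-in for AES-CTR; labels, lengths and the nonce size are assumptions.

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an absent salt is HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def rfc5869_test_case_1_passes() -> bool:
    """Self-check against test case 1 of RFC 5869 (SHA-256, 42-byte output)."""
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


def derive_subkeys(master: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Two purpose-bound keys from one master key. The labels in `info` differ, so the
    keys are independent: holding one reveals nothing about the other or about `master`."""
    prk = hkdf_extract(salt, master)
    return (hkdf_expand(prk, b"OHH data encryption key v1", 32),
            hkdf_expand(prk, b"OHH message authentication key v1", 32))


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC (stand-in for AES-CTR). XOR is its own
    inverse, so the same function encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + HASH_LEN - 1) // HASH_LEN):
        stream = hmac.new(enc_key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * HASH_LEN:(block_no + 1) * HASH_LEN]
        out += bytes(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def seal(master: bytes, salt: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext under the separate MAC key."""
    enc_key, mac_key = derive_subkeys(master, salt)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master: bytes, salt: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare); decrypt only if it matches."""
    enc_key, mac_key = derive_subkeys(master, salt)
    nonce, ciphertext, tag = blob[:16], blob[16:-HASH_LEN], blob[-HASH_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed; ciphertext not decrypted")
    return keystream_xor(enc_key, nonce, ciphertext)
```

Because the MAC key is derived under its own label, someone who is handed the encryption key (a backup operator, say) cannot forge tags, and vice versa; the owner still assigns one party responsibility for the master key, as the preceding policy requires.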
Compression and Encryption of Sensitive Data to Be Held in Storage

Policy: If protected information is to be stored on a multi-user computer system, it must first be compressed and then encrypted using an approved encryption algorithm.

Commentary: Compressing the data first removes much of the redundancy of natural languages such as English, and the order matters in any case: well-encrypted data does not compress, so compression must come first if it is to be done at all. Against a modern cipher used correctly, however, compression adds no cryptographic strength, and it introduces a side channel: the compressed size depends on the content, and encryption does not hide size. Where an adversary can place chosen text in the same compressed message as a secret, the length of the ciphertext reveals whether the chosen text matched the secret. Compression should therefore be understood as a storage measure rather than a security measure, and avoided for data that mixes secrets with content an outsider can influence. The intention of this policy is to require systems designers, programmers, and other technical people to implement data compression with encryption, and to specify the sequence in which these processes are to be applied to data.

Tamper Resistant Hardware Modules for Encryption Processes

Policy: All encryption-related processes must be performed in tamper-resistant hardware modules rather than in software. This approach minimizes the threat of software reverse engineering and unauthorized disclosure of key(s).

Commentary: Tamper-resistant modules will automatically erase sensitive data, such as encryption keys and initialization vectors, which are held in memory when the modules are opened or tampered with. Such modules are also shielded to prevent the keys and other security-relevant data from being revealed via electromagnetic emanations. The intention of this policy is thus to require that all encryption processes be implemented using special-purpose hardware that increases the security of encryption processes.
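The length side channel mentioned in the compression policy's commentary can be demonstrated with nothing more than zlib. The following is an added example, not code from the policy or from One-Health Hospital: a constructed response body contains a secret session cookie and some reflected user input; an attacker who only sees the compressed size (which encryption preserves) recovers the cookie one hex digit at a time, because a guess that matches the secret extends an LZ77 match instead of costing a literal. The page layout, cookie name, alphabet and padding bytes are assumptions for the illustration.

```python
import zlib

# Added example, not from the policy. The response body, cookie name, alphabet and
# padding are constructed for the illustration; the only "oracle" is compressed size.

ALPHABET = b"0123456789abcdef"
# Eight distinct high bytes. Under DEFLATE's fixed Huffman code each costs 9 bits, so
# appending 0..7 of them walks the bit stream through every byte alignment, and a
# one-literal saving becomes visible in at least one of the eight measurements.
PAD = b"\x90\xa1\xb2\xc3\xd4\xe5\xf6\xf7"


def build_response(secret: bytes, user_input: bytes) -> bytes:
    """Constructed page: a secret cookie and reflected attacker input share one body."""
    return (b"HTTP/1.1 200 OK\r\nSet-Cookie: session=" + secret + b"; HttpOnly\r\n\r\n"
            b"<html><body><p>Results for: " + user_input + b"</p></body></html>")


def compressed_size(secret: bytes, user_input: bytes) -> int:
    """What the attacker sees on the wire: compress-then-encrypt preserves this length."""
    return len(zlib.compress(build_response(secret, user_input), 9))


def score(secret: bytes, guess: bytes) -> int:
    """Sum of sizes over eight alignments; a guess that extends the match scores lowest."""
    return sum(compressed_size(secret, guess + PAD[:p]) for p in range(8))


def recover_secret(secret: bytes, length: int) -> bytes:
    """Attacker loop: recover the cookie one hex digit at a time from sizes alone.
    `secret` is passed in only so the oracle can build the page; the loop never reads it."""
    known = b""
    for _ in range(length):
        scores = {bytes([c]): score(secret, b"session=" + known + bytes([c])) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            raise RuntimeError("ambiguous measurement at position %d" % len(known))
        known += winners[0]
    return known
```

Each position costs 16 candidates times 8 measurements, so an 8-digit secret falls in 1024 requests. The same mechanism is why compression is disabled in modern TLS and why HTTP response compression is a concern for pages that reflect user input next to tokens.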
Existence of Protected Systems Containing Personnel Records

Policy: With the exception of criminal investigations, there must be no system of personnel records whose very existence is kept secret from the subjects or workers described therein.

Commentary: This policy prohibits "shadow databases" which may be kept by supervisors or others as a way to persecute, harass, intimidate, or otherwise control employees. In this case, the word "shadow" indicates behind-the-scenes or secret. The policy helps build worker trust that they indeed know of all systems being used to judge their performance and promotion prospects. The intention of the policy is also to ensure that all systems containing personnel information are known not only to the subjects but also to the information security staff.
Guaranteed Employee Access to His or Her Own Personnel File

Policy: Upon written request, every worker must be given access to his or her own personnel file.

Commentary: The intention of this policy is to give the subjects (workers, employees, etc.) the right to know the information that has been used in decisions about them. Knowledge of this information then allows the subjects to object to inaccuracies or misleading statements appearing in the record.

Periodic Distribution of Employee Personnel Records

Policy: To allow each employee an opportunity to acquaint himself or herself with the information, and to ensure that it contains no errors, every employee must be given a copy of his or her personnel file once a year.

Commentary: The provision of a free copy of one's record is thus a way to reduce complaints about inaccurate reports, as well as a way to ensure that the information is current and accurate.
Privacy
Disclosure
Disclosure of Private Information to Third Parties

Policy: Disclosure of private information about One-Health Hospital workers to third parties must NOT take place unless required by law or permitted by explicit consent of the subject.

Commentary: This policy helps prevent invasion of privacy, defamation of character, libel, and slander lawsuits. The intention of the policy is to ensure that third parties are not given access to private information about employees (or more generally "workers"). The only exceptions are: (1) when specifically required by law, as would be the case if a subpoena were tendered, or (2) when the individual authorized the transfer, as would be the case if the information were to be used by a prospective employer doing a background check. For this reason, without further authorization from the worker, many United States employers disclose only: (1) the fact that an individual worked/works at the organization, (2) the most recent place of work, (3) the dates of employment, and perhaps (4) an indication whether the employee would be rehired.

Disclosure of Worker Names, Titles, and Other Contact Particulars

Policy: One-Health Hospital does not disclose the names, titles, phone numbers, locations, or other contact particulars of its workers unless required for business purposes. Exceptions will be made when the law requires such a disclosure or when the involved persons have previously consented to it.

Commentary: The intention of this policy is to protect the privacy of workers (employees, consultants, temporaries, etc.), especially from unwanted solicitations and marketing pitches.

Granting Workers Access to Disclosures of Private Data Records

Policy: Workers must be given access to records reflecting the disclosure of their own private information to third parties. In addition, workers must be given sufficient information to allow them to contact such third parties to rectify errors or supply additional information.

Commentary: Workers should have an opportunity to provide their own interpretation of events, should that interpretation differ from the interpretation found in One-Health Hospital records. Accordingly, the intention of this policy is to allow workers to rectify what they may consider inaccurate or misleading information when One-Health Hospital elects to take no action to correct their records.
Privacy of Personal Files Stored on Computers and in Desks

Policy: Personal files on One-Health Hospital computers and in One-Health Hospital worker desks must both be handled with the same privacy perspective given to personal mail and personal phone calls. This means that other workers, including managers and system administrators, must not read such personal files. Exceptions will be made if the action is part of: (a) a formal investigation initiated by the Security Department, or (b) an effort to dispose of or reassign files after a worker has left One-Health Hospital.

Commentary: The intention of this policy is to clarify privacy expectations about the personal files of workers. Essentially this policy says that the personal files of workers, even when kept on work equipment, are not to be read by managers or system administrators.

Keeping Records of Private Information Disclosed to Third Parties

Policy: Every disclosure of private information to third parties must be recorded and these records must be maintained for at least five (5) years.

Commentary: The intention of this policy is to be able to definitively show exactly what information has been disclosed to which third parties, and that the disclosures have been in keeping with law, organizational policies, and general business practices. Keeping a log of disclosures will also be important when notifying information recipients of errors found in a private record.

Protection of the Privacy of Customer Information

Policy: Information that can be directly linked to a specific customer (especially an individual) must ONLY be released to third parties if: (1) the customer has provided prior written consent, or (2) One-Health Hospital is legally required to disclose the information.

Commentary: The intention of this policy is to restrict the unauthorized dissemination of information about an organization's customers, be they individuals or organizations.

Customer Requests for Anonymity on One-Health Hospital Systems

Policy: To help preserve the privacy of customer information, One-Health Hospital provides mechanisms for customers to remain anonymous when using One-Health Hospital systems. One-Health Hospital will not disclose the identity of the customers who elect to use these mechanisms unless compelled to do so by law.

Commentary: The intention of this policy is to give customers a clear picture of what is meant by anonymous user-IDs, anonymous remailers (for electronic mail on the Internet), anonymous electronic cash (for financial transactions on the Internet), and similar anonymous mechanisms.
Distribution of Statistical Information about Customer Records

Policy: Statistical information derived from customer records may be disclosed to parties outside One-Health Hospital only if the customers involved cannot be identified by the information.

Commentary: The objective of this policy is to prevent workers from distributing reports to outsiders which might inadvertently reveal the identity of, or information about, customers. This policy is thus relevant to the preparation of annual reports (financial statements), government forms, and the like. The idea behind this policy is that customer information be aggregated so much that its disclosure does not damage customers.

Confidentiality Agreements Required for All One-Health Hospital Workers

Policy: All employees, consultants, contractors, and temporaries must sign a confidentiality agreement at the time they join One-Health Hospital.

Commentary: Having written acknowledgment that workers agree not to disclose sensitive data is very important if prosecution or disciplinary action is later required. The intention of this policy is therefore to require that a confidentiality agreement be obtained for every worker. A standard agreement may be a stand-alone document or it may be standard wording integrated into employment contracts, consulting contracts, and related documents. For this and related policy matters, discussions with internal legal staff are essential.

Exposure of Sensitive Information in Public Places

Policy: Protected, sensitive, or private One-Health Hospital information must not be read, discussed, or otherwise exposed on airplanes, in restaurants, on public transportation, or in other public places.

Commentary: The intention of this broadly worded policy is to help prevent the unauthorized disclosure of sensitive information. With the pressure to perform that so many employees face, it is not uncommon for them to work while sitting on a bus, an airplane, etc. Often they work with sensitive information. The policy seeks to prevent other travelers from looking over their shoulders, reading the material while sharing the same table, or otherwise being exposed to the material.
Removal of Sensitive Information from One-Health Hospital Premises

Policy: Sensitive One-Health Hospital information may not be removed from One-Health Hospital premises unless there has been prior approval from the information's owner. This policy includes portable computers with hard disks, floppy disks, hard-copy output, paper memos, and the like. An exception is made for authorized off-site back-ups.

Commentary: The intention of this policy is to prevent sensitive information from traveling around, and in the process being disclosed in unauthorized ways. The more information stays in one place, the easier it is to track and control. Note that this policy may restrict the activities of telecommuters and employees who wish to take work home with them. If such sensitive information routinely travels over computer networks, it may be difficult to identify its location at any particular point in time; in these cases, this policy will be difficult to implement and is most often inappropriate. On another note, this policy assumes the term "owner" has been previously defined.
HIPAA Compliance
Notice of Privacy Practices Policy

Policy: One-Health Hospital will ensure that all patients are provided with a Notice of Privacy Practices describing their rights and One-Health Hospital's duties with respect to Protected Health Information. This Notice of Privacy Practices will contain the necessary requirements and be distributed in accordance with Federal and state privacy laws.

Commentary: The purpose of this policy is to describe the process for documentation and maintenance of a Notice of Privacy Practices (Notice), identify the process for making changes to the terms of the Notice, establish the process for making Notice provisions effective for all Protected Health Information (PHI) maintained by One-Health Hospital (OHH), outline the process for providing and making available the Notice to patients at the first point of service, and provide an opportunity for patients to discuss any concerns related to their PHI with their health care Provider. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Privacy Officer, Roles and Responsibilities

Policy: The President/Chief Executive Officer of One-Health Hospital will determine the administrative requirements for the Privacy Officer and select a Privacy Officer(s) to oversee the development, implementation, and management of One-Health Hospital's privacy policies and procedures in accordance with applicable Federal and state privacy laws.

Commentary: The purpose of this policy is to define the roles and responsibilities of the Privacy Officer(s) and the guidelines for his/her selection. This policy supports One-Health Hospital's (OHH) Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.
Complaints Regarding Privacy and Security Policies and Procedures

Policy: Pursuant to Federal and state Privacy and Security laws, patients, visitors, contractors and employees of One-Health Hospital may submit allegation(s)/complaint(s) regarding violations of patient confidentiality, information security, or Hospital Privacy and Security policies and/or procedures to the Office of Privacy Administration. The Office of Privacy Administration and/or the Information Security Office will investigate and address the complaints. OHH will not threaten, intimidate, discriminate, or retaliate against a Person who exercises his/her right to file a complaint with OHH or the Secretary of the Department of Health and Human Services (DHHS).

Commentary: The purpose of this policy is to establish a process for submitting and addressing complaints related to Federal and state Privacy and Security laws and One-Health Hospital's Privacy and Security policies and procedures. This policy supports One-Health Hospital's (OHH) Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Mitigation for Patient Privacy Violations under HIPAA

Policy: Pursuant to Federal and state Privacy laws and within reasonable efforts, One-Health Hospital will mitigate harmful effects known to it resulting from the Use and/or Disclosure of Protected Health Information in violation of its privacy policies and procedures by itself or its Business Associates.

Commentary: The purpose of this policy is to define the process of One-Health Hospital's (OHH) Mitigation Plan for addressing and responding to violations of Federal and state Privacy laws and the District's Privacy policies and procedures. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Sanctions for Failure to Comply with Privacy Policies

Policy: One-Health Hospital is strongly committed to ensuring compliance with all applicable privacy laws, regulations, standards, policies, and procedures, including the Health Insurance Portability and Accountability Act of 1996. The Office of Privacy Administration and One-Health Hospital's Management will thoroughly investigate any alleged patient privacy violation and take the appropriate disciplinary action regarding the employee, including reporting to Federal, state and local entities as appropriate.

Commentary: The purpose of this policy is to define the disciplinary actions for employees of One-Health Hospital (OHH) who violate patient privacy rules. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.
Use and Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations

Policy: The workforce of One-Health Hospital will Use and Disclose Protected Health Information for the purpose of carrying out Treatment, Payment, or Healthcare Operations, pursuant to Federal and state laws.

Commentary: The purpose of this policy is to provide District-wide guidelines on the Use and Disclosure of PHI to carry out Treatment, Payment, or Healthcare Operations. This policy supports One-Health Hospital's (OHH) HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Protected Health Information for Facility Directories

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital may Use and Disclose certain Protected Health Information in the facility directories without obtaining a patient's Authorization, as long as the patient has an opportunity to agree or object to such Use or Disclosure. If the patient objects, One-Health Hospital will honor his/her request.

Commentary: The purpose of this policy is to outline the process for Use and Disclosure of Protected Health Information (PHI) in facility directories and to describe the procedure for allowing patients to agree or object to such Use and Disclosure. This policy supports One-Health Hospital's (OHH) HIPAA policy and may require development of department-specific procedures.

Patients' Requests for Confidential Communications

Policy: One-Health Hospital will accommodate a reasonable request from a patient to receive Confidential Communication of his/her Protected Health Information by alternative means or at alternative locations, pursuant to Federal and state laws.

Commentary: The purpose of this policy is to provide guidance for complying with patients' requests to communicate with them using alternative means or at alternative locations. This policy supports the Hospital District's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.
Requests for Restricting Use and Disclosure of Protected Health Information

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital will use reasonable efforts to comply with requests from patients to restrict the Use and Disclosure of their Protected Health Information. If OHH can no longer abide by a restriction, the Privacy Officer, or designee, may terminate the restriction.

Commentary: The purpose of this policy is to define the process for receiving, evaluating and responding to requests for restrictions on the use and disclosure of patient Protected Health Information (PHI). This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Authorization for Use and Disclosure of Protected Health Information for Purposes other than Treatment, Payment, and Health Care Operations

Policy: Pursuant to Federal and state privacy laws, One-Health Hospital will ensure that a properly written and signed authorization by the patient, or his/her representative, for use or disclosure of information is received before the patient's Protected Health Information is used or disclosed for reasons other than treatment, payment, or healthcare operations. An Authorization may be revoked in writing at any time.

Commentary: The purpose of this policy is to outline the process for the Use and Disclosure or release of a patient's Protected Health Information (PHI) when the patient's Authorization is required. This policy supports One-Health Hospital's (OHH) HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Psychotherapy Notes

Policy: One-Health Hospital (OHH) desires to ensure that Psychotherapy Notes are Used and Disclosed in accordance with applicable Federal and state laws by maintaining a separate

Commentary: It is the purpose of this policy to provide guidance to One-Health Hospital (OHH) on the Use and Disclosure of Psychotherapy Notes for Treatment, Payment, or Healthcare Operations. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.
Minimum Necessary Standard for Use and Disclosure of Protected Health Information

Policy: The One-Health Hospital workforce will have access to the Protected Health Information required to fulfill their responsibilities. Minimum Necessary restrictions do not apply to Use and Disclosure for Treatment purposes. Pursuant to Federal and state laws, when Using or Disclosing Protected Health Information or when requesting it from another Covered Entity, One-Health Hospital will make reasonable efforts to limit the Protected Health Information Used, Disclosed or requested to the Minimum Necessary amount needed to accomplish the intended purpose.

Commentary: The purpose of this policy is to provide guidance for assuring that the Minimum Necessary amount of Protected Health Information (PHI) is Used, Disclosed or requested by One-Health Hospital (OHH). This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Patients' Access to the Designated Record Set

Policy: A patient may review and obtain a copy of his/her Designated Record Set, with few exceptions, pursuant to Federal and state laws. One-Health Hospital will provide the patient the reason(s) for any denial of access in writing, together with instructions on how to file an appeal. If appropriate, the patient or legal representative may request to have the denial reviewed by an independent licensed health care professional. One-Health Hospital reserves the right to charge state-mandated rates for providing copies of the Designated Record Set.

Commentary: The purpose of this policy is to provide District-wide guidelines to assure patients' access to their Designated Record Set, describing the procedure for submission and processing, and outlining grounds for denials. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Accounting of Disclosures of Protected Health Information

Policy: The employees and Business Associates of One-Health Hospital will document, track, and retain all records pertaining to the Disclosure of Protected Health Information. Patients may request an Accounting of Disclosures of their Protected Health Information from the Privacy Officer, who will respond in accordance with Federal and state privacy laws and One-Health Hospital's privacy policies and procedures.

Commentary: The purpose of this policy is to provide guidance on documenting the Disclosure of Protected Health Information (PHI) and responding to a Request for an Accounting of Disclosures from patients or their Personal Representative. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.
Patients' Requests to Amend the Designated Record Set

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital will process a patient's request to amend his/her Protected Health Information contained within the Designated Record Set within the specified period. The request to amend the patient's Designated Record Set must be submitted in writing. The Clinician/author must approve amendments to clinical information. OHH will respond to each request to amend the medical record in writing.

Commentary: The purpose of this policy is to provide guidance for processing patients' requests to amend information contained within their Designated Record Set (DRS), identify circumstances when a request may be denied, and outline the process for filing a complaint, appeal, or review of the denial of the request. This policy supports the District's HIPAA policy and may require development of department-specific procedures.

Permitted Use and Disclosure of Protected Health Information without Patient's Authorization

Policy: One-Health Hospital will ensure that any use or disclosure of Protected Health Information without a patient's Authorization is in accordance with applicable Federal and state Privacy laws. Disclosures of PHI will be documented in the patient's medical record and tracked to enable One-Health Hospital to respond to patients' requests for an Accounting of Disclosures.

Commentary: The purpose of this policy is to provide guidelines concerning One-Health Hospital's (OHH) Use and Disclosure of Protected Health Information without the patient's Authorization. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Designated Record Set

Policy: One-Health Hospital has identified the items included and not included in the Designated Record Set for all patients.

Commentary: The purpose of this policy is to define the specific information or records that patients may access and amend within their medical and billing files in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other Federal and state privacy laws. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.
Use and Disclosure of Limited Data Sets
Policy: It is the policy of One-Health Hospital (OHH) to Use and Disclose Protected Health Information (PHI) from which certain direct identifiers have been removed to create a Limited Data Set, for the purposes of research, public health, or healthcare operations when appropriate. OHH facilities and providers will follow the enclosed guidelines for authorizing and creating Limited Data Sets to safeguard PHI and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
Commentary: To 1) outline the requirements for Use and Disclosure of PHI using Limited Data Sets, 2) provide guidance on how to create a Limited Data Set, and 3) define the requirements of a Data Use Agreement to be executed before a Limited Data Set is provided to authorized parties.
De-Identification of Protected Health Information
Policy: It is the policy of One-Health Hospital (OHH) to ensure that, when using or disclosing De-identified Information, the PHI is de-identified in accordance with applicable Federal privacy requirements, and that De-identified Information that is re-identified is treated as PHI under Federal privacy requirements. OHH Workforce members are encouraged to use de-identified information where possible in conducting Hospital business.
Commentary: To 1) provide guidance on how to de-identify Protected Health Information (PHI), 2) outline the process for reviewing and responding to requests for de-identifying PHI, and 3) provide guidance for re-identification of De-identified Information.
HIPAA Business Associates
Policy: OHH values the protection of Individually Identifiable Health Information and Protected Health Information. OHH will permit the Disclosure of such information to a Business Associate only if there is a current written Business Associate Agreement.
Commentary: To provide guidance in identifying One-Health Hospital's (OHH) Business Associates, to ensure that OHH enters into written Business Associate Agreements prior to the use or disclosure of Individually Identifiable Health Information (IIHI) or Protected Health Information (PHI), and to outline OHH's steps in the event of a breach of a Business Associate Agreement or of this policy. This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.
HIPAA Privacy Education
Policy: One-Health Hospital will ensure that its Workforce receives general education and, as indicated, specialized training regarding Federal and state privacy laws and One-Health Hospital's privacy policies and procedures. Each Workforce member will participate in training as required by job classification or role.
Commentary: The purpose of this policy is to delineate One-Health Hospital's (OHH) responsibilities for educating the Workforce regarding Federal and state privacy laws and OHH's policies and procedures. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.
Use and Disclosure of Protected Health Information for Marketing
Policy: One-Health Hospital will obtain a patient's Authorization for any use or disclosure of Protected Health Information for marketing purposes, in accordance with Federal and state privacy laws.
Commentary: The purpose of this policy is to provide guidance on the Use and Disclosure of patients' Protected Health Information for One-Health Hospital's (OHH) Marketing purposes; to identify when an Authorization is required for Marketing purposes and when it is not; and to identify special considerations for the Use and Disclosure of Protected Health Information for Marketing purposes. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.
Use and Disclosure of Protected Health Information for Fundraising
Policy: For its fundraising purposes and in accordance with Federal and state privacy laws, One-Health Hospital (OHH) may Use or Disclose to a Business Associate or to the One-Health Hospital Foundation (OHH Foundation) a patient's Demographic Information and the dates of healthcare services provided to the patient without obtaining the patient's Authorization. Any other Use or Disclosure of PHI for OHH's Fundraising purposes requires the patient's Authorization.
Commentary: The purpose of this policy is to provide guidance on the Use and Disclosure of Protected Health Information (PHI) for One-Health Hospital's (OHH) Fundraising purposes, and to identify when Authorization is required to Use and Disclose Protected Health Information for those purposes. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.
Access to One-Health Hospital Information
Policy: OHH will provide access to its information as permitted or required by law and as required for the purposes of treatment, payment, healthcare operations, or other necessary business activities and functions.
Commentary: To ensure that access to One-Health Hospital (OHH) information, whether maintained in paper or electronic form, is requested properly, approved, and managed; and to identify the individuals who are authorized to approve requests for access and those who may grant access.
Change Control
Overview
Introduction
The Information Resources infrastructure at One-Health Hospital is expanding and continuously becoming more complex. There are more people dependent upon the network, more client machines, upgraded and expanded administrative systems, and more application programs. As the interdependency between elements of the Information Resources infrastructure grows, a strong change management process becomes essential. From time to time, each Information Resource element requires an outage for planned upgrades, maintenance, or fine-tuning. Additionally, unplanned outages may occur that themselves result in upgrades, maintenance, or fine-tuning. Managing these changes is a critical part of providing a robust and valuable Information Resources infrastructure.
Purpose
The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources.
Audience
The One-Health Hospital Change Management Policy applies to all individuals who install, operate, or maintain Information Resources.
Definitions
Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Owner
The manager or agent responsible for the function supported by the resource; that is, the individual upon whom responsibility rests for carrying out the program that uses the resource. The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or for the business use of the information. Where appropriate, ownership may be shared by managers of different departments.
Custodian
Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. For mainframe applications, Information Services is the custodian; for micro and mini applications, the owner or user may retain custodial responsibilities. The custodian is normally a provider of services.
Change Management
The process of controlling modifications to hardware, software, firmware, and documentation to ensure that Information Resources are protected against improper modification before, during, and after system implementation.
Change
o Implementation of new functionality
o Interruption of service
o Repair of existing functionality
o Removal of existing functionality
Scheduled Change
Formal notification received, reviewed, and approved by the review process in advance of the change being made.
Unscheduled Change
A change made without notification having been presented to the formal review process in advance. Unscheduled changes are acceptable only in the event of a system failure or the discovery of a security vulnerability.
Emergency Change
An immediate response to imminent critical system failure, made before authorization through the review process can be obtained, when it is needed to prevent widespread service disruption.
Policy
Change Management Policy
Every change to a One-Health Hospital Information Resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures. All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) must be reported to or coordinated with the leader of the change management process.
A Change Management Committee, appointed by IS Leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.
A formal written change request must be submitted for all changes, both scheduled and unscheduled. All scheduled change requests must be submitted in accordance with the Change Management Procedures so that the Change Management Committee has time to review the request, identify and assess potential failures, and decide whether to allow or delay the request. Each scheduled change request must receive formal Change Management Committee approval before the change proceeds.
The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to: inadequate planning; inadequate backup or rollback plans; timing that would negatively impact a key business process such as year-end accounting; or the lack of readily available resources. Adequate resources may be a problem on weekends, holidays, or during special events.
Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.
A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not. A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
o Date of submission and date of change
o Owner and custodian contact information
o Nature of the change
o Indication of success or failure
All One-Health Hospital information systems must comply with an Information Resources change management process that meets the standards outlined above.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of One-Health Hospital Information Resources access privileges, civil, and criminal prosecution.
Threat Likelihood

Likelihood (Weight Factor)   Definition
High (1.0)                   The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium (0.5)                 The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (0.1)                    The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Magnitude of Impact

Impact (Score)               Definition
High (100)                   The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.
Medium (50)                  The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals.
Low (10)                     The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.
Risk is calculated as the impact score multiplied by the threat-likelihood weight factor:

                       Impact
Threat Likelihood      Low (10)                   Medium (50)                  High (100)
High (1.0)             Low Risk (10 x 1.0 = 10)   Medium Risk (50 x 1.0 = 50)  High Risk (100 x 1.0 = 100)
Medium (0.5)           Low Risk (10 x 0.5 = 5)    Medium Risk (50 x 0.5 = 25)  Medium Risk (100 x 0.5 = 50)
Low (0.1)              Low Risk (10 x 0.1 = 1)    Low Risk (50 x 0.1 = 5)      Low Risk (100 x 0.1 = 10)

The resulting score is banded as Low Risk (1 to 10), Medium Risk (above 10 to 50), or High Risk (above 50 to 100).
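The following is an added worked example, not part of the One-Health Hospital policy, that implements the likelihood x impact calculation from the two tables and the matrix above and uses it to rank a risk register. The Low/Medium/High bands are read off the matrix itself (scores of 1, 5 and 10 are Low, 25 and 50 are Medium, 100 is High), which is the three-level scale of NIST SP 800-30; the register entries at the bottom are constructed sample input, and the function and class names are the author's own choices.

```python
# Added example: risk scoring from the policy's likelihood/impact tables.
# Not part of the original policy document.
from dataclasses import dataclass

# Weight factors and impact scores exactly as in the policy's two tables.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = impact score x threat-likelihood weight factor.

    Raises ValueError rather than KeyError so that a typo in a risk
    register ("Hgh") is reported as bad input, not as a code bug.
    """
    if likelihood not in LIKELIHOOD_WEIGHT:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in IMPACT_SCORE:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return IMPACT_SCORE[impact] * LIKELIHOOD_WEIGHT[likelihood]


def risk_level(score: float) -> str:
    """Band a score: Low (1 to 10), Medium (above 10 to 50), High (above 50 to 100).

    These thresholds are inferred from the policy's matrix (assumption: the
    NIST SP 800-30 three-level scale).
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict[tuple[str, str], str]:
    """Regenerate the 3x3 matrix so it can be checked against the policy's table."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik in LIKELIHOOD_WEIGHT
        for imp in IMPACT_SCORE
    }


@dataclass(frozen=True)
class RiskItem:
    """One line of a risk register: a threat-source acting on a vulnerable asset."""
    asset: str
    threat: str
    likelihood: str
    impact: str


def rank_risks(items: list[RiskItem]) -> list[tuple[str, str, float, str]]:
    """Score every item and return (asset, threat, score, level), highest risk first.

    Ties are broken by asset name so the ordering is deterministic when two
    items score the same (e.g. 50 x 1.0 and 100 x 0.5 are both Medium, 50).
    """
    scored = [(it.asset, it.threat, risk_score(it.likelihood, it.impact)) for it in items]
    scored.sort(key=lambda t: (-t[2], t[0]))
    return [(asset, threat, score, risk_level(score)) for asset, threat, score in scored]


# Constructed sample register for demonstration only; not from any real assessment.
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "External attacker via unpatched remote service", "High", "High"),
    RiskItem("Backup tapes in transit", "Loss or theft of unencrypted media", "Medium", "High"),
    RiskItem("Public web site", "Defacement", "High", "Low"),
    RiskItem("Lab analyser (embedded)", "Malware introduced via USB", "Low", "High"),
    RiskItem("Staff scheduling app", "Insider misuse", "Medium", "Medium"),
]

if __name__ == "__main__":
    for asset, threat, score, level in rank_risks(SAMPLE_REGISTER):
        print(f"{level:6} {score:6.1f}  {asset}: {threat}")
```

Note that two items with the same score (the backup tapes at 100 x 0.5 and a hypothetical 50 x 1.0 item) land in the same band; the Change Management Committee or risk owner still has to order them by judgement, which is why the output keeps the numeric score alongside the band.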
Contingency Planning
Purpose
This information system contingency policy establishes a framework for recovering information system services following a disruption. The policy's objective is to maximize the effectiveness of contingency operations through an established plan consisting of the following phases:
o Notification/Activation phase: to detect and assess damage and to activate the plan.
o Recovery phase: to restore temporary IT operations and recover damage done to the original system.
o Reconstitution phase: to restore IT system processing capabilities to normal operations.
Applicability
The information system contingency plan applies to the functions, operations, and resources necessary to restore and resume One-Health Hospital's information system operations as installed at its primary location. The plan applies to One-Health Hospital and to all other persons associated with its information systems.
Planning Principles
Various scenarios were considered to form a basis for the policy, and multiple assumptions were made. The applicability of the policy is predicated on two key assumptions:
o One-Health Hospital's primary facility is inaccessible; therefore, One-Health Hospital is unable to perform information system processing there.
o A valid contract exists with the alternate site that designates that site as One-Health Hospital's alternate operating facility.
One-Health Hospital will use the alternate site's building and IT resources to recover information system functionality during an emergency that prevents access to the original facility. The designated computer system at the alternate site has been configured to begin processing system information. The alternate site will be used to continue information system recovery and processing throughout the period of disruption, until the return to normal operations.
Operations
Line of Succession
One-Health Hospital sets forth an order of succession, in coordination with the order set forth by the department, to ensure that decision-making authority for the information system contingency plan is uninterrupted. The DR leader of One-Health Hospital is responsible for ensuring the safety of personnel and the execution of the procedures documented within this information system contingency plan. If the DR leader is unable to function as the overall authority, or chooses to delegate this responsibility to a successor, an alternate leader shall function as that authority.
Responsibilities
The contingency policy establishes several teams assigned to participate in recovering information system operations. The DR Team is responsible for recovery of the information system computer environment and all applications. Members of the team include personnel who are also responsible for the daily operations and maintenance of the information system.
Notification and Activation Phase
This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to core information systems. Based on the assessment of the event, the plan may be activated by the Contingency Planning Coordinator. In an emergency, One-Health Hospital's top priority is to preserve the health and safety of its staff before proceeding to the Notification and Activation procedures.
Damage Assessment Procedures
Detailed procedures should be outlined to include activities to determine:
o the cause of the disruption;
o the potential for additional disruption or damage;
o the affected physical area and the status of the physical infrastructure;
o the status of IT equipment functionality and inventory, including items that will need to be replaced; and
o the estimated time to restore services to normal operations.
Activation
The Contingency Plan is to be activated if one or more of the following criteria are met:
o The information system will be unavailable for more than 2 hours.
o The facility is damaged and will be unavailable for more than 24 hours.
o Other criteria, as appropriate.
Recovery Operations
This section provides the framework for recovering the application at the alternate site, while other efforts are directed at repairing damage to the original system and capabilities. The following goals apply to recovering the information system at the alternate site; each is a placeholder to be completed from the Business Impact Assessment (BIA):
o Recovery Goal #1. State the first recovery objective as determined by the BIA.
o Recovery Goal #2. State the second recovery objective as determined by the BIA. For each team responsible for executing a function to meet this objective, state the team names and list their respective procedures.
o Recovery Goals Remaining. State the remaining recovery objectives (as determined by the BIA). For each team responsible for executing a function to meet each objective, state the team names and list their respective procedures.
Concurrent Processing
Procedures should be outlined to operate the system in coordination with the system at the original or new site. These procedures should include testing the original or new system until it is functioning properly, after which the contingency system is shut down gracefully.
Plan Deactivation
Procedures should be outlined, per team, to clear the alternate site of any equipment or other materials belonging to the organization, with a focus on handling sensitive information. Materials, equipment, and backup media should be properly packaged, labeled, and shipped to the appropriate location(s). Team members should be instructed to return to the original or new site.
Plan Appendices
The appendices included should be developed and based on system and plan requirements.
o Personnel Contact List
o Vendor Contact List
o Equipment and Specifications
o Service Level Agreements and Memorandums of Understanding
o IT Standard Operating Procedures
o Business Impact Analysis
o Related Contingency Plans
o Emergency Management Plan
o Occupant Evacuation Plan
o Continuity of Operations Plan
Topology
Glossary
Access control: A system to restrict the activities of users and processes based on the need-to-know.
Agents: Software that performs special tasks on behalf of a user, such as searching multiple databases for designated information.
Algorithm: A mathematical process for performing a certain calculation; generally used to refer to the process for performing encryption.
Badge reader: A device that reads badges and interconnects with a physical access control system.
Clear text: Unencrypted data.
Compliance statement: A document used to obtain a promise from a computer user that such user will abide by system policies and procedures.
Critical information: Any information essential to One-Health Hospital's business activities, the destruction, modification, or unavailability of which would cause serious disruption to One-Health Hospital's business.
Dynamic password: A password that changes each time a user logs into a computer system, such as a one-time password generated by a token.
Encryption key: A secret bit string (or a password from which one is derived) used to control the algorithm governing an encryption process.
Encryption: The process of encoding data under a key so that it can be recovered only by holders of the corresponding key; used primarily to achieve confidentiality and, together with related cryptographic techniques, other security objectives such as integrity and authentication.
End-user: A user who employs computers to support One-Health Hospital business activities and who is acting as the source or destination of information flowing through a computer system.
Firewall: A logical barrier stopping computer users, processes, or network traffic from going beyond a certain point in a network unless they first pass a security check (such as matching a rule that permits the connection, or authenticating).
Full disk encryption: A technique that encrypts an entire hard drive, including the operating system and data.
Key: A secret value used to encrypt or decrypt data (see Encryption key).
Login script: A set of stored commands that can log a user into a computer automatically.
Multi-user computer system: Any computer that can support more than one user simultaneously.
Password guessing attack: A computerized or manual process whereby candidate passwords are submitted to a computer in an effort to gain unauthorized access.
Password-based access control: Software that relies on passwords as the primary mechanism to control system privileges.
Password: Any secret string of characters used to authenticate a computer user or process.
PDA: Personal Digital Assistant.
Privilege: An authorized ability to perform a certain action on a computer, such as reading a specific computer file.
Remote wipe: Software that remotely deletes data stored on a mobile device.
Restricted information: Particularly sensitive information, the disclosure of which is expected to severely damage One-Health Hospital or its business affiliates (see Sensitive information).
Sensitive information: A designation for information, the disclosure of which is expected to damage One-Health Hospital or its business affiliates (see Restricted information).
User-IDs: Also known as accounts; character strings that uniquely identify computer users or computer processes.
Valuable information: Information of significant financial value to One-Health Hospital or another party.