
Authors: Dan Pesserl, Kevin Williams, Lori Nesbitt & Andrew Brasier

OVERVIEW ______ 3
  Introduction ______ 3
  Mission Statement ______ 4
  Vision Statement ______ 5
  Scope ______ 6
  Values Statement ______ 7
  Goals ______ 8
  Objectives ______ 9
  Information Security Awareness & Training ______ 10
  Company Roles and Responsibilities ______ 11
  Responsibilities of Owners, Custodians, and Users ______ 13
  Management of the Policy ______ 14

Enterprise Information Security Policy ______ 16
  Policy ______ 16

Policy Change Process ______ 18
  Flowchart ______ 18
  Policy Exception Process ______ 19

Access Control ______ 21
  General ______ 21
  Telecommuting Arrangements ______ 30
  Physical Security ______ 33
  Building Access Records ______ 38
  Handling Visitors ______ 40
  Restricted Access to Computer Facilities ______ 42
  Computer Location and Facility Construction ______ 44
  Clear Desk Policy ______ 49
  Management Section ______ 50
  Granting Access to Sensitive Data ______ 53

Network ______ 55
  Making Network Connections ______ 55
  Violations ______ 61

Encryption ______ 62
  When to Use Encryption ______ 62
  Encryption Key Management ______ 64

One-Health Hospital

Page 1

Revised 6/10/2009

  Miscellaneous Encryption Matters ______ 70
  Mobile Device Encryption Policy ______ 72

Records and Files ______ 73
  Handling ______ 73

Privacy ______ 75
  Disclosure ______ 75

HIPAA Compliance ______ 79

Change Control ______ 88
  Overview ______ 88
  Policy ______ 91

Risk Assessment/Business Impact Analysis ______ 93
  Summary ______ 93
  Risk Assessment Approach ______ 94

Contingency Planning ______ 96
  Purpose ______ 96
  Applicability ______ 96
  Operations ______ 97
  Activation ______ 98
  Recovery Operations ______ 98
  Return to Normal Operations ______ 98
  Plan Appendices ______ 99

Topology ______ 100
Glossary ______ 101
References ______ 103


OVERVIEW:
Introduction
One-Health Hospital has taken many steps to ensure the confidentiality, integrity, and availability of our systems and information. This document serves as a blueprint to achieve this. This policy handbook is ever changing, and as the industry evolves, adaptations will be required. The policies stipulated here provide a foundation for future procedures to be developed. It is every employee's responsibility to adhere to this document.


Mission Statement
One-Health Hospital provides affordable and exceptional health-care services to the neighbors and surrounding communities. One-Health Hospital strives to offer medical and professional services that include the utmost respect and care to our patients.


Vision Statement
One-Health Hospital will be the leader in patient care practices in the state of Michigan, implementing the latest technological advances and research the scientific community offers. Our medical professionals will be leaders in their respective fields, setting new standards of medical excellence.


Scope
The scope of this policy for One-Health Hospital is its assets. The assets are the computer, mobile, network, peripheral, and wireless devices, personnel, buildings, and data. This policy extends to any external company's devices, system and building access, and data.


Values Statement
Oneness: We believe in one health for all and we will protect it for every patient.
Numbers: We cost-effectively operate without compromising the quality of care.
Excellence: We set a high standard and remain as close as possible to it at every point of the hospital to maintain a successful partnership with the patient.
Health: We strive to assist the patient in having all the tools and knowledge available beyond the purpose of their visit.
Equality: We recognize all individuals as equals and treat them with the respect and dignity they deserve as a person.
Awareness: We keep an eye on the region to ensure that we are adhering to the demands of the community.
Links: We are linked to other hospitals and to the community in the case of any type of medical disaster occurring.
Teamwork: We believe in professional collaboration for results of efficiency, institutional growth, and creative research.
Hospital: We are more than a building structure; we are a foundation of the community's mental and physical health stability.


Goals
Operational: Maintain system backups. Monitor the network. Secure the data with access controls. Perform account access cleanup.
Tactical: Upgrade software and hardware. Audit the computers, servers, and network. Provide training and awareness education.
Strategic: Customer satisfaction; expand hospital information technology into other parts of the hospital's functions; profit by using the most modern information technologies in the hospital.


Objectives
Confidentiality: Data that the hospital has in its possession is available only to those with a need to know. This can include, but is not limited to, the patient, patient family members, health care workers, legal representation, and government officials.
Integrity: Auditing in place ensures that data on the hospital network is not altered or compromised during storage, access, or transmission.
Availability: Monitoring the network communication, mobile devices, and computer data provides a high up-time percentage for the users.


Information Security Awareness & Training


Information security awareness helps protect the people and the hospital assets. Protection of the assets is necessary to maintaining profitability, compliance, public image, and a competitive edge. Hospital threats can include natural disasters, computer network attacks and viruses, spying, and fraud affecting employees, systems, operations, and information every day. There are laws and regulations whose penalties for non-compliance can destroy the hospital. Information security training attempts to generate the applicable and required security skills and competencies. The training must embrace:

- State and Federal Laws, including:
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Payment Card Industry Data Security Standards (PCI DSS)
  - Sarbanes-Oxley Act (SOX)
- Information security and password tips
- How to identify security incidents and report them

All new employees will have orientation training for use of the hospital's computers and, upon completion, each person is required to sign a statement that they have read, understand, and agree to comply with the General Computer Use Policies:

- Organizational security policy: computing users receive a copy of the General Computer Use Policies.
- Security operating procedures: computing users get instructions in the proper use of the hospital systems available.
- Access control procedures: first-time employees using the corporate computing facilities receive instruction in the proper use and protection of passwords, and in their roles and responsibilities.


Company Roles and Responsibilities


Information and information systems are critical and vitally important One-Health Hospital assets. Without reliable information and information systems, One-Health Hospital would quickly go out of business. Accordingly, One-Health Hospital management has a fiduciary duty to preserve, improve, and account for One-Health Hospital information and information systems. This means that One-Health Hospital management must take appropriate steps to ensure that information and information systems are properly protected from a variety of threats such as error, fraud, embezzlement, sabotage, terrorism, extortion, industrial espionage, privacy violation, service interruption, and natural disaster.

One-Health Hospital information must be protected in a manner commensurate with its sensitivity, value, and criticality. Security measures must be employed regardless of the media on which information is stored (paper, overhead transparency, computer bits, etc.), the systems which process it (microcomputers, firewalls, voice mail systems, etc.), or the methods by which it is moved (electronic mail, face-to-face conversation, etc.). Such protection includes restricting access to information based on the need-to-know. Management must devote sufficient time and resources to ensure that information is properly protected.

One-Health Hospital management must additionally make sure that information and information systems are protected in a manner that is at least as secure as other organizations in the same industry handling the same type of information. To achieve this objective, annual reviews of the risks to One-Health Hospital information and information systems must be conducted. Similarly, whenever a major security incident indicates that the security of information or information systems is insufficient, management must promptly take remedial action to reduce One-Health Hospital's exposure.
Annual reports reflecting One-Health Hospital's information security status and progress must also be prepared and submitted to the President. Decision making within One-Health Hospital is also critically dependent on information and information systems. Management is expected to know the nature of the information they use for decision-making (accuracy, timeliness, relevance, completeness, confidentiality, criticality, etc.). The awareness of and fine-tuning of such information attributes is an important information management activity. One-Health Hospital's future competitive advantage will in part be achieved through the appropriate management of both information and information systems.

Information security requires the participation of and support from all workers. All One-Health Hospital workers (employees, consultants, contractors, and temporaries) must be provided with sufficient training and supporting reference materials to allow them to properly protect and otherwise manage One-Health Hospital information assets. Training materials should communicate that information security is an important part of One-Health Hospital's business, and must be viewed like other on-going business functions such as accounting and marketing. Training and documentation with respect to information security is the responsibility of the Information Security Department.

Guidance, direction, and authority for information security activities are centralized for the entire organization in the Information Security Department. The Information Security Department is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines, and procedures. Compliance checking to ensure that organizational units are operating in a manner consistent with these requirements is the responsibility of the EDP Audit Unit within the Internal Audit Department. Investigations of system intrusions and other information security incidents are the responsibility of the Information Security Department.


Responsibilities of Owners, Custodians, and Users


Owners: Owners are the department managers or their delegates within One-Health Hospital who bear responsibility for the acquisition, development, and maintenance of production applications that process One-Health Hospital information. Production applications are periodically executed computer programs that support One-Health Hospital business activities. All production application system information must have a designated Owner. For each type of information, Owners designate whether it is confidential, designate its criticality, define which users will be permitted to access it, and define its authorized uses.

Custodians: Custodians are in physical or logical possession of either One-Health Hospital information or information that has been entrusted to One-Health Hospital. While Information Systems Department staff members clearly are Custodians, distributed multi-user system administrators are also Custodians. Whenever information is maintained only on a personal computer, the User is necessarily also the Custodian. Each type of production application system information must have one or more designated Custodians. Custodians are responsible for safeguarding the information, including implementing access control systems to prevent inappropriate disclosure, and making back-ups so that critical information will not be lost. Custodians are also required to implement, operate, and maintain the security measures defined by information Owners.

Users: Users are responsible for familiarizing themselves with and complying with all One-Health Hospital policies, procedures, and standards dealing with information security. Questions about the appropriate handling of a specific type of information should be directed to either the Custodian or the Owner of the involved information.


Management of the Policy


Introduction

The One-Health Hospital Information Security Policies provide the operational detail required for the successful implementation of the Information Security program. These security policies were developed based on and cross-referenced to the Security Policy Standards. In addition, these policies have been developed by interpreting HIPAA and other legislation and legal requirements, understanding business needs, evaluating existing technical implementations, and by considering the cultural environment.

Changing Environment

The business, technical, cultural, and legal environment of One-Health Hospital, as it relates to information technology use and security, is constantly changing. The Security Policies will be revised as needed to comply with changes in law or administrative rules or to enhance their effectiveness.

Technology Neutral

These policies are technology neutral and apply to all aspects of information technology. Emerging technologies or new legislation, however, will impact these practice standards over time.
Ownership and Approval

The One-Health Hospital Information Resources Manager (IRM) owns the security policies. IRM, or designate, is the only authority that can approve modifications to the security policies.
Change Drivers

A number of factors could result in the need or desire to change the security policies. These factors include, but are not limited to, the following:

- Review schedule
- New legislation
- Newly discovered security vulnerability
- New technology
- Audit report
- Business requirements
- Cost/benefit analysis
- Cultural change

Change Process

Updates to the One-Health Hospital information policies, which include establishing new policies, modifying existing policies, or removing policies, can result from three different processes:

- At least annually, the Information Security Officer (ISO), or designate, will review the policies for possible addition, revision, or deletion. An addition, revision, or deletion is created if it is deemed appropriate.
- Every time new Information Resources (IR) technology is introduced into One-Health Hospital, a security assessment must be completed. The result of the security assessment could necessitate changes to the security policies before the new technology is permitted for use at One-Health Hospital.
- Any User may propose the establishment, revision, or deletion of any practice standard at any time. These proposals should be directed to the ISO, who will evaluate the proposal and make recommendations to the IRM.

Change Distribution and Notification

Once a change to the security policies has been approved by the IRM, or designate, the following steps will be taken as appropriate to properly document and communicate the change:

- The appropriate IR Security web pages will be updated with the change.
- Training and compliance materials will be updated to reflect the change.
- The changes will be communicated using standard One-Health Hospital communications methods such as the internal cable TV system, announcements web page, newsletters, and communications meetings.


Enterprise Information Security Policy


Policy
Purpose

This policy is designed to lay the foundation for security practices for One-Health Hospital in regards to its computer networking infrastructure and electronic resources. These policies are designed to ensure data confidentiality, integrity, and availability. This document also outlines a timeline for reviewing and updating the policy.

Information Security Elements

Information Security is outlined as policies and procedures intended to protect data and the hardware that stores, processes, and transmits it. One-Health Hospital utilizes several layers of security comprised of security policies, technological controls, and education of users.

Policy Statement

It is essential that information and technological assets be protected, as these systems are critical to the function of One-Health Hospital. These systems and the data they contain are at constant risk from threats ranging from employee errors to criminal actions to natural disasters. Any number of events can lead to a loss of data integrity, confidentiality, or availability. The policies implemented by One-Health Hospital are intended to reduce these risks by implementing controls meant to detect and prevent errors that might occur.

Information Technology Standards and Guidelines

All data processed by, residing on, or transiting One-Health Hospital networks and machines is held in great trust and must be afforded the greatest safeguards. Therefore, information security policy, instruction, processes, and standards created in furtherance of protecting One-Health Hospital information assets rely upon local laws and ordinances to ensure compliance. Violators will be prosecuted accordingly.

Scope

The policies and guidelines within this document affect all users who will utilize computing assets belonging to One-Health Hospital.


Need for Information Technology Security

All systems within One-Health Hospital and the data that is contained and transmitted on/by them are property of One-Health Hospital. To ensure the proper management of this property, One-Health Hospital reserves the right to monitor, record, and examine all data traveling its networks with or without consent or warning. One-Health Hospital technological systems should be used for appropriate academic and business purposes only. In addition, most files and documents maintained by One-Health Hospital are subject to public review under the Georgia Open Records Act. This includes computer files and other data regardless of the medium of storage. For these reasons faculty, staff, students, contractors, agents, or other individuals should have no expectation of privacy associated with the information they store in or send through these systems. These systems exist to support mission critical Academy activities and goals.

Review Schedule

The CIO, Network, and Security Managers will review the Enterprise Information Security policy annually.

Authority

Authority to establish and enforce this policy and associated security policy documents is held by the CIO, Network, and Security Managers.


Policy Change Process


Flowchart

Policy Change Process flowchart (dated May 18, 2009), rendered as text:

1. Change trigger.
2. Appoint sponsor; establish timeline; draft proposal.
3. Review proposal.
4. Accept proposal? No: notify originator and stop. Yes: continue.
5. Stakeholder review.
6. Modification required? Yes: make modifications and return to stakeholder review. No: continue.
7. Final approval by IRM or delegate.
8. Proposal accepted by the IRM or delegate? No: notify originator and stop. Yes: continue.
9. Publish and communicate; stop.


Policy Exception Process


Exception Introduction

The One-Health Hospital security practice standards provide the techniques and methodology to protect One-Health Hospital IR assets. While these policies are technology independent, they are more closely linked to the technology than the policy standards and are hence more likely to be impacted by changing technology, legislation, and business requirements. An exception is a method used to document variations from the rules. Examples are:

- Allowing a desktop modem when the practice standard states desktop modems are not permitted
- Giving an individual elevated privileges in comparison to another individual with similar responsibilities

Any User of One-Health Hospital Information Resources may apply for an exception.


Exception Process

The steps for permitting and documenting an exception are:

- A request for an exception is received by the ISO along with a business case justifying the exception.
- The ISO analyzes the request and the business case and determines if the exception should be accepted, denied, or if it requires more investigation.
- If more investigation is required, the ISO and IR technical staff determine if there is a cost effective solution to the problem that does not require an exception.
- If there is not an alternate cost effective solution, and the risk is minimal, the exception may be granted.
- Each exception must be re-examined according to its assigned schedule. The schedule can vary from 3 months to 12 months depending on the nature of the exception.
- Any exception request that is rejected may be appealed to the IRM.


Access Control
General
Where to Use Computer System Access Controls

Policy: All computer-resident information which is sensitive, critical, or valuable must have system access controls to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

Commentary: The intention of this policy is to require that the information which needs it will indeed be properly protected. Ideally, security measures are designed in a consistent manner, such that information is properly protected wherever it travels and whatever form it takes. This policy mandates the use of access controls to support that notion.

Four Category Data Classification Scheme

Policy: Data must be broken into four sensitivity classifications with separate handling requirements: protected, sensitive, private, and public. This standard data sensitivity classification system must be used throughout One-Health Hospital. The classifications are defined as follows:

Protected: This classification applies to the most sensitive business information, which is intended strictly for use within One-Health Hospital. Its unauthorized disclosure could seriously and adversely impact One-Health Hospital, its stockholders, its business partners, and/or its customers.

Sensitive: This classification applies to all individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law, as well as less sensitive business information which is intended for use within One-Health Hospital. Its unauthorized disclosure could adversely impact One-Health Hospital, its patients, staff, stockholders, its business partners, and/or its customers.

Private: This classification applies to personal information which is intended for use within One-Health Hospital. Its unauthorized disclosure could seriously and adversely impact One-Health Hospital and/or its employees.

Public: This classification applies to all other information which does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact One-Health Hospital, its employees, its stockholders, its business partners, and/or its customers.


All Software Must Be Regulated By Access Control Systems Software

Policy: All software installed on One-Health Hospital multi-user systems must be regulated by approved access control systems software. This means that the approved access control systems software must initially control a user's session, and, if defined permissions then allow it, control will be passed to the separately installed software.

Commentary: This policy attempts to prevent the installation of software that cannot be regulated by an access control system.

Systems Requiring Password-Based Access Control Package

Policy: If a small system (PC, LAN, etc.) handles either critical or sensitive information, the system must also utilize a properly maintained version of an approved password-based access control system.

Commentary: The intention of this policy is to provide managers of small systems with a specific rule-of-thumb that can be used to determine whether they should employ a password-based access control system. Those systems which do not contain either critical or sensitive information are, by default, not required to have access control systems.

Privilege Restriction Based on the Need-to-Know

Policy: The computer and communications system privileges of all users, systems, and programs must be restricted based on the need-to-know.

Commentary: The intention of this policy is to prevent the granting of excessive privileges to users. Excessive privileges often allow users to perform abusive and unauthorized acts, such as viewing private information belonging to other users. Excessive privileges may also allow users to commit errors that have serious consequences, such as bringing a communications server down during business hours. Borrowed from the military, the need-to-know approach is a fundamental idea underlying nearly all commercial access control systems.


No Read Up Permissions to Access Sensitive Information

Policy: Workers who have authorization to view information classified at a certain sensitivity level must be permitted to access only the information at this level and at less sensitive levels.

Commentary: The intention of this policy is to explicitly instruct system administrators, and others who set access control privileges, to prevent users from gaining unauthorized access to information. For example, if a person has authorization to view protected information, he or she may also view sensitive and public information because these are less sensitive than protected information. This person, however, may not view PROTECTED information unless specific authorization has been granted. This approach is sometimes called "read down" or "no read up" because the user is only given permission to read at his or her classification level and those levels down (progressively getting less sensitive). This policy applies to all levels of data, no matter how many levels there are in a classification system.

No Write Down Permissions to Access Sensitive Information

Policy: Workers must never have authorization to move information classified at a certain sensitivity level to a less sensitive level unless this action is a formal part of an approved declassification process.

Commentary: This policy is intended to prevent users from moving data from one classification level to another in order to gain unauthorized access to it. For instance, if an individual could copy "protected" information and then write it to a "sensitive" (less sensitive) system, he or she may be able to gain access to the information when access was not otherwise available. The process of "writing [information] down" to a less sensitive classification level can also be considered to be effectively declassifying the information so that unauthorized parties may then access it.

Time Dependent Access Control

Policy: All multi-user systems must employ user-IDs and passwords to control access to both data and programs. Beyond this basic access control, user activities must be restricted by time of day and day of the week.

Commentary: The default access control found on many systems is based on files, i.e., on various types of access to data and/or programs. Organizations wishing to bolster this control environment can mandate additional restrictions based on time, as mentioned in this policy. The policy's intent is to require more than simple access controls, normally based on user-IDs and passwords. Note that "more than the ordinary user-IDs and passwords" need not mean smart cards, biometrics, or some of the more expensive and esoteric technologies.
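The four-level classification scheme, the "no read up" and "no write down" rules, and the time-of-day restriction described above can be expressed together as one small reference monitor. The Python below is an added example for this handbook, not code from the handbook or from any One-Health Hospital system. The ordering public < private < sensitive < protected, the user ids, the permitted time windows and the request batch are constructed assumptions made for the illustration; the "declassification role" flag stands in for the handbook's "approved declassification process".

```python
# Added example, not from the One-Health Hospital handbook: a reference monitor
# applying the handbook's four-level classification, "no read up", "no write
# down" and time-of-day/day-of-week rules to access requests. The level
# ordering, user ids, time windows and request batch are constructed.
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    """Classification levels, least to most sensitive (assumed ordering)."""
    PUBLIC = 0
    PRIVATE = 1
    SENSITIVE = 2
    PROTECTED = 3


@dataclass(frozen=True)
class Subject:
    user_id: str
    clearance: Level
    allowed_days: FrozenSet[int] = frozenset(range(0, 5))  # Mon..Fri (0..4)
    allowed_hours: Tuple[int, int] = (7, 19)               # half-open [07:00, 19:00)
    may_declassify: bool = False                           # formal declassification role


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def in_window(subject: Subject, when: datetime) -> bool:
    """Time dependent access control: weekday and hour must both be permitted."""
    start, end = subject.allowed_hours
    return when.weekday() in subject.allowed_days and start <= when.hour < end


def check_read(subject: Subject, obj_level: Level, when: datetime) -> Decision:
    """Read down / no read up: a subject may read at or below its clearance."""
    if not in_window(subject, when):
        return Decision(False, "denied: outside permitted time window")
    if obj_level > subject.clearance:
        return Decision(False, "denied: no read up")
    return Decision(True, "allowed: read at or below clearance")


def check_write(subject: Subject, src: Level, dst: Level, when: datetime,
                approved_declassification: bool = False) -> Decision:
    """No write down: information may only move to the same or a higher level,
    unless the subject holds a declassification role and the move is approved."""
    if not in_window(subject, when):
        return Decision(False, "denied: outside permitted time window")
    if src > subject.clearance:
        return Decision(False, "denied: no read up on source information")
    if dst < src:
        if subject.may_declassify and approved_declassification:
            return Decision(True, "allowed: approved declassification")
        return Decision(False, "denied: no write down")
    return Decision(True, "allowed: write to same or higher level")


def run_sample_requests() -> List[Tuple[str, bool, str]]:
    """Evaluate a constructed batch of requests; returns (label, allowed, reason)."""
    nurse = Subject("nurse01", Level.SENSITIVE)
    records = Subject("records01", Level.PROTECTED, may_declassify=True)
    wed_9am = datetime(2009, 6, 10, 9, 0)     # a Wednesday (constructed timestamp)
    wed_10pm = datetime(2009, 6, 10, 22, 0)   # same day, outside the hour window
    sat_9am = datetime(2009, 6, 13, 9, 0)     # a Saturday, outside the day window
    cases = [
        ("nurse reads PRIVATE", check_read(nurse, Level.PRIVATE, wed_9am)),
        ("nurse reads PROTECTED", check_read(nurse, Level.PROTECTED, wed_9am)),
        ("nurse reads PRIVATE at 22:00", check_read(nurse, Level.PRIVATE, wed_10pm)),
        ("nurse reads PRIVATE on Saturday", check_read(nurse, Level.PRIVATE, sat_9am)),
        ("nurse copies SENSITIVE to PROTECTED",
         check_write(nurse, Level.SENSITIVE, Level.PROTECTED, wed_9am)),
        ("records copies PROTECTED to SENSITIVE, no approval",
         check_write(records, Level.PROTECTED, Level.SENSITIVE, wed_9am)),
        ("records copies PROTECTED to SENSITIVE, approved",
         check_write(records, Level.PROTECTED, Level.SENSITIVE, wed_9am,
                     approved_declassification=True)),
    ]
    return [(label, d.allowed, d.reason) for label, d in cases]


if __name__ == "__main__":
    for label, allowed, reason in run_sample_requests():
        print(f"{label:55s} -> {reason}")
```

Every decision carries a reason string so that denials can be written to an audit trail, which is what lets the EDP Audit Unit later verify that the read-down and no-write-down rules were actually applied rather than merely documented.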


Unbecoming Conduct and the Revocation of Access Privileges

Policy: One-Health Hospital management reserves the right to revoke the privileges of any user at any time. Conduct that interferes with the normal and proper operation of One-Health Hospital information systems, which adversely affects the ability of others to use these information systems, or which is harmful or offensive to others will not be permitted.

Commentary: The intention of this policy is to put users on notice that they jeopardize their status as authorized users if they engage in the activities described. For example, crashing the system could reasonably be expected to be harmful to other users, and would accordingly subject the perpetrator to disciplinary action including privilege revocation.

Prohibition against Testing Information System Controls

Policy: Workers must not test, or attempt to compromise, internal controls unless specifically approved in advance and in writing by the Manager of the Information Security Department.

Commentary: When users attempt to break controls, this fosters an "attack ethic," i.e., an environment where it is acceptable for workers to attempt to break system controls. This policy eliminates an often-invoked excuse for computer crimes, as the perpetrators may say that they were merely "testing the control system so as to be able to improve it." Of course, internal auditors already have this approval (in their departmental mission statement), and they should continue to test controls.

Prohibition against Exploiting Systems Security Vulnerabilities

Policy: Users must not exploit vulnerabilities or deficiencies in information systems security to damage systems or information, to obtain resources beyond those they have authorization to obtain, to take resources away from other users, or to gain access to other systems for which proper authorization has not been granted. All such vulnerabilities and deficiencies should be promptly reported to the Manager of Information Security.

Commentary: The intention of this policy is to make it clear that users must not take advantage of information security vulnerabilities and deficiencies, even if they are aware of such problems. One example of such a problem involves having knowledge of a special password that allows a user to do things he or she would otherwise not be able to perform.

Requests for One-Health Hospital Information Referred to Public Relations
Policy: Unless authorized by management, all requests for information about One-Health Hospital and its business must be referred to the Public Relations Department. Such requests include questionnaires, surveys, newspaper interviews, and the like. This policy does not apply to sales and marketing information about One-Health Hospital products and services, nor to customer support calls.
Commentary: The intention of this policy is to prevent workers, many of whom have only the best of intentions, from disclosing sensitive information to the press, market researchers, competitors, industrial spies, system crackers/hackers, and others. Effectively this policy says that only the Public Relations Department is authorized to disclose information about One-Health Hospital and its business. By funneling disclosures through Public Relations, an organization is also able to present a coordinated and orderly image to the public.

Approval Required Prior to Release of One-Health Hospital Information
Policy: Permission to disclose any internal One-Health Hospital information to the news media or to other third parties must be obtained from One-Health Hospital senior management prior to release.
Commentary: The intention of this policy is to prevent workers from disclosing sensitive information to the press, market researchers, competitors, industrial spies, system crackers/hackers, and others. Without explicit approval, disclosure is forbidden.

Public Representations about Future Earnings or New Product Prospects
Policy: To avoid shareholder class-action lawsuits, workers are forbidden from making any public representations about One-Health Hospital's future earnings or the prospects for new products.
Commentary: The rash of recent class-action lawsuits (many of them frivolous) has made senior management at many American organizations wary of the repercussions of making any forward-looking projections. This policy accordingly prohibits any public statement along these lines.

Waiting Period Prior to External Disclosure of Requested Information
Policy: If One-Health Hospital receives an outsider's request for internal information that is not of a sales, marketing, or public relations nature, the following process must be followed. The information's owner and the corporate counsel must each be given five (5) business days to evaluate the merits of the request. If no objection is received from either the owner or the corporate counsel, the information may be released. All requesters should be charged for the direct costs incurred in fulfilling their requests.
Commentary: The intention of this policy is to define how to handle external requests for internal information that may be of a sensitive nature. This policy is used by the State of Michigan, where the information involved is assumed to be public (under "freedom of information" laws or the equivalent). That assumption warrants the relatively lenient attitude toward disclosure. The requested information might nonetheless invade the privacy of a certain party, might be national defense information, might be needed by law enforcement for an investigation in progress, or for some other reason might not be appropriate to disclose. The possibility that it is sensitive warrants the five-day review period.

Established Procedure for Review of Information Released to Public
Policy: All information to be released to the public must first have been reviewed by management according to an established and documented process.
Commentary: The intention of this policy is to require management to establish and observe a formal procedure for the review of information before it is released to the public. Beyond requiring that such a procedure be used, this policy also requires that the procedure be documented. The policy could be expanded to require that documentation of each request be generated. The most important part of such documentation is the record of the specific approvals given (signatures, dates, etc.). The existence of documentation is likely to have a sobering effect, such that conservative and well-reasoned decisions are more likely to be made.

Prior Review for Speeches, Presentations, Technical Papers, Etc.
Policy: Every speech, presentation, technical paper, book, or other communication to be delivered to the public must first be approved for release by the involved employee's immediate manager. This policy applies if the employee will represent One-Health Hospital, if the employee will discuss One-Health Hospital affairs (even if only generally), or if the communication is based on information obtained in the course of One-Health Hospital duties. If new products, research results, corporate strategies, customer information, or marketing approaches are to be divulged, prior approval of the director of R&D and the director of the Legal Department must also be obtained.
Commentary: This policy requires that employees always obtain approval from their managers prior to delivering a speech, presentation, technical paper, or other communication. It thus helps prevent unauthorized (often inadvertent) disclosure of sensitive information. Additionally, the policy helps ensure that employees representing the organization will do a polished and professional job. The policy does not apply to personal matters, such as when an employee writes a paper on political matters or gives a speech at church. Nonetheless, if an employee discusses the general state of the industry in which One-Health Hospital offers products or services, this too requires approval.

Conditions for Acceptance of Third Party Sensitive Information
Policy: If an agent, employee, consultant, or contractor is to receive protected or sensitive information from a third party on behalf of One-Health Hospital, the disclosure must be preceded by the third party's signature of a release form approved by the Legal Department.
Commentary: This policy is intended to prevent One-Health Hospital from being obliged to pay royalties or other compensation to third parties if, subsequent to the disclosure, One-Health Hospital releases a product or service related to the ideas disclosed by the third party. The release form should make it clear that One-Health Hospital is under no obligation to pay any such royalties or other compensation, and that receipt of the information does not imply any contractual arrangement whatsoever.

Signing Third Party Confidentiality Agreements without Approval
Policy: Workers must not sign confidentiality agreements provided by third parties without the advance authorization of the One-Health Hospital legal counsel designated to handle intellectual property matters.
Commentary: In an effort to expedite discussions with suppliers, customers, and potential strategic partners, many workers will sign third-party confidentiality agreements without thinking about it. They may thereby obligate their organization to pay royalties should it later come out with a similar product or service, or may prevent their organization from introducing a similar product or service at all. To avoid these and other detrimental outcomes, this policy requires all confidentiality agreements to be routed through internal legal counsel (or designated external legal counsel).

Confidentiality Agreements and Disclosures of Sensitive Information
Policy: All disclosures of protected, sensitive, or private One-Health Hospital information to third parties must be accomplished via a signed confidentiality agreement that includes restrictions on the subsequent dissemination and usage of the information.
Commentary: The intention of this policy is to prevent unauthorized uses of One-Health Hospital information, including what is called "secondary dissemination." When secondary dissemination takes place, the recipient of information passes it on to some other person, and this other person has no agreement with the information's source about how the information should be handled. This policy prohibits additional distribution without the information owner's consent.

Specific Handling Instructions for Recipients of Sensitive Information
Policy: An explicit statement describing exactly what information is restricted and how this information may and may not be used must accompany all disclosures of protected, sensitive, or private One-Health Hospital information to third parties.
Commentary: This policy can be used to address "secondary dissemination" issues, unauthorized use, and related abuses of restricted information after it has left One-Health Hospital. The "explicit statement" may be part of a non-disclosure agreement signed by the third party receiving the information, or simply given in narrative or verbal form at the time of disclosure.

Disclosure of Privacy Related Information Security Policies & Procedures
Policy: Generally, information security policies and procedures should be revealed only to One-Health Hospital workers and selected outsiders (such as auditors) who have a legitimate business need for this information. A notable exception involves private data about individuals. In these cases, One-Health Hospital has a duty to communicate the information security policies and procedures employed. In addition, One-Health Hospital has a duty to disclose the existence of systems containing private information and the ways in which this information is used.
Commentary: This policy addresses a dichotomy that confuses many people. On one hand, information about security controls should be restricted to insiders; on the other hand, the safeguards applied to private data about individuals, and the existence of the systems holding that data, must be disclosed to outsiders.

Browsing on One-Health Hospital Systems and Networks Prohibited
Policy: Workers must not browse through One-Health Hospital computer systems or networks. For example, curious searching for interesting files and/or programs in the directories of other users is prohibited. Steps taken to legitimately locate information needed to perform one's job are not considered browsing.
Commentary: The intention of this policy is to prohibit hacking, cracking, and related activities. In many instances, the perpetrators of computer abuse are simply seeking thrills and are curious rather than deliberately malicious.

Telecommuting Arrangements
Permissible Equipment for Telecommuting
Policy: Employees working on One-Health Hospital business at alternative worksites must use One-Health Hospital-provided computer and network equipment. An exception will be made only if other equipment has been approved as compatible with One-Health Hospital information systems and controls.
Commentary: The intention of this policy is to make sure that telecommuting workers do not use information systems that could (a) cause malfunctions or damage to One-Health Hospital systems or information, or (b) insufficiently protect One-Health Hospital information. The latter might occur, for instance, if telecommuting equipment were unable to encrypt sensitive information stored on a computer at an employee's home; a burglary could then lead to unauthorized disclosure of this sensitive information.

Alteration/Expansion of Computers Provided by One-Health Hospital
Policy: Computer equipment provided by One-Health Hospital must not be altered or added to in any way (e.g., upgraded processor, expanded memory, or extra circuit boards) without departmental management knowledge and authorization.
Commentary: The intention of this policy is to ensure that users know that they must not tamper with One-Health Hospital-provided equipment. Such tampering could inadvertently cause various security measures to malfunction; for example, a boot protection system (which requires a password when the system is turned on) could lock a user out of a computer altogether. Tampering could also be used to deliberately circumvent security measures. In addition, in an indirect way, the policy prohibits theft of internal components like memory chips. Furthermore, the policy helps to ensure that the equipment issued to a user is the equipment that will be returned when the user is no longer employed at One-Health Hospital.

Reporting of Damage to One-Health Hospital Off-Site Systems
Policy: Workers must promptly report to their manager any damage to or loss of One-Health Hospital computer hardware, software, or information that has been entrusted to their care.
Commentary: The intention of this policy is to make sure that telecommuting workers, as well as those workers with mobile computers, report all damage or losses promptly. This in turn allows remedial measures, such as the replacement of a portable computer, to take place expediently, minimizing the impact on business activity.

Protection of One-Health Hospital Property at Alternative Worksites
Policy: The security of One-Health Hospital property at an alternative worksite is just as important as it is at the central office. At alternative worksites, reasonable precautions must be taken to protect One-Health Hospital hardware, software, and information from theft, damage, and misuse.
Commentary: The intention of this policy is to impress upon telecommuters (and others working with One-Health Hospital information systems at locations other than a central office) that the same security measures apply no matter where they are located. In some respects, this policy is another way of saying that information should be protected in a manner consistent with its value, sensitivity, and criticality. Protective measures should apply no matter where the information is located, no matter what form it takes, and no matter what technology is used to handle it.

Rights to Intellectual Property Developed Off-Site
Policy: Intellectual property developed or conceived while an employee is working at alternative worksites is the exclusive property of One-Health Hospital. This policy includes patent, copyright, trademark, and all other intellectual property rights as manifested in memos, plans, strategies, products, computer programs, documentation, and other materials.
Commentary: This policy seeks to notify telecommuters and others working off-site that their intellectual property work is still One-Health Hospital property, even though it was developed at another location. Detailed discussions with internal legal counsel about this topic are highly advisable. This policy is equally applicable to mobile computer users and others who might not be at an officially designated alternative worksite (satellite offices, neighborhood work centers, and virtual offices).

Telecommuters and Structured Working Environments
Policy: To retain the privilege of doing off-site work, all telecommuters must structure their remote working environment so that it complies with One-Health Hospital policies and standards.
Commentary: This policy is intended to put telecommuters on notice that being a telecommuter is a privilege, not a right, and as such this privilege may be revoked if the workers do not abide by One-Health Hospital policies and standards. The policy deliberately avoids dictating the specifics of remote working environments, since these are expected to change often. When it comes to security, these specifics typically include keeping equipment and other materials in a locked room, as well as regular use of a surge protector, a hard disk drive password-based access control system, a paper shredder, and a virus-screening program.

Telecommuter Remote System Information Security Procedures
Policy: As a condition of continued employment, telecommuters agree to abide by all remote system security procedures. These include, but are not limited to, compliance with software license agreements, performance of regular backups, and use of shredders to dispose of sensitive information.
Commentary: The intention of this policy is to make telecommuters aware of the procedures they must perform on a day-to-day basis. Some organizations may wish to provide a more detailed procedural description of the security requirements associated with telecommuting.

Right to Conduct Inspections of Telecommuter Environments
Policy: One-Health Hospital maintains the right to conduct inspections of telecommuter offices with one or more days' advance notice.
Commentary: The intention of this policy is to put telecommuters on notice that One-Health Hospital representatives may conduct inspections of their home offices. This will help ensure that telecommuters observe both safety and security policies and procedures. In return for permitting employees to telecommute, One-Health Hospital receives the right to inspect its property kept in the homes of telecommuters. Thus, by conducting inspections, One-Health Hospital management is carrying out its duty to protect One-Health Hospital assets.

Physical Security
Physical Access Control for Areas Containing Sensitive Information
Policy: Access to every office, computer room, and work area containing sensitive information must be physically restricted. Management responsible for the staff working in these areas must consult the Security Department to determine the appropriate access control method (receptionists, metal key locks, magnetic card door locks, etc.).
Commentary: The intention of this policy is to require that local management restrict those who have access to areas where sensitive information may be found. A second intention is to require that local management consult internal security specialists to determine what type of access control technology should be used.

Multi-User Computer or Communications Systems in Locked Rooms
Policy: All multi-user computer and communications equipment must be located in locked rooms to prevent tampering and unauthorized usage.
Commentary: No matter how sophisticated software access controls may be, if physical access to servers and similar equipment can be obtained, then those software access controls can generally be bypassed (for example, by booting the machine from other media or removing its storage). Physical security is therefore a precondition for the logical controls, not an alternative to them.

Guards or Receptionists for Areas Containing Sensitive Information
Policy: Guards, receptionists, or other staff must control visitor or other third-party access to One-Health Hospital offices, computer facilities, and other work areas containing sensitive information. Visitors and other third parties must not be permitted to use employee entrances or other uncontrolled pathways leading to areas containing sensitive information.
Commentary: The objective of this policy is to require that an authorized staff person be involved in determining whether visitors or other third parties should be allowed into areas containing sensitive information. Unchecked access to such areas may otherwise lead to industrial espionage, fraud, equipment theft, and other problems.

Badges Must Be Worn in Visible Places When in One-Health Hospital Premises
Policy: Whenever in One-Health Hospital buildings or facilities, all persons must wear an identification badge on their outer garments so that the information on the badge is clearly visible.
Commentary: The purpose of this policy is to put all workers on notice that they must wear their badges in a conspicuous place. This allows guards and other workers to determine whether a worker is permitted in a certain area. When picture badges are used, it also allows workers to readily notice if someone is using a stolen (or "borrowed") badge. This policy applies to several different types of premises: (a) where authorized workers have picture badges but visitors do not, (b) where every person in a restricted area has a picture badge, or (c) where none of the badges has a picture.

Temporary Badges for Workers Who Have Forgotten Their Badges
Policy: Workers who have forgotten their identification badge must obtain a temporary badge by presenting a driver's license or another piece of picture identification. Such a temporary badge is valid for a single day only.
Commentary: The purpose of this policy is to emphasize that everyone must have an identification badge, even if they forgot their regular badge. The process of issuing a temporary badge takes a few moments and therefore discourages people from forgetting their badges. If workers habitually forget their badges, the Security Department's records of temporary badges issued will readily show this; if the number of temporary badges issued to a specific individual is excessive, this may be cause for a notice to the individual's manager. Temporary badges should expire at the end of the day in case visitors forget to return them, and as an inducement to regular workers to bring their regular badge the next day. To make expiration readily apparent, some types of temporary badges discolor after a set period from the time of issuance. Separately, identification must be required to prove that a worker is who they say they are; this prevents third parties from gaining access to restricted areas by claiming to be authorized workers who forgot their badges. A temporary badge system implies that worker privileges are held in a computer database, and that these privileges can be readily written to a new badge.

Reporting Lost or Stolen Identification Badges and System Access Tokens
Policy: Identification badges and physical access cards that have been lost or stolen, or are suspected of being lost or stolen, must be reported to the Security Department immediately. Likewise, all computer or communication system access tokens (smart cards with dynamic passwords, telephone credit cards, etc.) that have been lost or stolen, or are suspected of being lost or stolen, must be reported to the Security Department immediately.
Commentary: The intention of this policy is to require all workers to notify the Security Department of all badges or tokens that may have been lost or stolen. The Security Department can then immediately block the privileges associated with these badges or tokens, so that losses occasioned by lost or stolen badges or tokens are minimized. Ideally, additional mechanisms (for example, a PIN or password that must accompany the badge or token) prevent a lost badge or token alone from granting either work-area or system access.

No 'Piggybacking' Through Controlled Doors Permitted
Policy: Physical access controls for One-Health Hospital buildings are intended to restrict the entry of unauthorized persons. Workers must not permit unknown or unauthorized persons to pass through doors, gates, and other entrances to restricted areas at the same time that authorized persons go through these entrances.
Commentary: This is known as a "no piggybacking" policy. It is intended to prevent unauthorized persons from following authorized persons into restricted areas (for instance, by relying on the authorized person's key or card to open the door). If turnstiles or mantraps are used, this policy is less important, because piggybacking is physically prevented.

Propped-Open Doors to Computer Center Require Presence of a Guard
Policy: Whenever the doors to the computer center are propped open (perhaps for moving computer equipment, furniture, supplies, or similar items), the entrance must be continuously monitored by an employee or a contract guard from the Physical Security Department.
Commentary: The intention of this policy is to make sure that equipment and information are not improperly removed while the doors to the computer center are not otherwise controlled.

Testing Physical Access Controls Forbidden
Policy: Workers must not attempt to enter restricted areas in One-Health Hospital buildings for which they have not received access authorization.
Commentary: The intention of this policy is to put workers on notice that they are not to attempt to defeat physical access controls. If workers need access to a certain area, they must go through the proper authorization channels rather than taking matters into their own hands. Granted, there will always be emergencies and disasters where this policy does not apply; in those circumstances, workers will do what they need to do and explain the situation later.

Working Alone in Restricted Areas Forbidden
Policy: Workers must never be permitted to work alone in restricted areas containing sensitive information.
Commentary: The intention of this policy is to prevent workers from taking advantage of being the only person in an area containing sensitive information. For example, one worker might look at the private personnel file of another worker, something they would not do if other people were around.

Working in Restricted Areas Only During Official Business Hours
Policy: If access to a particular One-Health Hospital facility has been restricted because sensitive, critical, or valuable information is handled therein, workers must be allowed to access the facility ONLY during official business hours.
Commentary: If employees stay late or come in early, they may be unsupervised, and may therefore be able to engage in computer abuse (such as using another employee's computer to view sensitive data). If workers are restricted to normal hours, they are less likely to engage in abusive acts, either because they would risk being caught or because other people would prevent them from performing these acts. This is thus a background policy that helps to ensure that separation-of-duties policies are effective. Separately, in the policy, the word "official" may be replaced by "authorized" to give management additional leeway in setting working hours.

Physical Security or Encryption Required for All Sensitive Information
Policy: All information storage media (such as hard disk drives, floppy disks, magnetic tapes, and CD-ROMs) containing sensitive information must be physically secured when not in use. An exception will be made if this information is protected via an encryption system approved by the Information Security Department.
Commentary: The intention of this policy is to require all local managers to implement either physical security measures or encryption (or both) for sensitive information. This policy is particularly relevant to portable, laptop, palmtop, and other small microcomputers (PCs). Since physical security cannot be assured when these systems are moved from building to building, encryption will be required for them. This policy also helps limit the damage from theft of microcomputers containing sensitive information.

Property Pass for Removal of All Computer and Communications Gear
Policy: Cellular telephones, portable computers, modems, and related information systems equipment must not leave One-Health Hospital premises unless accompanied by an approved property pass.
Commentary: The intention of this policy is to make sure that workers are not stealing equipment (and perhaps the information stored inside such equipment). Guards at controlled exit points can check property passes to make sure they are properly approved by management, still up to date, and apply to the equipment in question.

Workers Must Show Contents of Luggage When Leaving Premises
Policy: All briefcases, suitcases, handbags, and other luggage must be opened for One-Health Hospital building guards to check when people leave the premises. This will help ensure that sensitive or valuable information is not being removed from the premises.
Commentary: The objective of this policy is to discourage people from walking out with sensitive or valuable information.

Provision of Lockable Metal Furniture to Staff Working at Home
Policy: All workers who must keep sensitive One-Health Hospital information at their homes in order to do their work must receive lockable furniture for the proper storage of this information. At the time of separation from One-Health Hospital, both the furniture and the sensitive information stored therein must be immediately returned to One-Health Hospital.
Commentary: The purpose of this policy is to make sure that telecommuters and other staff who work in their homes have the proper furniture to securely store sensitive One-Health Hospital information. If a worker already has suitable furniture, it need not be provided by One-Health Hospital. Ownership of the furniture remains with One-Health Hospital (labels on the furniture should note this, and a memo to the employee clarifying ownership is appropriate).

Building Access Records

Maintaining Building Access Control System Records
Policy: To facilitate evacuation and to support investigations, the Security Department must maintain records of the persons currently and previously inside One-Health Hospital buildings. This information must be securely retained for at least three (3) months.
Commentary: The purpose of this policy is to force the recording of information about who comes and goes through a building containing sensitive, valuable, or critical information. This information may be especially important when physical access control systems are combined with computer access control systems, since a login from a workstation in a building the user never badged into is itself an indicator worth investigating.

Changing Physical Access Control Codes on Worker Termination
Policy: In the event that a worker is terminating his or her relationship with One-Health Hospital, all physical security access codes known to the worker must be deactivated or changed. For example, the serial number recorded on the magnetic stripe of an identification badge must be changed before the badge is reissued to another worker.
Commentary: This policy is intended to eliminate any confusion about the identity of the person who is using an access code. The policy may also prevent a terminated worker from using a copy of the access mechanism (such as a magnetic card) to gain unauthorized entry to One-Health Hospital work areas. This objective is particularly important if the worker is disgruntled and potentially vengeful.

Maintenance of List Showing Those Permitted to Grant Physical Access
Policy: A list of managers who are authorized to grant access to One-Health Hospital premises must be kept up to date. The higher-level managers who delegated authority to these managers must also periodically review this list.
Commentary: The objective of this policy is to establish a clear hierarchy showing the delegation of authority regarding the granting of physical access. The managers mentioned in the first sentence are the ones who, on a day-to-day basis, actually authorize certain workers to gain access to restricted areas. The "higher-level managers" mentioned are the ones who decided which managers would make the day-to-day decisions. The existence of a clear and up-to-date delegation of authority prevents demoted, transferred, terminated, or otherwise no-longer-authorized managers from misusing their authority. Likewise, the existence of this hierarchy focuses attention on the appropriate rights to grant various managers, thereby helping to ensure that the rights actually granted are commensurate with business needs. A foundation of basic physical security (including the policies found in this section) is necessary for many information security controls to work properly.

One-Health Hospital

Page 38

Revised 6/10/2009

Periodic Identification Badge Reports Issued to Department Heads
Policy: Every department head must receive a monthly listing of all persons in their area who currently have valid identification badges. Department heads must promptly report to the Security Department all valid badges that are no longer needed.
Commentary: The intention of this policy is to force the issuance and review of a report reflecting currently authorized badges. This will in turn help to identify and eliminate expired badges which have not yet had the associated privileges revoked. If unauthorized persons are permitted to gain access to One-Health Hospital premises, then the security of the information found in these premises will be unduly at risk. The process of generating and reviewing a report can be effectively used with computer user-IDs, telephone credit cards, and other access mechanisms. The report mentioned pertains to all types of workers (employees, consultants, contractors, temporaries, etc.), and this is why the term "in their area" is used.
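The two badge policies above (deactivating or changing access codes on termination, and the monthly per-department badge report) describe one record-keeping procedure. The following is an added illustration, written for this edition and not part of the One-Health Hospital policy text or of any real badge system: a small registry that deactivates a terminated worker's badges, refuses to reissue a badge until its stripe code has been changed, and produces the monthly listing with the entries a department head should send back flagged. Worker names, departments, badge ids and stripe codes are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Worker:
    worker_id: str
    department: str
    employed: bool = True


@dataclass
class Badge:
    badge_id: str
    stripe_code: str   # value encoded on the magnetic stripe (constructed sample values below)
    holder: str        # worker_id of the current holder
    department: str    # department the badge was issued under
    active: bool = True


class BadgeRegistry:
    """Security Department's record of issued badges (constructed example, not a real system)."""

    def __init__(self):
        self.workers = {}
        self.badges = {}
        self.audit = []   # (event, badge_id, worker_id) tuples kept for later investigations

    def add_worker(self, worker_id, department):
        self.workers[worker_id] = Worker(worker_id, department)

    def _code_in_use(self, stripe_code):
        return any(b.stripe_code == stripe_code for b in self.badges.values())

    def issue(self, badge_id, stripe_code, worker_id):
        # One stripe code identifies exactly one person; never share codes between badges.
        if self._code_in_use(stripe_code):
            raise ValueError("stripe code already in use")
        worker = self.workers[worker_id]
        self.badges[badge_id] = Badge(badge_id, stripe_code, worker_id, worker.department)
        self.audit.append(("issue", badge_id, worker_id))

    def terminate_worker(self, worker_id):
        """On termination, deactivate every badge the worker holds; returns the affected badge ids."""
        self.workers[worker_id].employed = False
        deactivated = []
        for badge in self.badges.values():
            if badge.holder == worker_id and badge.active:
                badge.active = False
                deactivated.append(badge.badge_id)
                self.audit.append(("deactivate", badge.badge_id, worker_id))
        return deactivated

    def reissue(self, badge_id, new_stripe_code, new_worker_id):
        """Hand a deactivated badge to another worker, but only with a changed stripe code."""
        badge = self.badges[badge_id]
        if badge.active:
            raise ValueError("badge must be deactivated before it is reissued")
        if new_stripe_code == badge.stripe_code or self._code_in_use(new_stripe_code):
            raise ValueError("stripe code must be changed to a fresh value before reissue")
        worker = self.workers[new_worker_id]
        badge.stripe_code, badge.holder = new_stripe_code, new_worker_id
        badge.department, badge.active = worker.department, True
        self.audit.append(("reissue", badge_id, new_worker_id))

    def monthly_report(self):
        """Per-department listing of active badges; flags the ones a department head should report back."""
        report = defaultdict(list)
        for badge in self.badges.values():
            if not badge.active:
                continue
            worker = self.workers.get(badge.holder)
            if worker is None or not worker.employed:
                reason = "holder no longer employed"
            elif worker.department != badge.department:
                reason = "holder transferred to another department"
            else:
                reason = ""
            report[badge.department].append(
                {"badge_id": badge.badge_id, "holder": badge.holder,
                 "review": bool(reason), "reason": reason})
        return dict(report)


def build_sample_registry():
    """Constructed sample data: three workers, three badges."""
    reg = BadgeRegistry()
    reg.add_worker("alice", "HR")
    reg.add_worker("bob", "IT")
    reg.add_worker("carol", "IT")
    reg.issue("B-001", "S-1001", "alice")
    reg.issue("B-002", "S-1002", "bob")
    reg.issue("B-003", "S-1003", "carol")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("deactivated on termination:", reg.terminate_worker("alice"))
    reg.workers["bob"].employed = False   # HR record changed, Security Department not told
    for dept, rows in reg.monthly_report().items():
        print(dept, rows)
```

The report deliberately flags a badge whose holder's employment record has changed without the badge being returned; that is exactly the gap the monthly review is meant to close, and the same reconciliation applies to computer user-IDs and other access mechanisms.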

Handling Visitors
Identification and Sign-In Process Required for All Visitors
Policy: All visitors must show picture identification and sign in prior to gaining access to restricted areas controlled by One-Health Hospital.
Commentary: The objective of this policy is to require that all visitors (even employees from different locations) show definitive identification proving who they are before they are permitted to enter restricted areas. This will discourage unauthorized persons from masquerading as though they are authorized. It will also help ensure that a log showing who entered/exited the restricted area (the so-called "sign-in" process) is accurate and reflects the actual identity of the individuals involved.

Escorts Required for All Visitors
Policy: Visitors to One-Health Hospital offices must be escorted at all times by an authorized employee, consultant, or contractor. This means that an escort is required from the moment a visitor enters a controlled area until this same visitor leaves the controlled area. Visitors requiring an escort include customers, former employees, worker family members, equipment repair contractors, package delivery company staff, and police officers.
Commentary: The intention of this policy is to prevent unauthorized persons from gaining access to sensitive, proprietary, or private information while inside a controlled area such as an office.

Third Party Supervision in Areas Containing Sensitive Information
Policy: Individuals who are neither One-Health Hospital employees, nor authorized contractors, nor authorized consultants, must be supervised whenever they are in restricted areas containing sensitive information.
Commentary: The intention of this policy is to ensure that third parties are not permitted to roam unescorted in areas containing sensitive information. If these people are permitted unsupervised access, industrial espionage, privacy violation, and other problems may occur. This policy could be expanded to include "valuable or critical" information, not just "sensitive" information.

Individuals without Identification Badges Must Be Challenged
Policy: Whenever a worker notices an unescorted visitor inside One-Health Hospital restricted areas, the visitor must be immediately questioned about the purpose for being in restricted areas. The visitor must then be directly accompanied to a reception desk, a guard station, or the person they came to see.
Commentary: This "challenge" policy is intended to prevent unauthorized people from roaming around controlled areas where sensitive, proprietary, or private information is handled. It helps to make sure that only authorized persons wearing proper identification badges are in restricted areas. The policy is applicable to those environments where badges are required, as well as smaller office environments without badges.

Restricted Access to Computer Facilities


Physical Security Measures for Computers & Communications Systems
Policy: Buildings that house One-Health Hospital computers or communications systems must be protected with physical security measures that prevent unauthorized persons from gaining access.
Commentary: The intention of this policy is to ensure that rudimentary physical security measures are used to protect both computers and communications systems.

Computer Center is a Closed Shop
Policy: One-Health Hospital computer centers are closed shops. Programmers and users are not permitted inside computer machine rooms.
Commentary: The term "closed shop" means that the doors are locked and that programmers, users, and others who do not have a need to be inside the machine room do not get access. The objective of this policy is to physically enforce separation of duties between computer operators on one hand and programmers and users on the other. The policy also helps to reduce congestion and confusion in the machine room.

Restricted Access to Magnetic Tape, Disk, and Documentation Libraries
Policy: The magnetic tape, disk, and documentation libraries are controlled areas within the computer center. Access must be restricted to workers whose job responsibilities require their presence in these libraries.
Commentary: The intention of this policy is to physically restrict access to areas containing sensitive, valuable, or critical information (the libraries). This will in turn reduce the chance that such information will be disclosed, manipulated, deleted, or otherwise handled in a manner which is not in keeping with management intentions. This policy is a specific manifestation of the separation of duties principle.

Public Tours of Computer Facilities Prohibited
Policy: Public tours of major computer and communications facilities are prohibited.
Commentary: The intention of this policy is to eliminate public tours, which can be a covert means for industrial spies, hackers, disgruntled employees, and others intent on doing harm to gain access to restricted areas. Individuals such as these have been known to pick up information while on a tour, which was then instrumental in subsequent compromises of system access controls. Other individuals have used their proximity to computer and communications equipment while on a tour to sabotage systems. The policy does not prevent private tours, such as those for employees, consultants, and/or contractors who have a business need-to-know about the facilities. Likewise, this policy does not prevent tours for top management, stockholders, important customers, and the like.

Computer Location and Facility Construction


Location of New Computer or Communications Centers
Policy: All new One-Health Hospital computer or communications centers must be located in an area unlikely to experience natural disasters, serious manmade accidents (chemical spills, dangerous release of nuclear materials, etc.), riots, and related problems.
Commentary: The intention of this policy is to force management to consider the consequences in advance of locating a computer or communications center in a dangerous area. All too often a decision is made to locate a facility and only later are the serious risks appreciated.

Redundant Supplies for Public Utility Resources
Policy: All new One-Health Hospital computer or communications centers must be located such that they have ready access to two electrical power substations and two telephone central offices. Such centers must not be unduly near flood plains, earthquake faults, airports, railroad tracks, major highways, or other sources of danger.
Commentary: The purpose of this policy is to require individuals who are designing new computer or communications centers to consider redundant sources of supply for public utilities.

Adequate Construction for Computer or Communications Centers
Policy: New and remodeled One-Health Hospital computer or communications centers must be constructed so that they are protected against fire, water damage, vandalism, and other threats known to occur, or that are likely to occur at the involved locations.
Commentary: The purpose of this policy is to force those responsible for building new and remodeled computer or communications centers to consider local security risks in advance of construction.

Computer and Communications Facility Location within a Building
Policy: To minimize theft and water damage, multi-user computers and communications facilities must be located above the first floor in buildings. To minimize potential damage from smoke and fire, kitchen facilities should be located away from (including not directly above or below) multi-user systems. Likewise, to minimize potential water damage, rest room facilities should not be located directly above these systems. To minimize potential damage from bombs, and to minimize unauthorized electromagnetic eavesdropping and interference, these systems should not be located adjacent to a building's exterior wall.
Commentary: The intention of this policy is to provide guidance for those responsible for the location of a computer facility within a building. Many of the managers responsible for locating computer centers do not consider these matters, and problems are encountered after the installation is complete.

Intermediate Holding Area Required to Restrict Computer Room Access
Policy: A secured intermediate holding area must be used for computer supplies, equipment, and other deliveries. Delivery personnel must not be able to directly access rooms containing multi-user computer facilities.
Commentary: The intention of this policy is to protect computer rooms from unauthorized access, such as from delivery service personnel. For example, loading dock doors should not open directly to the computer room. By restricting the movement of materials, this policy also helps bolster access controls to a computer room.

No Signs Indicating Location of Computer or Communications Center
Policy: There must be no signs indicating the location of computer or communications centers.
Commentary: This policy means that organization name signs, communications center signs, computer room signs, Information Systems Department signs, technical support group signs, and the like should not be visible from public areas. The policy is intended to prevent terrorist attack or sabotage.

Computer Center Fire Resistance and Self-Closing Openings
Policy: Firewalls surrounding computer facilities must be non-combustible and resistant to fire for at least one hour. All openings to these walls (doors, ventilation ducts, etc.) should be self-closing and likewise rated at least one hour.
Commentary: The intention of this policy is to clearly specify a minimum acceptable fire resistance construction for computer centers. The same could apply to communications facilities, such as a network control center. Openings such as ventilation ducts can be self-closing, and doors can have automatic release latches that close them if a fire alarm is initiated. Fire is the most common cause of a major disaster at computer centers, and often a fire starts in adjacent areas and then spreads to the computer center. If adequate fire resistance is built into the premises, the likelihood that a fire is put out before major damage is caused will be increased.

Computer Facilities and Doors Resistant to Forcible Entry
Policy: Computer facility rooms must be equipped with riot doors, fire doors, and other doors resistant to forcible entry.
Commentary: The intent of this policy is to make sure that the doors to a computer room provide adequate protection for the expensive equipment contained therein. In many offices, there is no locked door to computer facilities (particularly where small systems like local area network (LAN) servers are located). The policy includes the requirement that such doors automatically unlock whenever there is a fire alarm, and/or whenever there is an emergency need for someone on the inside to get out.

Computer Facilities and Automatically Closing Doors
Policy: Computer facility rooms must be equipped with doors that automatically close immediately after they have been opened, and which set off an audible alarm when they have been kept open beyond a certain time.
Commentary: The requirements embodied in this policy prevent people from propping doors open with chairs, books, etc., so that others can enter. Such doors help to ensure that the physical access control that management intended is actually being used (and that worker entrances and exits are being recorded in a log). These doors have been shown to be very effective when it comes to forcing people to use a physical access control system. The policy could be expanded to include communications facilities, such as network management centers.

Computer-Assisted Equipment Tracking
Policy: All One-Health Hospital computer and communications equipment must have a unique computer-readable identifier attached to it so that physical inventories are conducted efficiently and regularly.
Commentary: Having an up-to-date inventory of equipment is an important management tool for making various decisions like: (a) determining whether equipment has been stolen, (b) determining what equipment needs to be upgraded, and (c) planning network reconfigurations. Such inventories are especially useful when an employee is terminated (fired or sacked). In this case, there is often a dispute about what equipment the employee had in his/her possession and which of these pieces of equipment belong to the employer. The "unique identifier" mentioned in the policy can be a bar code, an optical character recognition mark, or some other computer-sensed marking. Ideally, the mark is invisible to the naked eye, thus making its removal difficult. This policy is particularly relevant to inventories of microcomputers (PCs), workstations, fax machines, and other small office equipment.

Marking Information Systems Equipment with Identification Codes
Policy: All One-Health Hospital computer and communications equipment must have an identification number permanently etched onto the equipment. This code will assist police in their attempts to return the property to its rightful owner.
Commentary: The theft and illegal resale ("fencing") of computer and communications equipment has become a very large problem.

Moving Microcomputer Equipment without Approval Prohibited
Policy: Microcomputer equipment (PCs, LAN servers, etc.) must not be moved or relocated without the prior approval of the involved department manager.
Commentary: This policy seeks to prevent employees from stealing computer equipment, claiming they are using the equipment to perform business activities, when in fact they are not. It also helps maintain some semblance of change control in the small systems environment. It gives local management, rather than a centralized Information Technology Department, the ultimate say-so regarding the location and uses of small systems equipment. Separately, unauthorized movement of equipment may cause unanticipated problems such as network addressing problems, electrical wiring problems, fire hazards, ventilation problems, etc.

Positioning of Computer Display Screens with Respect to Windows
Policy: The display screens for all microcomputers (PCs), workstations, and dumb terminals used to handle sensitive or valuable data must be positioned such that they cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception and related areas.
Commentary: The intention of this policy is to reduce the chance that unauthorized people will be able to view sensitive information displayed on a computer screen.

Electromagnetic Radiation (Emanation) Protection for Protected Systems
Policy: One-Health Hospital systems containing protected information must employ hardware which meets military standards for electromagnetic radiation (emanation) control. These systems must also be protected inside locked rooms encased with wire mesh or other electromagnetic radiation blocking materials as specified by military standards.
Commentary: This policy addresses a problem largely unknown in the non-military and non-diplomatic world: electromagnetic radiation generated by computer and network equipment. This type of radiation can be detected at significant distances and then converted into readable signals. For instance, the information appearing on a computer monitor can be picked up at 1,000 feet using relatively inexpensive equipment, even though there exists no line of sight connection with the involved monitor.

Clear Desk Policy


Clear Desks and Working Areas
Policy: Outside of regular working hours, all workers must clean their desks and working areas such that all sensitive or valuable data is properly secured.
Commentary: This policy is a modified "clean desk policy"--also called a "clear desk policy" by some firms. The traditional clean desk policy requires all information to be secured, lest an individual's judgment about the relative sensitivity of information be in error. The revised policy presented here is designed for microcomputer (PC) and workstation users--who often leave floppy disks and printouts out on their desk. The intention of the policy is to prevent people who happen to be in the building after hours from gaining access to sensitive information.

Traditional Clean Desk Policy
Policy: During non-working hours, employees in areas containing sensitive information must lock up all information. Unless information is in active use by authorized personnel, desks must be clear and clean during non-working hours.
Commentary: This traditional clean desk policy intends to prevent inadvertent disclosure of sensitive information.

Management Section
Specific Information Access Policies Must Be Prepared
Policy: Management must establish specific written policies regarding the categories of people who will be granted permission to access various types of information. These policies must also specify limitations on the use of this information by those to whom access has been granted.
Commentary: A specification of access rights is a necessary precursor to implementing either a password-based access control package (like IBM's RACF) or the native access control facilities found in many operating systems (like DEC's VMS). If an access control package implementation is attempted without first having decided what the rules will be, confusion inevitably results. The intention of this policy is to put management and technical staff on notice that such policies about information access must be not only specified, but also put in writing.

Information Ownership Must Be Assigned
Policy: Management must clearly specify in writing the assignment of ownership responsibilities for databases, master files, and other shared collections of information. These statements must also indicate the individuals who have been granted authority to originate, modify, or delete specific types of information found in these collections.
Commentary: The intention of this policy is to establish a clear and documented delegation of information-access-control-related authority. A clear definition of delegated authorities is also very useful when determining access control permissions. Another intention of this policy is to clarify who is responsible for security and related matters for shared information resources such as a database. This should prevent responsibilities from falling between the cracks.

Default to Denial of Access Control Privileges
Policy: If a computer or network access control system is not functioning properly, it must default to denial of privileges to end-users.
Commentary: Rather than allow open and uncontrolled access, the intention of this policy is to prevent access until the access control system can be fixed. For example, if a password-based access control system on a web server were to break down, no end-user access to the system would be permitted. Of course, technical staff would need access in order to fix the problem. Restating the policy, one could say that management would prefer not to do business if it would be done in an uncontrolled manner.
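The "default to denial" policy is easiest to see in code, where the choice is made in the error-handling branch of the authorization check. The following is an added illustration, not taken from the One-Health Hospital policy document or from any real access control package: the same check written the weak way (an outage or a missing rule becomes "allowed") and the way the policy requires (only an explicit allow rule grants access, and during an outage only designated technical staff may reach the repair path). The PolicyStore class, the rule data, the user names and the MAINTENANCE_RESOURCE path are constructed for the example.

```python
import logging

log = logging.getLogger("access-control")


class PolicyStoreUnavailable(Exception):
    """Raised when the access control backend cannot be reached."""


class PolicyStore:
    """Constructed stand-in for an access control package's rule store."""

    def __init__(self, rules, healthy=True):
        self.rules = dict(rules)   # (user, resource) -> True (allow) or False (deny)
        self.healthy = healthy

    def lookup(self, user, resource):
        if not self.healthy:
            raise PolicyStoreUnavailable("rule store unreachable")
        return self.rules.get((user, resource))   # None when no rule exists


def is_allowed_fail_open(store, user, resource):
    """The weak pattern: a backend outage or a missing rule turns into access granted."""
    try:
        decision = store.lookup(user, resource)
    except PolicyStoreUnavailable:
        return True                  # "keep the business running" -- uncontrolled access
    return decision is not False     # absence of a rule is treated as permission


# Assumed name for the path technical staff use to repair the access control system.
MAINTENANCE_RESOURCE = "/admin/repair"


def is_allowed_fail_closed(store, user, resource, maintenance_staff=frozenset()):
    """Default to denial: only an explicit allow rule grants access.

    During an outage every end-user is denied; the one exception is the repair
    path, and only for the individually named technical staff who must fix it.
    """
    try:
        decision = store.lookup(user, resource)
    except PolicyStoreUnavailable:
        log.error("access control backend down; denying %s on %s", user, resource)
        return resource == MAINTENANCE_RESOURCE and user in maintenance_staff
    return decision is True          # None (no rule) and False both deny


def build_sample_store(healthy=True):
    """Constructed rules: alice may read records, eve is explicitly denied, nobody else is mentioned."""
    return PolicyStore({("alice", "/records"): True, ("eve", "/records"): False}, healthy)


if __name__ == "__main__":
    for healthy in (True, False):
        store = build_sample_store(healthy)
        print("backend healthy" if healthy else "backend down")
        for user in ("alice", "eve", "mallory"):
            print(f"  {user:8s} open={is_allowed_fail_open(store, user, '/records')!s:5} "
                  f"closed={is_allowed_fail_closed(store, user, '/records')}")
```

Note the second difference besides the outage branch: the fail-closed check treats "no rule found" as a denial, which is what the "Specific Information Access Policies Must Be Prepared" policy above implies, since access that nobody has decided on has not been authorized.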

End-User Access to Operating System Commands
Policy: After logging in, all end-users of multi-user systems must be kept in menus which show the options that they have been authorized to select. End-users must not be allowed to invoke operating system level commands.
Commentary: The intention of this policy is to significantly restrict the damage that users can do and the trouble that they can cause. By preventing users from running operating system level commands, such as reformatting a hard disk on a local area network server, the security of the system is improved.

Descriptive Prefixes for Data Classification Categories
Policy: Prefixes such as "medical" and "financial" must be used in front of approved data classification categories. These prefixes provide general indicators about the nature of the information and the persons who are authorized to access it.
Commentary: The intention of this policy is to provide greater granularity than standard data classifications provide. If specific information has to do with employee physical examinations, the information might be labeled with the "medical" prefix, for example "MEDICAL PRIVATE." This will in turn designate that only persons dealing with employee medical matters should be given access to this information. In the absence of further access information, to simply label the information "PRIVATE" does not sufficiently restrict access. Note that these prefixes do not confer any additional protection beyond what the data classification markings themselves provide. In other words, PRIVATE information should be handled a certain way, regardless of the prefix. Ideally, specific prefixes are defined in this or a similar policy; alternatively, the involved information owners may choose them.
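The prefix policy makes two separable claims: the prefix narrows who may access the information, while the handling rules depend on the classification alone. The following is an added illustration, written for this edition and not part of the One-Health Hospital policy document: a label parser that accepts only approved prefixes and classifications, a handling lookup keyed on the classification only, and an access check in which the prefix restricts the audience. The classification names, the handling requirements and the role-to-prefix mapping are constructed for the example; the policy above names only "medical" and "financial" as prefixes and leaves the specific handling rules to the rest of the document.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed classification scheme: what handling each category demands.
HANDLING = {
    "PUBLIC":    {"encrypt_at_rest": False, "external_email": True},
    "PRIVATE":   {"encrypt_at_rest": True,  "external_email": False},
    "PROTECTED": {"encrypt_at_rest": True,  "external_email": False, "individual_grant_only": True},
}

# Approved prefixes and the roles that deal with that kind of information (constructed).
PREFIX_AUDIENCE = {
    "MEDICAL":   {"occupational-health"},
    "FINANCIAL": {"payroll", "finance"},
}


@dataclass(frozen=True)
class Label:
    prefix: Optional[str]
    classification: str


def parse_label(text):
    """Parse 'MEDICAL PRIVATE' or a bare 'PRIVATE'; reject anything not in the approved lists."""
    parts = text.strip().upper().split()
    if len(parts) == 1:
        prefix, classification = None, parts[0]
    elif len(parts) == 2:
        prefix, classification = parts
    else:
        raise ValueError(f"malformed label {text!r}")
    if classification not in HANDLING:
        raise ValueError(f"unknown classification {classification!r}")
    if prefix is not None and prefix not in PREFIX_AUDIENCE:
        raise ValueError(f"unapproved prefix {prefix!r}")
    return Label(prefix, classification)


def handling(label):
    """Handling requirements come from the classification only; the prefix changes nothing here."""
    return HANDLING[label.classification]


def may_access(label, roles, cleared_classifications):
    """The user must be cleared for the classification; a prefix then narrows the audience further."""
    if label.classification not in cleared_classifications:
        return False
    if label.prefix is None:
        return True   # a bare classification restricts nothing beyond the clearance itself
    return bool(PREFIX_AUDIENCE[label.prefix] & set(roles))


if __name__ == "__main__":
    exam_results = parse_label("Medical PRIVATE")
    print(exam_results, handling(exam_results))
    print("payroll clerk:", may_access(exam_results, ["payroll"], {"PRIVATE"}))
    print("occupational health:", may_access(exam_results, ["occupational-health"], {"PRIVATE"}))
    print("payroll clerk, bare PRIVATE:", may_access(parse_label("PRIVATE"), ["payroll"], {"PRIVATE"}))
```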

Trade Secrets Specifically Identified Prior To Disclosure
Policy: As a condition of continued employment at One-Health Hospital, workers must diligently protect all One-Health Hospital information specifically identified as trade secrets from unauthorized disclosure. Trade secrets must be identified as such prior to being disclosed to any workers. For One-Health Hospital internal purposes, trade secrets are classified as protected information.
Commentary: The intention of this policy is to communicate to workers that One-Health Hospital has certain types of information that it considers to be trade secrets, and that it expects all workers to diligently protect this information as a condition of continued employment. From a legal standpoint, the policy is also intended to make sure that workers who are exposed to a trade secret know that such information is considered a trade secret. Because most organizations do not have a separate category in their data classification system for trade secrets, the policy defines where trade secrets fit in with respect to a data classification system ("protected" in the policy provided here). Separately, some organizations go one step further by requiring all new employees to sign a non-disclosure agreement (NDA) that specifies the types of information considered a trade secret. On another note, this policy only addresses workers (employees, consultants, contractors, etc.); different arrangements will be required for strategic business partners and other third party organizations.

Granting Access to Sensitive Data


Approval Required Before Access to Sensitive or Valuable Information
Policy: Access to One-Health Hospital sensitive or valuable information must be provided only after express management authorization has been obtained.
Commentary: The intention of this policy is to restrict access to One-Health Hospital sensitive and valuable data, not allowing people to gain access unless they have first obtained explicit (preferably written) management approval. Typically, the management approval would involve answering the question: "Does this individual have a bona fide need-to-know?" The policy furthermore discourages workers from sharing such information with other workers (and with outsiders) in the absence of management approval. The policy is a general high-level policy under which various more-detailed policies related to access control could be added.

Access to Protected Information Granted on Individual (Not Group) Basis
Policy: Access to protected information must be granted only to specific individuals, not groups of individuals.
Commentary: The intention of this policy is to require that management make person-by-person decisions when granting access to the most sensitive types of information. If access is granted to groups of individuals, inevitably there will be greater access than is necessary to get the business done. Likewise, if access is granted to a group, it will be very much more difficult to trace leaks (unauthorized disclosures). When deciding to grant access to sensitive information, management should consider the individual's tenure with the organization, his or her current responsibilities, any disciplinary problems, potential conflicts of interest, and related matters. Separately, this policy supports the notion of having one user-ID for each individual (no group user-IDs). For ideas about group user-IDs, see the policy entitled "Unique User-ID and Password Required." A supplementary policy to the general policy entitled "Privilege Restriction Based on the Need-to-Know," this policy could be expanded to all types of sensitive information (not just "protected information").

Granting System Privileges by Chain of Authority Delegation
Policy: Computer and communication system privileges must be granted only through a clear chain of authority delegation.
Commentary: The intention of this policy is to clarify which managers can grant system privileges as well as the specific privileges they can grant. If a clear chain of delegation does not exist, a manager does not have the authority to grant access to other people. This notion is particularly important when departmental management and other end-user management is involved in system privilege granting activities. Access privileges can be delegated to another person. When the granting user's authority is revoked, the delegated authorities are also automatically revoked.
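The chain-of-delegation policy (and, in the physical world, the "Maintenance of List Showing Those Permitted to Grant Physical Access" policy earlier in this section) describes a data structure: every privilege a person holds points back to the person who granted it, the chain ends at one root authority, and revoking a grantor's authority cascades to everyone downstream. The following is an added illustration, written for this edition and not part of the One-Health Hospital policy document or of any real access control package: a registry that records each grant as grantee, privilege and grantor, refuses grants from anyone without an unbroken chain to the root, refuses grants to anything other than a registered individual (the "individual, not group" policy above), and revokes recursively. The root authority name, privilege names and user-IDs are constructed sample values.

```python
from collections import defaultdict


class DelegationRegistry:
    """Who granted which system privilege to whom, rooted at one top authority (constructed example)."""

    def __init__(self, root, root_privileges):
        self.root = root
        self.root_privileges = set(root_privileges)
        self.people = {root}                 # registered individual user-IDs; no group IDs
        self.grants = defaultdict(dict)      # grantee -> {privilege: grantor}
        self.log = []                        # audit trail of every grant and revocation

    def register_person(self, person_id):
        self.people.add(person_id)

    def holds(self, person, privilege):
        if person == self.root:
            return privilege in self.root_privileges
        return privilege in self.grants.get(person, {})

    def chain(self, person, privilege):
        """Delegation chain [person, grantor, ..., root], or [] when the chain is broken."""
        links, current = [], person
        while self.holds(current, privilege):
            links.append(current)
            if current == self.root:
                return links
            current = self.grants[current][privilege]
        return []

    def grant(self, grantor, grantee, privilege):
        if grantee not in self.people:
            raise ValueError(f"{grantee!r} is not a registered individual; grants go to persons only")
        if not self.chain(grantor, privilege):
            raise PermissionError(f"{grantor!r} has no delegated authority over {privilege!r}")
        if self.holds(grantee, privilege):
            raise ValueError(f"{grantee!r} already holds {privilege!r}")
        self.grants[grantee][privilege] = grantor
        self.log.append(("grant", grantor, grantee, privilege))

    def revoke(self, person, privilege):
        """Remove the privilege from person and, recursively, from everyone they delegated it to."""
        removed = []
        if not self.holds(person, privilege):
            return removed
        if person == self.root:
            self.root_privileges.discard(privilege)
        else:
            del self.grants[person][privilege]
        removed.append(person)
        self.log.append(("revoke", person, privilege))
        for grantee, privileges in list(self.grants.items()):
            if privileges.get(privilege) == person:
                removed.extend(self.revoke(grantee, privilege))
        return removed

    def revoke_all(self, person):
        """A manager is demoted, transferred or terminated: every authority they held cascades away."""
        privileges = (list(self.root_privileges) if person == self.root
                      else list(self.grants.get(person, {})))
        removed = []
        for privilege in privileges:
            removed.extend((privilege, who) for who in self.revoke(person, privilege))
        return removed


def build_sample_registry():
    """Constructed chain: CIO -> ops-mgr -> alice -> bob for the 'db-admin' privilege."""
    reg = DelegationRegistry("CIO", {"db-admin", "read-medical"})
    for person in ("ops-mgr", "alice", "bob"):
        reg.register_person(person)
    reg.grant("CIO", "ops-mgr", "db-admin")
    reg.grant("ops-mgr", "alice", "db-admin")
    reg.grant("alice", "bob", "db-admin")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("bob's chain:", " <- ".join(reg.chain("bob", "db-admin")))
    print("ops-mgr loses db-admin; also revoked from:", reg.revoke("ops-mgr", "db-admin"))
    print("bob still holds db-admin?", reg.holds("bob", "db-admin"))
```

The chain() method is the audit view: for any privilege held by any person it answers "who authorized this, and who authorized them," which is exactly what a higher-level manager needs when periodically reviewing the delegation list.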

Information Released to the Public Must Have Single Official Source
Policy: Information generated by One-Health Hospital and released to the public must be accompanied by the name of a designated staff member acting as the single recognized official source and point-of-contact. All updates and corrections to this information that are released to the public must flow through this official source.
Commentary: The intention of this policy is to bring some order to what has become a relatively chaotic and disorganized process for the release of information to the public. Government agencies, for example, may conduct research, and then several different people may discuss that research with the media. This policy helps to ensure a consistent position with respect to the information in question, as well as a mechanism to control the different forms in which the information may be presented. It relies on designated sources rather than a public relations department to bring some order to this process. Separately, the policy could be changed to state that only the designated "owner" of the information can release it to the public. With computers on nearly everyone's desk these days, all workers are potential publishers. Separately, some organizations may want to specify a few exceptions to the policy, such as marketing brochures.

Sensitive Information Access for Temporary Employees and Consultants
Policy: Activities requiring access to sensitive One-Health Hospital information must only be performed by full-time permanent employees, unless one of the following conditions prevails: (1) the requisite knowledge or skills are not possessed by a full-time permanent employee, (2) an emergency or disaster requires the use of additional workers, or (3) permission of the Director of Human Resources has been obtained.
Commentary: The intention of this policy is to restrict access to sensitive information (information that requires a data classification designation besides "private") to the most-trusted individuals. Full-time permanent employees (not newly hired employees who may still be on probation) are generally more loyal than temporary employees or consultants, and are therefore more trustworthy. Once the employment relationship has ended, One-Health Hospital has little control over the activities of temporary employees or consultants, but it maintains significant control over full-time employees. The risks of using people other than full-time permanent employees can be partially mitigated via confidentiality agreements. Entities which are virtual corporations that use outsourcing extensively, or that have other modern decentralized/networked organization structures, may have trouble with this policy because it is based on an assumption that a core group of employees runs the organization.

Network
Making Network Connections
Isolate Systems Containing Protected Information from Network
Policy: One-Health Hospital computer systems containing protected information must not connect to any network or any other computer.
Commentary: The intention of this policy is to prevent the unauthorized disclosure of particularly sensitive information. Knowing that network access controls are still somewhat unreliable, some organizations choose to prohibit network connections, lest the information somehow be improperly disclosed.

Customers Must Specifically Agree to Receive New/Enhanced Service
Policy: Customers receiving computer or communications services from One-Health Hospital must explicitly agree to receive new or enhanced services before these new or enhanced services are provided. In the absence of explicit acquiescence, One-Health Hospital must continue to provide the services that were previously available.
Commentary: The intention of this policy is to maintain good customer relations as well as to ensure that customer computer and communication systems will continue to be compatible with One-Health Hospital systems. Thus the policy in effect requires support of previously available services (this does not preclude One-Health Hospital from also offering new or enhanced services).

Standards of Common Carriers Do Not Apply
Policy: The networking services provided by One-Health Hospital are provided on a contractual carrier basis, not those of a common carrier. As the operator of a private network, this organization has a right to make policies regarding the use of its network systems without being held to the standards of common carriers.
Commentary: The intention of this policy is to avoid the need to provide equitable access to the network and other requirements of common carriers, some of which include security. Although One-Health Hospital may have security superior to that found on common carrier systems, this policy gives One-Health Hospital management more leeway to decide just how they want to set up and maintain their network. Since this policy is legalistic in nature, it is especially important that the organization's legal department approve it.

One-Health Hospital

Page 55

Revised 6/10/2009

Prior Approval Required for All Communication Line Changes

Policy: Workers and vendors must not arrange for, or actually complete, the installation of voice or data lines with any carrier if they have not first obtained approval from the director of the Telecommunications Department.

Commentary: The intention of this policy is to ensure that only previously approved changes in communication lines are actually installed. Establishing unauthorized communication paths can significantly compromise the security of One-Health Hospital systems. This policy is relevant to microcomputers (PCs) and workstations, many of which have unauthorized modems attached to them. If there is no additional security for these systems (such as a password-based access control package), anyone may be able to dial up into these systems using the public switched telephone network (PSTN); this may in turn allow an intruder to access a connected LAN.

Prior Approval Required for Set-Up of Multi-User Systems

Policy: Workers must not establish electronic bulletin boards, local area networks, modem connections to existing internal networks, or other multi-user systems for communicating information without the specific approval of the director of the Information Security Department. This policy helps ensure that all One-Health Hospital networked systems have the controls needed to prevent unauthorized access.

Commentary: The intention of this policy is to make sure that users are not setting up communication systems which may inadvertently compromise an organization's systems and information. The policy is particularly important for the microcomputer (PC) and workstation environment (including client/server systems), where users so often do as they please regardless of in-house standards or Information Systems Department instructions. Unless there is a centralized approval process, supported by some sort of audit and enforcement process, some users may create major information security vulnerabilities without the knowledge of the Information Security Department, the Telecommunications Department, or the Information Systems Department. The approving authority may easily be shifted to another relevant manager and away from the director of the Information Security Department.

Prior Approval Required for In-House System Interconnection

Policy: Real-time connections between two or more in-house computer systems must not be established unless the Information Security Department has first determined that such connections will not jeopardize information security.

Commentary: The intention of this policy is to keep certain information within certain areas of the organization, and thereby to be better able to control its dissemination. This basic design objective uses isolation to achieve security. For example, salary information about employees could be kept in Human Resources Department computers only. Establishing a connection with the in-house LAN may open up a pathway for unauthorized dissemination of this private information. Note that this policy does not preclude the movement of tapes, disks, CD-ROMs, and other storage media between systems.

Criteria for Connecting One-Health Hospital Networks to Third Party Networks

Policy: One-Health Hospital computers or networks may only be connected to third party computers or networks after the Information Security Department has determined that the combined system will comply with One-Health Hospital security requirements.

Commentary: Many organizations are having trouble with systems interconnection issues related to decentralized systems management. For example, without examining the security implications, a marketing department manager may connect an internal One-Health Hospital LAN to a consulting firm's internal network. To avoid the exposures that such actions introduce, a minimum amount of centralization is necessary.

Security Requirements for Network-Connected Third Party Systems

Policy: As a condition of gaining access to One-Health Hospital's computer network, every third party must secure its own connected systems in a manner consistent with One-Health Hospital requirements. One-Health Hospital reserves the right to audit the security measures in effect on these connected systems without warning. One-Health Hospital also reserves the right to immediately terminate network connections with all third party systems not meeting such requirements.

Commentary: The intention of this policy is to notify third parties who have access to One-Health Hospital's network that they must maintain the security of their own systems in order to continue to do business over One-Health Hospital's network.

Approval Required for Internet Connection Establishment

Policy: Unless prior approval of the Director of Information Systems has been obtained, workers may not establish Internet or any other external network connections that could allow non-One-Health Hospital users to gain access to One-Health Hospital systems and information. These connections include the establishment of multi-computer file systems, Internet WWW home pages, Internet FTP servers, and the like.

Commentary: Unlike the policy entitled "Prior Approval Required for In-House System Interconnection," this policy addresses connections via the Internet and other external networks.

Participation in Public Networks as Service Provider

Policy: Participation in public networks as a provider of services that others rely on is expressly prohibited unless two conditions are first fulfilled. Specifically, One-Health Hospital legal counsel must first assess the extent and nature of the liabilities involved, and then top management must expressly accept these risks.

Commentary: Involvement as a message-forwarding node on the Internet, as an encryption key notarization center, as an encryption key distribution point, or as some other provider of information services may open One-Health Hospital up to liabilities that it had previously not considered.

Use of Computer Systems Belonging to Workers on Company Property

Policy: Workers must not bring their own computers, computer peripherals, or computer software into One-Health Hospital facilities without prior authorization from their department head.

Commentary: This policy prevents: (1) propagation of viruses, (2) disputes about ownership of hardware and software, and (3) improper removal of hardware, software, or data at the time when a worker's employment is terminated. The policy is also desirable because it helps make sure that everyone uses the same type of software (this makes it easier to provide access control, contingency planning services, and technical support services). This policy is particularly relevant to microcomputers (PCs) and workstations, as well as client/server systems, for which the ownership status is often unclear.

Security Requirements for Work at Home Arrangements

Policy: Work at home (telecommuting) arrangements are a management option, not a universal employee benefit. Permission to telecommute is the decision of the involved employee's manager. Before a telecommuting arrangement can begin, this manager must be satisfied that an alternative worksite (such as a home office) is appropriate for the One-Health Hospital work performed by the involved employee. Considerations include physical and information security for One-Health Hospital property, a distraction-free work environment, ways to measure worker performance, and methods to stay in touch with other workers.

Formation of Binding Contracts via Electronic Systems

Policy: Although One-Health Hospital seeks to aggressively implement Electronic Data Interchange (EDI) and other electronic business systems with third parties, all contracts must be formed by paper documents prior to purchasing or selling via electronic systems. EDI, electronic mail, and similar binding business messages must therefore be releases against blanket orders, such as a blanket purchase order.

Commentary: Contracts formed by electronic messages may not be enforceable from a legal standpoint. Some laws, like the United States statute of frauds, require a document, writing, or signature in order for a contract to be enforceable. The intention of this policy is to make sure that all contract-related EDI or electronic mail messages sent between organizations are legally binding. Be sure to have the organization's attorney review this policy prior to dissemination.

Trading Partner Agreement Required Prior to Use of EDI

Policy: Prior to the use of One-Health Hospital systems for Electronic Data Interchange (EDI) with any third party, a trading partner agreement fixing the terms and conditions of EDI use must be negotiated. One-Health Hospital legal counsel must approve this agreement prior to using any EDI systems for business transactions.

Commentary: A trading partner agreement specifies who is liable if a message is lost, if the system goes down, or if other problems occur. The intention of this policy is to prevent user department management from employing an EDI system without first getting the terms and conditions properly worked out. The policy is intended to make sure that centralized control over EDI arrangements is maintained. Centralized control over EDI set-ups may also provide an opportunity to review the control measures on the system prior to use. This is also useful when defining the meaning of digital signatures and message authentication codes (MACs) used for EDI messages.

Disclosure of Bank Account Numbers

Policy: One-Health Hospital disbursement bank account numbers are confidential and are not to be disclosed to third parties on forms, stationery, brochures, and the like.

Commentary: Unauthorized individuals who have entered publicly available bank account numbers on automatic debit request forms have easily committed frauds. The amounts involved are often relatively small, and many organizations don't bother to reconcile their accounts for a significant period of time.

Criteria for Accepting and Acting on Computerized Transactions

Policy: If transactions are sent and processed automatically (via Electronic Data Interchange, for instance), then a message must not be accepted or acted on unless: (a) the message has been shown to match a trading profile for the initiating organization, or (b) the message has been shown to deviate from a trading profile but additional steps have been taken to verify the accuracy and authenticity of the message.

Commentary: The intention of this policy is to make sure that unusual messages are not automatically processed without further investigation. If an active wiretapper were to enter an EDI system and spoof one of the participants, then the other participants might blindly follow the instructions received. This type of problem is prevented with the general procedure defined in this policy. The implementation of part (b) of the policy might, for example, involve separate communication with the alleged sender via a method other than the EDI system that handled the original message. The term "trading profile" means the typical way that the other party interacts with One-Health Hospital; this might, for instance, refer to the networks that the other party typically uses, the way the other party's messages are structured, the frequency of the other party's messages, etc.

Multiple Communication Channels for Electronic Offers & Acceptances

Policy: All contracts formed through electronic offer and acceptance messages (fax, Electronic Data Interchange, electronic mail, etc.) must be formalized and confirmed via paper documents within two (2) weeks of acceptance.

Commentary: Confirmation by a different communication channel helps to catch fraud and helps make agreements legally enforceable. The intention of this policy is to require that users always employ multiple communication channels for each contract.
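The trading-profile rule in "Criteria for Accepting and Acting on Computerized Transactions" in working form. This is an added example, not part of the One-Health Hospital policy or its authors' material: the partner name, source networks, message types, field names and timestamps are constructed sample data, and the profile attributes checked (source network, message structure, message frequency) are the ones the commentary lists. A message matching the profile is processed; any deviation is held for verification with the sender over a channel other than the EDI link, and is never acted on automatically.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class TradingProfile:
    """The typical way a trading partner interacts with us (constructed attributes)."""
    partner: str
    networks: List[str]          # source networks the partner normally sends from
    message_types: List[str]     # document types we expect from this partner
    max_per_hour: int            # ceiling on the partner's usual message frequency
    required_fields: List[str]   # structure every message from the partner carries
    history: List[datetime] = field(default_factory=list)   # timestamps of seen traffic


@dataclass
class Message:
    partner: str
    source_ip: str
    msg_type: str
    fields: Dict[str, str]
    received: datetime


def deviations(profile: TradingProfile, msg: Message) -> List[str]:
    """List every way the message departs from the partner's trading profile."""
    reasons = []
    src = ip_address(msg.source_ip)
    if not any(src in ip_network(net) for net in profile.networks):
        reasons.append(f"source {msg.source_ip} is outside the partner's usual networks")
    if msg.msg_type not in profile.message_types:
        reasons.append(f"message type {msg.msg_type} is not in the profile")
    missing = [name for name in profile.required_fields if name not in msg.fields]
    if missing:
        reasons.append("message structure lacks fields: " + ", ".join(missing))
    recent = [t for t in profile.history if t > msg.received - timedelta(hours=1)]
    if len(recent) + 1 > profile.max_per_hour:
        reasons.append("message frequency exceeds the profile")
    return reasons


def screen(profile: TradingProfile, msg: Message) -> dict:
    """Apply the policy: branch (a) processes a matching message automatically;
    branch (b) holds a deviating message until it is verified with the sender
    over a channel other than the EDI link (for example, a telephone call)."""
    reasons = deviations(profile, msg)
    profile.history.append(msg.received)
    if not reasons:
        return {"action": "process", "reasons": []}
    return {"action": "hold_for_out_of_band_verification", "reasons": reasons}


def demo() -> list:
    """Screen two constructed messages against one constructed partner profile."""
    start = datetime(2009, 6, 10, 9, 0)
    profile = TradingProfile(
        partner="ACME Supply",
        networks=["198.51.100.0/24"],                   # documentation range, constructed
        message_types=["850_PURCHASE_ORDER", "810_INVOICE"],
        max_per_hour=20,
        required_fields=["sender_id", "control_number"],
    )
    usual = Message("ACME Supply", "198.51.100.7", "810_INVOICE",
                    {"sender_id": "ACME", "control_number": "1042"}, start)
    unusual = Message("ACME Supply", "203.0.113.9", "820_PAYMENT_ORDER",
                      {"sender_id": "ACME"}, start + timedelta(minutes=5))
    return [screen(profile, usual), screen(profile, unusual)]
```

In the demo the second message deviates on three counts (an unfamiliar source network, an unexpected document type, and a missing control number) and is queued rather than processed; the reasons list is what the person making the out-of-band call would be shown.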

Violations
One-Health Hospital workers who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination.

Encryption
When to Use Encryption
Encryption Processes Must Not Be Used Unless Previously Approved

Policy: Encryption processes must not be used for One-Health Hospital information unless the processes are first approved by the Information Security Department.

Commentary: The intention of this policy is to prevent users from damaging or destroying One-Health Hospital information because they lack the expertise or knowledge required to use encryption facilities properly. Only after the Information Security Department is satisfied that adequate "safety nets" exist to recover the involved information should it approve the use of encryption. One of the best safety nets for encryption is to have management override keys that allow management to decrypt information even if the key has been lost, misplaced, or intentionally withheld (these are also called "key escrow" or "key recovery" facilities).

Encryption Utilities with User-Provided Passwords or Keys Prohibited

Policy: To prevent the loss of critical information, workers must never employ encryption utilities requiring a user to input a password or encryption key. If sensitive information needs protection, alternative information protection mechanisms must be used.

Commentary: This policy attempts to keep information perpetually available for business activities. The policy states that management does not want to run the risk that the password or key entered by a user is lost, forgotten, or deliberately withheld.

Protected Data Sent Over Networks Must Be Encrypted

Policy: One-Health Hospital protected data transmitted over any communication network must be sent in encrypted form.

Commentary: The intention of this policy is to forbid the transmission of unencrypted protected data over a network where it could be wiretapped. Business can still be done, and protected data can still be sent over a network; it just needs to be encrypted. Encryption, also known as encoding or scrambling, conceals data such that unauthorized parties cannot read it. Encryption can also be used to provide an indication that a certain party sent a message and that the message was not modified in transit.

Transportation of Protected Data in Computer-Readable Storage Media

Policy: Protected data transported in computer-readable storage media (such as magnetic tapes, floppy disks, or CD-ROMs) must be in encrypted form.

Commentary: The intention of this policy is to prohibit workers from transporting protected data in computer-readable storage media when this protected data has not been encrypted. Transportation can still take place; however, the information needs to be encrypted. Encryption of such media not only conceals the data, it can also be used to detect system errors and tampering.

Protected Information Must Be Encrypted When Not In Active Use

Policy: All computerized protected information must be encrypted when not in active use (for example, when not being manipulated by software or viewed by an authorized user).

Commentary: The intention of this policy is to prevent protected information from being inadvertently disclosed to unauthorized persons. If such data were stored in unencrypted form, it might end up on back-up tapes, which then might be viewed by unauthorized persons.

Data Stored on Hard Disk Drives Must Be Encrypted

Policy: To prevent unauthorized disclosure of data when computers are sent out for repair, when they are stolen, or when unauthorized parties use them, all data stored on hard disks must be encrypted via user-transparent processes.

Commentary: The intention of this policy is to prevent unauthorized persons from gaining access to One-Health Hospital confidential or proprietary data.

Encryption Key Management


Government Standard Encryption Algorithm & Implementation

Policy: If encryption is used, government-approved standard algorithms (such as the Data Encryption Standard or DES) and standard implementations (such as cipher-block chaining) must be employed.

Commentary: The intention of this policy is to require that all systems within an organization (or on a multi-organizational network) employ the same encryption algorithm and the same encryption system implementation (sometimes called "mode of operation"). This policy will help ensure interoperability, which in turn will lower costs and facilitate secure business communications.

Disclosure of Encryption Keys Requires Special Approval

Policy: Encryption keys are a most sensitive type of information, and access to such keys must be strictly limited to those who have a need to know. Unless the approval of the CISO is obtained, encryption keys must not be revealed to consultants, contractors, or other third parties.

Commentary: The intention of this policy is to clearly put workers on notice that encryption keys should be protected with the most stringent security measures.

Encryption Key Management Systems and Separation of Duties

Policy: One-Health Hospital encryption systems must be designed such that no single person has full knowledge of any single encryption key. This must be achieved by separation of duties and dual control. Separation of duties refers to the use of more than one individual to handle a certain important activity, while dual control means that two people must be simultaneously present for an important activity to be accomplished.

Commentary: The intention of this policy is to prevent any one individual from gaining access to a full encryption key. If any one individual held a full encryption key, then this individual could (depending on how the encryption system was set up) decrypt other keys and/or decrypt sensitive information.

Conditions for Delegation of Key Management Responsibility

Policy: Key management responsibility may only be delegated to a party who has passed a background check, passed an operational security audit, and signed a confidentiality agreement.

Commentary: The intention of this policy is to keep middle management from delegating key management responsibility to outsourcing firms, service bureaus, business partners, and other external organizations which may not handle keys in as secure a manner as they should. A policy like this can also be used to define the internal staff who may take on key management duties. The policy describes a process for making sure that the receiving entity meets One-Health Hospital's criteria for a trusted party.

Separate Communication Channel for Data and Encryption Keys

Policy: If encryption is used, the information protected with encryption must be transmitted over a different communication channel than the keys used to govern the encryption process.

Commentary: The intention of this policy is to prevent a wiretapper from obtaining readable versions of both the keys and the sensitive data.

Automated Encryption Key Management Systems Preferred

Policy: Whenever such facilities are commercially available, One-Health Hospital must employ automated rather than manual encryption key management processes.

Commentary: The intention of this policy is to save One-Health Hospital money and time, as well as to obtain the most effective security system available.

Maximum Life of Encryption Keys

Policy: Whenever encryption is used to protect One-Health Hospital data, the keys must be changed at least every ninety (90) days.

Commentary: The intention of this policy is to force periodic changes in encryption keys. Changing the keys more frequently will increase the security of an encryption system. If an adversary is able to derive a particular encryption key through cryptanalysis, he or she must start from the beginning whenever the key is changed.

Stated Life for All Encryption Keys

Policy: All encryption keys must have a stated life and must be changed on or before the stated expiration date.

Commentary: This policy is intended to make it clear that the people handling keys must assign a life span (expiration date) to all keys.

Process for Generating Encryption Keys

Policy: Whenever encryption is used, the keys employed must be generated by means which are not practically replicable by an adversary, and which will yield keys that are difficult to guess. An example of this key generation process is the use of a pseudo-random number generator which takes the low-order bits of the computer clock as input.

Commentary: The intention of this policy is to ensure that encryption systems provide all the security they are meant to provide. If encryption keys are easily guessed, then the security provided by encryption systems may be easily compromised.

Minimum Length for User-Chosen Encryption Keys

Policy: Whenever user-chosen encryption keys are employed, the encryption system must prevent users from employing keys made up of fewer than eight (8) characters.

Commentary: Like the policy entitled "Process for Generating Encryption Keys," the intention of this policy is to make sure that an encryption system provides the security it was meant to provide.

Protection for Encryption Key Generation Materials

Policy: Whenever encryption is used, materials used to develop encryption keys, as well as hardcopy versions of keys, must be kept locked when not in use. Protective measures to prevent these keying materials from falling into the wrong hands must be observed throughout the life cycle of the information protected by the keys.

Commentary: The term "keying materials" is used to refer to data encryption keys, keys that encrypt other keys (master keys), initialization vectors (IVs), pseudo-random number generator seeds, and other parameters used to control or initialize encryption processes. The intention of this policy is to prevent the parameters used to construct encryption keys from falling into the wrong hands and then being used to construct or intelligently guess encryption keys. As soon as possible after their use, these keying materials should be destroyed according to approved procedures for most sensitive information (shredding, burning, etc.).
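The key-life and key-generation policies above ("Maximum Life of Encryption Keys", "Stated Life for All Encryption Keys", "Process for Generating Encryption Keys" and "Minimum Length for User-Chosen Encryption Keys") expressed as a small key record with its checks. This is an added example, not One-Health Hospital's own tooling. It draws key bytes from the operating system's cryptographically secure random source through Python's secrets module rather than from low-order clock bits, which the policy text offers as one example: a generator seeded from clock bits alone has a seed space small enough to be searched, which is the "practically replicable by an adversary" property the policy rules out. The key identifier, dates and field names are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_KEY_LIFE = timedelta(days=90)   # "Maximum Life of Encryption Keys"
MIN_USER_KEY_CHARS = 8              # "Minimum Length for User-Chosen Encryption Keys"


@dataclass(frozen=True)
class KeyRecord:
    """A key together with the stated life the policy requires for every key."""
    key_id: str
    key: bytes
    created: datetime
    expires: datetime


def generate_key(key_id: str, created: datetime,
                 life: timedelta = MAX_KEY_LIFE, nbytes: int = 32) -> KeyRecord:
    """Draw key bytes from the OS cryptographic random source and attach a stated life.

    secrets.token_bytes is not practically replicable by an adversary, unlike
    a generator seeded only from clock bits, whose small seed space could be
    searched exhaustively."""
    if not timedelta(0) < life <= MAX_KEY_LIFE:
        raise ValueError("stated life must be positive and at most 90 days")
    return KeyRecord(key_id, secrets.token_bytes(nbytes), created, created + life)


def must_rotate(record: KeyRecord, now: datetime) -> bool:
    """True once the stated expiration date has been reached."""
    return now >= record.expires


def rotate_if_due(record: KeyRecord, now: datetime) -> KeyRecord:
    """Replace a key that has reached its stated life with a fresh one; keep it otherwise."""
    if must_rotate(record, now):
        return generate_key(record.key_id, now)
    return record


def validate_user_key(user_key: str) -> bool:
    """Reject user-chosen keys shorter than the policy minimum."""
    return len(user_key) >= MIN_USER_KEY_CHARS


def demo() -> dict:
    """Walk one constructed key through creation, the rotation check, and rotation."""
    created = datetime(2009, 6, 10)          # constructed date
    rec = generate_key("data-key-01", created)
    return {
        "life_days": (rec.expires - rec.created).days,
        "due_on_day_89": must_rotate(rec, created + timedelta(days=89)),
        "due_on_day_90": must_rotate(rec, created + timedelta(days=90)),
        "rotation_changes_key": rotate_if_due(rec, created + timedelta(days=90)).key != rec.key,
        "rotation_keeps_live_key": rotate_if_due(rec, created + timedelta(days=1)) is rec,
        "user_key_accepted": validate_user_key("correct horse battery"),
        "user_key_rejected": validate_user_key("short"),
    }
```

The record carries its expiration date from the moment it is created, so there is never a key without a stated life, and generate_key refuses a life longer than the 90-day maximum, so the two policies cannot drift apart in code.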

Protection for Plaintext Encryption Master Keys

Policy: Only two approaches for protecting plaintext (readable) master keys are acceptable to One-Health Hospital. Master keys may be manually handled via dual control with split knowledge. Alternatively, they may be stored in tamper-proof modules. In all other places, they must appear only in encrypted form.

Commentary: This policy specifies the permissible ways to protect the keys at the top of a hierarchy of keys, the most sensitive type of encryption keys. Master keys are used to encrypt all other keys, or at least to encrypt keys which in turn encrypt other keys. If a master key is revealed, an entire encryption system can quickly be compromised. Accordingly, significant efforts are needed to prevent these keys from falling into the wrong hands.

Destruction of Encryption Key Generation Materials

Policy: All supplies used for the generation, distribution, and storage of keys (such as carbon copies, printer ribbons, and the like) must be protected from disclosure to unauthorized persons. When they are no longer needed, they must be destroyed by pulping, shredding, burning, or other approved methods.

Commentary: The intention of this policy is to prevent unauthorized parties from obtaining access to the information used to generate, distribute, or store encryption keys. Such access might allow these parties to obtain copies of the keys, which in turn would allow them to obtain the sensitive information protected with encryption. The policy also serves to make workers aware that these materials are sensitive and that they should be handled with care.

Time Frame for Destruction of Key Exchange Material

Policy: Custodians of key exchange material must destroy this material according to approved procedures within a reasonable time, not to exceed ten business days, following the successful verification of a key exchange process.

Commentary: The intent of this policy is to clearly specify when custodians of keying materials (master keys, encryption key components, initialization vectors, random number generator seeds, etc.) must destroy the keying materials they have received. The shorter the time that these materials exist outside the system, and the fewer the people that have them, the more secure the encryption process will be.
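Dual control with split knowledge, as required by "Encryption Key Management Systems and Separation of Duties" and "Protection for Plaintext Encryption Master Keys", worked as an added example (not code from the One-Health Hospital policy). The master key is split into XOR components, one per custodian; any set of components short of the full set is statistically independent of the key, so no single custodian has full knowledge, and the key exists in plaintext only while every component is combined. The short key check value, an HMAC over a fixed public label, is an assumption of this example rather than something the policy specifies; it lets custodians confirm a correct reconstruction without writing the key itself on the paperwork. Custodian names are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List


def split_key(key: bytes, custodians: List[str]) -> Dict[str, bytes]:
    """Split a key into one XOR component per custodian.

    All components but the last are uniformly random; the last is chosen so
    that the XOR of every component equals the key. Any set of components
    short of the full set is therefore independent of the key, which is the
    split-knowledge property."""
    if len(custodians) < 2:
        raise ValueError("dual control needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in custodians[:-1]]
    last = bytes(key)
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    parts.append(last)
    return dict(zip(custodians, parts))


def key_check_value(key: bytes) -> str:
    """Short check value for the custodians' paperwork (assumption of this example).

    An HMAC over a fixed public label confirms a reconstructed key is the
    right one without revealing the key."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:8]


def reconstruct(components: Dict[str, bytes], expected_kcv: str) -> bytes:
    """Recombine the components under dual control and verify the result.

    The key exists in plaintext only here, while every custodian's component
    is present; a missing or wrong component fails the check value."""
    if len(components) < 2:
        raise ValueError("dual control requires more than one custodian present")
    lengths = {len(part) for part in components.values()}
    if len(lengths) != 1:
        raise ValueError("components are of inconsistent length")
    key = bytes(lengths.pop())                      # all-zero buffer of key length
    for part in components.values():
        key = bytes(a ^ b for a, b in zip(key, part))
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: wrong or missing component")
    return key


def demo() -> dict:
    """Split a constructed master key among three custodians and recombine it."""
    master = secrets.token_bytes(32)
    kcv = key_check_value(master)
    components = split_key(master, ["custodian_a", "custodian_b", "custodian_c"])
    recombined = reconstruct(components, kcv)
    two_of_three = {k: v for k, v in components.items() if k != "custodian_c"}
    try:
        reconstruct(two_of_three, kcv)
        partial_rejected = False
    except ValueError:
        partial_rejected = True
    return {
        "recombined_matches": recombined == master,
        "no_single_component_is_the_key": all(c != master for c in components.values()),
        "partial_set_rejected": partial_rejected,
    }
```

The XOR scheme needs every component present; if the organization wants any two of three custodians to suffice, a threshold scheme (Shamir secret sharing) replaces split_key and reconstruct, and the check value stays the same. In either case the recombination step is the only place the plaintext master key appears, which is where the policy's "in all other places, only in encrypted form" applies.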

Prevention of Unauthorized Disclosure of Encryption Keys

Policy: Encryption keys must be protected from unauthorized disclosure via technical controls such as encryption under a separate key and use of tamper-resistant hardware.

Commentary: The intention of this policy is to specify that measures must always be taken to prevent the unauthorized disclosure of encryption keys. If encryption keys are disclosed, the security of encryption systems is in most instances defeated (assuming the algorithm and implementation are public knowledge, as they are with the Data Encryption Standard (DES)). Tamper-resistant hardware prevents people from opening it to recover the encryption keys stored inside.

Transmission of Clear Text Encryption Keys Prohibited

Policy: If encryption keys are transmitted over communication lines, they must be sent in encrypted form. The encryption of keys should be performed with a stronger algorithm than is used to encrypt other sensitive data protected by encryption.

Commentary: The intention of this policy is to prevent users from inadvertently sending readable (clear text) encryption keys over communication systems. If this is done, then the encryption process (depending on the type of system) may be easily circumvented.

Storing Encryption Keys on Same Media as Protected Data Prohibited

Policy: If encryption is used to protect sensitive data resident on computer storage media, the encryption keys and related encryption keying materials (initialization vectors, time-and-date stamps, salt parameters, etc.) used in the encryption process must not be stored anywhere on this storage media in unencrypted form.

Commentary: The intention of this policy is to prevent an astute cryptanalyst from noticing that the keying materials are stored on the same data storage media as the encrypted data.

General Purpose Encryption Systems Must Include Key Escrow

Policy: All general-purpose encryption processes running on One-Health Hospital information systems must include key escrow functions. These special functions allow One-Health Hospital management to recover encrypted information should there be system errors, human errors, or other problems.

Commentary: Although the US government's Clipper chip, key escrow, and key recovery proposals are unlikely to be widely adopted in the manner they were originally proposed, the ideas behind them are still of use for information security management purposes. The intent of this policy is to require encryption systems used for regular business activities to employ a system with key escrow. Key escrow allows management (or some other trusted party) to circumvent the encryption process when and if needed. A secure process (known as escrow) is needed to protect the special "skeleton key" which allows the encryption process to be broken.

Digital Signature and User Authentication Keys Must Not Be Escrowed

Policy: Keys used for digital signatures, digital certificates, and user authentication must never be included in a key escrow arrangement. Making these keys available to third parties allows impersonation, which in turn facilitates fraud and deceit.

Commentary: This policy is intended to make sure that users cannot readily repudiate actions taken with their encryption keys (a property called non-repudiation). Repudiation would wreak havoc with legal proceedings which rely on digital signatures or other security mechanisms based on encryption keys. In general, digital signatures and a number of other control measures assume that only the involved user has control over a key (or password). Key escrow, however, is an arrangement whereby encryption keys are shared with certain parties.

Miscellaneous Encryption Matters


Deletion of Readable Data after Encrypted Version Has Been Made

Policy: Whenever encryption is used, workers must not delete the sole readable version of data unless they have first demonstrated that the encryption process is able to reestablish a readable version of the data.

Commentary: The intention of this policy is to prevent all copies of sensitive data from being lost. Without first checking that an encryption process works, an encryption system malfunction could mean that the only copy of data is lost forever.

Explicit Assignment of Encryption Key Management Functions

Policy: Whenever encryption is used to protect sensitive data, the relevant owner(s) of the data must explicitly assign responsibility for encryption key management.

Commentary: When encryption is employed, responsibility for protecting sensitive data becomes responsibility for protecting encryption keys. The protection activity is still needed, even though the quantity of information that needs to be protected shrinks dramatically.

Separate Keys for Encryption and Message Authentication

Policy: If both encryption and message authentication codes (MACs) are used, separate keys must be used for each of these two control measures.

Commentary: Use of different keys is in keeping with the security principle of least common mechanism. The intention of this policy is to prevent an adversary who gains possession of one key from compromising both the encryption and the MAC systems.

Compression and Encryption of Sensitive Data to Be Held in Storage

Policy: If protected information is to be stored on a multi-user computer system, it must first be compressed and then encrypted using an approved encryption algorithm.

Commentary: By compressing the data, a good deal of the redundancy in natural languages such as English is eliminated. This makes the job of cryptanalysis considerably more difficult, which in turn helps protect the confidentiality of the data in question. Thus, by first compressing and then encrypting, the strength of the encryption process is enhanced. The intention of this policy is to require systems designers, programmers, and other technical people to implement data compression with encryption, as well as to specify the sequence in which these processes are to be applied to data.

Tamper Resistant Hardware Modules for Encryption Processes

Policy: All encryption-related processes must be performed in tamper-resistant hardware modules rather than in software. This approach minimizes the threat of software reverse engineering and unauthorized disclosure of key(s).

Commentary: Tamper-resistant modules will automatically erase sensitive data, such as encryption keys and initialization vectors, which are held in memory when the modules are opened or tampered with. Such modules are also shielded to prevent the keys and other security-relevant data from being revealed via electromagnetic emanations. The intention of this policy is thus to require that all encryption processes be implemented using special gear that will increase the security of encryption processes.
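Two of the policies above put together as an added example, not code from the One-Health Hospital policy: "Separate Keys for Encryption and Message Authentication" (two subkeys derived from one master key under distinct labels, so holding one reveals nothing about the other) and "Compression and Encryption of Sensitive Data to Be Held in Storage" (compression applied before encryption, in the sequence the policy specifies). The MAC also supplies the integrity and origin indication mentioned under "Protected Data Sent Over Networks Must Be Encrypted". To stay within the Python standard library the cipher is HMAC-SHA256 run in counter mode as a keystream generator, a stand-in for the approved algorithm a deployed system would use (for example AES in an authenticated mode); the master key, nonce size, labels and the record contents are constructed.

```python
import hashlib
import hmac
import secrets
import zlib


def derive_subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from the master key (HKDF-style expand step).

    Distinct labels give unrelated keys, so an adversary holding one key
    learns nothing about the other (least common mechanism)."""
    return hmac.new(master, label + b"\x01", hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(master: bytes, plaintext: bytes) -> bytes:
    """Compress, then encrypt under the encryption key, then MAC under the MAC key."""
    enc_key = derive_subkey(master, b"encryption")
    mac_key = derive_subkey(master, b"authentication")
    nonce = secrets.token_bytes(16)           # fresh per record; never reused under one key
    compressed = zlib.compress(plaintext)     # policy sequence: compression first
    ciphertext = _xor(compressed, _keystream(enc_key, nonce, len(compressed)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(master: bytes, record: bytes) -> bytes:
    """Verify the MAC before doing anything else; only then decrypt and decompress."""
    enc_key = derive_subkey(master, b"encryption")
    mac_key = derive_subkey(master, b"authentication")
    nonce, ciphertext, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed authentication; not decrypting")
    compressed = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return zlib.decompress(compressed)


def demo() -> dict:
    """Protect a constructed, highly redundant record and check the properties."""
    master = secrets.token_bytes(32)
    data = b"Patient record 0000: diagnosis code pending review. " * 20   # constructed
    record = protect(master, data)
    flipped = record[:20] + bytes([record[20] ^ 0x01]) + record[21:]   # one ciphertext bit
    try:
        unprotect(master, flipped)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "round_trip": unprotect(master, record) == data,
        "keys_differ": derive_subkey(master, b"encryption") != derive_subkey(master, b"authentication"),
        "tamper_detected": tamper_detected,
        "stored_smaller_than_plaintext": len(record) < len(data),
    }
```

One limit worth weighing when applying the compression policy: because compression runs first, the stored record's length reflects how redundant the plaintext was, so an observer who can see record sizes learns something about their contents. For records whose contents an outside party can partly influence, that length signal is a disclosure channel the commentary does not address, and padding the compressed data to a fixed block size before encryption is the usual mitigation.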

Mobile Device Encryption Policy

Policy: All mobile devices containing stored data owned by One-Health Hospital must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, PDAs, and cell phones. Users are expressly forbidden from storing One-Health Hospital data on devices that are not issued by One-Health Hospital, such as storing One-Health Hospital email on a personal cell phone or PDA.

Laptops

Laptops must employ full disk encryption with an approved software encryption package. No One-Health Hospital data may exist on a laptop in clear text.

PDAs and Cell Phones

Any One-Health Hospital data stored on a cell phone or PDA must be saved to an encrypted file system using One-Health Hospital-approved software. One-Health Hospital shall also employ remote wipe technology to remotely disable and delete any data stored on a One-Health Hospital PDA or cell phone which is reported lost or stolen.

Keys

All keys used for encryption and decryption must meet the complexity requirements described in One-Health Hospital's Password Protection Policy.

Loss and Theft

The loss or theft of any mobile device containing One-Health Hospital data must be reported immediately.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Records and Files

Handling

Assignment of Patent, Copyright, and Other Intellectual Property Rights

Policy: While an employee of One-Health Hospital, all staff members grant to One-Health Hospital exclusive rights to patents, copyrights, or other intellectual property they originate and/or develop.

Commentary: This common policy assigns the rights to all intellectual property generated by employees to their employer. Some consulting and contracting agreements also contain provisions to this effect. Although generally not done, the policy could be restricted to material which in one way or another is related to One-Health Hospital business. A more general approach is used instead to ensure that One-Health Hospital retains the option to exploit such intellectual property.

Legal Ownership of Information Systems Files and Messages

Policy: One-Health Hospital has legal ownership of the contents of all files stored on its computer and network systems, as well as all messages transmitted via these systems. One-Health Hospital reserves the right to access this information without prior notice whenever there is a genuine business need.

Commentary: This policy seeks to clarify the ownership of information resident on One-Health Hospital systems. It can facilitate the examination of electronic mail files and personal computer (PC) file directories, which users may otherwise consider confidential and private. The policy can also act as a deterrent, discouraging users from using One-Health Hospital systems for personal purposes.

Existence of Protected Systems Containing Personnel Records

Policy: With the exception of criminal investigations, there must be no system of personnel records whose very existence is kept secret from the subjects or workers described therein.

Commentary: This policy prohibits "shadow databases" which may be kept by supervisors or others as a way to persecute, harass, intimidate, or otherwise control employees. In this case, the word "shadow" indicates behind-the-scenes or secret. The policy helps build worker trust that they indeed know of all systems being used to judge their performance and promotion prospects. The intention of the policy is also to ensure that all systems containing personnel information are known not only to the subjects but also to the information security staff.

Guaranteed Employee Access to His or Her Own Personnel File

Policy: Upon written request, every worker must be given access to his or her own personnel file.

Commentary: The intention of this policy is to give the subjects (workers, employees, etc.) the right to know the information that has been used in decisions about them. Knowledge of this information then allows the subjects to object to inaccuracies or misleading statements appearing in the record.

Periodic Distribution of Employee Personnel Records

Policy: To allow each employee an opportunity to become acquainted with the information, and to ensure that it contains no errors, every employee must be given a copy of his or her personnel file once a year.

Commentary: The provision of a free copy of one's record is thus a way to reduce complaints about inaccurate reports, as well as a way to ensure that the information is current and accurate.

Privacy

Disclosure

Disclosure of Private Information to Third Parties

Policy: Disclosure of private information about One-Health Hospital workers to third parties must NOT take place unless required by law or permitted by explicit consent of the subject.

Commentary: This policy helps prevent invasion of privacy, defamation of character, libel, and slander lawsuits. The intention of the policy is to ensure that third parties are not given access to private information about employees (or, more generally, "workers"). The only exceptions are: (1) when specifically required by law, as would be the case if a subpoena were tendered, or (2) when the individual has authorized the transfer, as would be the case if the information were to be used by a prospective employer doing a background check. For this reason, without further authorization from the worker, many United States employers disclose only: (1) the fact that an individual worked/works at the organization, (2) the most recent place of work, (3) the dates of employment, and perhaps (4) an indication of whether the employee would be rehired.

Disclosure of Worker Names, Titles, and Other Contact Particulars

Policy: One-Health Hospital does not disclose the names, titles, phone numbers, locations, or other contact particulars of its workers unless required for business purposes. Exceptions will be made when law requires such a disclosure or when the involved persons have previously consented to the disclosure.

Commentary: The intention of this policy is to protect the privacy of workers (employees, consultants, temporaries, etc.), especially from unwanted solicitations and marketing pitches.

Granting Workers Access to Disclosures of Private Data Records

Policy: Workers must be given access to records reflecting the disclosure of their own private information to third parties. In addition, workers must be given sufficient information to allow them to contact such third parties to rectify errors or supply additional information.

Commentary: Workers should have an opportunity to provide their own interpretation of events, should that interpretation differ from the interpretation found in One-Health Hospital records. Accordingly, the intention of this policy is to allow workers to rectify what they may consider inaccurate or misleading information when One-Health Hospital elects to take no action to correct their records.

Privacy of Personal Files Stored on Computers and in Desks

Policy: Personal files on One-Health Hospital computers and in One-Health Hospital worker desks must both be handled with the same privacy perspective given to personal mail and personal phone calls. This means that other workers, including managers and system administrators, must not read such personal files. Exceptions will be made if the action is part of: (a) a formal investigation initiated by the Security Department, or (b) an effort to dispose of or reassign files after a worker has left One-Health Hospital.

Commentary: The intention of this policy is to clarify privacy expectations about the personal files of workers. Essentially, this policy says that the files of workers, even though they may be work-related, are not to be read by managers or system administrators.

Keeping Records of Private Information Disclosed to Third Parties

Policy: Every disclosure of private information to third parties must be recorded, and these records must be maintained for at least five (5) years.

Commentary: The intention of this policy is to be able to show definitively exactly what information has been disclosed to which third parties, and that the disclosures have been in keeping with law, organizational policies, and general business practices. Keeping a log of disclosures will also be important when notifying information recipients of errors found in a private record.

Protection of the Privacy of Customer Information

Policy: Information that can be directly linked to a specific customer (especially an individual) must ONLY be released to third parties if: (1) the customer has provided prior written consent, or (2) One-Health Hospital is legally required to disclose the information.

Commentary: The intention of this policy is to restrict the unauthorized dissemination of information about an organization's customers, be they individuals or organizations.

Customer Requests for Anonymity on One-Health Hospital Systems

Policy: To help preserve the privacy of customer information, One-Health Hospital provides mechanisms for customers to remain anonymous when using One-Health Hospital systems. One-Health Hospital will not disclose the identity of the customers who elect to use these mechanisms unless compelled to do so by law.

Commentary: The intention of this policy is to give customers a clear picture of what is meant by anonymous user-IDs, anonymous remailers (for electronic mail on the Internet), anonymous electronic cash (for financial transactions on the Internet), and similar anonymous mechanisms.

Distribution of Statistical Information about Customer Records

Policy: Statistical information derived from customer records may be disclosed to parties outside One-Health Hospital only if the customers involved cannot be identified from the information.

Commentary: The objective of this policy is to prevent workers from distributing reports to outsiders which might inadvertently reveal the identity of, or information about, customers. This policy is thus relevant to the preparation of annual reports (financial statements), government forms, and the like. The idea behind this policy is that customer information be aggregated to the point that its disclosure does not damage customers.

Confidentiality Agreements Required for All One-Health Hospital Workers

Policy: All employees, consultants, contractors, and temporaries must sign a confidentiality agreement at the time they join One-Health Hospital.

Commentary: Having written acknowledgment that workers agree not to disclose sensitive data is very important if prosecution or disciplinary action is later required. The intention of this policy is therefore to require that a confidentiality agreement be obtained for every worker. A standard agreement may be a stand-alone document, or it may be standard wording integrated into employment contracts, consulting contracts, and related documents. For this and related policy matters, discussions with internal legal staff are essential.

Exposure of Sensitive Information in Public Places

Policy: Protected, sensitive, or private One-Health Hospital information must not be read, discussed, or otherwise exposed on airplanes, in restaurants, on public transportation, or in other public places.

Commentary: The intention of this relatively liberal policy is to help prevent the unauthorized disclosure of sensitive information. With the pressure to perform that so many employees face, it is not uncommon for them to work while sitting on a bus, an airplane, etc. Often they work with sensitive information. The policy seeks to prevent other travelers from looking over their shoulder, reading the material while sharing the same table, or in some other way being exposed to the material.

Removal of Sensitive Information from One-Health Hospital Premises

Policy: Sensitive One-Health Hospital information may not be removed from One-Health Hospital premises unless there has been prior approval from the information's owner. This policy covers portable computers with hard disks, floppy disks, hard-copy output, paper memos, and the like. An exception is made for authorized off-site back-ups.

Commentary: The intention of this policy is to prevent sensitive information from travelling around and, in the process, being disclosed in unauthorized ways. The more information stays in one place, the easier it is to track and control. Note that this policy may restrict the activities of telecommuters and employees who wish to take work home with them. If such sensitive information routinely travels over computer networks, it may be difficult to identify its location at any particular point in time; in these cases, this policy will be difficult to implement and is most often inappropriate. On another note, this policy assumes the term "owner" has been previously defined.

HIPAA Compliance

Notice of Privacy Practices Policy

Policy: One-Health Hospital will ensure that all patients are provided with a Notice of Privacy Practices describing their rights and One-Health Hospital's duties with respect to Protected Health Information. This Notice of Privacy Practices will contain the necessary requirements and be distributed in accordance with Federal and state privacy laws.

Commentary: The purpose of this policy is to describe the process for documentation and maintenance of a Notice of Privacy Practices (Notice), identify the process for making changes to the terms of the Notice, establish the process for making Notice provisions effective for all Protected Health Information (PHI) maintained by One-Health Hospital (OHH), outline the process for providing and making available the Notice to patients at the first point of service, and provide an opportunity for patients to discuss any concerns related to their PHI with their health care Provider. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Privacy Officer, Roles and Responsibilities

Policy: The President/Chief Executive Officer of One-Health Hospital will determine the administrative requirements for the Privacy Officer and select a Privacy Officer(s) to oversee the development, implementation, and management of One-Health Hospital's privacy policies and procedures in accordance with applicable Federal and state privacy laws.

Commentary: The purpose of this policy is to define the roles and responsibilities of the Privacy Officer(s) and the guidelines for his/her selection. This policy supports the One-Health Hospital (OHH) Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Complaints Regarding Privacy and Security Policies and Procedures

Policy: Pursuant to Federal and state Privacy and Security laws, patients, visitors, contractors, and employees of One-Health Hospital may submit allegation(s)/complaint(s) regarding violations of patient confidentiality, information security, or Hospital Privacy and Security policies and/or procedures to the Office of Privacy Administration. The Office of Privacy Administration and/or the Information Security Office will investigate and address the complaints. OHH will not threaten, intimidate, discriminate, or retaliate against a Person who exercises his/her right to file a complaint with OHH or the Secretary of the Department of Health and Human Services (DHHS).

Commentary: The purpose of this policy is to establish a process for submitting and addressing complaints related to Federal and state Privacy and Security laws and One-Health Hospital's Privacy and Security policies and procedures. This policy supports the One-Health Hospital (OHH) Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Mitigation for Patient Privacy Violations under HIPAA

Policy: Pursuant to Federal and state Privacy laws, and within reasonable efforts, One-Health Hospital will mitigate harmful effects known to it resulting from the Use and/or Disclosure of Protected Health Information in violation of its privacy policies and procedures, whether by itself or by its Business Associates.

Commentary: The purpose of this policy is to define the process of One-Health Hospital's (OHH) Mitigation Plan for addressing and responding to violations of Federal and state Privacy laws and the District's Privacy policies and procedures. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Sanctions for Failure to Comply with Privacy Policies

Policy: One-Health Hospital is strongly committed to ensuring compliance with all applicable privacy laws, regulations, standards, policies, and procedures, including the Health Insurance Portability and Accountability Act of 1996. The Office of Privacy Administration and One-Health Hospital's Management will thoroughly investigate any alleged patient privacy violation and take the appropriate disciplinary action regarding the employee, including reporting to Federal, state, and local entities as appropriate.

Commentary: The purpose of this policy is to define the disciplinary actions for employees of One-Health Hospital (OHH) who violate patient privacy rules. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations

Policy: The workforce of One-Health Hospital will Use and Disclose Protected Health Information for the purpose of carrying out Treatment, Payment, or Healthcare Operations, pursuant to Federal and state laws.

Commentary: The purpose of this policy is to provide District-wide guidelines on the Use and Disclosure of PHI to carry out Treatment, Payment, or Healthcare Operations. This policy supports the One-Health Hospital (OHH) HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Protected Health Information for Facility Directories

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital may Use and Disclose certain Protected Health Information in the facility directories without obtaining a patient's Authorization, as long as the patient has an opportunity to agree or object to such Use or Disclosure. One-Health Hospital will honor his/her request.

Commentary: The purpose of this policy is to outline the process for Use and Disclosure of Protected Health Information (PHI) in facility directories and to describe the procedure for allowing patients to agree or object to such Use and Disclosure. This policy supports the One-Health Hospital (OHH) HIPAA policy and may require development of department-specific procedures.

Patient's Request for Confidential Communications

Policy: One-Health Hospital will accommodate a reasonable request from a patient to receive Confidential Communication of his/her Protected Health Information by alternative means or at alternative locations, pursuant to Federal and state laws.

Commentary: The purpose of this policy is to provide guidance for complying with patients' requests to communicate with them using alternative means or at alternative locations. This policy supports the Hospital District's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Requests for Restricting Use and Disclosure of Protected Health Information

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital will use reasonable efforts to comply with requests from patients to restrict the Use and Disclosure of their Protected Health Information. If OHH can no longer abide by a restriction, the Privacy Officer, or designee, may terminate the restriction.

Commentary: The purpose of this policy is to define the process for receiving, evaluating, and responding to requests for restrictions on the use and disclosure of patient Protected Health Information (PHI). This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Authorization for Use and Disclosure of Protected Health Information for Purposes other than Treatment, Payment, and Health Care Operations

Policy: Pursuant to Federal and state privacy laws, One-Health Hospital will ensure that a properly written and signed authorization by the patient, or his/her representative, for use or disclosure of information is received before the patient's Protected Health Information is used or disclosed for reasons other than treatment, payment, or healthcare operations. An Authorization may be revoked in writing at any time.

Commentary: The purpose of this policy is to outline the process for the Use and Disclosure or release of a patient's Protected Health Information (PHI) when the patient's Authorization is required. This policy supports the One-Health Hospital (OHH) HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Psychotherapy Notes

Policy: One-Health Hospital (OHH) desires to ensure that Psychotherapy Notes are Used and Disclosed in accordance with applicable Federal and state laws by maintaining a separate

Commentary: It is the purpose of this policy to provide guidance to One-Health Hospital (OHH) on the Use and Disclosure of Psychotherapy Notes for Treatment, Payment, or Healthcare Operations. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.

Minimum Necessary Standard for Use and Disclosure of Protected Health Information

Policy: One-Health Hospital workforce members will have access to the Protected Health Information required to fulfill their responsibilities. Minimum Necessary restrictions do not apply to Use and Disclosure for Treatment purposes. Pursuant to Federal and state laws, when Using or Disclosing Protected Health Information, or when requesting it from another Covered Entity, One-Health Hospital will make reasonable efforts to limit the Protected Health Information Used, Disclosed, or requested to the Minimum Necessary amount needed to accomplish the intended purpose.

Commentary: The purpose of this policy is to provide guidance for assuring that the Minimum Necessary amount of Protected Health Information (PHI) is Used, Disclosed, or requested by One-Health Hospital (OHH). This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.

Patient's Access to the Designated Record Set

Policy: A patient may review and obtain a copy of his/her Designated Record Set, with few exceptions, pursuant to Federal and state laws. One-Health Hospital will provide the patient the reason(s) for any denial of access in writing, along with how to file an appeal. If appropriate, the patient or legal representative may request to have the denial reviewed by an independent licensed health care professional. One-Health Hospital reserves the right to charge state-mandated rates for providing copies of the Designated Record Set.

Commentary: The purpose of this policy is to provide District-wide guidelines to assure patients access to their Designated Record Set, describing the procedure for submission and processing, and outlining grounds for denial. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Accounting of Disclosures of Protected Health Information

Policy: The employees and Business Associates of One-Health Hospital will document, track, and retain all records pertaining to the Disclosure of Protected Health Information. Patients may request an Accounting of Disclosures of their Protected Health Information from the Privacy Officer, who will respond in accordance with Federal and state privacy laws and One-Health Hospital's privacy policies and procedures.

Commentary: The purpose of this policy is to provide guidance on documenting the Disclosure of Protected Health Information (PHI) and responding to a Request for an Accounting of Disclosures from patients or their Personal Representative. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Patient's Request to Amend the Designated Record Set

Policy: Pursuant to Federal and state Privacy laws, One-Health Hospital will process a patient's request to amend his/her Protected Health Information contained within the Designated Record Set within the specified period. The request to amend the patient's Designated Record Set must be submitted in writing. The Clinician/author must approve amendments to clinical information. OHH will respond to each request to amend the medical record in writing.

Commentary: The purpose of this policy is to provide guidance for processing patients' requests to amend information contained within their Designated Record Set (DRS), identify circumstances when a request may be denied, and outline the process for filing a complaint, appeal, or review of the denial of the request. This policy supports the District's HIPAA policy and may require development of department-specific procedures.

Permitted Use and Disclosure of Protected Health Information without Patient's Authorization

Policy: One-Health Hospital will ensure that any use or disclosure of Protected Health Information without a patient's Authorization is in accordance with applicable Federal and state Privacy laws. Disclosures of PHI will be documented in the patient's medical record and tracked to enable One-Health Hospital to respond to patients' requests for an Accounting of Disclosures.

Commentary: The purpose of this policy is to provide guidelines concerning One-Health Hospital's (OHH) Use and Disclosure of Protected Health Information without the patient's Authorization. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Designated Record Set

Policy: One-Health Hospital has identified the items included and not included in the Designated Record Set for all patients.

Commentary: The purpose of this policy is to define the specific information or records that patients may access and amend within their medical and billing files, in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other Federal and state privacy laws. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Limited Data Sets

Policy: It is the policy of One-Health Hospital (OHH) to Use and Disclose Protected Health Information (PHI) from which certain direct identifiers have been removed to create a Limited Data Set, for the purposes of research, public health, or healthcare operations when appropriate. OHH facilities and providers will follow the enclosed guidelines for authorizing and creating Limited Data Sets to safeguard PHI and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rule.

Commentary: The purpose of this policy is to: 1) outline the requirements for Use and Disclosure of PHI using Limited Data Sets, 2) provide guidance on how to create a Limited Data Set, and 3) define the requirements of a Data Use Agreement to be executed before a Limited Data Set is provided to authorized parties.

De-Identification of Protected Health Information

Policy: It is the policy of One-Health Hospital (OHH) to assure that, when using or disclosing De-identified Information, the PHI is de-identified in accordance with applicable Federal privacy requirements, and that De-identified Information that is re-identified is treated as PHI under Federal privacy requirements. OHH Workforce members are encouraged to utilize de-identified information where possible in conducting Hospital business.

Commentary: The purpose of this policy is to: 1) provide guidance on how to de-identify Protected Health Information (PHI), 2) outline the process for reviewing and responding to requests for de-identifying PHI, and 3) provide guidance for re-identification of De-identified Information.

HIPAA Business Associates

Policy: OHH values the protection of Individually Identifiable Health Information and Protected Health Information. OHH will permit the Disclosure of such information to a Business Associate only if there is a current written Business Associate Agreement.

Commentary: The purpose of this policy is to provide guidance in identifying One-Health Hospital's (OHH) Business Associates, to ensure that OHH enters into written Business Associate Agreements prior to the use or disclosure of Individually Identifiable Health Information (IIHI) or Protected Health Information (PHI), and to outline OHH's steps in the event of a breach of a Business Associate Agreement or this policy. This policy supports One-Health Hospital's Health Insurance Portability and Accountability Act (HIPAA) policy and may require development of department-specific procedures.
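The Limited Data Set and De-Identification policies above, as one added example (illustrative code of mine, not One-Health Hospital's procedure): a single PHI record is reduced first to a Limited Data Set, which removes the direct identifiers but keeps dates and city/ZIP, and then to de-identified form, which also removes sub-state geography, all date elements except the year, and ages over 89. A separate owner-held linkage table shows how re-identification works and why its output is PHI again. The identifier lists follow the HIPAA Privacy Rule categories as I understand them; the field names, sample record, and linkage table are constructed.

```python
"""Limited Data Set and de-identified data from one PHI record.

Added example for the Limited Data Set and De-Identification policies
above; it is illustrative code, not One-Health Hospital's procedure. The
identifier lists follow the HIPAA Privacy Rule categories as I understand
them: a Limited Data Set removes sixteen direct identifiers but may keep
dates, ages and city/state/ZIP, while Safe Harbor de-identification also
strips geography below state level, every date element except the year,
and ages over 89 (including the birth year of such a person). Field names,
the sample record, and the linkage table are constructed.
"""
import secrets
from datetime import date

# Direct identifiers removed in both modes (the Limited Data Set list).
DIRECT_IDENTIFIERS = {
    "name", "street", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_id", "url", "ip", "biometric", "photo",
}
# Quasi-identifiers a Limited Data Set may keep but Safe Harbor removes.
GEOGRAPHY_BELOW_STATE = {"city", "county", "zip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}


def limited_data_set(record):
    """Strip direct identifiers only; dates and geography remain, which is
    why a Data Use Agreement is required before the set leaves OHH."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def deidentify(record):
    """Safe Harbor style: drop direct identifiers and sub-state geography,
    keep only the year of any date, and bucket ages over 89 as '90+'."""
    out = {}
    for k, v in record.items():
        if k in DIRECT_IDENTIFIERS or k in GEOGRAPHY_BELOW_STATE:
            continue
        if k in DATE_FIELDS and isinstance(v, date):
            out[k] = v.year
        elif k == "age" and isinstance(v, int) and v > 89:
            out[k] = "90+"
        else:
            out[k] = v
    if out.get("age") == "90+":
        out.pop("dob", None)   # even the birth year would indicate the age
    return out


class ReidentificationLinkage:
    """Owner-held table from a random code back to the MRN. The code is not
    derived from the record, so it may accompany de-identified data; whatever
    is looked up through this table is PHI again and must be handled as such."""

    def __init__(self):
        self._table = {}

    def tag(self, record, deidentified):
        code = secrets.token_hex(8)
        self._table[code] = record["mrn"]
        return {**deidentified, "reid_code": code}

    def reidentify(self, code):
        return {"mrn": self._table[code], "is_phi": True}


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "street": "1 Example Way", "city": "Springfield", "state": "IL",
    "zip": "62701", "dob": date(1917, 4, 2), "age": 92,
    "admit_date": date(2009, 6, 10), "diagnosis_code": "I10",
}
```

The linkage table lives with the data owner and never travels with the de-identified set; that separation is what lets the same record be shared for research while the policy's requirement that re-identified data be treated as PHI is enforced at the only place re-identification can happen.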

HIPAA Privacy Education

Policy: One-Health Hospital will ensure that its Workforce receives general education and specialized training, as indicated, regarding Federal and state privacy laws and One-Health Hospital's privacy policies and procedures. Each Workforce member will participate in training as required by job classification or role.

Commentary: The purpose of this policy is to delineate One-Health Hospital's (OHH) responsibilities for educating the Workforce regarding Federal and state privacy laws and OHH's policies and procedures. This policy supports One-Health Hospital's HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Protected Health Information for Marketing

Policy: One-Health Hospital will obtain a patient's authorization for any use or disclosure of Protected Health Information for marketing purposes, in accordance with Federal and state privacy laws.

Commentary: The purpose of this policy is to provide guidance on the Use and Disclosure of patients' Protected Health Information for One-Health Hospital's (OHH) Marketing purposes, to identify when an Authorization is required for Marketing purposes and when it is not, and to identify special considerations for Use and Disclosure of Protected Health Information for Marketing purposes. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.

Use and Disclosure of Protected Health Information for Fundraising

Policy: For its fundraising purposes, and in accordance with Federal and state privacy laws, One-Health Hospital (OHH) may Use or Disclose to a Business Associate or to the One-Health Hospital Foundation (OHH Foundation) the patient's Demographic Information and the dates of healthcare services provided to the patient without obtaining the patient's Authorization. Any other Use or Disclosure of PHI for OHH's Fundraising purposes requires the patient's Authorization.

Commentary: The purpose of this policy is to provide guidance on the Use and Disclosure of Protected Health Information (PHI) for One-Health Hospital's (OHH) Fundraising purposes, and to identify when Authorization is required to Use and Disclose Protected Health Information for One-Health Hospital's Fundraising purposes. This policy supports OHH's HIPAA policy and may require development of department-specific procedures.

One-Health Hospital

Page 86

Revised 6/10/2009

Access to One-Health Hospital Information

Policy: OHH will provide access to its information as permitted or required by law and as required for the purposes of treatment, payment, healthcare operations, or other necessary business activities and functions.

Commentary: The purpose of this policy is to ensure that access to One-Health Hospital (OHH) information, whether maintained in a paper or electronic format, is requested properly, approved, and managed, and to identify the individual(s) authorized to approve requests for access and those who may approve granting access.

Change Control
Overview
Introduction

The Information Resources infrastructure at One-Health Hospital is expanding and continuously becoming more complex. There are more people dependent upon the network, more client machines, upgraded and expanded administrative systems, and more application programs. As the interdependency between Information Resources infrastructure grows, the need for a strong change management process is essential. From time to time, each Information Resource element requires an outage for planned upgrades, maintenance, or fine-tuning. Additionally, unplanned outages may occur that may result in upgrades, maintenance, or fine-tuning. Managing these changes is a critical part of providing a robust and valuable Information Resources infrastructure.
Purpose

The purpose of the Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources.
Audience

The One-Health Hospital Change Management Policy applies to all individuals that install, operate, or maintain Information Resources.

Definitions

Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Owner

The manager or agent responsible for the function that is supported by the resource; the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments.
Custodian

Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. For mainframe applications, Information Services is the custodian; for micro and mini applications, the owner or user may retain custodial responsibilities. The custodian is normally a provider of services.

Change Management

The process of controlling modifications to hardware, software, firmware, and documentation to ensure that Information Resources are protected against improper modification before, during, and after system implementation.
Change

- Any implementation of new functionality
- Any interruption of service
- Any repair of existing functionality
- Any removal of existing functionality

Scheduled Change

Formal notification received, reviewed, and approved by the review process in advance of the change being made.
Unscheduled Change

Failure to present notification to the formal process in advance of the change being made. Unscheduled changes will only be acceptable in the event of a system failure or the discovery of a security vulnerability.
Emergency Change

When an unauthorized immediate response to imminent critical system failure is needed to prevent widespread service disruption.

Policy
Change Management Policy

Every change to a One-Health Hospital Information Resource, such as operating systems, computing hardware, networks, and applications, is subject to the Change Management Policy and must follow the Change Management Procedures. All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to or coordinated with the leader of the change management process.

A Change Management Committee, appointed by IS Leadership, will meet regularly to review change requests and to ensure that change reviews and communications are being satisfactorily performed.

A formal written change request must be submitted for all changes, both scheduled and unscheduled. All scheduled change requests must be submitted in accordance with change management procedures so that the Change Management Committee has time to review the request, determine and review potential failures, and make the decision to allow or delay the request. Each scheduled change request must receive formal Change Management Committee approval before proceeding with the change.

The appointed leader of the Change Management Committee may deny a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate backup plans, timing that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.

Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Change Management Procedures.

A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not. A Change Management Log must be maintained for all changes. The log must contain, but is not limited to:

- Date of submission and date of change
- Owner and custodian contact information
- Nature of the change
- Indication of success or failure

All One-Health Hospital information systems must comply with an Information Resources change management process that meets the standards outlined above.
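The rules above lend themselves to a mechanical check. The following Python is an added example, not part of the One-Health Hospital policy document or its procedures: it encodes the scheduled/unscheduled/emergency distinction, the Committee-approval, justification and customer-notification requirements, and the mandatory Change Review and log fields. The ChangeRequest class, its field names and the helper names are assumptions made for illustration.

```python
"""Added example (not from the One-Health Hospital policy document): a
validator that applies the Change Management Policy rules to a change
request and builds the required Change Management Log record.
The ChangeRequest fields and helper names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Change categories defined in the Definitions section
SCHEDULED, UNSCHEDULED, EMERGENCY = "scheduled", "unscheduled", "emergency"
# The only circumstances in which an unscheduled change is acceptable
UNSCHEDULED_JUSTIFICATIONS = {"system failure", "security vulnerability"}


@dataclass
class ChangeRequest:
    kind: str                     # scheduled / unscheduled / emergency
    submitted: date               # date the written request was submitted
    planned: date                 # date the change is made
    owner_contact: str
    custodian_contact: str
    nature: str                   # description of the change
    approved_by_committee: bool = False
    justification: Optional[str] = None   # required for unscheduled changes
    customers_notified: bool = False
    review_completed: bool = False
    succeeded: Optional[bool] = None      # recorded after the change


def make_request(kind: str, submitted: str, planned: str, **fields) -> ChangeRequest:
    """Build a request from ISO date strings; contacts and nature default to
    constructed placeholder values."""
    return ChangeRequest(kind, date.fromisoformat(submitted), date.fromisoformat(planned),
                         fields.pop("owner_contact", "owner@placeholder.example"),
                         fields.pop("custodian_contact", "custodian@placeholder.example"),
                         fields.pop("nature", "constructed sample change"), **fields)


def policy_violations(req: ChangeRequest) -> List[str]:
    """Return every policy rule the request breaks (empty list = compliant)."""
    problems: List[str] = []
    if req.kind == SCHEDULED:
        # Scheduled changes need advance submission and formal Committee approval
        if req.submitted >= req.planned:
            problems.append("scheduled change submitted without advance notice")
        if not req.approved_by_committee:
            problems.append("scheduled change lacks Change Management Committee approval")
    elif req.kind == UNSCHEDULED:
        if req.justification not in UNSCHEDULED_JUSTIFICATIONS:
            problems.append("unscheduled change acceptable only for system failure "
                            "or security vulnerability")
    elif req.kind != EMERGENCY:
        problems.append(f"unknown change type: {req.kind}")
    # Customer notification is required for scheduled and unscheduled changes
    if req.kind in (SCHEDULED, UNSCHEDULED) and not req.customers_notified:
        problems.append("customer notification not completed")
    return problems


def log_entry(req: ChangeRequest) -> dict:
    """Produce the Change Management Log record.  A Change Review is mandatory
    for every change, successful or not, so an unreviewed change is refused."""
    if not req.review_completed or req.succeeded is None:
        raise ValueError("Change Review must be completed before the change is logged")
    return {
        "date_submitted": req.submitted.isoformat(),
        "date_of_change": req.planned.isoformat(),
        "owner": req.owner_contact,
        "custodian": req.custodian_contact,
        "nature": req.nature,
        "result": "success" if req.succeeded else "failure",
    }
```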

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of One-Health Hospital Information Resources access privileges and to civil and criminal prosecution.

Risk Assessment/Business Impact Analysis

Summary

As part of the implementation of an information security policy at One-Health Hospital, a detailed business impact analysis (BIA) must be performed. The assessment is designed to identify all risk elements regarding information systems, as well as their likelihood of occurrence and magnitude of impact should any vulnerability of the system be exploited. This section provides a framework for performing a BIA/Risk Assessment.

Purpose

The purpose of the risk assessment is to identify vulnerabilities and their respective threats regarding the information systems at One-Health Hospital. The results of this assessment are to be used to create plans to mitigate risk to acceptable levels. Due to the nature of the data collected and stored on these systems, the magnitude of impact is relatively high should a system become compromised. The risk assessment seeks to reduce the likelihood of security incidents, ultimately reducing risk. A formal analysis would identify informational assets and their respective values, and provide information regarding the probability and potential business impact of the identified threats.

Scope

All systems connected to the network infrastructure at One-Health Hospital will be evaluated to determine potential vulnerabilities. These systems include all staff computers, peripheral devices, mobile devices, and servers.

Risk Assessment Approach

Risk Model

In order to determine risks associated with information systems at One-Health Hospital, use the following model for classifying risk:

Risk = Threat Likelihood x Magnitude of Impact

Threat likelihood and magnitude of impact are defined as follows:

Threat Likelihood (Weight Factor)

High (1.0): The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium (0.5): The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (0.1): The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Magnitude of Impact (Score)

High (100): The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.
Medium (50): The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals.
Low (10): The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.

Risk is calculated as follows (Magnitude of Impact x Threat Likelihood):

Threat Likelihood    Low Impact (10)             Medium Impact (50)            High Impact (100)
High (1.0)           Low Risk (10 x 1.0 = 10)    Medium Risk (50 x 1.0 = 50)   High Risk (100 x 1.0 = 100)
Medium (0.5)         Low Risk (10 x 0.5 = 5)     Medium Risk (50 x 0.5 = 25)   Medium Risk (100 x 0.5 = 50)
Low (0.1)            Low Risk (10 x 0.1 = 1)     Low Risk (50 x 0.1 = 5)       Low Risk (100 x 0.1 = 10)
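To make the model concrete, here is an added Python example (not from the policy document) that computes Risk = Threat Likelihood x Magnitude of Impact with the weight factors and scores defined above, rebuilds the 3x3 matrix, and ranks a constructed asset list so a mitigation plan can start with the highest-risk systems. The Low/Medium/High bands (at most 10 Low, 11 to 50 Medium, above 50 High) are inferred from the labelled matrix cells and are an assumption of this example, as are the sample assets.

```python
"""Added example (not from the One-Health Hospital policy document): the
Risk = Threat Likelihood x Magnitude of Impact model with the page's weight
factors and scores.  The risk-level bands and the sample assets are
assumptions of this example."""
from typing import Dict, List, Tuple

# Threat likelihood weight factors, as defined on the page
LIKELIHOOD: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Magnitude of impact scores, as defined on the page
IMPACT: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = Threat Likelihood x Magnitude of Impact (rounded to avoid
    floating-point noise such as 0.1 x 50 = 5.000000000000001)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Map a score to the label used in the matrix.  Assumed bands: the matrix
    labels 1-10 Low, 25-50 Medium and 100 High, so the cut-offs are >10 and >50."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Rebuild the 3x3 matrix as (likelihood, impact) -> (score, level)."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


def rank_assets(assets: List[Tuple[str, str, str]]) -> List[Tuple[str, float, str]]:
    """Rank (asset, likelihood, impact) triples by descending risk score."""
    ranked = [(name, risk_score(lk, im), risk_level(risk_score(lk, im)))
              for name, lk, im in assets]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample assets (illustrative only, not from the page)
SAMPLE_ASSETS: List[Tuple[str, str, str]] = [
    ("patient records database server", "Medium", "High"),
    ("nurse station workstation", "High", "High"),
    ("lobby kiosk", "High", "Low"),
    ("backup tape library", "Low", "High"),
]

if __name__ == "__main__":
    for name, score, level in rank_assets(SAMPLE_ASSETS):
        print(f"{name:35s} {score:6.1f}  {level} Risk")
```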

Contingency Planning
Purpose
This information system contingency policy establishes a framework for recovering information system services following a disruption. The following objectives have been established in this policy:

Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:

- Notification/Activation phase to detect and assess damage and to activate the plan.
- Recovery phase to restore temporary IT operations and recover damage done to the original system.
- Reconstitution phase to restore IT system-processing capabilities to normal operations.

Applicability
The information system contingency plan applies to the functions, operations, and resources necessary to restore and resume One-Health Hospital's information system operations as installed at its primary location. The information system contingency plan applies to One-Health Hospital and all other persons associated with its information systems.

Planning Principles

Various scenarios were considered in forming a basis for the policy, and multiple assumptions were made. The applicability of the policy is predicated on two key principles:

- One-Health Hospital's primary facility is inaccessible; therefore, One-Health Hospital is unable to perform information system processing for the Department.
- A valid contract exists with the alternate site that designates that site as One-Health Hospital's alternate operating facility. One-Health Hospital will use the alternate site building and IT resources to recover information system functionality during an emergency that prevents access to the original facility. The designated computer system at the alternate site has been configured to begin processing system information. The alternate site will be used to continue information system recovery and processing throughout the period of disruption, until the return to normal operations.

Operations
Line of Succession

One-Health Hospital sets forth an order of succession, in coordination with the order set forth by the department, to ensure that decision-making authority for the information system contingency plan is uninterrupted. The DR leader of One-Health Hospital is responsible for ensuring the safety of personnel and the execution of procedures documented within this information system contingency plan. If the DR leader is unable to function as the overall authority or chooses to delegate this responsibility to a successor, an alternate leader shall function as that authority.

Responsibilities

The contingency policy establishes several teams assigned to participate in recovering information system operations. The DR Team is responsible for recovery of the information system computer environment and all applications. Members of the team include personnel who are also responsible for the daily operations and maintenance of the information system.

Notification and Activation Phase

This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to core information systems. Based on the assessment of the event, the plan may be activated by the Contingency Planning Coordinator. In an emergency, One-Health Hospital's top priority is to preserve the health and safety of its staff before proceeding to the Notification and Activation procedures.

Damage Assessment Procedures

Detailed procedures should be outlined to include activities to determine the cause of the disruption; potential for additional disruption or damage; affected physical area and status of physical infrastructure; status of IT equipment functionality and inventory, including items that will need to be replaced; and estimated time to repair services to normal operations.

Activation
The Contingency Plan is to be activated if one or more of the following criteria are met:

- The information system will be unavailable for more than 2 hours.
- The facility is damaged and will be unavailable for more than 24 hours.
- Other criteria, as appropriate.

Recovery Operations
This section provides the framework for recovering the application at the alternate site, while other efforts are directed to repairing damage to the original system and capabilities. The following goals are for recovering the information system at the alternate site.

- Recovery Goal #1. State the first recovery objective as determined by the Business Impact Assessment (BIA).
- Recovery Goal #2. State the second recovery objective as determined by the BIA. For each team responsible for executing a function to meet this objective, state the team names and list their respective procedures.
- Recovery Goals Remaining. State the remaining recovery objectives (as determined by the BIA). For each team responsible for executing a function to meet this objective, state the team names and list their respective procedures.

Return to Normal Operations

This section discusses activities necessary for restoring information system operations at One-Health Hospital's original or new site. When the computer center at the original or new site has been restored, information system operations at the alternate site must be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the new site.

Original or New Site Restoration

Procedures should be outlined, per necessary team, to restore or replace the original site so that normal operations may be transferred. IT equipment and telecommunications connections should be tested.

Concurrent Processing

Procedures should be outlined to operate the system in coordination with the system at the original or new site. These procedures should include testing the original or new system until it is functioning properly and the contingency system is shut down gracefully.

Plan Deactivation

Procedures should be outlined, per team, to clean the alternate site of any equipment or other materials belonging to the organization, with a focus on handling sensitive information. Materials, equipment, and backup media should be properly packaged, labeled, and shipped to the appropriate location(s). Team members should be instructed to return to the original or new site.

Plan Appendices
The appendices included should be developed and based on system and plan requirements.

- Personnel Contact List
- Vendor Contact List
- Equipment and Specifications
- Service Level Agreements and Memorandums of Understanding
- IT Standard Operating Procedures
- Business Impact Analysis
- Related Contingency Plans
- Emergency Management Plan
- Occupant Evacuation Plan
- Continuity of Operations Plan

Topology

Glossary
Access control: A system to restrict the activities of users and processes based on the need-to-know.
Agents: A new type of software that performs special tasks on behalf of a user, such as searching multiple databases for designated information.
Algorithm: A mathematical process for performing a certain calculation; generally used to refer to the process for performing encryption.
Badge reader: A device that reads badges and interconnects with a physical access control system.
Clear text: Unencrypted data.
Compliance statement: A document used to obtain a promise from a computer user that such user will abide by system policies and procedures.
Critical information: Any information essential to One-Health Hospital's business activities, the destruction, modification, or unavailability of which would cause serious disruption to One-Health Hospital's business.
Dynamic password: A password that changes each time a user logs into a computer system.
Encryption key: A secret password or bit string used to control the algorithm governing an encryption process.
Encryption: A process involving data coding to achieve confidentiality, anonymity, time stamping, and other security objectives.
End-user: A user who employs computers to support One-Health Hospital business activities, who is acting as the source or destination of information flowing through a computer system.
Firewall: A logical barrier stopping computer users or processes from going beyond a certain point in a network unless these users or processes have first passed some security check (such as providing a password).
Full disk encryption: Technique that encrypts an entire hard drive, including operating system and data.
Key: Phrase used to encrypt or decrypt data.
Login script: A set of stored commands that can log a user into a computer automatically.
Multi-user computer system: Any computer that can support more than one user simultaneously.
Password guessing attack: A computerized or manual process whereby various possible passwords are provided to a computer in an effort to gain unauthorized access.

Password-based access control: Software that relies on passwords as the primary mechanism to control system privileges.
Password: Any secret string of characters used to positively identify a computer user or process.
PDA: Personal Data Assistant.
Privilege: An authorized ability to perform a certain action on a computer, such as reading a specific computer file.
Restricted information: Particularly sensitive information, the disclosure of which is expected to severely damage One-Health Hospital or its business affiliates (see sensitive information).
Remote wipe: Software that remotely deletes data stored on a mobile device.
Sensitive information: A designation for information, the disclosure of which is expected to damage One-Health Hospital or its business affiliates (see restricted information).
User-IDs: Also known as accounts, these character strings uniquely identify computer users or computer processes.
Valuable information: Information of significant financial value to One-Health Hospital or another party.

