PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Transcription

1 PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC APPROVAL AUTHORITY: President, CHSi GARY G. PALMER /s/ OPR: Director, Information Security NUMBER: ISSUED: VERSION: APRIL THOMAS P. DELAINE JR. /s/ 1.0 TITLE: INFORMATION SECURITY INCIDENT RESPONSE PROGRAM 2.0 PURPOSE: The Purpose of this document is to protect CHSi ( the Company) information and to protect the information of others that might be affected by any adverse event that threatens the security and/or privacy of information resources. 3.0 SCOPE: This Procedure is an overarching requirements document and is applicable to CHSi employees and any subsidiaries, team member sub-contractors, affiliates and/or agents operating on behalf of the Company. 4.0 DEFINITIONS: (1) Information Security Incident Defined as any adverse event that could potentially threaten the security of information resources. Examples include but are not limited to theft, misuse of data, intrusions, hostile probes, and malicious software. These incidents pose the potential to become adverse events. (2) Adverse Event Includes compromises of integrity, denial of service, compromises of data sold or used in an unauthorized fashion, loss of accountability, or damage to any part of the information or information system. (3) In the s role, the Director of Information Security is to provide vision and leadership for developing and supporting security initiatives. Acting as (CSO), the Director of Information Security directs the planning and implementation of enterprise IT system, business operation, and facility defenses against security breaches and vulnerability issues. Page 1 of 5

2 This individual is also responsible for auditing existing systems, while directing the administration of security policies, activities, and standards. (4) User Anyone with authorized access to the organization s internal information or information systems. (5) System Administrator The System Administrator position involves running computer systems; they are the people responsible for running the system, or running some aspect of it. (6) Networking Manager/Administrator The network specialist and network analyst designate job positions of engineers involved in computer networks, the people who carry out network administration. (7) IT Security Department Responsible and accountable for ensuring that technical, procedural and administrative security measures exist to protect information held by CHSi. Duties within this include: developing and reviewing specific policies governing elements of overall information security; configuring, managing and monitoring systems that enforce security measures; the collection of security information, events and logs to facilitate management of security measures; responding to security incidents and adverse events of technical and administrative natures affecting the security of information, assets and networks. (8) Supervisor/Manager Responsible and accountable for the performance of tasks within CHSi contracts, hiring, training, and retaining personnel to assist in completing contractual obligations. Responsible for interacting with other managers, directors and executive leadership when areas within their expertise are called upon. Responsible for escalating events and incidents relating to information and information security that affect CHSi, employees, affiliates, and customers. (9) SIEM Security Information and Event Management system records, tracks, correlates security events and generates alerts upon security events having well-known patterns of abuse and attack. There is overlap between an IDS and SIEM. The SIEM also addresses the collection of routine management activity for the purposes of accountability and records retention. (10) IDS Intrusion Detection System is a device or software Page 2 of 5

3 application that monitors network or system activities for malicious activities or policy violations, logs information about them, and produces reports to a management station. There is overlap between an IDS and SIEM. The IDS addresses more types and patterns of system and network intrusion. (11) IPS Intrusion Prevention System expands upon the capability of IDS systems and attempts to stop an intrusion attempt raising alerts to bring in administrative and management personnel. (12) Breach An incident in which protected or confidential data has potentially been viewed, stolen or used by an individual(s) unauthorized to do so. (13) Confidential Information Information that is critical to CHSi s ongoing operations and could seriously impede or disrupt them if shared internally or made public. This also includes Information belonging to or pertaining to another company which has been entrusted to CHSi and governed by non-disclosure agreements and/or a contract. 5.0 COMPLIANCE DOCUMENTS: (1) Employee Handbook (2) Company Policies and Procedures (3) International, Federal, State and Local Laws 6.0 QUALITY RECORDS: Title Preliminary Incident Reports Final Incident Reports Event Logs Investigation Reports Audit Reports Responsible Organization or Office Supervisor/Manager User/System Administrator Retention Period Indefinitely Indefinitely Page 3 of 5

4 7.0 PROCEDURE: 7.1 GENERAL STATEMENT: CHSi must be able to respond to computer security-related incidents in a manner that protects its own information and helps to protect the information of others that might be adversely affected by the incident. 7.2 ORGANIZATION S POSITION: CHSi s IT Security Department has established a Security Information and Event Management (SIEM) system as well as an Intrusion Detection and Prevention System (IDS/IPS). CHSi has established tools and processes to assist in the handling of customer data breaches that address the unique laws of the Federal and State governments. The CHSi IT Security Department will comprise the core of a team to respond to adverse events and security incidents, including theft, misuse of data, intrusions, hostile probes, and malicious software. 7.3 SECURITY INCIDENT STEPS: (1) The User will notify the CSO and their direct supervisor/manager of an actual or possible incident as soon as identified. (2) The User will file an incident report via the applicable reporting system within one (1) business day. (3) The CSO will provide management oversight of the process for handling all computer security incidents. The CSO will work with the user, supervisor/ manager, system administrators, and the network manager/administrator, as applicable, to investigate the incident and formulate a response plan. (4) The CSO will inform Company Senior Management of significant incidents (major compromise of data, denial of service). (5) The CSO will inform the contract representative within the appropriate timeframe, as defined in their respective contracts. (6) If the incident involves PII/PHI, the appropriate supervisor/manager will contact the affected individual via telephone to inform him/her of the incident. (7) Written notification with credit monitoring instructions will be placed in the U.S. Mail by the CSO or designee within three working days after the affected individual has been notified. (8) If necessary and as applicable, the CSO will work with law enforcement. (9) The CSO will determine if incident follow-up and remedial action is needed. Page 4 of 5

5 (10) The CSO will submit a final report to Company Senior Management and contract representative. (11) The CSO will inform the U.S. Computer Emergency Readiness Team (US-CERT), as applicable. 7.4 POINTS OF CONTACT: (1) Located in the Corporate Office. 8.0 CHANGE RECORD: (1) September 2006: Basic Document. No changes necessary at this time. (2) Version 2 (Rev. 1); March 2015: Major revisions to document to include the following: Changed CHS to CHSi. Changed Computer Security Incident to Information Security Incident. Added definitions for IT Security Department, Supervisor/Manager, SIM, IDS and IPS. Revised the Company Position. Replaced Roles and Responsibility, Compliance, Supplementary Information and Points of Contact with Security Incident Steps. Page 5 of 5