Department of Public Health O F S A N F R A N C I S C O
|
|
- Caroline McBride
- 6 years ago
- Views:
Transcription
1 PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: CISSPCISSP/C Distribution: DPH-wide Other: n/a phil.mcdown@sfdph.org 1. POLICY INTENT The document establishes the policy for digital wireless network devices used to receive and transmit information at San Francisco Department of Public Health (SFDPH) facilities. It defines standards and guidelines for measures to protect SFDPH resources and data from security threats associated with digital wireless transmission and reception, to improve incident response for wireless issues and regulate access to and from the SFDPH Enterprise Network. This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The sections that relate to Wireless Network Devices (as a subset of Network Security in general) are CFR (b) and (c), the 2010 HITECH act specifies the Federal enforcement and penalty aspects of this policy. Inclusion by Reference: This policy is an annex to the SFDPH Data Network Policy, the Portable Computer Device and Radio Frequency Transmission policies. All of the principles, standards, guidelines and responsibilities described in these Policies are included as part of this document by reference. The purpose of this document is to further extend, refine and define how Data Network Security, use and control principles apply in the wireless data transmission context. For information on policy and standards for secure remote access to the SFDPH Data Network, refer to the Remote Access Policy. For information on policy and standards for secure access and use of wireless devices and for security of information stored in wireless devices, refer to the Workstation Policy and the Portable Computer Policy. Wireless connectivity cannot be guaranteed. Frequency conflicts and signal interference can have a negative effect on the integrity of health information and telemetry that is transmitted wirelessly. Although this is a SFDPH security issue, technical and broader management considerations require that the issues of permissible use, frequency management and assignment to mitigate interference, among wireless technologies be addressed in a separate City-wide Wireless Access Controls policy or section, which is beyond the scope of this document.
2 PAGE 2 of 7 DEFINITIONS: Due to advances in portable wireless capabilities (e.g., smart phones, palm tops, smart pads and laptops) with the capability to both transmit digitally on the 3-4 Giga Hertz bands (3G and 4G) and to act as wireless access points (WAPs) it is necessary to distinguish between this capability, referred to hereinafter as Wi-Fi and lower radio-frequency voice communications (<2.9 GHz) used for on-site communications, telemetry, emergency communications, vehicle dispatch etc. This is referred to hereinafter as RF. For specific policy statements regarding these voice and fixed physical location devices, see the DPH RF Transmission Policy. 2. POLICY STATEMENTS 2.1. Planning and Approval: All systems intended to or actually connected, either physically or wirelessly, to the SFDPH Network are subject to the planning and approval process as defined in the Network Security Policy, Facilities Planning policies and DPH RF Transmission policy and such other SFDPH policies as apply. Refer to the requirements for review and approval by other divisions and departments in the Data Network Policy. For Wi-Fi devices, this may take the form of blanket guidelines for portable Wi-Fi, enforced only for those devices which actually store or transmit PHI Wireless technology will only be used where appropriate Wi-Fi technology will not be used in areas where its emissions will interfere with the function of patient care technology, communications and equipment Wi-Fi technology, regardless of frequency emitted, will not be used as the primary or sole form of network connection in any system where failure of the wireless technology will have serious consequences such as impairing safety, patient care, critical operational functions etc The use of privately owned Wi-Fi devices for personal communications and Web access is permitted in SFDPH facilities, except where they violate section above, If a Wi-Fi device is to be used in the business context to access, transmit or store PHI or other restricted SFDPH data - permission to do so must be obtained in advance from the user s management for such use Documentation of such permission must be recorded and signed in hard copy.
3 PAGE 3 of A signed Confidentiality or other Appropriate Use agreement may be required before such permission is granted Specific device safeguards, such as password use and/or encryption may also be explicitly required in such cases Frequency and Deployment Rules All provisions of this policy are in addition to the requirements of the overall SFDPH Enterprise and CCSF RF Frequency Assignment, Deployment and Conflict Resolution policies and/or guidelines. Where the provisions of this policy and the SFDPH Enterprise or CCSF policies are in conflict, the SFDPH Enterprise or CCSF Policy takes precedence over this policy Registration and Inspection of Wi-Fi Devices All Wi-Fi network access points and Wi-Fi devices which will communicate with the SFDPH network(s) are subject to section and its subsections DPH-IT will establish general risk mitigation strategies for access points, users, client and portable devices, and standards for encryption, virus protection, password setting, signal interception avoidance and other preventative measures Staff must be made aware that many of their Wi-Fi devices (e.g., Smart Phones, Note Pads, Laptops etc.), are capable of functioning as a Wireless Access Point for non- SFDPH devices, as well as operating as network connected devices within SFDPH facilities. Those devices that are expected to be used on an SFDPH campus should be examined by DPH-IT staff for proper encryption and access control applications (e.g. WEP) and been registered as an approved Access Points (see and below) prior to being used on the job. Devices used for storing and transmitting PHI and other SFDPH critical information fall under the SFDPH Workstation, Network, Encryption, Portable Storage Media and Portable Computing Device Policies Prior to deployment, physically fixed wireless access points must meet the current DPH- IT RF security standards and have their MAC addresses added to the appropriate access control tables. What should we require for portable device WAPs? Only approved, inspected and registered Wi-Fi device access points are permitted for deployment within the SFDPH.
4 PAGE 4 of SFDPH will monitor networks for connection of unregistered (rogue) Wi-Fi devices attempting to access sensitive information or applications When detected, unapproved (rogue) devices will be removed from service by DPH-IT, and the person(s) responsible for the devices may be subject to disciplinary action. Isn t this section totally futile in the growing BYOD environment? 2.5. Management and Security of Access Points: Physical Security: Wi-Fi access points shall be properly secured within a safe, adequately monitored space to prevent theft, unauthorized access and physical tampering Portable access points must be secured in accordance with the Portable Computer Policy s requirements and guidelines Loss or theft of portable devices with Access point and/or transmission capability, which have been used to process SPDPH PHI on the job, must be reported in compliance with the Portable Computing Device policy Configuration Management: All Wi-Fi devices which store or transmit restricted data must be secured using a password that complies with the requirements in the SFDPH Password Policy. If this is not possible due to technological limitations of the Wi-Fi device, the strongest security measures available for that device shall be used Administrators must ensure that all vendor default usernames and passwords have been removed from devices as part of the registration process Broadcast Interference: SFDPH reserves the right to limit or control the signal strength and propagation of any Wi-Fi devices that are found to interfere with essential RF activities (see section 2.2.1) Broadcast Security and Encryption: DPH-IT will provide and maintain an up-to-date standards list that will include approved Wi-Fi technologies, current minimum encryption standards, and best practices for secure use.
5 2.8. Access to SFDPH Facilities and Data PAGE 5 of Once a device is inspected and authenticated; users and devices may be limited to routing access only within DFH networks as needed under their job requirements. Just as with a RF or wired network, SFDPH network authentication must satisfy prescribed login/password standards before using SFDPH resources that are not normally accessible by nodes outside the SFDPH firewalls Access control mechanisms such as firewalls should be deployed to separate unauthorized Wi-Fi networks from any network with the ability to access PHI As the technology permits, Wi-Fi devices should employ a combination of layered authentication methods and on-the-device data encryption to protect sensitive, proprietary and patient information Identity Authentication shall require at least two factors beyond a device s registration code: such as the user s logon/id code and password New Technologies not Explicitely Covered in this Policy: All newly deployed Wi-Fi technologies must satisfy all existing and future standards as required by law or established by DPH-IT before being approved for use within SFDPH facilities.. STANDARDS AND GUIDELINES 3. RESPONSIBILITIES 3.1. SFDPH Executive Management: Approves policy, standards and guidelines for the use of Wi-Fi access to the SFDPH Data Network Directs the development and deployment of training in the appropriate and secure use of Wi-Fi devices The SFDPH CIO/CISO is responsible for: Advocating and supporting DPH-IT Wi-Fi security needs, concerns and projects to Chief Officer and Division Director level Senior management
6 PAGE 6 of Implementing SFDPH-wide policy for Wi-Fi devices and is ultimately responsible for the safety and security of the SFDPH Enterprise Network. The SFDPH CIO or designee must approve all exceptions to this policy Development, deployment and maintenance of policies for appropriate and secure use of Wi-Fi network devices Directing the development and promulgation of training and orientation materials to enable and encourage employee awareness of the security problems and issues involved in the use of Wi-Fi devices Directing the monitoring, and analysis of the state of compliance and risk-management of existing programs and procedures DPH-IT: Develops and supports standards and procedures for the centralized registration of authorized devices and access points Develops and supports the procurement, implementation and maintenance of datanetwork wireless intrusion and unauthorized use prevention technologies Will resolve any conflicts between wireless devices in accordance with the guidelines in the San Francisco City Department of Technology and County and SFDPH Wireless Frequency Management Policy. Priority is granted to fully supported and registered installations, except as appropriate in the case of medical, safety, or emergency devices Supports or performs the regular scanning of the Radio Frequency spectrum at all SFDPH sites for vulnerable and/or unregistered wireless devices and will coordinate response with the SFDPH Technical Team in the event of a possible system intrusion or compromise (Organization to be determined) is responsible for: Maintaining the list of acceptable Voice RF frequencies and wireless technologies Assignment of voice communication frequencies and allocation of channels to individual sites Resolving conflicts between incompatible wireless devices.
7 PAGE 7 of Conducting periodic spectrum analysis to assess the potential impact of electromagnetic interference (EMI) from transmitters and the impact of electromagnetic emissions from wireless devices. 4. PENALTIES FOR VIOLATIONS: 4.1. County of San Francisco General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written contract and criminal penalties provided for in the applicable laws and regulations Trusted Workforce Member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations. 5. EXAMPLES AND ATTACHMENTS: 5.1. Policies to be Included or Developed: Obtaining Authorization to use a personal Wi-Fi Device for business purposes within a SFDPH network environment.
Department of Public Health O F S A N F R A N C I S C O
PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationThis regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.
UAR NUMBER: 400.01 TITLE: Wireless Network Policy and Procedure INITIAL ADOPTION: 11/6/2003 REVISION DATES: PURPOSE: Set forth the policy for using wireless data technologies and assigns responsibilities
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationDepartment of Public Health
PAGE 1 of 13 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide
More informationPOLICY 8200 NETWORK SECURITY
POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationWireless Network Policy and Procedures Version 1.5 Dated November 27, 2002
Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002 Pace University reserves the right to amend or otherwise revise this document as may be necessary to reflect future changes made
More informationUTAH VALLEY UNIVERSITY Policies and Procedures
Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information
More informationWireless Network Standard
Last Modified: 10/20/15 Wireless Network Standard Purpose The standard and guidelines described in this document will ensure the uniformity of wireless network access points at the University of Georgia.
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationAcceptable Use Policy
Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information
More informationIT ACCEPTABLE USE POLICY
CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationUC Santa Cruz Wireless Access Policy
UC Santa Cruz Wireless Access Policy VERSION: 1.4 STATUS: DRAFT DATE: 26 APRIL 2004 STEWARD: Director, Network & Telecommunications Services Tad Reynales AUTHORITY: Vice-Provost, Information Technology
More informationISSP Network Security Plan
ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...
More informationSecurity and Privacy Breach Notification
Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains
More informationTexas Health Resources
Texas Health Resources POLICY NAME: Remote Access Page 1 of 7 1.0 Purpose: To establish security standards for remote electronic Access to Texas Health Information Assets. 2.0 Policy: Remote Access to
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationPutting It All Together:
Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationRMU-IT-SEC-01 Acceptable Use Policy
1.0 Purpose 2.0 Scope 2.1 Your Rights and Responsibilities 3.0 Policy 3.1 Acceptable Use 3.2 Fair Share of Resources 3.3 Adherence with Federal, State, and Local Laws 3.4 Other Inappropriate Activities
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationWHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches
More informationWireless Security Access Policy and Agreement
Wireless Security Access Policy and Agreement Purpose The purpose of this policy is to define standards, procedures, and restrictions for connecting to Fort Valley State University s internal network(s)
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationSTATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain
More informationAccess to University Data Policy
UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public
More informationHIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationInformation Technology Standards
Information Technology Standards IT Standard Issued: 9/16/2009 Supersedes: New Standard Mobile Device Security Responsible Executive: HSC CIO Responsible Office: HSC IT Contact: For questions about this
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationGM Information Security Controls
: Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationHow To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation
How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationInformation Security Data Classification Procedure
Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations
More informationFLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM
FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM END USER SECURITY POLICY MANUAL 1 INTRODUCTION... 3 2 INFORMATION USAGE AND PROTECTION... 3 2.2 PROTECTED HEALTH INFORMATION...
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationOhio Supercomputer Center
Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
More informationSample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.
Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationCriminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud
Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains
More informationNOTE: The first appearance of terms in bold in the body of this document (except titles) are defined terms please refer to the Definitions section.
TITLE MOBILE WIRELESS DEVICES AND SERVICES SCOPE Provincial APPROVAL AUTHORITY Alberta Health Services Executive SPONSOR Information Technology PARENT DOCUMENT TITLE, TYPE AND NUMBER Not applicable DOCUMENT
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationCOMMENTARY. Information JONES DAY
February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States
More informationComplying with RBI Guidelines for Wi-Fi Vulnerabilities
A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines
More informationAuditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC
Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationTABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII.
Page 1 of 1 TABLE OF CONTENTS SECTION PAGE I. Policy 2 II. Authority 2 III. Supportive Data 2 IV. Signature Block with Effective Date 3 V. Definitions 3 VI. Protocol 4 VII. Procedure 4 VIII. Distribution
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationTerms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.
Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity
More informationEC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led
EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led Certification: Certified Network Defender Exam: 312-38 Course Description This course is a vendor-neutral, hands-on,
More informationCellular Site Simulator Usage and Privacy
Policy 609 Cellular Site Simulator Usage and Privacy 609.1 PURPOSE AND SCOPE The purpose of this policy is to set guidelines and requirements pertaining to cellular site simulator technology usage and
More informationStandard For IIUM Wireless Networking
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA (IIUM) Document No : IIUM/ITD/ICTPOL/4.3 Effective Date : 13/11/2008 1.0 OBJECTIVE Standard For IIUM Wireless Networking Chapter : Network Status : APPROVED Version
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationHIPAA Security Rule Policy Map
Rule Policy Map Document Information Identifier Status Published Published 02/15/2008 Last Reviewed 02/15/1008 Last Updated 02/15/2008 Version 1.0 Revision History Version Published Author Description
More informationData Backup and Contingency Planning Procedure
HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage
More informationStandard for Security of Information Technology Resources
MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationImplementing an Audit Program for HIPAA Compliance
Implementing an Audit Program for HIPAA Compliance Mike Lynch Fifth National HIPAA Summit November 1, 2002 Seven Guiding Principles of HIPAA Rules Quality and Availability of Care Nothing in the proposed
More informationACCEPTABLE USE OF HCHD INTERNET AND SYSTEM
Page Number: 1 of 6 TITLE: PURPOSE: ACCEPTABLE USE OF HCHD INTERNET AND EMAIL SYSTEM To establish the guidelines for the use of the Harris County Hospital District s Internet and email system. POLICY STATEMENT:
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each
More informationMobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services
Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the
More informationNational Information Assurance (IA) Policy on Wireless Capabilities
Committee on National Security Systems CNSS Policy No. 17 National Information Assurance (IA) Policy on Wireless Capabilities This document prescribes minimum standards. Your department or agency may require
More informationThe simplified guide to. HIPAA compliance
The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act
More informationWireless Communication Device Policy Policy No September 2, Standard. Practice
Standard This establishes the business need and use of cellular phones (hereinafter referred to as wireless communication devices ) as an effective means of conducting City of Richland business, and to
More informationDIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018
DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information
More informationIntegrating HIPAA into Your Managed Care Compliance Program
Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington,
More informationINFORMATION ASSET MANAGEMENT POLICY
INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives
More informationTherapy Provider Portal. User Guide
Therapy Provider Portal User Guide Page 2 of 16 UCare User Guide V1.7 Table of Contents I. Introduction...3 About HSM Therapy Management... 4 Terms of Use... 4 Contact Information... 6 II. Using the Therapy
More informationHIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED
HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within
More informationCell and PDAs Policy
Cell and PDAs Policy CHAPTER: 13 Information Services Department SECTION: 13 SUBJECT: Cell Phones and PDAs POLICY #: 13.13.00 Revised OFFICE/DEPARTMENT: Information Services EFFECTIVE DATE: October 1,
More informationTrust Services Principles and Criteria
Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?
More informationNERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS
NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements
More informationData Security and Privacy Principles IBM Cloud Services
Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer
More informationHIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE
164.502 Develop "minimum necessary" policies for: HIPAA PRIVACY RULE 164.514 - Uses 15 Exempts disclosure for the purpose of treatment from the minimum necessary standard. Page references for - Routine
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationWhat is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS
What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals
More informationResponsible Officer Approved by
Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT
More informationHIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst
HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!
More informationBring Your Own Device (BYOD) Policy
SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This
More informationHIPAA FOR BROKERS. revised 10/17
HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.
More informationFirewall Configuration and Management Policy
Firewall Configuration and Management Policy Version Date Change/s Author/s Approver/s 1.0 01/01/2013 Initial written policy. Kyle Johnson Dean of Information Services Executive Director for Compliance
More information