INFORMATION TECHNOLOGY POLICY

Similar documents
State of Rhode Island Department of Administration Division of Information Technol

Colocation Service Terms

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

01.0 Policy Responsibilities and Oversight

PHYSICAL & ENVIRONMENTAL PROTECTION GUIDE

Information Security Incident Response and Reporting

Standard: Data Center Security

1. Policy Responsibilities & Oversight

The Common Controls Framework BY ADOBE

Standard CIP Cyber Security Physical Security

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

INFORMATION ASSURANCE DIRECTORATE

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

The University of British Columbia Board of Governors

SPRING-FORD AREA SCHOOL DISTRICT

Virginia Commonwealth University School of Medicine Information Security Standard

SECURITY & PRIVACY DOCUMENTATION

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

Information Services IT Security Policies L. Network Management

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Handbook Webinar

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Standard CIP Cyber Security Critical Cyber Asset Identification

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Standard CIP Cyber Security Critical Cyber Asset Identification

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Data Center Access Policies and Procedures

Standard CIP-006-3c Cyber Security Physical Security

Information Security Policy

RMU-IT-SEC-01 Acceptable Use Policy

Bring Your Own Device Policy

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

EXHIBIT A. - HIPAA Security Assessment Template -

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Standard CIP-006-4c Cyber Security Physical Security

STANDARD OPERATING PROCEDURE Critical Infrastructure Credentialing/Access Program Hurricane Season

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

April Appendix 3. IA System Security. Sida 1 (8)

Standard CIP 004 3a Cyber Security Personnel and Training

Ohio Supercomputer Center

Physical and Environmental Security Policy Document Number: OIL-IS-POL-PES

ecare Vault, Inc. Privacy Policy

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Trust Services Principles and Criteria

HIPAA Federal Security Rule H I P A A

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

NYDFS Cybersecurity Regulations

Data Processing Amendment to Google Apps Enterprise Agreement

SOUTHERN CALIFORNIA EDISON COMPANY

TITLE: HIE System Audit

Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice

Cellular Site Simulator Usage and Privacy

Standard CIP-006-1a Cyber Security Physical Security

Department of Public Health O F S A N F R A N C I S C O

Postal Inspection Service Mail Covers Program

Apex Information Security Policy

Mobile Application Privacy Policy

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Standard CIP Cyber Security Physical Security

Enterprise Income Verification (EIV) System User Access Authorization Form

Security Standards for Electric Market Participants

Juniper Vendor Security Requirements

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Website Privacy Policy

Physical and Environmental Security Standards

Private Sector Clearance Program (PSCP) Webinar

Employee Security Awareness Training Program

Putting It All Together:

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

TABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII.

MNsure Privacy Program Strategic Plan FY

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

NYSVMS WEBSITE PRIVACY POLICY

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Centeris Data Centers - Security Procedure. Revision Date: 2/28/2018 Effective Date: 2/28/2018. Site Information

Cyber Security Program

1 Privacy Statement INDEX

SALT RIVER PROJECT STANDARDS OF CONDUCT AND WRITTEN PROCEDURES FOR COMPLIANCE WITH FERC ORDER 717 February 11, 2009

CYBER SECURITY POLICY REVISION: 12

NMHC HIPAA Security Training Version

CTI BioPharma Privacy Notice

Overview of Presentation

Emsi Privacy Shield Policy

Oracle Data Cloud ( ODC ) Inbound Security Policies

DRAFT. Standard 1300 Cyber Security

Transcription:

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT OF HUMAN SERVICES, INSURANCE AND AGING INFORMATION TECHNOLOGY POLICY Name Of Policy: Physical and Environmental Security Policy Domain: Security Date Issued: 06/09/11 Date Revised: 04/24/17 Number: POL-SEC008 Category: Issued By Direction Of: Sandra Patterson, CIO Bureau of Information Systems

Table of Contents 1 Introduction... 3 1.1 Purpose... 3 1.2 Scope... 3 1.3 Compliance... 3 1.4 Exemptions... 3 1.5 Policy Review and Update... 3 2 Physical and Environmental Security Policy... 3 2.1 Fire Protection, Temperature and Humidity Controls... 3 2.2 Emergency Shutoff / Power... 5 3 Appendix... Error! Bookmark not defined. 3.1 References... 5 Document History Version Date Author Status Notes 1.0 06/09/2011 David Johnson Draft Initial creation 2.0 06/23/2011 David Johnson Draft Revised per Tom Zarb review 2.1 10/11/2013 Pamela Skelton Baseline Revised per Pamela Skelton review 2.2 04/24/2017 John Miknich Update Annual Revision Department of Human ServicesHuman Services Page 2

1 Introduction 1.1 Purpose This policy establishes requirements for the implementation of physical and environmental safeguards to adequately protect Department of Human Services (DHS) personnel, property and information resources from unauthorized physical intrusion and other physical threats. This policy also addresses compliance with applicable DHS, Commonwealth of Pennsylvania (CoPA) and federal requirements. 1.2 Scope All DHS employees, contractors and business partners are responsible for understanding and complying with this policy. 1.3 Compliance All DHS employees, contractors and other stakeholders are expected to be familiar with and comply with this policy. Violations of this policy may lead to revocation of system privileges and/or disciplinary action. DHS employees who knowingly and willfully violate DHS, Commonwealth or federal law addressing improper use or disclosure of an individual s information may be subject to criminal investigation and prosecution or civil monetary penalties. 1.4 Exemptions Requests for exemption to the policy should be submitted to the Chief Information Security Officer (CISO). Any exceptions granted will be issued a policy waiver for a defined period of time. 1.5 Policy Review and Update This document, and its supporting standards and procedures, will be reviewed annually, and updated as needed. 2 Physical and Environmental Security Policy Physical security represents the first line of defense against intruders and adversaries attempting to gain access to DHS facilities and/or information systems. Physical security restricts the entry and exit of personnel from protected areas, and protects sensitive data and systems. Environmental safety and security provides safeguards for fire safety, building environment, utilities, and other safeguards for the protection of DHS personnel, facilities and information resources. a. The physical security of DHS facilities, including facilities containing information resources, shall be managed per the following Commonwealth and DHS policies and standards: : Willow Oak Building Security. CoPA Policy: General Order 41, Security for Commonwealth Owned/Controlled Buildings, Property, Employees and Visitors CoPA Standards: Minimum Standards for Improving Physical Security Access (ITB-SEC029) 2.1 Physical Access Physical Access is the enforcement of a set of rules that govern physical access authorizations at DHS. Effective physical access control is critical to verifying individual access authorizations before granting access to DHS facilities. Department of Human ServicesHuman Services Page 3

a. DHS shall authorize physical access to the facility where the information system resides based on roles and responsibilities. b. DHS shall require two (2) approved forms of identification before granting access to the facility where the information system resides. c. The organization shall restrict unescorted access to the facility where the information system resides to personnel lacking sufficient security clearances and / or appropriate credentials. d. Physical access authorizations shall be enforced to the information system in addition to physical access controls to DHS facilities. e. Every physical access point to DHS facilities shall be equipped with at least alarms and/or guards where the information system resides, twenty-four (24) hours per day, seven (7) days per week. f. DHS shall monitor physical intrusion alarms and surveillance equipment and employ centralized mechanisms to recognize the types of intrusions and initiate appropriate response actions. 2.2 Power Equipment and Cabling Power equipment and cabling relate to the types of protection necessary to effectively protect equipment and cabling both internal and external to organizational facilities and environments of operation against damage and destruction. a. DHS shall employ power cable redundancy paths that are physically separated and automatic voltage controls for critical information system components. 2.3 Fire protection, Water damage protection and Temperature and humidity Controls Fire protection, water damage protection and temperature and humidity controls represents the minimum requirements needed to protect DHS information system and its personnel against fire, water damage and temperature and humidity abnormal levels. Fire Protection a. DHS Information system shall employ and maintain fire suppression and detection systems supported by an independent source of energy (e.g., handheld fire extinguishers, smoke detectors, sprinkler systems and fixed fire hose wheels) b. In the event of a fire, those fire suppression and detection systems shall be activated automatically to notify the organization and proper emergency responders. c. DHS shall employ automatic fire suppression capability when the facility is not staffed on a continuous basis. Water Damage Protection a. DHS shall employ automated centralized mechanisms to detect the presence of water in the information system and alerts the CISO. Temperature and Humidity Controls a. DHS shall define the acceptable temperature and humidity levels within the facility where the information system resides b. The frequency to monitor temperatures and humidity levels shall be defined. c. The organization shall then monitor the temperature and humidity with the organization-defined frequency Department of Human ServicesHuman Services Page 4

2.4 Emergency Shutoff / Power / Lighting DHS information system has established appropriate controls in the event of a primary power source loss or power outage / disruption. Emergency Shutoff a. In emergency situations, DHS shall provide the capability of shutting off power to either the information system or individual system components. Emergency Power a. In the event of a primary power source loss, DHS organization shall provide the following: A short-term uninterruptible power supply to facilitate an eventual orderly shutdown of the information system. A long-term self-contained, alternate power supply for the information system that is capable of maintaining minimally required operational capability Emergency Lighting a. In the event of a power outage or disruption, DHS Information system shall employ and maintain an automatic emergency lighting to cover emergency exits and evacuation routes within DHS facilities. 2.5 Monitoring Physical Access a. DHS shall review physical access logs every at least once every two (2) months. 3 Appendix 3.1 References Document DHS Web Application Privacy Standard Health Insurance Portability and Accountability Act (HIPAA) Privacy Implementation Handbook Source DHS DHS Department of Human ServicesHuman Services Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback