General Security Policy
Sample Information Security Policy

I. POLICY

A. It is the policy of ORGANIZATION XYZ that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.

B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within ORGANIZATION XYZ.
C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible.
Existing systems are expected to be brought into compliance where possible and as soon as practical.

II. SCOPE

A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.

B. The framework for managing information security in this policy applies to all ORGANIZATION XYZ entities and workers, and other Involved Persons and all Involved Systems throughout ORGANIZATION XYZ as defined below in INFORMATION SECURITY DEFINITIONS.

C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

III. RISK MANAGEMENT

A. A thorough analysis of all ORGANIZATION XYZ information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or man-made, electronic and non-electronic) that affect the ability to manage the information resource.
The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with their collection, storage, dissemination and protection. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.

B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the number and scope of the vulnerabilities.

IV. INFORMATION SECURITY DEFINITIONS

Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at ORGANIZATION XYZ, no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.

Involved Systems: All computer equipment and network systems that are operated within the ORGANIZATION XYZ environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the ORGANIZATION XYZ entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies or can be used to identify the individual.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

V. INFORMATION SECURITY RESPONSIBILITIES
A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of ORGANIZATION XYZ. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.
8. Reporting regularly to the ORGANIZATION XYZ Oversight Committee on the entity's status with regard to information security.
B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the ORGANIZATION XYZ Information Owner Delegation Form. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information, relying on advice from the Legal Department.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner.
Responsibilities may include:
1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
8. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

D. User Management: ORGANIZATION XYZ management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:
1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees' security record current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access of terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for training needed to properly use the computer systems.
6. Reporting promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Refer all disclosures of PHI (1) outside of ORGANIZATION XYZ and (2) within ORGANIZATION XYZ, other than for treatment, payment, or health care operations, to the applicable entity's Medical/Health Information Management Department. In certain circumstances, the Medical/Health Information Management Department policies may specifically delegate the disclosure process to other departments. (For further information, see ORGANIZATION XYZ Privacy/Confidentiality of Protected Health Information (PHI) Policy.)
4. Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.
5. Report promptly to the ISO the loss or misuse of ORGANIZATION XYZ information.
6. Initiate corrective actions when problems are identified.

VI. INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied depend on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes.
Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:

A. Protected Health Information (PHI)
1. PHI is information, whether oral or recorded in any form or medium, that:
a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and
b. relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
c. includes demographic data that permits identification of the individual or could reasonably be used to identify the individual.
2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to ORGANIZATION XYZ and its patients or research interests.
B. Confidential Information
1. Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for ORGANIZATION XYZ, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.

C. Internal Information
1. Internal Information is intended for unrestricted use within ORGANIZATION XYZ, and in some cases within affiliated organizations such as ORGANIZATION XYZ business partners. This type of information is already widely distributed within ORGANIZATION XYZ, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.

D. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of ORGANIZATION XYZ. Examples of Public Information may include marketing brochures and material posted to ORGANIZATION XYZ entity internet web pages.
2. This information may be disclosed outside of ORGANIZATION XYZ.

VII. COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of ORGANIZATION XYZ and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
A. Ownership of Software: All computer software developed by ORGANIZATION XYZ employees or contract personnel on behalf of ORGANIZATION XYZ or licensed for ORGANIZATION XYZ use is the property of ORGANIZATION XYZ and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.

B. Installed Software: All software packages that reside on computers and networks within ORGANIZATION XYZ must comply with applicable licensing agreements and restrictions and must comply with ORGANIZATION XYZ acquisition of software policies.

C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

D. Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by ORGANIZATION XYZ. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods:
1. Authorization: Access will be granted on a "need to know" basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The "external" factors might include time of day, location of the user, strength of user authentication, etc.
b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities.
Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
a. At least one of the following authentication methods must be implemented:
1. strictly controlled passwords (Attachment 1 – Password Control Standards),
2. biometric identification, and/or
3. tokens in conjunction with a PIN.
b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager.
c. An automatic timeout requiring re-authentication must be enforced after a certain period of no activity (maximum 15 minutes).
d. The user must log off or secure the system when leaving it.
3. Data Integrity: ORGANIZATION XYZ must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity:
a. transaction audit
b. disk redundancy (RAID)
c. ECC (Error Correcting Memory)
d. checksums (file integrity)
e. encryption of data in storage
f. digital signatures
4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks.
The following features must be implemented:
a. integrity controls and
b. encryption, where deemed appropriate
5. Remote Access: Access into the ORGANIZATION XYZ network from outside will be granted using ORGANIZATION XYZ approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the ORGANIZATION XYZ network.
6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:
a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:
1. Position workstations to minimize unauthorized viewing of protected health information.
2. Grant workstation access only to those who need it in order to perform their job function.
3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to PHI.
5. Use automatic screen savers with passwords to protect unattended machines.
d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
1. Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
2. Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
3. Access Control and Validation – Documented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
4. Maintenance Records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
7. Emergency Access:
a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
b. Procedures must be documented to address:
1. Authorization,
2. Implementation, and
3. Revocation

E. Equipment and Media Controls: The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specification must be addressed:
1. Information Disposal / Media Re-Use of:
a. Hard copy (paper and microfilm/fiche)
b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and
c. CD ROM Disks
2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefor.
3. Data Backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment.
F. Other Media Controls:
1. PHI and Confidential Information stored on external media (diskettes, CD-ROMs, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information. Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas.
2. PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:
a. Power-on passwords
b. Auto logoff or screen saver with password
c. Encryption of stored data or other acceptable safeguards approved by the Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
3. If PHI or Confidential Information is stored on external media or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of the ORGANIZATION XYZ Information Security Policies and Confidentiality Statement signed as a condition of employment or association with ORGANIZATION XYZ.

H. Data Transfer/Printing:
1. Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled.
Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Institutional Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities (see ORGANIZATION XYZ policy B-2 entitled "Business Associates").
2. Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PHI and Confidential Information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes should, where possible, be de-identified before use.

I. Oral Communications: ORGANIZATION XYZ staff should be aware of their surroundings when discussing PHI and Confidential Information. This includes the use of cellular telephones in public areas. ORGANIZATION XYZ staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.

J. Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.

K. Evaluation: ORGANIZATION XYZ requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.

L. Contingency Plan: Controls must ensure that ORGANIZATION XYZ can recover from any damage to computer equipment or files within a reasonable period of time.
Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following:
1. Data Backup Plan:
a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
b. Backup data must be stored in an off-site location and protected from physical damage.
c. Backup data must be afforded the same level of protection as the original data.
2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.

VIII. COMPLIANCE [§ 164.308(a)(1)(ii)(C)]

A. The Information Security Policy applies to all users of ORGANIZATION XYZ information including: employees, medical staff, students, volunteers, and outside affiliates.
Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable ORGANIZATION XYZ procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with ORGANIZATION XYZ procedures. Further, penalties associated with state and federal laws may apply.

B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
1. Unauthorized disclosure of PHI or Confidential Information as specified in the Confidentiality Statement.
2. Unauthorized disclosure of a sign-on code (user id) or password.
3. Attempting to obtain a sign-on code or password that belongs to another person.
4. Using or attempting to use another person's sign-on code or password.
5. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
6. Installing or using illegal software on ORGANIZATION XYZ computers.
7. The intentional unauthorized destruction of ORGANIZATION XYZ information.
8. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.

--- ATTACHMENT 1 ---

Password Control Standards

The ORGANIZATION XYZ Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). (See the ORGANIZATION XYZ Information Security Policy for the definition of these protected classes of information.) Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.

Standards for accessing PHI, CI, II:

Users are responsible for complying with the following password standards:
1. Passwords must never be shared with another person, unless the person is a designated security manager.
2. Every password must, where possible, be changed regularly (between 45 and 90 days depending on the sensitivity of the information being accessed).
3. Passwords must, where possible, have a minimum length of six characters.
4. Passwords must never be saved when prompted by any application, with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems.
5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children's names, pets' names, birthdays, etc.). A combination of alpha and numeric characters is more difficult to guess.

Where possible, system software must enforce the following password standards:
1. Passwords routed over a network must be encrypted.
2. Passwords must be entered in a non-display field.
3. System software must enforce the changing of passwords and the minimum length.
4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes.
5. System software must maintain a history of previous passwords and prevent their reuse.
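The system-enforced standards above (minimum length, dictionary and personal-term rejection, rotation, no reuse, and the lockout after more than three failures in 15 minutes for at least 30 minutes) are concrete enough to implement. The following Python is an added example written for this page; it is not part of the ORGANIZATION XYZ policy or of any product. Everything not stated in Attachment 1 is an assumption: the mapping of the 45-90 day rotation range onto PHI/CI/II, a 12-entry password history depth, PBKDF2-SHA256 as the stored hash, a substring match against a small constructed word list standing in for a real dictionary, and the account profile and timestamps used as test fixtures.

```python
"""Password Control Standards (Attachment 1) as enforcement code.

Added example: illustrative Python, not ORGANIZATION XYZ's policy text or any
real system. Thresholds marked "Attachment 1" come from the standards above;
everything else is an assumption chosen for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 6                 # Attachment 1, user standard 3
MAX_FAILURES = 3               # system standard 4: lock when MORE than 3 fail...
FAILURE_WINDOW_S = 15 * 60     # ...within a 15 minute window...
LOCKOUT_S = 30 * 60            # ...for at least 30 minutes
# Assumption: the 45-90 day range of user standard 2 mapped onto the classes.
MAX_AGE_DAYS = {"PHI": 45, "CI": 60, "II": 90}
HISTORY_DEPTH = 12             # assumption; standard 5 gives no depth
# Constructed stand-in for a real dictionary (user standard 6).
DICTIONARY = {"password", "welcome", "hospital", "letmein", "summer"}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256; the standard only says passwords must
    # never be recorded in a recoverable form.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    classification: str                 # "PHI", "CI" or "II"
    personal_terms: set                 # names, pets, birthdays (standard 6)
    history: list = field(default_factory=list)   # [(salt, digest)], newest last
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    changed_at: float = 0.0


def check_policy(acct: Account, candidate: str) -> list:
    """Return the names of the rules a candidate password violates (empty = OK)."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if any(word in low for word in DICTIONARY):
        problems.append("dictionary")
    if any(t.lower() in low for t in acct.personal_terms if len(t) >= 3):
        problems.append("personal")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("alphanumeric")
    # System standard 5: compare against the salted hashes of previous passwords.
    if any(hmac.compare_digest(_pbkdf2(candidate, salt), digest)
           for salt, digest in acct.history):
        problems.append("reuse")
    return problems


def set_password(acct: Account, candidate: str, now: float) -> bool:
    """Accept a new password only if it passes every rule; keep a bounded history."""
    if check_policy(acct, candidate):
        return False
    salt = os.urandom(16)
    acct.history.append((salt, _pbkdf2(candidate, salt)))
    acct.history = acct.history[-HISTORY_DEPTH:]
    acct.changed_at = now
    return True


def password_expired(acct: Account, now: float) -> bool:
    """User standard 2 / system standard 3: rotation forced per classification."""
    return (now - acct.changed_at) / 86400 > MAX_AGE_DAYS[acct.classification]


def authenticate(acct: Account, attempt: str, now: float) -> str:
    """Return 'ok', 'expired', 'bad' or 'locked'; implements system standard 4."""
    if now < acct.locked_until:
        return "locked"                      # still inside the 30 minute lockout
    salt, digest = acct.history[-1]
    if hmac.compare_digest(_pbkdf2(attempt, salt), digest):
        acct.failures.clear()
        return "expired" if password_expired(acct, now) else "ok"
    # Drop failures older than the 15 minute window, then count this one.
    acct.failures = [t for t in acct.failures if now - t <= FAILURE_WINDOW_S] + [now]
    if len(acct.failures) > MAX_FAILURES:    # 4th consecutive failure in window
        acct.locked_until = now + LOCKOUT_S
        acct.failures.clear()
        return "locked"
    return "bad"
```

Two points worth noticing. The reuse check works only because the history holds salted hashes rather than plaintext, which is what user standard 5 (never record passwords anywhere) also requires of the system side; a history of plaintext passwords would itself be Confidential Information under section VI. And the thresholds here are the attachment's minimums: a six-character floor and forced 45-90 day rotation sit well below what current guidance such as NIST SP 800-63B recommends (longer passwords, rotation only on evidence of compromise), so treat them as a floor, not a target.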