Executive Summary:
Information Security Program Charter:
Laws, Regulations, and Standards:
Corporate Mobility Policy:
Anti-Malware Policy:
Asset Identification and Classification Policy:
Privacy Policy:
Implementation, Enforcement, and Compliance Plan:
Executive Summary:
Information Security is a necessity for Health Insurance Company, Inc. (HIC, Inc.) to ensure the long-term security of members’ health records and financial records and the company’s overall ability to operate. HIC, Inc. must protect information cost-effectively, ensure the security of customers’ Personally Identifiable Information (PII) and Personal Health Information (PHI), and prevent the disclosure, modification, or destruction of information by unauthorized individuals. HIC, Inc. will implement a risk management approach to its Information Security Program. In doing so, HIC, Inc. will identify, assess, and mitigate vulnerabilities and threats to information at rest and in transit. The Information Security Program Charter will be the “keystone” document for the HIC, Inc. Information Security Program. Policies shall define the Information Security objectives in specific areas. Standards shall provide more detailed guidance in each policy area. Procedures shall describe how to implement the standards.
HIC, Inc. shall comply with United States and State of California laws, policies, standards, and procedures in order to address vulnerabilities and threats to information at rest and in transit. The Summary of Laws, Regulations, and Standards shall be used in the HIC, Inc. Information Security Program to ensure the long-term security of users’ and customers’ health records and financial records. These laws, regulations, and standards shall keep proprietary and sensitive information from being accessed by unauthorized users.
New restrictions on the corporate Bring Your Own Device (BYOD) policy shall be implemented. (Johnson, 2015) Employees may no longer transmit, store, or process PII and PHI on personally owned mobile devices, including but not limited to smartphones and tablets. (Barringer, 2018)
The Anti-Malware Policy defines HIC, Inc.’s standards on protecting the confidentiality, integrity, and availability of HIC, Inc. information, information systems, and networks against malicious programs being created, stored, and/or distributed across HIC, Inc.’s computers and networks. (Palmer, 2000)
The Asset Identification and Classification Policy and the Privacy Policy define HIC, Inc.’s standards on the identification and classification of data, and on the privacy of data at rest and in transit, to protect the confidentiality, integrity, and availability of HIC, Inc.’s information against improper and malicious handling of PII and PHI and to meet legal and business requirements. (Palmer, 2000); (Johnson, 2015)
The Implementation, Enforcement, and Compliance Plan defines HIC, Inc.’s company standards on the implementation, enforcement, and compliance of security policies to protect the confidentiality, integrity, and availability of HIC, Inc.’s information against improper and malicious handling of PII, PHI, and sensitive business information. (Palmer, 2000); (Johnson, 2015)
The HIC, Inc. Information Security Policy is necessary to ensure the confidentiality, integrity, and availability of information and information systems within the HIC, Inc. network. The Information Security Policy will also ensure that HIC, Inc. complies with State and Federal laws, regulations, and standards. The highest priority of HIC, Inc. must remain keeping customers’ sensitive data secure and confidential, which further enables HIC, Inc. to provide superior health care financial services to its customers.
Information Security Program Charter:
Information Security is a necessity for HIC, Inc. to ensure the long-term security of members’ health records and financial records and the company’s overall ability to operate. HIC, Inc. must protect information cost-effectively, ensure the security of customers’ PII and PHI, and prevent the disclosure, modification, or destruction of information by unauthorized individuals.
HIC, Inc. will implement a risk management approach to its Information Security Program. In doing so, HIC, Inc. will identify, assess, and mitigate vulnerabilities and threats to information at rest and in transit.
This Information Security Program Charter will be the “keystone” document for the HIC, Inc. Information Security Program. Policies shall define the Information Security objectives in specific areas. Standards provide more guidance in each policy area. Procedures shall describe how to implement the standards.
Scope:
This Information Security Program Charter shall apply to all employees, contractors, and all others employed to perform work on HIC, Inc. premises or those that have been granted access to HIC, Inc. information and/or systems.
Mission:
The Information Security Policy will protect information by developing policies that identify and classify information, define protection and management objectives, and define acceptable use of HIC, Inc. information and the information network. It shall reduce vulnerabilities by developing policies to assess, identify, prioritize, and manage vulnerabilities. It shall counter threats by developing policies to assess, identify, prioritize, and monitor threats. It shall ensure that the Charter and its policies, standards, guidelines, and procedures are understood through a security awareness education program. It will ensure that all applicable laws and regulations are adhered to at all times.
Ownership:
The Chief Information Officer (CIO) owns and is accountable for the Information Security Program. The CIO must approve all Information Security policies. The CIO will appoint the Chief Information Security Officer (CISO).
The CISO shall implement and manage the Information Security Program. The CISO is responsible for the creation of the Information Security policies, standards, and guidelines, and shall ensure they remain consistent with the Information Security policies. The CISO shall create the Information Awareness Education Program to ensure that all personnel are properly trained and informed on the policies, standards, guidelines, and procedures.
All personnel within HIC, Inc. are responsible for reading and understanding the Information Security Program Charter.
Coverage of the Policy:
Failure to adhere to the HIC, Inc. Information Security policies, standards, guidelines, and procedures can result in termination of employees and termination of contracts for non-employee personnel (contractors, consultants, etc.). Legal actions may also be taken for violations of applicable laws and regulations.
Exceptions must be submitted to the approval authorities stated in the policies, standards, and guidelines. Exceptions require written approval from an authorized approval authority.
The Information Security policies, standards, and guidelines shall be reviewed by the CISO annually.
Laws, Regulations, and Standards:
HIC, Inc. shall use a risk management approach to its Information Security Program. HIC, Inc. shall be in compliance with United States and the State of California laws, policies, standards, and procedures in order to address vulnerabilities and threats to information at rest and in transit.
This Summary of Laws, Regulations, and Standards shall be used in the Information Security Program at HIC, Inc. in order to ensure the long-term security of user and customer’s health records and financial records. These Laws, Regulations, and Standards shall keep proprietary and sensitive information from being accessed by unauthorized users.
Health Insurance Portability and Accountability Act (HIPAA) (Johnson, 2015)
The HIPAA law defines someone’s health record as PHI. PHI includes both digital and paper copies of health records. Electronic PHI (EPHI) is the electronic form of PHI records. (Johnson, 2015)
For security policies to be HIPAA-compliant, they must have the following key control requirements:
- Administrative safeguards – Refers to the formal security policies and procedures that map to HIPAA security standards, and to the governance of the security policies and the implementation of them.
- Physical safeguards – Refers to the physical standards of computer systems and the physical health records.
- Technical safeguards – Refers to the controls that use technology to protect information assets.
- Risk assessment – Refers to a standard requirement of a risk-based management approach to information security.
Health Facilities Data Breach – California Health & Safety Code section 1280.15 (Becerra, 2018) – This law requires certain health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information. It sets notification requirements and fines for breaches of patient medical information and requires facilities to report such breaches to the California Department of Public Health. (Becerra, 2018)
Medical Information Confidentiality – California Civil Code sections 56-56.37 (Becerra, 2018) – This law puts limits on the disclosure of patients’ medical information by medical providers, health plans, pharmaceutical companies, and many businesses organized for the purpose of maintaining medical information. It specifically prohibits many types of marketing uses and disclosures. It requires an electronic health or medical record system to protect the integrity of electronic medical information and to automatically record and preserve any change or deletion. (Becerra, 2018)
Sarbanes-Oxley (SOX) Act (Johnson, 2015)
It describes how a company should report earnings, valuations, corporate responsibilities, and executive compensation. The act is intended to improve the financial accuracy and public disclosure to investors. The purpose of SOX 404 is to require security policies and controls that provide confidence in the accuracy of the financial statements. Independent testing of controls is required. Executives are required to sign off quarterly that these controls meet SOX 404 requirements or explain why they did not. (Johnson, 2015)
These are endorsed frameworks that companies commonly use to meet SOX 404 requirements:
- Committee of Sponsoring Organizations (COSO) (Johnson, 2015) – This organization creates rules for implementing internal controls and governance structures. (Johnson, 2015)
- Control Objectives for Information and related Technology (COBIT) (Johnson, 2015) – The controls within COBIT cover a rich range of activities: strategic planning, governance, life cycle, implementation, production support, and monitoring. The COBIT framework fits into and supports the COSO framework, allowing COSO to focus on the business side while COBIT focuses on the IT side. If you implement the COBIT framework, you are most likely SOX 404-compliant. (Johnson, 2015)
Payment Card Industry Data Security Standard (PCI DSS) (Johnson, 2015)
It is a worldwide information security standard that describes how to protect credit card information. If you accept VISA, MasterCard, or American Express, you are required to follow PCI DSS. The standard applies to every organization that stores, processes, or exchanges cardholder information. (Johnson, 2015)
The standard requires an organization to have specific PCI DSS security policies and controls in place. Controls must be validated by a Qualified Security Assessor (QSA). Failing to validate, or failing the validation, can result in fines from the credit card companies. (Johnson, 2015)
To be compliant, you need to include these control objectives in your security policies and controls:
- Build and maintain a secure network – Refers to having specific firewall, system password, and other network-layer security controls.
- Protect cardholder data – Specifies how cardholder data is stored and protected. Also sets rules on the encryption of the data.
- Maintain a vulnerability management program – Specifies how to maintain secure systems and applications, including the required use of antivirus software.
- Implement strong access control measures – Refers to restricting access to cardholder data on a need-to-know basis. It requires physical controls in place and individual unique IDs when accessing cardholder data.
- Regularly monitor and test networks – Requires monitoring access to cardholder data. Also requires periodic penetration testing of the network.
- Maintain an information security policy – Requires that security policies reflect the PCI DSS requirements. Requires these policies are kept current and an awareness program is implemented.
Corporate Mobility Policy:
HIC, Inc. shall implement new restrictions on the corporate Bring Your Own Device (BYOD) policy. (Johnson, 2015) Employees may no longer transmit, store, or process PII and PHI on personally owned mobile devices, including but not limited to smartphones and tablets. All PII and PHI must be transmitted, stored, or processed on HIC, Inc. provided computers and mobile devices. (Barringer, 2018)
Failure to adhere to the HIC, Inc. Corporate Mobile Policy can result in termination of employment and termination of contracts for non-employee personnel. Legal actions may also be taken for violations of the applicable laws and regulations. Exceptions must be submitted in writing to the Chief Information Security Officer (CISO), and must be approved in writing by the CISO. (Barringer, 2018); (Johnson, 2015)
HIC, Inc. shall not allow any employee or non-employee personnel to use personal mobile devices, including but not limited to smartphones, tablets, and laptops, to transmit, store, or process PII and PHI. Furthermore, company e-mails must be accessed, transmitted, and stored only on HIC, Inc. issued devices and not on any personal devices, including but not limited to mobile phones, tablets, and laptops. (Barringer, 2018)
HIC, Inc. shall allow employee and non-employee personnel to access company e-mail accounts with HIC, Inc. issued mobile devices, to include but not limited to company issued smart phones, tablets, and laptops. Company issued devices are for official use only and may not be used for personal purposes or accessing corporate banned material. The appropriate use policy of the company mobile device allows employees and non-employee personnel to access personal e-mail, but not to use personal e-mail for any official or non-official corporate work. (Barringer, 2018)
HIC, Inc. shall allow employee and non-employee personnel to use personal mobile devices, to include but not limited to, smart phones, tablets, and laptops, to log into a Virtual Machine (VM) and access the HIC, Inc. corporate network to complete work and access PII and PHI after working hours. The VM software may be downloaded via the HIC, Inc. website and accessed with a corporate issued username and password.
Anti-Malware Policy:
This Anti-Malware Policy defines HIC, Inc.’s company standards on protecting the confidentiality, integrity, and availability of HIC, Inc. information, information systems, and networks against malicious programs being created, stored, and/or distributed across HIC, Inc.’s computers and networks. (Palmer, 2000)
I. Scope
This Anti-Malware Policy shall apply to all employees, contractors, and all other persons that are working for HIC, Inc. on premises, working remotely, and all persons granted access to HIC, Inc. information, information systems, and network systems. (Palmer, 2000), (SANS, 2014)
II. Objectives
All computers accessing HIC, Inc. networks must have HIC, Inc. standard, supported anti-malware software installed and scheduled to run at regular intervals. The anti-malware software must be updated regularly to ensure the most current updates are installed. Malware-infected computers must be removed from the network until they are verified to be malware-free. (SANS, 2014)
Any activities with the intention to create and/or distribute any type of malicious programs into HIC, Inc.’s network, to include but not limited to, viruses, worms, Trojan horses, e-mail bombs, are banned, in accordance with the Acceptable Use Policy. (SANS, 2014)
Any User that accesses the HIC, Inc. network on site or remotely may not use, or have installed on a HIC, Inc. computer or personal computer, anti-malware software from a vendor based in Russia or China, including but not limited to Kaspersky Labs, 360 Safeguard, Baidu, Qihoo, and Tencent. (Corera, 2017), (Rubenking, 2015)
HIC, Inc. will employ, maintain, and update an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) to further protect HIC, Inc.’s information assets, and networks from malicious software. The IDS/IPS shall not be from a Russian or Chinese based company. (Corera, 2017), (Rubenking, 2015)
III. Responsibilities
The CIO is the approval authority for the Anti-Malware Policy. (Palmer, 2000)
The CISO is responsible for the development, implementation, and maintenance of the Anti-Malware Policy and associated standards and guidelines. (Palmer, 2000)
The Administrators and Managers are responsible for creating procedures that ensure anti-malware software is run at regular intervals, and computers are verified to be malware-free. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)
IV. Policy Enforcement and Exception Handling
Failure to comply with the Anti-Malware Policy can result in disciplinary actions to include termination of employment for all persons working for or at HIC, Inc. Legal actions may also be taken under State and Federal regulations and laws. (Palmer, 2000), (SANS, 2014)
Requests for exceptions to the Anti-Malware Policy should be submitted in writing to the CISO. Exceptions shall be granted only in writing by the CISO. (Palmer, 2000)
V. Review and Revision
The Anti-Malware Policy shall be reviewed and revised in accordance with the Information Security Program Charter. (Palmer, 2000)
Asset Identification and Classification Policy:
This Asset Identification and Classification Policy defines HIC, Inc.’s standards on the identification and classification of data at rest and in transit to protect the confidentiality, integrity, and availability of HIC, Inc.’s information against improper and malicious handling of PII and PHI and to meet legal and business requirements. (Palmer, 2000); (Johnson, 2015)
I. Scope
This Asset Identification and Classification Policy is a mandatory policy that shall apply to all employees, contractors, and all other persons that are working for HIC, Inc. on premises, working remotely, and all persons granted access to HIC, Inc. information, information systems, and network systems. (Palmer, 2000); (SANS, 2014)
II. Objectives
All persons accessing HIC, Inc. information must follow the mandatory Asset Identification and Classification Policy that identifies and classifies all information at rest and in transit. All persons accessing HIC, Inc. information shall follow the HIC, Inc. Business Classification Scheme. Information must be regularly reviewed by administrators and managers to ensure proper classification.
HIC, Inc. Business Classification Scheme
The HIC, Inc. Business Classification Scheme has four levels of classification for all information: highly sensitive, sensitive, internal, and public. (Johnson, 2015)
Highly sensitive data refers to mission-critical data that includes PII, PHI, financial data, and legal data. (Johnson, 2015) Highly sensitive data shall be compartmentalized to further restrict access. Access to highly sensitive data will be continuously monitored, and only persons with a “need-to-know” shall have access to PII, PHI, financial data, and/or legal data. (Johnson, 2015) Users with authorization to access highly sensitive data are responsible for ensuring information is properly classified and compartmentalized. Users are also responsible for ensuring that highly sensitive data is not leaked into incorrect compartments. (Johnson, 2015) Authorized users who mishandle highly sensitive data are subject to disciplinary action, up to and including termination of employment. (Johnson, 2015)
Sensitive data refers to data that is important to the business but not vital to the mission. Sensitive data includes client lists, vendor information, and network diagrams. (Johnson, 2015) Access to sensitive data shall be monitored and restricted to only persons with a “need-to-know.” Sensitive data shall be further compartmentalized to ensure it remains on a “need-to-know” basis. (Johnson, 2015) Users with authorization to access sensitive data are responsible for ensuring information is properly classified and compartmentalized. (Johnson, 2015) Users are also responsible for ensuring that sensitive data is not leaked into incorrect compartments. Authorized users who mishandle sensitive data are subject to disciplinary action, up to and including termination of employment. (Johnson, 2015); (Palmer, 2000); (SANS, 2014)
Internal data refers to data that is not related to the core business. Internal data includes routine communications within HIC, Inc. Access to internal data is restricted to persons working for HIC, Inc. Internal data is readily available to employees and all other persons working for HIC, Inc., but is not releasable to the general public or any other persons outside of HIC, Inc. (Johnson, 2015) Access to internal data shall be monitored and restricted to only persons with a “need-to-know.” Internal data shall be further compartmentalized to ensure it remains on a “need-to-know” basis. (Johnson, 2015) Users with authorization to access internal data are responsible for ensuring information is properly classified and compartmentalized. (Johnson, 2015) Users are also responsible for ensuring that internal data is not leaked into incorrect compartments. Authorized users who mishandle internal data are subject to disciplinary action, up to and including termination of employment. (Johnson, 2015); (Palmer, 2000); (SANS, 2014)
Public data refers to data that has no negative impact on the business when it is released to the general public. (Johnson, 2015) Public data shall be released on the HIC, Inc. website and/or through an official HIC, Inc. press release. The CISO shall authorize what data may be released to the public and when. (Johnson, 2015) Authorized users who mishandle public data are subject to disciplinary action, up to and including termination of employment. (Johnson, 2015); (Palmer, 2000); (SANS, 2014)
III. Responsibilities
The CIO is the approval authority for the Asset Identification and Classification Policy. (Palmer, 2000)
The CISO is responsible for the development, implementation, and maintenance of the Asset Identification and Classification Policy and associated standards and guidelines. (Palmer, 2000)
The Administrators and Managers are responsible for creating procedures that ensure information at rest and in transit are properly identified and classified. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)
IV. Policy Enforcement and Exception Handling
Failure to comply with the Asset Identification and Classification Policy can result in disciplinary actions to include termination of employment for all persons working for or at HIC, Inc. Legal actions may also be taken under State and Federal regulations and laws. (Palmer, 2000), (SANS, 2014)
Requests for exceptions to the Asset Identification and Classification Policy should be submitted in writing to the CISO. Exceptions shall be granted only in writing by the CISO. (Palmer, 2000)
V. Review and Revision
The Asset Identification and Classification Policy shall be reviewed and revised in accordance with the Information Security Program Charter. (Palmer, 2000)
Privacy Policy:
This Privacy Policy defines HIC, Inc.’s standards on the privacy of data at rest and in transit to protect the confidentiality, integrity, and availability of HIC, Inc.’s information against improper and malicious handling of PII, PHI, and business data. (Palmer, 2000); (Johnson, 2015)
I. Scope
This Privacy Policy is a mandatory policy that shall apply to all employees, contractors, and all other persons that are working for HIC, Inc. on premises, working remotely, and all persons granted access to HIC, Inc. information, information systems, and network systems. (Palmer, 2000); (SANS, 2014)
II. Objectives
All persons accessing HIC, Inc. information must follow the mandatory Privacy Policy of all information at rest and in transit. Information must be regularly reviewed by administrators and managers to ensure the proper handling of PII, PHI, and business data.
PII of customers and employees requires privacy protection. PII is nonpublic personal information, including but not limited to full name, home address, email address, telephone number, social security number, credit card number, and bank account number. HIC, Inc. requires all employees, contractors, and all other persons with authorized access to follow the following privacy laws, regulations, standards, and requirements:
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to (1) protect the security and confidentiality of their consumers’ nonpublic personal information, (2) disclose their privacy policies to consumers, and (3) provide consumers with an opportunity to direct that the institution not share their nonpublic personal information with unaffiliated third parties. (Bosworth, 2014)
California SB 1386 requires “any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, [to] disclose any breach of the security system… to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” (Bosworth, 2014)
The California Financial Information Privacy Act gives consumers greater control over their personal information held by businesses, requires simple and understandable notices, and includes strong penalties. (Bosworth, 2014)
PHI on customers and employees requires privacy protection. PHI is nonpublic information about health care, health status, payments for health care, and any other patient health information. HIC, Inc. requires all employees, contractors, and all other persons with authorized access to follow the following privacy laws, regulations, standards, and requirements:
Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the establishment of standards to protect the privacy and confidentiality of individually identifiable health information. Key features include: providers and health plans are required to give patients a clear written explanation of how they will use, keep, and disclose information. Covered entities must provide patients with access to health care records. Permitted uses and disclosures of PHI must be limited to the minimum amount necessary to accomplish the purpose for which the information is being used. Disclosure logs must be kept that record each entity to which PHI has been disclosed. A provider or payer is not able to condition treatment, payment, or coverage on a patient’s agreement to the disclosure of PHI for other purposes. (Bosworth, 2014)
Patient Safety and Quality Improvement Act (PSQIA) established a voluntary reporting system designed to enhance the data available to assess and resolve patient safety and health care quality issues. To encourage the reporting and analysis of medical errors, PSQIA provides Federal privilege and confidentiality protections for patient safety information. (Bosworth, 2014)
Business data requires privacy protection. Business data is nonpublic information about the day-to-day processes and the strategic plans of HIC, Inc. Business data also includes, but is not limited to, client lists, vendor information, and network diagrams. (Johnson, 2015) HIC, Inc. requires all employees, contractors, and all other persons with authorized access to follow the following privacy laws, regulations, standards, and requirements:
The Electronic Communications Privacy Act (ECPA) prohibits unauthorized and intentional “interception” of wire, oral, and electronic communications during the transmission phase and unauthorized “accessing” of electronically stored wire or electronic communications. An email is an “electronic communication.” (Bosworth, 2014)
III. Responsibilities
The CIO is the approval authority for the Privacy Policy. (Palmer, 2000)
The CISO is responsible for the development, implementation, and maintenance of the Privacy Policy and associated standards and guidelines. (Palmer, 2000)
The Administrators and Managers are responsible for creating procedures that ensure the privacy of PII, PHI, and Business data at rest and in transit. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)
IV. Policy Enforcement and Exception Handling
Failure to comply with the Privacy Policy can result in disciplinary actions to include termination of employment for all persons working for or at HIC, Inc. Legal actions may also be taken under State and Federal regulations and laws. (Palmer, 2000), (SANS, 2014)
Requests for exceptions to the Privacy Policy should be submitted in writing to the CISO. Exceptions shall be granted only in writing by the CISO. (Palmer, 2000)
V. Review and Revision
The Privacy Policy shall be reviewed and revised in accordance with the Information Security Program Charter. (Palmer, 2000)
Implementation, Enforcement, and Compliance Plan:
This Implementation, Enforcement, and Compliance Plan defines HIC, Inc.’s company standards on the implementation, enforcement, and compliance of security policies to protect the confidentiality, integrity, and availability of HIC, Inc.’s information against improper and malicious handling of PII, PHI, and sensitive business information. (Palmer, 2000); (Johnson, 2015)
I. Scope
This Implementation, Enforcement, and Compliance Plan is a mandatory policy that shall apply to all employees, contractors, and all other persons that are working for HIC, Inc. on premises, working remotely, and all persons granted access to HIC, Inc. information, information systems, and network systems. (Palmer, 2000); (SANS, 2014)
II. Objectives
All persons accessing HIC, Inc. information must follow the mandatory Implementation, Enforcement, and Compliance Plan to ensure adherence to information security policies. Information security policies must be regularly reviewed by administrators and managers to ensure proper adherence to HIC, Inc. security policies.
Monitoring and Reporting
HIC, Inc. shall use automated systems, random audits, and departmental compliance reporting to ensure effective monitoring of HIC, Inc. user workstations and network systems. Furthermore, HIC, Inc. shall implement an overall organizational report card for policy compliance annually. The Microsoft Baseline Security Analyzer (MBSA) shall be used to query Microsoft systems within the HIC, Inc. network for common misconfigurations and missing security updates. HIC, Inc. shall also use Nessus to scan Unix systems on the network for vulnerabilities.
The HIC, Inc. Information Technology (IT) department shall, from time to time, perform random audits on the different departments to determine compliance with the HIC, Inc. Information Security Program Charter and supporting policies. The HIC, Inc. IT department shall deploy specialized security teams to regularly scan systems in the network and to randomly audit specific department resources. (Johnson, 2015)
The HIC, Inc. IT department shall produce annual organizational report cards for policy compliance. Each department shall receive a letter grade ranging from an A (the highest) to an F (the lowest, failing grade). Departments are required to maintain a C grade as the minimum standard. Departments shall be graded on patch compliance, security settings, and the number of unauthorized changes. (Johnson, 2015)
Communication
HIC, Inc. shall disseminate security policy information via company e-mail accounts and face-to-face presentations. Security managers shall write new security policy information and, upon approval of the CISO, disseminate it to the official company e-mail account of all HIC, Inc. personnel. Within two weeks of new security policy information being disseminated to HIC, Inc. personnel, the security managers shall conduct a face-to-face brief immediately followed by a question-and-answer session. Security managers shall annually conduct face-to-face security policy information briefs for each department within HIC, Inc. All face-to-face security policy information briefs must be reviewed and approved by the HIC, Inc. CISO.
Furthermore, all HIC, Inc. security policies shall be posted on the company Intranet for all personnel working in the company to access, read, and review as desired.
Training
HIC, Inc. employees, contractors, and all other persons working for HIC, Inc. must complete annual training to raise their understanding of the importance and value of security policies, and to help provide the skills necessary to comply with them. (Johnson, 2015) Employees must complete the Awareness Training online before gaining access to the HIC, Inc. network. The Awareness Training covers HIC, Inc. policies and core security concepts. (Johnson, 2015)
III. Responsibilities
The CIO is the approval authority for the Implementation, Enforcement, and Compliance Plan. (Palmer, 2000)
The CISO is responsible for the development, implementation, and maintenance of the Implementation, Enforcement, and Compliance Plan and associated standards and guidelines. (Palmer, 2000)
The Compliance Officer shall be responsible for ensuring HIC, Inc.’s monitoring adheres to applicable laws and regulations. (Johnson, 2015) The position of Compliance Officer within HIC, Inc. shall be held by the Senior IT manager, and must be approved by the CIO and CISO.
The Administrators and Managers are responsible for creating procedures that ensure the handling of information at rest and in transit adheres to the Implementation, Enforcement, and Compliance Plan. (SANS, 2014)
The Users are responsible for using the information, computers, and network systems only for the intended purposes, and for maintaining the confidentiality, integrity, and availability of the information accessed. (Palmer, 2000)
IV. Policy Enforcement and Exception Handling
Failure to comply with the Implementation, Enforcement, and Compliance Plan can result in disciplinary actions to include termination of employment for all persons working for or at HIC, Inc. Legal actions may also be taken under State and Federal regulations and laws. (Palmer, 2000), (SANS, 2014)
Requests for exceptions to the Implementation, Enforcement, and Compliance Plan should be submitted in writing to the CISO. Exceptions shall be granted only in writing by the CISO. (Palmer, 2000)
V. Review and Revision
The Implementation, Enforcement, and Compliance Plan shall be reviewed and revised in accordance with the Information Security Program Charter. (Palmer, 2000)