
CISS 391 DEA – Information Systems Security

NOTE: In this paper we were assigned to write a limited information security policies paper.

Rian Booyer
Professor Terance Carlson
CISS 391 DEA Information Systems Security
20 October 2018

Information Security Policies Paper

FNH Enterprise Information Security Policy

Statement of purpose

The purpose of this policy document is to establish the minimum security requirements and practices for FNH in pursuit of its goals of protecting our patients' information and reducing all possible risks while maintaining the functionality and integrity of FNH and its subsidiaries.

Information Security Elements

It is the intention of FNH to protect its information based on the CIA Triad standard of Confidentiality, Integrity, and Availability (Whitman). FNH Information Security consists of specific policies that are formed by different teams and agreed upon by management. The policies are subject to a semi-annual review for necessity and revision.

Need for Information Security

Because FNH deals with confidential patient information every day, FNH needs to adopt a secure environment in which to analyze, interpret, store, and utilize this information in a way that allows us to perform our work freely, without the worry of outside interference, breaches of our patients' confidentiality, or loss of confidence in FNH as a whole. We are dedicated to our patients' privacy and hope that, with ongoing analysis and proactive dedication to information security, we can stay on top of or ahead of threats to our company and to our patients' information.

Information Security Responsibilities and Roles

Chief Information Officer (CIO): The Chief Information Officer is responsible for overseeing the entire FNH technology infrastructure and security solution by directing all other parts of the FNH Information Technology, Information Security, and Systems Analysis teams as needed to guide FNH's technological future.

Chief Information Security Officer (CISO): The Chief Information Security Officer will lead FNH's development and adoption of security-related policies for the Information Security department. The CISO will constantly monitor the security posture of FNH, analyze possible problems, and find solutions to the security threats FNH may face in the future. The CISO must also make sure that FNH maintains compliance with the regulatory agencies that FNH may fall under, including but not limited to the Office for Civil Rights and the HIPAA Privacy and Security Rules, and the Centers for Medicare & Medicaid Services in relation to the HITECH Act (“Guide To Healthcare Compliance Resources And Agencies”).

Information Technology Management: Information technology management will aid in the policy writing process due to their detailed knowledge of the intricacies of the FNH information technology solution.

Policy Maintenance Team: Consists of the CIO, CISO, and Information Technology Management. The responsibility of this team is to provide timely creation and updates to existing policies and the analysis and writing of new policies that are needed in the future.

Software Security Specialists: These individuals are pulled from the systems analysis teams and specialize in the development of the software and systems that are developed by the information technology department. They will aid in the development of new technologies and in the implementation of new technology standards for the encryption and storage of our data when it is written to local storage media or transmitted across our local network. They will also aid in decisions and analysis of new software standards to adopt in the future, as well as migration from older standards to newer standards as needed, while making recommendations to the systems analysis teams as to which standards to adopt for the rest of the FNH technology solution that is in place or being developed.

Network Security Specialists: These individuals are responsible for keeping our networks secure through the use of software and infrastructure measures, including but not limited to intrusion detection systems, firewalls, and network monitoring systems, as well as vulnerability scanning and ethical hacking attempts against a virtualized version of the FNH system.

Facilities Management Personnel: These individuals will aid the Information Technology team in developing physical controls for our buildings and limiting personnel access to the specific parts of the building that house information technology, including server rooms and office spaces, as well as general building access.

Information Technology Policy Education Specialists: These individuals will have the responsibility of training existing and new employees in the security policies set forth by the Policy Maintenance Team. There will be a semi-annual meeting of these individuals to discuss the current policies that are set forth and the analysis, development, and implementation of new policy training sessions. They will also audit existing training materials and processes to optimize policy acceptance and understanding at all levels of FNH employment.

Information Technology Specialists: These team members will be made up of select specialists from the information technology department who know the specific infrastructure FNH uses and have the ability to interact with each level of the Information Security Team, so that they can aid not only in policy creation but also in keeping the team apprised of the actual structure of FNH's information technology system.

Miscellaneous Personnel: These personnel will be pulled in from other areas of FNH on an as-needed basis and will aid the specific team making the request for their presence in the specific task requested. Their knowledge of the workings of FNH security should be kept to a minimum so as to limit exposure of sensitive information that may be compartmentalized for security purposes.

Related Standards and Policies
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Section 405, Cybersecurity Act 2015 (6 U.S.C. 1533 (2016))
NIST Cybersecurity Framework

(First ISSP)

Use of personal equipment on company networks policy.

Overview

The use of personal equipment on FNH company networks can open avenues for security intrusion and create instances where classified material may be mishandled.

Purpose

The purpose of this policy is to prevent leakage of FNH proprietary materials and materials that are entrusted to us by our clients. While many companies allow the use of personal devices by employees, the use of personal devices on our network is strictly prohibited due to the sensitive nature of the data we handle on a daily basis.

Scope

This policy covers all electronic devices brought into the department from outside that are capable of network connectivity by themselves or can be connected to the company network through a computer system, including but not limited to USB devices, smart watches, cellular phones, and cameras.

Policy

Personal equipment usage while in the FNH department is strictly prohibited, and as such all equipment must be handed in to security immediately while inside the mantrap at the entrance of the department. All metal objects will also need to be handed to the security officer until passage through the mantrap is complete.

Security personnel will log the employee’s belongings in a log book and secure them in a locker. The log will contain the Employee ID, total number of items, the item type, and serial number if available. The locker number will also be logged along with this information.

After the information is logged and the items are stored in a locker, the security guard will check the employee with a magnetic detection wand to verify that they have no other devices on them. Once this is complete, the guard will give the employee the key to the locker and release them from the mantrap into the department.

It is the responsibility of the employee to retain and not misplace the keys to the security lockers. Employees who lose their keys will be charged a $100 fee for recovery of items and replacement of the security lock on the locker. Please note it may take up to a maximum of 48 hours for the employee to recover their belongings after they lose their keys.

Employees may retrieve their belongings on the way out of the department by re-entering the mantrap, checking in with security, and presenting their key and photo Employee ID.

Once these are presented, the security officer on duty will visually verify the identity of the employee, recover the log entry for their entrance, retrieve their belongings, and verify the number, type, and serial number of the belongings against the entry log. Once this is complete, the employee will be checked again using a magnetic wand or arch to verify they are not carrying any unauthorized devices out of the department. The employee will be recorded in the log as leaving the department, their stored belongings will be returned, and they will be able to exit the mantrap.

Violations of Policy

Security officers will verify compliance with the policy through the use of metal detection wands and arches. Given the nature of security in our office, security personnel may monitor employees through the use of video surveillance, walk-throughs, audits of entrance and exit logs, and electronic verification of employee eligibility for entrance into the department (“Email”).

Employees who do not comply with this policy or are caught with personal devices without obtaining prior authorization may be detained by security officers, have their devices confiscated, and be subjected to a full internal audit of all actions inside and outside of the FNH department.

Limitations of Liability

FNH shall have no liability for any loss or damage, direct or indirect, arising from the use of the information technology solution in place in the FNH department, from the loss of employee personal belongings stored with security while they are working in the FNH department, or from illegal conduct of employees in relation to their duties. Depending on the severity of any security breach by an employee, that employee may be subject to applicable state and federal laws, depending on the type and source of the information they were assigned at the time. If such an employee breaks confidentiality or releases such information, FNH will aid in the investigation and prosecution of any and all employees involved in the breach of confidentiality of data entrusted to FNH (“ISSP Terms And Conditions | International Society Of Sustainability Professionals”).

Related Standards, Policies and Processes

Department Embarkation and disembarkation policy.

Authorizing devices for embarkation and disembarkation policy.

Embarkation and Disembarkation with authorized devices policy.

Definition and Terms

None.

Policy Review and Modification

This policy may be periodically revised and updated in accordance with the schedule set forth in the Enterprise Information Security Policy.

The current revision is October 2018 A.

(Second ISSP)

FNH Minimum Employee Computer Configuration for Prevention of Malicious Software

Overview

With employees using home computers and computers not located at FNH, we must address the issue of network intrusion from possible malicious software such as worms, viruses, and other malware. Malicious software is an unfortunate reality in today's world, and users face infection every time they connect to the internet.

Purpose

The purpose of this policy is to set a standard for the minimum configuration of an employee's home-based computer that will be used to access the FNH servers and storage locations. It is therefore necessary to set up requirements that employees must follow to be able to access the resources of FNH in a secure manner, so that they can perform their duties efficiently and safely, not only for themselves but for FNH as well.

Scope

This policy covers all computers that employees must use to perform their duties from home, their connection to FNH, and the controls implemented to secure said computers and connections, including but not limited to software-based controls (software VPN, antivirus/antimalware software, enterprise software, etc.) and hardware-based controls (router VPN, router-based antivirus/antimalware, etc.).

Policy

The home computer that an employee uses for work must meet the following minimum requirements to be able to access FNH servers and storage.

                    Windows                       Macintosh     Linux
OS Version          7 or 10                       Mojave        CentOS 7
Architecture        x64                           x64           x86_64
Processor           Intel i5 or AMD equivalent    Intel i7      Intel i5 or AMD equivalent
Memory              16 GB                         16 GB         8 GB
Available Storage*  120 GB                        120 GB        120 GB
Network             10/100                        10/100        10/100
Internet            25 MB downstream, 3 Mb upstream for all operating systems

* The available storage is for the FNH Software Toolkit and does not include space for employee software, operating system installs, or any other miscellaneous data.

Employees must keep their Operating System Software up to date with the newest patches offered by the software manufacturer.

Employees are required to use the FNH Software Toolkit to perform their duties from home. The FNH Software Toolkit is available from the Information Technology department on installation media or can be downloaded from our secure site; however, access to the installer is strictly regulated, and the employee must request temporary credentials from the Information Technology department to download the FNH Software Toolkit.

Employees must keep the FNH Software Toolkit installed in its entirety so that they can connect through the software Virtual Private Network (VPN) service over their home internet connection to the company network. The toolkit also includes software to protect the employee's work and home computer against malicious software such as viruses, ransomware, and other malware, and it is kept up to date automatically. FNH reserves the right to push updates to the employee's home computer to keep the FNH Software Toolkit up to date with company standards.

Employees must keep their computers in operational condition. FNH's Information Technology department provides a 24-hour help line at 1-800-867-5309 for any technical issues that the employee is not able to handle on their own. We also provide a low-cost repair service to employees so that, if parts fail on their machines, we can aid them in getting back up and running and back to productive work as soon as possible.

Employees are required to keep their internet connections at a minimum of 25 Mb downstream and 3 Mb upstream for the FNH Software Toolkit to work as expected. Before calling technical support, the employee should perform a bandwidth speed test to verify there are no problems with their Internet Service Provider. Please note that this is the minimum needed to connect; if the employee has other home computers, smart TVs, and users that are using these devices while they are trying to work, they may need to increase their bandwidth availability with their Internet Service Provider.

When an employee needs to begin their work session, they open the FNH Employee software suite. The FNH Software Toolkit will establish a Virtual Private Network (VPN) connection to FNH servers and prompt the user to log in with their assigned credentials. Once this is completed, the user will have access to the FNH Intranet software to perform their duties and to their web drive, so they have access to their files. The web drive will automatically be mapped as a network drive for ease of use.

At the end of the employee's work session, they must save all work, close any files open on their web drive, and then log out of the FNH Software Toolkit. The software will close the Virtual Private Network (VPN) connection with FNH and clear any temporary files that were in use on the employee's computer.

Employees are strictly forbidden from saving any data from the FNH servers to their local computers and are required to destroy any data they may have inadvertently saved locally.

In the case of employee termination, the employee is required to bring their computers to FNH Information Technology staff so that the FNH Software Toolkit can be removed and any FNH data that remains can be removed as well.

Violations of Policy

Employees are expected to follow this policy to be able to work from their homes. Deviation from this policy may cause disruptions in the employee's work and incur sanctions from FNH, including loss of pay, suspension, or in extreme cases termination of employment.

Limitations of Liability

FNH has no liability, implied or otherwise, for the installation, use, or dissemination of the FNH Software Toolkit. By installing the FNH Software Toolkit, the user agrees to the FNH Software Toolkit User Agreement and the FNH Acceptable Usage Policy. FNH is not responsible for lost wages due to the hardware condition of employee computers, infection by malicious software, or internet connection availability or quality (“ISSP Terms and Conditions | International Society of Sustainability Professionals”).

Related Standards, Policies and Processes

Low Cost Employee Computer Repair Policy

FNH Software Toolkit Update Policy

FNH Acceptable Usage Policy

Definition and Terms

Employee Owned Computer: A device, which may be a standard PC or Macintosh computer system, that is owned by an FNH employee, does not reside on company property, and whose maintenance and upkeep are solely the employee's responsibility.

Internet Service Provider (ISP): This is a company that provides internet service to its customers through differentiating technologies for a fee. Connections to the ISP typically consist of the connection medium (cable connection, phone connection for DSL types, Fiber Optic Cable, Wireless radio frequency, etc.) and a home modem or modem/router combo device (“What Is an Internet Service Provider (ISP)? – Definition from Techopedia”).

Virtual Private Network (VPN): A secure way for employees to connect to FNH servers and storage locations that encapsulates all data transferred over the public internet with encryption, which limits the ability of outside parties to obtain data related to the employee's work (Rouse).

Malicious Software: Malicious software is a broad category of software types that ranges from viruses to spyware and ransomware. It is usually installed on a user's system unknowingly through something as innocuous as an email attachment or clicking on the wrong link on the internet. Malicious software can take control of a user's computer, steal information, or even encrypt the contents of the drive and demand monetary compensation for decrypting the contents (ransomware). To help protect not only our employees but FNH as well, we provide a software solution as part of the FNH Software Toolkit to prevent malicious software from affecting our employees' work. If you believe you have been infected, please call the helpline immediately at 1-800-867-5309 (“Malicious Software”).

Operating System Software (OS): Operating system software is the base software installed on a user's system that gives the user a graphical user interface (GUI) for interacting with the software they wish to install. Common operating systems include Microsoft Windows, Macintosh OS, and Linux, although there are many different Linux distributions from different providers.

FNH Software Toolkit: This toolkit is provided by FNH to employees who work at home and includes the following software and/or services to aid in connecting the employee's home computer to the company network: malicious software protection tools, the software VPN module, the FNH Employee software suite, and the Data Encryption Suite.

Policy Review and Modification

This policy may be periodically revised and updated in accordance with the schedule set forth in the Enterprise Information Security Policy.

The current revision is October 2018 A.

References

References (EISP Policy)

“Guide To Healthcare Compliance Resources And Agencies”. Searchhealthit, 2018, https://searchhealthit.techtarget.com/essentialguide/Guide-to-healthcare-compliance-resources-and-agencies. Accessed 16 Oct 2018.

Whitman, Michael, and Herbert Mattord. Principles of Information Security. 6th ed., Cengage Learning, 2018.

References (First ISSP)

“Email Policy”. Sans.Org, 2013, https://www.sans.org/security-resources/policies/general/pdf/email-policy. Accessed 17 Oct 2018.

“ISSP Terms and Conditions | International Society of Sustainability Professionals”. Sustainabilityprofessionals.Org, 2018, https://www.sustainabilityprofessionals.org/issp-terms-and-conditions. Accessed 17 Oct 2018.

References (Second ISSP)

“Malicious Software”. Seas.Ucla.Edu, 2018, http://www.seas.ucla.edu/security/malware.html. Accessed 18 Oct 2018.

Rouse, Margaret. “What Is VPN (Virtual Private Network)? – Definition from Whatis.Com”. Searchnetworking, 2018, https://searchnetworking.techtarget.com/definition/virtual-private-network. Accessed 18 Oct 2018.

“What Is an Internet Service Provider (ISP)? – Definition from Techopedia”. Techopedia.Com, 2018, https://www.techopedia.com/definition/2510/internet-service-provider-isp. Accessed 18 Oct 2018.
