Final IT Policy and Procedure 05-09-2012

Upload: kenny-josef

Post on 03-Apr-2018


7/28/2019 Final IT Policy and Procedure 05-09-2012

GULF DIAGNOSTIC CENTER HOSPITAL
INFORMATION TECHNOLOGY DEPARTMENT

Policy No: ADM-IT-PL001/12
Title: INFORMATION TECHNOLOGY PLAN
Issue Date: June 2012
Revision No.: Original
Department: Information Technology
Revision Date: June 2012
Section: IT
Next Revision: June 2014
Distribution: Hospital Wide
Page 1 of 62

INFORMATION TECHNOLOGY PLAN 2012

APPROVAL SHEET

Prepared by:

Name  Signature  Date

Zuher Arawi, Information Technology Manager

Reviewed by:

Name  Signature  Date

Mr. Zuher Arawi, Quality Assurance Manager

Ms. Lara Kaddoura, Administrator & Management Representative

Approved by:

Name  Signature  Date

Mr. Rami Kaddoura, Executive President & C.O.O

Mrs. Jamal Kaddoura, Co-founder & Hospital Director

DOCUMENT AMENDMENT RECORD SHEET


Date  Description of Change  Page Affected  Revision Number

    TABLE OF CONTENTS:


SUBJECTS  PAGE

PURPOSE  4

POLICY  5

INTRODUCTION  6

POLICIES  PAGE

Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment  9

Knowing cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, and supplying continuous power to critical equipment.  11

Using Fax Machines/Fax Modems  12

Using Modems/ISDN/DSL Connections, Using Centralized, Networked, or Stand Alone Printers, Securing Network Cabling.  13

Consumables, using removable storage media, including USBs, DVDs, CDs and Diskettes  15

Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop / Portable Computers, Portable Electronic Devices and the Removal of Equipment off Hospital System  16

(Teleworking) or Working from Home or Other Off-Site Location  18

Other Hardware Issues Destruction and/or Reuse of Equipment  19

Controlling Access to Information and Systems and Managing Access Control Standards  21

Securing Unattended Workstations  23

Managing Network Access Controls  24


Managing Application Access Control  25

Managing Passwords  26

Unauthorized Physical Access Security  28

Monitoring System Access and Use  29

Emergency Access  31

Configuring Networks, Managing the Network  32

Defending Network Information against Malicious Attack  33

System Operations and Administration, Appointing System Administrators  35

Ensuring Information Integrity, Commissioning Facilities Management  36

E-mail and the World-wide Web, Downloading Files and Information from the Internet
Sending Electronic Mail (E-Mail) and/or Other Forms of Digital Communication
Receiving and sending electronic mails and/or any other form of digital communication  38

Misdirected Information by E-Mail and/or Any Other Form of Digital Communication  39

Website Maintenance  41

Data Management, Transferring and Exchanging Data, Managing Data Storage  42

Purchasing and Maintaining Commercial Software  43

Developing and Maintaining Custom Software, Controlling Software Code, Managing Operational Program Libraries  45

Testing and Training Environments, the Use of Protected Data for Training  46

New System Training  47


Complying with Legal and Policy Requirements, Complying with Legal Obligations, Awareness of Legal Obligation, Copyright Compliance, Computer Misuse  48

External Suppliers/Other Vendor Contracts  49

Personnel Information Security Responsibilities - Passwords and PIN Numbers  50

Employment Termination - Staff Resignations
Procedures for Staff Leaving Employment, Training and Staff Awareness  51

Awareness for Temporary Staff, Security Information Updates to Staff
Information Security Training on New Systems  53

New System Staff and Physicians Training in Information Security, Preparing Hospital for Placement of Computers
Protecting For, Detecting and Responding to Information Security Incidents, Reporting Information Security Incidents  54

Defending Against Unauthorized or Criminal Activity
Security Incident Procedures  55

Responding to Information Security Incidents  56

    1. PURPOSE


Complete and comprehensive Information Technology policies are necessary, not only to communicate hospital expectations clearly to staff, but to protect the hospital. For example, a hospital was recently forced to settle a lawsuit filed by four employees claiming they were sexually harassed via the hospital's email system. The incident may have been averted, and millions saved, if the hospital's management had instituted simple precautionary measures, such as implementing and enforcing an email policy. Information Technology policies and procedures, properly administered, can often mitigate or eliminate risk and help address common workplace issues.

Lawsuits are not the only problems hospitals can encounter. Any time employees can access email or the Internet, the organization is at risk of a broad range of potential and costly liabilities. For example, hospitals working toward compliance fear the loss or exposure of confidential information. Data can be exposed to email viruses, and untold productive hours can be lost surfing the Web for information unrelated to jobs.

Internet access is only one Information Technology service that needs protecting. An Internet usage policy is the first battle in the seemingly never-ending war to protect employees and maintain efficiency. There is no single product, indeed no single protocol, that provides complete protection and all the equipment necessary to enforce an organization's policies and procedures. Hospitals must manage a variety of issues beyond Internet usage. Security concerns extend beyond the network to physical aspects, such as the upkeep of hospital equipment. There is also a vast amount of offline data that must be protected.

Faced with problems like this, Information Technology and Internet usage policies are the best lines of defense hospital managers can adopt. Not only are they proactive steps that help set necessary alarms, but they also provide guidance for disciplinary action. Such policy-based management has caught on as an effective method for reducing administrative costs, tightening security, and helping troubleshooting efforts. Information Technology policies need to address all of these issues, not only to avoid disaster, but to know what to do if and when disaster does strike. Policies in this document deal not only with technical security issues, such as viruses and the privacy of protected, confidential information, but also with more general management issues, such as network passwords and unauthorized software use. This document also addresses the actions supervisors can take when policies are not adhered to.

    2. POLICY


Hospital Information Technology Policies

The following Information Technology policies and procedures are reevaluated and revised twice a year, or as required. Every staff member is expected to read these policies and comply with them. If there are any questions or concerns, they should be raised with your supervisor or Head of Department/Manager. After reading these policies, sign and date this document to represent that you have read and understand the policies.

Hospital Information Technology Policies include:

1. Internet / Email Policies

1.1. Internet / Email Acceptable Use

1.2. Downloads and Executables

1.3. Peer-to-peer File Sharing and Streaming Media

1.4. Internet Messaging

2. Security Policies

2.1. Computer Viruses

2.2. Physical Security

2.3. Passwords

2.4. Backup

2.5. Continuance

2.6. Data Retention

3. Acknowledgement of Policies

3.1. Signature Page

Date issued: 16-06-2012

Authorized by: IT Manager, Quality Manager, Executive Director, Hospital Co-Founder

Next scheduled review: 12-2012.

INTRODUCTION

The purpose of this document is to provide the procedures for the GDC-Hospital to meet the mandates of the JCIA System Information Security Plan.


Most hospitals have a tiered policy and procedure system. Administrative policies comprise the hospital-wide or interdepartmental directives, while departmental policies cover intradepartmental subjects. This document was written using this scheme.


1. PURPOSE

Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment.

2. POLICY

All hardware installations shall be planned, and related parties impacted by the installation notified and given the opportunity to comment prior to the proposed installation date. All equipment, systems, software, upgrades and patches shall be fully and comprehensively tested and authorized by management prior to being converted to a live environment. The extent of planning and testing shall be reasonable given the size and complexity of the installation, to ensure successful implementation with minimal disruption of operation.

3. SCOPE

The base plan describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage installation and hardware/systems upgrades.

4. TARGET AUDIENCE

Staff, doctors, patients, visitors

5. RESPONSIBILITY

IT Team, hospital wide, all personnel in the hospital.

6. PROCEDURE

1. Any significant system change that has the likely or expected potential to affect a user group shall be planned with the knowledge and cooperation of that group.

2. A significant system change is any change to hardware, software, or communications lines that has the potential to affect the availability or integrity of a program or its data.

3. To meet the criteria of likely or expected, the change could have documentation of known faults, be provided untested by the vendor, be applied to a program that has local customizations that could not be tested by the vendor, or require extended downtime.


4. Certain trusted changes, such as virus protection updates and operating system patches that are routinely released by the original software vendor, can be applied to workstations and file servers of non-critical applications without extended testing.

5. Any system that contains restricted or protected information should be backed up with a restore point prior to implementing the change.

6. All change actions should be weighed against the potential outcome of not making the change.

7. Critical software updates for known vulnerabilities may take precedence over a group's productivity.

8. Protecting the program and data is always the top priority.

9. All significant changes to a system should be documented with the change and the date it occurred.

    7. REFERENCE

    Null


1. PURPOSE

Knowing cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, and supplying continuous power to critical equipment.

2. POLICY

All information systems identified as critical to LSU Hospital system operations shall be protected by an uninterruptible power supply adequate to provide continuity of services and/or orderly shutdown to preserve data integrity.

3. SCOPE

Describing the policy for cabling of UPSs, printers and modems. IT will follow up the proper cabling and ensure the proper way of laying cables within proper trunks to protect from electrical hazards.

4. TARGET AUDIENCE

Staff, maintenance people, service department.

5. RESPONSIBILITY

Maintenance department and IT support team

6. PROCEDURE

1. Selection of equipment for support by uninterruptible power supply shall be based on the critical equipment inventory.

2. For data storage devices, the uninterruptible power supply should be connected to the computing device for orderly shutdown in the event of a backup power supply system failure.

3. Uninterruptible power supplies shall be maintained and tested according to manufacturers' recommendations.

    7. REFERENCE

    Null


1. PURPOSE

Using Fax Machines/Fax Modems

2. POLICY

Protected or restricted information shall only be faxed when more secure methods are not available.

3. SCOPE

Enhance the understanding of the usage of fax machines and modems among users/staff.

4. TARGET AUDIENCE

Receptionists, Pharmacists, Insurance and HR Staff.

5. RESPONSIBILITY

IT Support team and Public Relations Officer.

6. PROCEDURE

The sender of the protected or restricted information and the intended recipient shall agree to the fax transmittal prior to sending.

Documents with personal identifiers can only be faxed with appropriate safeguards. A list of medical record numbers without other personal identifiers may be faxed, provided there is no reference to medical conditions on either the faxed copy or the cover sheet. Users are responsible for ensuring that faxes are not left on the fax machine.

    7. REFERENCE

    Null


1. PURPOSE

Using Modems/ISDN/DSL Connections, Using Centralized, Networked, or Stand Alone Printers. Securing Network Cabling.

2. POLICY

Protected or restricted information shall only be sent via System network lines when more secure methods are not feasible. In that event, additional precautions (e.g. encryption of data, virtual private network, etc.) shall be employed to ensure against unauthorized interception and/or disclosure of protected information.

Protected or restricted information shall not be sent to a network printer in an unsecured area without appropriate physical safeguards or an authorized person present to safeguard this information during and after printing.

All cabling in System networks shall be secured to prevent unauthorized interception or damage.

3. SCOPE

Defining the usage of modems and stand alone printers and granting authorizations to people in charge of networked peripherals, with a proper plan in order to secure network cabling.

4. TARGET AUDIENCE

Doctors, nurses, receptionists, secretaries, and other hospital staff

5. RESPONSIBILITY

IT Support team

6. PROCEDURE

In the event that protected or restricted information cannot be sent via non-network lines, additional precautions (e.g. encryption of data, virtual private network, etc.) shall be employed to ensure against unauthorized interception and/or disclosure of protected information.


    7. REFERENCE

    Null


1. PURPOSE

Consumables, using removable storage media, including USBs, DVDs, CDs and Diskettes.

2. POLICY

All protected or restricted information stored on removable media, including USBs, DVDs, CDs, and diskettes, shall be kept in a safe, secure environment in accordance with the manufacturer's specifications when not in use. The removal of protected or restricted information from hospital premises shall require specific authorization from the hospital designated official.

3. SCOPE

The base plan describes the policies and procedures GDC Hospital staff using systems will follow to manage the proper usage of the mentioned peripherals in a secure manner.

4. TARGET AUDIENCE

Restricted to authorized GDC Hospital staff using networked systems

5. RESPONSIBILITY

IT Department and authorized GDC Hospital staff using networked systems

6. PROCEDURE

The use of removable media to transport protected or restricted information is strongly discouraged. Specific administrative approval is required for the removal of protected information from the hospital when stored on removable media. The user should obtain electronic or written documentation of the approval from the appropriate department director.

USBs, CDs, all diskettes (if still available) and other storage media that contain confidential information that has not been completely de-identified.

    7. REFERENCE

    Null


1. PURPOSE

Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop/Portable Computers, Portable Electronic Devices and the Removal of Equipment off Hospital System.

2. POLICY

Individuals responsible for commissioning outsourced computer processing of protected or restricted information shall ensure the services used are from companies that operate in accordance with the GDC's information security standards, which include a Business Associate Agreement or similar document that communicates the expectation of compliance with these standards and the remedies available in the instance of non-compliance.

Laptops and other portable computing devices issued to hospital System employees shall not be used for activities unrelated to IT organizational goals. The designated hospital official shall document who is in possession of each device and that the individual understands his responsibility for the confidentiality, integrity, and availability of the information on said device. Each IT Hospital system employee who is assigned a portable or mobile computing device shall be responsible for ensuring that data stored on that device is properly backed up, that the operating system is patched in a timely fashion, and, where applicable, that anti-virus software with a current virus data file (including spyware detection and firewalls) is installed and running continuously. In addition, only authorized personnel shall be permitted to take any equipment belonging to the IT Hospital system off the premises, and they are responsible for its security at all times.

3. SCOPE

Planning the needed services and taking into consideration the information security measures for the required services/hardware/software applications for hospital day-to-day work continuity.

4. TARGET AUDIENCE

GDC Hospital staff using IT applications/hardware.

5. RESPONSIBILITY

IT Manager, Support Team, and GDC Hospital staff.


6. PROCEDURE

The IT Director at each facility, or designee, shall keep a listing of all portable computing devices (PCD) and who is in possession of each device. Any change in the possession of a portable computing device shall be reported to the IT Director immediately.

Each employee with a PCD shall have appropriate approval stating the need for the device prior to possession. The employee shall sign an LSU Portable Computing Device Release prior to using the device.

Handling and Storage of Laptops

Safety and security of the PCD is the responsibility of the employee it is assigned to. PCDs are stored in a secure, locked location within the office when not in use. Confidential information on PCD removable drives should be carried in a secure vessel. If possible, the media containing the confidential, encrypted data should be locked in a location apart from the laptop when not in use.

Loss of any PCD shall be reported immediately to the IT Director/IT Security Lead of the hospital.

    7. REFERENCE

    Null


1. PURPOSE

(Teleworking) or Working from Home or Other Off-Site Location

2. POLICY

IT Hospital systems which allow teleworking or working from home shall establish procedures that ensure the confidentiality, integrity and availability of protected data accessed during any teleworking session.

3. SCOPE

Preparing and describing the policy and procedure for the IT Support team and service companies granted permission to access the relevant servers to do installation/configuration.

4. TARGET AUDIENCE

IT Manager, DB Administrator and Application Developer.

5. RESPONSIBILITY

IT Manager, DB Administrator and Application Developer.

6. PROCEDURE

1) When using a desktop computer from home or when traveling, the screen should be placed so it is not visible to non-authorized personnel walking by the office or through a hallway. Additionally, computer screens should be situated so that they are not visible through windows.

2) When laptop computers are used, the screens are managed so as to prevent viewing by others. The laptop is never out of sight of the employee when not secured.

3) All teleworking sessions require a virtual private network (VPN) connection, a Citrix Desktop connection, or a dialup connection through an enterprise RAS solution.

    7. REFERENCE

    Null


1. PURPOSE

Other Hardware Issues: Destruction and/or Reuse of Equipment.

2. POLICY

IT equipment and/or media owned by IT Hospital systems shall only be disposed of by authorized personnel in accordance with the National Industrial Security Program Operating Manual. IT equipment and/or media owned by the IT Hospital system which is to be reassigned to another employee or reused shall be evaluated as to whether protected or restricted information needs to be purged in accordance with the above standard prior to reassignment and/or reuse or disposal.

3. SCOPE

Defining the base plan and evaluation sheet for destruction and reuse of the equipment and media owned by the GDC Hospital system.

4. TARGET AUDIENCE

GDC Hospital staff using the mentioned equipment and systems.

5. RESPONSIBILITY

IT Manager

6. PROCEDURE

Any computing equipment possessing media with protected or restricted information shall have the media wiped of all information in accordance with the Management of Information Technology specifications.

Media  Procedure(s)

Magnetic Tape

Magnetic Disk

Optical Disk

  Read Many, Write Many (e.g., CD-RW)


  Read Only

  Write Once, Read Many (e.g., CD-R, CD+R, DVD+R)

Memory

  Dynamic Random Access Memory (DRAM)

  Flash memory (e.g., USB drives, picture cards)

  Programmable ROM (PROM)

  Nonvolatile RAM (NOVRAM)

  Read Only Memory (ROM)

  Static Random Access Memory (SRAM)

    7. REFERENCE

    Null


    1. PURPOSE

    Controlling Access to Information and Systems and Managing Access Control Standards

    2. POLICY

    Each IT Hospital system shall ensure that all access to information systems is based on thelowest level of privilege needed to perform ones job.

    Access to application supervisor-level commands shall require authorization from theemployees supervisor and/or the owner of the application. Access to operating system

    supervisor and/or administrator commands shall be restricted to those persons who are

    authorized to perform systems administration/management functions.

    Managing User Access to any IT Hospital system information system shall be authorized by the

    owner and/or hospital designated official(s). Each staff, and contractor shall be assigned a uniqueuser ID. When generic IDs are required by operational necessity, each hospital shall develop

    procedures to prevent abuse. For audit purposes, such access, including the appropriate access

    rights or privileges.

    Generic Accounts - Generic accounts are used to provide access to network resources for third-party software support staff, contractors, or computer support staff who need application service accounts.

    Acquiring a Generic Account - The owner of the resource will notify Enterprise Information Security via e-mail that a vendor, contractor, or computer support provider will need a generic account to access the network. Before creating the account, Enterprise Information Security shall determine the method by which access into the network will be allowed. This may require discussions between the vendor, the IT contact, and the firewall administrator. If it has been decided that a generic account is required, the account will be set up according to Enterprise Information Security procedures.

    Vendor Account Requirements - Vendors and contractors must submit a vendor account policy which contains a vendor account agreement before being given access to the network. These policies are kept on file by the Enterprise Information Security group.

    Enabling a Generic Account - Activation of generic accounts must be authorized by the IT contact. The default activation period is 24 hours unless requested otherwise. Prolonged activation periods must be justified. When a generic account is activated, an e-mail must be sent to the IT contact notifying them of the new expiration date.


    Generic Account Agreement for Vendors

    a) I acknowledge that I am responsible for all activity attributable to the account assigned to my organization.

    b) I will use my organization's account to perform authorized activities only (i.e., to carry out contract-related responsibilities).

    c) If I abuse or gain unauthorized access to computer resources, I understand that the IT head may immediately revoke my account and report my conduct to law enforcement authorities.

    d) I understand that, upon change or termination of my organization's relationship with the IT department, my organization's access to resources on the network will be reviewed and modified or terminated as appropriate.

    e) I understand the importance of privacy and confidentiality of information, in particular patient information, student records, and employee personal data. I pledge to handle all sensitive data I access with the appropriate care and precautions.

    f) I will abide by IT policy regarding appropriate use of its network infrastructure.

    3. SCOPE

    Preparing a plan that states controlling the access to information and systems and steps to

    manage the access control standards.

    4. TARGET AUDIENCE

    All staff and contractors assigned a unique user ID or a generic account.

    5. RESPONSIBILITY

    IT support team, and GDC staff and contractors holding a unique user ID.

    6. PROCEDURE

    To be performed on a case-by-case basis according to the access granted to end-users/contractors.

    7. REFERENCE

    Null


    1. PURPOSE

    Securing Unattended Workstations

    2. POLICY

    Precautions shall be taken to prevent tampering with unattended equipment by unauthorized persons.

    3. SCOPE

    Preparing memos that state clearly the responsibility of the custodians/persons in charge of systems (workstations).

    4. TARGET AUDIENCE

    GDC Hospital Doctors/staff using GDC Hospital systems/workstations.

    5. RESPONSIBILITY

    GDC Hospital Doctors/staff working on GDC Hospital workstations.

    6. PROCEDURE

    All workstations should be placed in a secured location. In locations that are not occupied at all times and cannot be secured, the PC should be physically secured to the work area.

    Viewing screens should be located so that unauthorized personnel cannot view the information on the screen. Where it is impossible to protect the peripheral view of the screen, privacy filters shall be employed.

    Private or restricted information shall not be stored on a computer in a public-use or otherwise unsecurable area.

    7. REFERENCE

    Null


    1. PURPOSE

    Managing Network Access Controls

    2. POLICY

    Access to Hospital system information systems networks shall be strictly controlled to prevent unauthorized access. Each hospital's IT department shall develop procedures and standards for securing network electronics against unauthorized tampering.

    3. SCOPE

    A base plan describing the policies and procedures that the GDC Hospital IT department will develop and follow to prepare for, respond to, and manage system access events.

    4. TARGET AUDIENCE

    IT Manager and IT team.

    5. RESPONSIBILITY

    IT Manager and IT Team.

    6. PROCEDURE

    Access to the information systems networks shall be strictly controlled to prevent unauthorized access. The Office of Computer Services network equipment standards shall be utilized to secure network electronics against unauthorized tampering.

    7. REFERENCE

    Null


    1. PURPOSE

    Managing Application Access Control

    2. POLICY

    The Hospital system procedure for authorizing supervisor-level access shall require approval from the designated hospital IT authority.

    3. SCOPE

    A base plan describing the policies and procedures that the GDC Hospital IT department will develop and follow to prepare for, respond to, and manage application access events.

    4. TARGET AUDIENCE

    IT Manager and IT team.

    5. RESPONSIBILITY

    IT Manager and IT team.

    6. PROCEDURE

    Access to application supervisor-level commands shall require authorization from the employee's supervisor and/or the owner of the application. Access to operating system supervisor and/or administrator commands shall be restricted to those persons who are authorized to perform systems administration/management functions.

    7. REFERENCE

    Null


    1. PURPOSE

    Managing Passwords.

    2. POLICY

    All information systems that use passwords as the primary method of user authentication shall require that all user accounts be protected with non-null, non-weak passwords and require all users to change passwords on a periodic basis (at least every six months). The IT department of the Hospital shall develop and/or adopt standards for password length, password change interval and password complexity that are appropriate for the system being protected. These standards shall be reviewed periodically.

    3. SCOPE

    A plan to be defined in order to control, maintain and monitor passwords at all authorized levels on a quarterly or half-yearly basis.

    4. TARGET AUDIENCE

    GDC Hospital Doctors/staff and IT Staff using systems/servers.

    5. RESPONSIBILITY

    IT support team and GDC Hospital doctors and staff using systems.

    6. PROCEDURE

    All computer accounts must be password protected in accordance with the password policy. This policy shall not be any less restrictive than the Information Technology password policy. These password standards shall be reviewed no less frequently than every three years and revised to incorporate advances in technology.

    The Password Policy requires that:

    Minimum password length shall be no less than eight (8) characters.

    Minimum password complexity: a password should contain characters from at least 3 of the 4 categories: English upper case characters (A-Z), English lower case characters (a-z), base 10 digits (0-9), and non-alphanumeric characters (e.g. %, &, !).

    Maximum validity period for passwords shall be no greater than 180 days, with specific exemptions granted for special purposes such as enabling a stored procedure to run against a database.
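The password rules above, implemented as a checker. This is an added example, not code from the hospital's policy document: the numeric values come from the section, while the exact set of characters treated as non-alphanumeric and the `exempt` flag used for special-purpose credentials are assumptions.

```python
"""Checker for the password policy stated above: minimum eight characters,
at least three of the four character categories, maximum validity 180 days.
Added example, not part of the hospital's policy document."""
from datetime import date
import string

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3   # "at least 3 of the 4 categories"
MAX_AGE_DAYS = 180        # "no greater than 180 days"

# The policy names %, & and ! only as examples of non-alphanumeric
# characters; accepting all ASCII punctuation is an assumption.
CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def categories_present(password):
    """Names of the categories that occur at least once in `password`."""
    return {name for name, chars in CATEGORIES.items()
            if any(ch in chars for ch in password)}


def check_complexity(password):
    """Return the list of policy violations; an empty list means compliant."""
    if not password:
        # the "non-null" requirement: an empty password fails outright
        return ["null password"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    present = categories_present(password)
    if len(present) < REQUIRED_CATEGORIES:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        problems.append(
            f"only {len(present)} of 4 categories present (missing: {missing})")
    return problems


def _as_date(value):
    """Accept a date object or an ISO 8601 string such as '2012-06-30'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_expired(last_changed, today, exempt=False):
    """True when the password is older than MAX_AGE_DAYS.

    `exempt` models the policy's exemption for special-purpose credentials
    (e.g. a stored procedure's database account); how an account gets marked
    exempt is an assumption, not something the policy specifies."""
    if exempt:
        return False
    return (_as_date(today) - _as_date(last_changed)).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ["", "password", "Passw0rd", "Ab1!"]:
        print(repr(pw), check_complexity(pw) or "OK")
    print("expired:", password_expired("2012-01-01", "2012-06-30"))
```

The checker enforces composition only; "Passw0rd" passes it. A deny-list of common and previously breached passwords, checked at the same point, closes the gap that the category rule alone leaves open.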

    7. REFERENCE

    Null


    1. PURPOSE

    Unauthorized Physical Access Security.

    2. POLICY

    Physical access to server rooms and network infrastructure closets shall be protected using all reasonable and appropriate safeguards. Strong authentication and identification techniques shall be used when they are available and can be reasonably deployed.

    3. SCOPE

    A base plan that describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage physical access security.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    Physical access to server rooms and network infrastructure closets shall be protected using all reasonable and appropriate safeguards. Strong authentication and identification techniques shall be used when they are available and can be reasonably deployed.

    7. REFERENCE

    Null


    1. PURPOSE

    Monitoring System Access and Use

    2. POLICY

    All information systems that contain protected or restricted information shall be configured to log any and all information necessary to detect and record attempts at unauthorized access and system errors, to the extent that the logging facility exists and is capable. Logs showing significant activity shall be examined in a timely fashion by staff determined as qualified by the hospital IT department. Security incidents shall be reported to the Security Officer (one of the IT team members) for appropriate action and follow-up.

    3. SCOPE

    A base plan that describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage the monitoring of system access and use.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    All information systems that contain protected or restricted information shall be configured to log any and all information necessary to detect and record attempts at unauthorized access and system errors, to the extent that the logging facility exists and is capable. Logs showing significant activity shall be examined in a timely fashion by staff determined as qualified by the IT department. Reporting of suspected security incidents shall follow the process defined in the Information Security Response Procedure.
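The examination of logs for unauthorized-access attempts described above, as detection logic run over sample log lines. This is an added example, not the hospital's own tooling: the key=value log format, the hostnames, the threshold (five failures for one account from one source within ten minutes) and the sample lines are all constructed.

```python
"""Detection over authentication log lines: flag a burst of failed logins
for one (user, source) pair, and escalate when a success follows the burst.
Added example with a constructed log format; not the hospital's tooling."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5              # assumed tuning values
WINDOW = timedelta(minutes=10)

# Constructed sample log: a password-guessing burst against "admin" that
# finally succeeds, one ordinary mistyped password, and a malformed line.
SAMPLE_LOG = """\
2012-06-05T08:00:05 host=his-db01 event=LOGIN_OK user=nurse.salma src=10.0.7.14
2012-06-05T08:01:10 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:01:12 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:01:15 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:01:19 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:01:24 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:01:30 host=his-db01 event=LOGIN_FAILED user=admin src=10.0.5.21
2012-06-05T08:02:02 host=his-db01 event=LOGIN_OK user=admin src=10.0.5.21
2012-06-05T08:05:40 host=ris01 event=LOGIN_FAILED user=dr.ahmed src=10.0.7.30
2012-06-05T08:05:55 host=ris01 event=LOGIN_OK user=dr.ahmed src=10.0.7.30
this line is not in the expected format
"""


def parse_line(line):
    """Parse one line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Scan log lines in order and return (alerts, unparsed_count).

    Each alert is a dict with ts, kind, user, src and detail.  Unparseable
    lines are counted rather than silently dropped: a monitoring job that
    quietly ignores lines it cannot read is itself a detection gap."""
    alerts = []
    unparsed = 0
    recent_failures = defaultdict(deque)   # (user, src) -> failure timestamps
    already_alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["user"], rec["src"])
        window = recent_failures[key]
        while window and rec["ts"] - window[0] > WINDOW:
            window.popleft()               # expire failures older than WINDOW
        if rec["event"] == "LOGIN_FAILED":
            window.append(rec["ts"])
            if len(window) >= FAIL_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)   # one alert per burst, not per line
                alerts.append({"ts": rec["ts"], "kind": "BRUTE_FORCE",
                               "user": rec["user"], "src": rec["src"],
                               "detail": f"{len(window)} failures within {WINDOW}"})
        elif rec["event"] == "LOGIN_OK":
            if key in already_alerted:
                # success right after a burst is the case to escalate:
                # the guessing may have worked
                alerts.append({"ts": rec["ts"], "kind": "SUCCESS_AFTER_FAILURES",
                               "user": rec["user"], "src": rec["src"],
                               "detail": f"login succeeded after {len(window)} failures"})
            window.clear()
            already_alerted.discard(key)
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"], a["kind"], a["user"], a["src"], a["detail"])
    print(f"{bad} unparseable line(s)")
```

Keying on (user, source) catches a single source hammering one account; a low-and-slow attempt spread across many sources or many accounts needs a second counter keyed on the account alone or on the source alone, which is the natural extension once the log format is known.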


    7. REFERENCE

    Null


    1. PURPOSE

    Emergency Access

    2. POLICY

    All Hospital systems shall develop and implement a procedure to provide access to electronic information on an emergency basis (e.g., an employee is incapacitated and another employee must enter the system to continue his job function). For audit purposes, each instance of such access provision shall be documented and maintained on file for a period of no less than one year if the information accessed is protected information.

    3. SCOPE

    A base plan that describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage emergency access.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    Emergency access (e.g., an employee is incapacitated and another employee must enter the system to continue his job function) to electronic information shall be handled by Enterprise Information Security (EIS) during business hours and by the Enterprise Information Security Analyst on call after business hours. For audit purposes, each instance of such access provision shall be documented and maintained on file for a period of no less than one year if the information accessed is protected information.

    7. REFERENCE

    Null


    1. PURPOSE

    Configuring Networks

    Managing the Network

    2. POLICY

    All System information system networks shall be designed and configured to deliver high availability, confidentiality, and integrity to meet business needs.

    Each Hospital system shall ensure that those responsible for managing the hospital network and preserving its integrity, in collaboration with the individual system owners, do so in accordance with the hospital's IT department standards and job descriptions.

    3. SCOPE

    A base plan that describes the policies and procedures the GDC Hospital IT Manager and support team will follow to prepare for, respond to, and manage the hospital's network.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    Those responsible for managing the network and preserving its integrity shall do so in accordance with the Office of Computer Services standards and job descriptions.

    7. REFERENCE

    Null


    1. PURPOSE

    Defending Network Information against Malicious Attack

    2. POLICY

    Each Hospital system shall develop and implement procedures to adequately configure and safeguard its information system hardware, operating and application software, networks and communication systems against both physical attack and unauthorized network intrusion. All servers and workstations shall run anti-virus software (including spyware detection and firewalls) while connected to the network infrastructure. In the event that a system will not operate properly with the anti-virus software, appropriate information security safeguards shall be instituted.

    3. SCOPE

    A base plan that describes the policies and procedures the GDC Hospital IT Manager and support team will follow to prepare for, respond to, and manage the hospital's network.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    All servers and workstations shall be configured according to Information Security standards in order to safeguard information system hardware, operating and application software, networks, and communication systems against both physical attack and unauthorized network intrusion.

    All servers and workstations shall run anti-virus software (including spyware detection) while connected to the network infrastructure. In the event that a system will not operate properly with the anti-virus software, appropriate information security safeguards shall be instituted.


    7. REFERENCE

    Null


    1. PURPOSE

    System Operations and Administration, Appointing System Administrators

    2. POLICY

    Each Hospital system shall appoint systems administrators who demonstrate the qualifications established by the hospital's IT department to manage the information technology systems and oversee the day-to-day security of these systems.

    3. SCOPE

    To prepare definite measures for the operating systems used by software applications and end-users, and to monitor the appointed system administrators running those operating systems.

    4. TARGET AUDIENCE

    Information Technology Department

    5. RESPONSIBILITY

    Information Technology Department

    6. PROCEDURE

    The Office of Computer Services (CS) in the IT department shall appoint systems administrators who demonstrate the qualifications established by the department to manage the information technology systems and oversee the day-to-day security of these systems. Only qualified staff or third-party technicians should repair information system hardware faults. System administrators must meet stringent qualifications for hire, assuring that IT analysts are capable of handling analytic processes.

    7. REFERENCE

    Null


    1. PURPOSE

    Ensuring Information Integrity

    Commissioning Facilities Management

    E-mail and the World-wide Web

    Downloading Files and Information from the Internet

    Sending Electronic Mail (E-Mail) and/or Other Forms of Digital Communication

    2. POLICY

    All Hospital systems shall develop and implement procedures to ensure that the integrity of electronic protected or restricted information is maintained in the event of processing errors, system failure, human errors, natural disasters and deliberate acts.

    The Hospital shall implement the appropriate procedures within the Disaster Recovery Plan (DRP) to ensure that the integrity of electronic protected or restricted information is maintained in the event of processing errors, system failure, human errors, natural disasters, and deliberate acts.

    Any facilities management company engaged by a Hospital system shall be expected to comply with the System Information Security policies and to execute a Business Associate Agreement or similar document that communicates the performance expected and the remedies available in the instance of noncompliance.

    Each Hospital system IT department shall develop standards and guidelines to ensure that information, software and media downloaded from the Internet do not jeopardize its operations or the security of its information systems.

    Each Hospital system shall develop procedures requiring that all e-mail and/or any other form of digital communication generated by its information systems that contains protected or restricted information, including data attachments, is permitted only after confirming that such action is consistent with the restrictions specified by the security classification of the information being sent. In addition, the file shall be scanned for the possibility of a virus or other malicious code. In no case shall protected or restricted information be sent outside the information infrastructure without taking precautions to ensure the confidentiality and integrity of the information.

    3. SCOPE

    Define a plan for the hospital system IT department to develop standards and guidelines to ensure that information, software and media downloaded from the Internet do not jeopardize its operations or the security of information systems, including e-mails (sending and receiving), the World-wide Web, data extraction/download from the Internet, and digital communications.

    4. TARGET AUDIENCE

    All hospital end-users granted access to hospital systems (computers).

    5. RESPONSIBILITY

    IT department and all end-users using hospital computers.

    6. PROCEDURE

    All e-mail and/or any other form of digital communication generated by information systems that contains protected or restricted information, including data attachments, shall only be permitted after confirming that such action is consistent with the restrictions specified by the security classification of the information being sent. In addition, the file shall be scanned for the possibility of a virus or other malicious code. In no case shall protected or restricted information be sent outside the information infrastructure without taking precautions to ensure the confidentiality and integrity of the information.

    7. REFERENCE

    Null


    1. PURPOSE

    Receiving and sending electronic mails and/or any other form of digital communication.

    2. POLICY

    Each Hospital system shall develop and implement standards and procedures that will ensure that malicious code is not delivered to or executed on the information systems through receiving e-mail and/or any other form of digital communication.

    3. SCOPE

    Define a plan for data exchange between hospital end-users and the outside world, and develop standards and guidelines to ensure that electronic data and e-mails received and sent do not jeopardize the security of information systems and digital communications.

    4. TARGET AUDIENCE

    All hospital end-users granted access to hospital systems (computers).

    5. RESPONSIBILITY

    IT department and all end-users using hospital computers.

    6. PROCEDURE

    All workstations shall have anti-virus software that scans e-mails and attachments. All inbound and outbound, external and internal e-mail shall be scanned for viruses on the e-mail servers. The Office of Computer Services may also implement any procedures it deems necessary to ensure that malicious code is not delivered to or executed on the information systems through receiving e-mail and/or any other form of digital communication.

    7. REFERENCE

    Null


    1. PURPOSE

    Misdirected Information by E-Mail and/or Any Other Form of Digital Communication

    2. POLICY

    Each Hospital system shall develop and implement procedures that ensure that e-mails and/or any other form of digital communication that contain protected or restricted information, including attachments, are correctly addressed and only sent to appropriate persons. This procedure shall include a mechanism by which a misdirected communication is correctly delivered without the content being viewed any further than is necessary to identify the appropriate recipient, and is deleted from the mistaken recipient's computer system.

    3. SCOPE

    Define a plan for data exchange between hospital end-users and the outside world, and develop standards and guidelines to ensure that data is sent only to the proper recipient.

    4. TARGET AUDIENCE

    All hospital end-users granted a hospital e-mail user name/password.

    5. RESPONSIBILITY

    IT Department (end-user support) and all hospital end-users granted a hospital e-mail user name/password.

    6. PROCEDURE

    Protected and/or restricted information should not be sent via e-mail until the IT department has developed and implemented procedures that ensure that e-mails and/or any other form of digital communication that contain protected or restricted information, including attachments, are correctly addressed and only sent to appropriate persons. When developed, this procedure shall include a mechanism by which a misdirected communication is correctly delivered without the content being viewed any further than is necessary to identify the appropriate recipient, and is deleted from the mistaken recipient's computer system.

    Protected and/or restricted information can be sent electronically via Secure FTP, as encrypted data on PCDs, or by giving protected access to a data drive.

    7. REFERENCE

    Null


    1. PURPOSE

    Website Maintenance

    2. POLICY

    The Hospital system shall develop and implement a procedure which ensures that System websites that contain protected or restricted information are protected from unauthorized intrusion.

    3. SCOPE

    A plan describing the policies and procedures to define and maintain an in-house or out-sourced website managed internally by the IT department.

    4. TARGET AUDIENCE

    GDC Hospital employees and outside customers (patients).

    5. RESPONSIBILITY

    Information Technology Department.

    6. PROCEDURE

    Websites that contain protected or restricted information should be protected from unauthorized intrusion using website security standards. Only personnel who demonstrate the qualifications established by the Office of Computer Services should modify the hospital website, especially if it contains protected information. These modifications shall be documented for audit purposes.

    7. REFERENCE

    Null


    1. PURPOSE

    Data Management, Transferring and Exchanging Data, Managing Data Storage

    2. POLICY

    All restricted or protected information shall only be transferred outside of hospital networks, or copied to other media, when the confidentiality and integrity of the data can reasonably be assured. All data stored on information systems shall be managed to ensure the confidentiality, integrity, and availability of the data.

    3. SCOPE

    The base plan describes the policies and procedures for maintaining GDC Hospital data storage, backups, data confidentiality and integrity, and proper restore indexing.

    4. TARGET AUDIENCE

    GDC Hospital employees, doctors, and the Medical Records department (archive system).

    5. RESPONSIBILITY

    Information Technology Department.

    6. PROCEDURE

    A storage array of adequate capacity holds all data saved on all nodes. Protected or restricted information shall be mirrored and duplicated, and incrementally updated in the backup system maintained by the IT department, so that it can be retrieved in case of loss. Data transferred and exchanged on a daily basis shall be backed up in the same way.

    7. REFERENCE

    Null


    1. PURPOSE

    Purchasing and Maintaining Commercial Software

    1- Purchasing and Installing Software

    2- Using Licensed Software (Software Maintenance and Upgrade)

    3- Supporting Application Software

    4- Disposing of Information System Software

    2. POLICY

    Each Hospital system shall make every effort to ensure that all terms and conditions of End User License Agreements (EULA) are strictly adhered to, in order to comply with applicable laws and to ensure ongoing vendor support.

    All application software shall be supported to ensure that the hospital business is not compromised. Every effort shall be made to resolve software problems efficiently and within an acceptable time period.

    Disposal of information systems software shall not occur unless the disposal is authorized by the appropriate hospital official, the information systems software is no longer required, and its related data can be archived and will not require restoration in the future.

    3. SCOPE

    The base plan describes the policies and procedures for purchasing, installing, using, upgrading, supporting, and maintaining licensed software, and describes a proper way of disposing of information system software.

    4. TARGET AUDIENCE

    All GDC Hospital employees using in-house application software.

    5. RESPONSIBILITY

    GDC Hospital Information Technology Department.


    6. PROCEDURE

    The Disposition Phase represents the end of the system life cycle. It provides for the systematic termination of a system to ensure that vital information is preserved for potential future access and/or reactivation. A system placed in the Disposition Phase has been declared surplus and/or obsolete and is scheduled to be shut down. The emphasis of this phase is to ensure that the system (e.g. software, data, procedures, and documentation) is packaged and archived in an orderly fashion, enabling the system to be reinstalled later, if desired.

    7. REFERENCE

    Null


    1. PURPOSE

    Developing and Maintaining Custom Software

    Controlling Software Code

    Managing Operational Program Libraries

    2. POLICY

    Each Hospital system shall implement a procedure in which only authorized staff may access

    operational program libraries.

    3. SCOPE

    Defining a plan that describes different authorization levels for all end-users with different

    access permissions.

    4. TARGET AUDIENCE

    GDC Hospital end-users, using hospital systems and software applications (databases).

    5. RESPONSIBILITY

    IT Department.

    6. PROCEDURE

    All operational program libraries for critical applications that are developed shall reside on enterprise servers. Access to operational program libraries shall be controlled by the Information Security group and will be provided on an as-needed basis.

    7. REFERENCE

    Null


    1. PURPOSE

    Testing and Training Environments

    The Use of Protected Data for Training

    2. POLICY

    Each Hospital system shall implement a procedure that requires adequate controls for the

    security of protected or restricted data when used in the testing of new systems or system

    changes.

    3. SCOPE

    Defining a data security policy and procedure that protects live database data accessed and used for training purposes.

    4. TARGET AUDIENCE

    New doctors, employees, and receptionists.

    5. RESPONSIBILITY

    IT Department.

    6. PROCEDURE

    The use of protected or restricted data in the testing of new systems or system changes shall be

    adequately controlled. Access to operational test environments for critical applications shall be

    controlled by the Information Security group and will be provided on an as needed basis.

    7. REFERENCE

    Null


    1. PURPOSE

    New System Training

    2. POLICY

    Each Hospital system shall implement a procedure in which users and technical staff are trained

    in the functionality and operations of all new systems.

    3. SCOPE

    Defining a data security policy and procedure that protects live database data accessed and used for training purposes.

    4. TARGET AUDIENCE

    New doctors, new employees and receptionists.

    5. RESPONSIBILITY

    IT Department.

    6. PROCEDURE

    The IT Director will work with the application vendors, HR, Staff Development, and the developers of new applications to implement training plans for each new application before the application is put into production.

    7. REFERENCE

    Null


    1. PURPOSE

    Complying with Legal and Policy Requirements

    Complying with Legal Obligations, Awareness of Legal Obligations

    Copyright Compliance, Computer Misuse: Legal Safeguards

    2. POLICY

    All Hospital systems shall develop and implement procedures to inform employees of their legal responsibilities in relation to the use of computer-based information and data.

    All Hospital systems shall develop and implement procedures to inform employees of their obligation to comply with applicable copyright laws.

    Each Hospital system shall implement a procedure by which employees are informed of changes in computer misuse law, as well as hospital policy, as it directly impacts their job duties.

    3. SCOPE

    Defining a plan to develop and implement policies and procedures for employees' roles and responsibilities in using data and in understanding copyright where applicable.

    4. TARGET AUDIENCE

    Employees that are using GDC Hospital systems.

    5. RESPONSIBILITY

    The IT Support team guides GDC end-users in applying these policies and procedures.

    6. PROCEDURE

    The IT Director will develop the copyright compliance procedures.

    7. REFERENCE

    Null


    1. PURPOSE

    External Suppliers/Other Vendor Contracts

    2. POLICY

    All Hospital systems suppliers/vendors who handle protected or restricted information shall acknowledge compliance with the hospital information security procedures prior to the delivery of services.

    3. SCOPE

    Defining a plan that clearly describes the most restricted information and records the supplier's acknowledgement of compliance with GDC Hospital requirements.

    4. TARGET AUDIENCE

    External suppliers and software vendors.

    5. RESPONSIBILITY

    IT Department and Hospital Legal advisors.

    6. PROCEDURE

    Lending of keys, both physical and electronic, should be prohibited by each Hospital system. In the event that access to an area or information secured by a physical or electronic key is required by an individual without such a key, that individual should be accompanied and supervised by someone who has been issued such a key.

    7. REFERENCE

    Null


    1. PURPOSE

    Personnel Information Security Responsibilities - Passwords and PIN Numbers

    Employment Termination - Staff Resignations

    2. POLICY

    All Hospital system users, staff and physicians are expected to treat passwords as private and

    highly confidential.

    All Hospital systems shall ensure that the appropriate Security Officer is notified of all employee terminations and that access to the Hospital system information systems is revoked. If, in the judgment of the appropriate hospital official, it is determined that an employee represents a risk to the security of the Hospital system information, all access shall be terminated immediately.

    3. SCOPE

    Defining step-by-step measures to secure hospital information and data.

    4. TARGET AUDIENCE

    Any terminated employee who previously worked on hospital systems or data.

    5. RESPONSIBILITY

    GDC Human Resources Department and IT Department.

    6. PROCEDURE

    The HR Manager will contact the IT Department to immediately disable the account of any employee that represents a risk to the security of the Hospital system information.

    The Enterprise Information Security group generates reports to determine terminations and transfers of users with access to computer resources.
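    The termination and transfer report described above is, in practice, a reconciliation of the HR roster against the list of accounts that can still log in. The following is an added example written for this page, not the hospital's own tooling: it takes a constructed HR roster and a constructed account list (the field names, usernames and dates are assumptions) and returns the accounts that must be disabled, the accounts whose permissions must be re-reviewed after a transfer, accounts with no HR owner, and any login recorded after a termination date, which is the finding an auditor would ask about first.

```python
"""Added example for this page: reconcile HR termination/transfer records
against the accounts that are still enabled. Not the hospital's own code;
the HR records, accounts and field names below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str            # "active", "terminated" or "transferred"
    department: str        # current department per HR
    effective: date        # date the status took effect


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str       # empty string when the account has no HR owner (service account)
    enabled: bool
    department: str        # department the account's permissions were provisioned for
    last_login: Optional[date]


# Constructed sample data (not from the original document).
HR_RECORDS = [
    HrRecord("E100", "active", "radiology", date(2011, 3, 1)),
    HrRecord("E101", "terminated", "reception", date(2012, 5, 30)),
    HrRecord("E102", "transferred", "laboratory", date(2012, 6, 4)),
    HrRecord("E103", "terminated", "finance", date(2012, 6, 1)),
]

ACCOUNTS = [
    Account("dr.lee", "E100", True, "radiology", date(2012, 6, 7)),
    Account("recep1", "E101", True, "reception", date(2012, 6, 2)),   # still enabled, and used after termination
    Account("labtech", "E102", True, "radiology", date(2012, 6, 6)),  # permissions belong to the old department
    Account("fin.old", "E103", False, "finance", None),               # already disabled: nothing to do
    Account("svc_backup", "", True, "it", date(2012, 6, 7)),          # no HR owner: flag for review
]


def reconcile(hr: Iterable[HrRecord], accounts: Iterable[Account]) -> dict:
    """Compare every account with its HR record and classify it.

    disable                 -> enabled account whose owner HR lists as terminated
    review                  -> owner transferred, but the account was provisioned for another department
    orphans                 -> no HR record for the account's employee_id
    post_termination_logins -> a login recorded after the termination date (investigate, not just disable)
    """
    by_emp = {r.employee_id: r for r in hr}
    disable, review, orphans, post_term = [], [], [], []
    for acct in accounts:
        rec = by_emp.get(acct.employee_id)
        if rec is None:
            orphans.append(acct.username)
            continue
        if rec.status == "terminated":
            if acct.enabled:
                disable.append(acct.username)
            if acct.last_login is not None and acct.last_login > rec.effective:
                post_term.append(acct.username)
        elif rec.status == "transferred" and rec.department != acct.department:
            review.append(acct.username)
    return {
        "disable": disable,
        "review": review,
        "orphans": orphans,
        "post_termination_logins": post_term,
    }


if __name__ == "__main__":
    for finding, usernames in reconcile(HR_RECORDS, ACCOUNTS).items():
        print(f"{finding}: {usernames}")
```

    The "review" list matters as much as the "disable" list: a transferred employee keeps an enabled account, so the only control is checking that its permissions still match the new role. Accounts with no HR owner are reported rather than disabled, because service accounts are legitimate but must be assigned a responsible owner.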

    7. REFERENCE

    Null


    1. PURPOSE

    Procedures for Staff Leaving Employment

    Training and Staff Awareness

    Awareness for Temporary Staff

    Security Information Updates to Staff

    2. POLICY

    GDC Hospital systems shall develop and implement a procedure to ensure that all Hospital system property previously assigned to a departing employee is returned, and also that all keys, access cards and forms of employee identification are returned.

    All Hospital systems temporary staff with access privileges to the hospital networks shall acknowledge compliance with the hospital Information Security policies prior to beginning work with the hospital. Updates on Information Security awareness shall be provided to the staff on an evolving, ongoing basis as events warrant.

    3. SCOPE

    Defining a plan to ensure that staff on leave have any remote access to hospital data and information revoked for the duration of their leave, including changing access passwords where required or applicable.

    4. TARGET AUDIENCE

    GDC Hospital employees on leave.

    5. RESPONSIBILITY

    HR Department and IT Department.

    6. PROCEDURE

    Proposed changes or amendments to policies will be presented to the hospital Compliance

    Committee for approval.

    Updated policies will be distributed to Hospital personnel and to the HR for implementation.


    In all of the training, it will be emphasized that the Compliance Officer, Privacy Officer or Security Officer must be notified if these policies are not followed. At that point, it will be determined whether the employee/resident requires more in-depth education and training, or whether the matter needs to be referred to Human Resources for disciplinary action.

    7. REFERENCE

    Null


    1. PURPOSE

    Information Security Training on New Systems

    New System Staff and Physicians Training in Information Security

    Preparing Hospital for Placement of Computers

    2. POLICY

    Each Hospital system staff member and physician shall complete information security training appropriate for their job function. If the user's job responsibilities change, then the user's training requirements shall be reassessed and new training must occur, if required/applicable.

    All new Hospital system staff and physicians shall receive application training and mandatory Information Security training appropriate for their job or educational function within 3 calendar days of their start date.

    All Hospital system information systems hardware and media that contain protected or restricted information shall be located in areas that are protected from physical intrusion, theft, fire, excessive temperature/humidity or other hazards.

    3. SCOPE

    Prepare a training plan including manuals (if required) and other training materials.

    4. TARGET AUDIENCE

    GDC system end-users and physicians.

    5. RESPONSIBILITY

    Hospital HR Department and IT Department.

    6. PROCEDURE

    IT Management will define the corresponding procedures.

    7. REFERENCE

    Null


    1. PURPOSE

    Protecting Against, Detecting and Responding to Information Security Incidents

    Reporting Information Security Incidents

    Defending Against Unauthorized or Criminal Activity

    2. POLICY

    GDC Hospital system shall develop and implement procedures to defend hospital networks and information systems that contain protected or restricted information against vandalism, unauthorized physical intrusion, unauthorized access, denial of service, virus attack, spyware or malware.

    3. SCOPE

    Preparing a scope of work to develop policies and procedures to protect the hospital's Network Information System (NIS).

    4. TARGET AUDIENCE

    GDC Hospital network and information systems

    5. RESPONSIBILITY

    IT Department.

    6. PROCEDURE

    Hospitals shall adhere to the Information Security (IS) and Incident Response Procedure above, and shall adhere to the Workstation and Server Standards and the Network Standards, to help defend hospital networks and information systems that contain protected or restricted information against unauthorized physical intrusion, unauthorized access, denial of service, virus attack, spyware/malware or criminal activity.

    7. REFERENCE

    Null


    1. PURPOSE

    Security Incident Procedures

    2. POLICY

    All hospital systems shall develop and implement procedures requiring that all suspected or actual information security incidents, as defined by the hospital IT department, are promptly reported to the Information Technology Manager.

    3. SCOPE

    Develop policies and procedures for suspected information security incidents, as defined by the hospital, in order to protect the hospital's information and software applications (management database).

    4. TARGET AUDIENCE

    Hospital software application, Database, and Information system.

    5. RESPONSIBILITY

    IT Department.

    6. PROCEDURE

    Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above. Each hospital system should adhere to industry-recognized best practices when collecting and protecting evidence from information systems so that criminal perpetrators can be prosecuted to the fullest extent of the law.

    7. REFERENCE

    Null


    1. PURPOSE

    Responding to Information Security Incidents

    2. POLICY

    All Hospital systems shall develop and implement procedures for the response to information system security incidents, as defined by the hospital IT department. Every effort shall be made to mitigate the adverse impact on the confidentiality, integrity and availability of data, and to preserve any evidence that could be used in the investigation of the incident.

    3. SCOPE

    Develop policies and procedures for suspected information security incidents, as defined by the hospital, in order to protect the hospital's information and software applications (management database).

    Prepare a backup plan to restore data in case of loss.

    4. TARGET AUDIENCE

    Hospital software application, Database, and Information system.

    5. RESPONSIBILITY

    Information Technology Department.

    6. PROCEDURE

    Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above.

    Every effort shall be made to mitigate the adverse impact on the confidentiality, integrity, and availability of data, and to preserve any evidence that could be used in the investigation of the incident.

    7. REFERENCE

    Null


    APPENDIX A

    WORKSTATION AND SERVER STANDARDS

    The purpose of these standards is to provide guidelines for best security practices when installing new workstations and servers (or reconfiguring older workstations and servers) on the network. It is not the purpose of this document to provide the information necessary to correctly administer a workstation or server. It is assumed that the support staff responsible for implementing these standards are knowledgeable about the operating system they have chosen, the hardware on which it runs, and any applications they intend to install.

    A.1 Workstation Standards

    No workstation should be connected to the network until the following items have been accomplished:

    1. All security patches for the OS and any applications have been acquired using a local connection that does not require an IP address (e.g. USB hard drive, zip drive, CD, etc.).

    2. All documentation for the workstation has been properly stored in a secure location.

    3. The OS has been properly installed and configured and all relevant security patches for both the OS and any applications have been applied.

    4. All