Information Security and Privacy Policy Handbook v.2
PARTNERS HEALTHCARE

Elizabeth Leinbach
399 Revolution Drive, Somerville, MA 02145


Table of Contents

Policy, Standards and Procedures Reference .......... 2

Information Security Program Policy (EISP-5) .......... 3
  1. Partners Information Security Policy Program .......... 3
  2. Availability of Policies .......... 3
  3. Policy Training Requirement .......... 3
  4. Information Security: Roles and Responsibilities .......... 3
  5. Business Partners .......... 3

Managing Workforce Members Information Security Responsibilities (EISP-7) .......... 4
  1. Responsibilities Before, During and After Employment .......... 4

Sanctions Addressing Information Security & Privacy Violations (EISP-7a) .......... 5
  1. Categorization of Violations .......... 5
  2. Roles and Responsibilities .......... 5
  3. Addressing Violations .......... 5
  4. Corrective Action Options .......... 5
  5. Personal Accountability .......... 5

IT Asset Management Policy (EISP-8) .......... 6
  1. Responsibility for IT Assets .......... 6
  2. Data Classification of IT Assets .......... 6
  3. Information Security Risk Management .......... 6
  4. Media Handling .......... 6
  5. Macintosh Devices .......... 6

IT Access Control Policy (EISP-9) .......... 7
  1. Controls to Prevent Unauthorized Access .......... 7
  2. Responsibilities for Protecting Access to Partners Data and Systems .......... 7
  3. Remote Access to the Partners Network and Systems .......... 7
  4. Proper Configuration .......... 7

IT Acquisition, SDLC & Maintenance Policy (EISP-12) .......... 8
  1. Follow Security Requirements for All Information Systems .......... 8
  2. Practice Secure Software Development .......... 8
  3. Maintenance of IT Solutions .......... 8

Information Security & Privacy Incident Response Policy (EISP-16) .......... 10
  1. Incident Response Process .......... 10
  2. Who Is Responsible for Incident Response Assistance .......... 10
  3. How to Report Incidents .......... 10
  4. Incident Handling .......... 10
  5. Incident Monitoring .......... 10
  6. Incident Closure .......... 10

Disaster Recovery Policy for Information Systems (EISP-17a) .......... 11
  1. Creation of Disaster Recovery Plan (DRP) .......... 11
  2. Publication and Training .......... 11
  3. Roles and Responsibilities .......... 11

Information Security Program Policy (EISP-5)

1. Partners has an Information Security Policy Program with standards and procedures that is reviewed and revised on an annual basis. (ISPR-5a: Policy Development Procedures)

2. Policies are available to all workforce members on Policy Central via the Partners network.
   • Located in the Partners Application Menu
   • Direct link: https://grcarcher.partners.org

3. Workforce must be trained on policies upon hire, annually and on any Policy changes. (EISS-5: Information Security Program Standards)

4. Information Security: Roles and Responsibilities
   • Chief Information Officer: Adopts and Enforces
   • CISPO & ISPO: Develops and Maintains
   • Information Security Officers: Implements and Facilitates
   • Business & System Owners: Plan for Compliance
   • Workforce: Understand and Do

5. Business partners must comply with Partners Information Security policies, standards and procedures. (EISS 8b: IT Asset Management Standards for Risk Management)
   • Complete Vendor Information Security Plan (VISP): provide documentation and implement mitigating controls
     o ISPO Cybersecurity Risk Assessment Request Form
   • Comply with Variance conditions: submit a Variance request and implement mitigating controls
     o ISPO Cybersecurity Variance Request Form
   • Cooperate with Audits

6. All must comply with regulatory, legal and contractual drivers as well as Partners Policy or Variances.
   • Partners conducts periodic audits that review system activity in compliance with regulations.

Information security is a responsibility shared by all users of Partners information and information systems.

Managing Workforce Members Information Security Responsibilities (EISP-7)

In alignment with your institution’s local HR policies:

Prior to Employment
  Job Description:
  • Describe information security skills
  • Include required certificates and degrees
  Disclose:
  • Background checks
  • Verifications

During Employment
  Accountability:
  • Terms and conditions of employment
  Education:
  • Onboarding training
  • Periodic refreshers
  • Updates due to changes
  Corrective Action:
  • Follow Corrective Action Standards

Change or Termination
  Procedures:
  • Document at institution level
  Access:
  • Initiating changes
  • Authorizing and applying
  • Validating
  Communication:
  • Share changes with staff
  • Update any acceptable use or confidentiality agreements

Workforce members have Information Security responsibilities throughout employment at Partners.

Workforce Member: employees (and temporary employees), professional staff, researchers, volunteers, trainees and other persons whose conduct, in the performance of their work, is under the direct control of Partners, or a Partners member Institution, whether or not they are paid by Partners or a Partners Institution.

Sanctions Addressing Information Security & Privacy Violations (EISP-7b.1)

1. Categorization of Violations
   • Category 1: Accidental or inadvertent violation
   • Category 2: Failure to follow established privacy and security policies and procedures
   • Category 3: Deliberate or purposeful violation without harmful intent
   • Category 4: Willful and malicious violation with harmful intent

   Note: Privileged Users are held to a higher standard of conduct.

2. Roles and Responsibilities
   • Human Resources
     o Implements locally adopted HR Policies, Standards and Procedures at each institution
     o Always consult with HR to assure that corrective action complies with the institution’s HR policies & practice
   • Supervisor
     o Works in cooperation with HR, Privacy Officer and Information Security Officer to address behavior
   • Privacy Officer / Information Security Officer
     o Facilitates assessment of the severity and impact of the violation
     o Provides guidance on categorization and technical remediation of the violation

3. Addressing Violations
   • Notification: notify of the violation from the Privacy Officer, Information Security Officer, Supervisor, or CISPO or his designee
   • Education: educate how to prevent repeat occurrences of similar instances
   • Documentation: document notification and education to keep with employment records or other tracking mechanism

4. Corrective Action Options
   • Corrective action is based on the severity, frequency and impact of the violation itself.
   • Options include: Terminate Privileges, Change Staff Appointment, Change Role Assignment, Eligibility for Job Transfer, Terminate Employee

5. Personal Accountability
   • Workforce members may expose themselves to personal loss when a breach to their information is a direct result of the workforce member’s own actions.

Information Security and Privacy violations are grounds for corrective actions up to and including termination of IT privileges, staff appointment or employment.

IT Asset Management Policy (EISP-8)

1. Responsibility for IT Assets (EISS 8a: IT Asset Management Standards for Acceptable Use of ITRs)
   • Inventory (What do we have?)
   • Ownership (Who owns it?)
   • Acceptable use (How can assets be used?)
   • Return (How do we get assets back when their intended use has ended?)

2. Data Classification of IT Assets (EISS 8c: IT Asset Management Standards for Data Classification)
   • Roles (Who: Owner, Manager, Steward, User)
   • Classification Levels
     o Public: Data created for public use.
     o Institutional: Data Partners has chosen to keep private.
     o Confidential: Protected health information (PHI), personally identifiable information (PII) or other regulated data.
   • Access & Handling (How: Labeling and Protections)

3. Information Security Risk Management (EISS 8b: IT Asset Management Standards for Risk Management)
   • Roles and Responsibilities (Who owns it?)
   • Risk Assessments (What is assessed?)
   • Risk Treatment (How are risks addressed?)
   • Monitoring and Review (What happens when something changes?)

4. Media Handling (ISPR-8a: Enterprise Secure Media Destruction Procedures)
   • Access & Protection: protect in storage and from unauthorized access.
   • Management of Removable Media: clean prior to reuse, track if required, encrypt if confidential.
   • Transfer: use authorized transportation methods; log transport if required.
   • Disposal: dispose of securely.

5. Macintosh Devices (EISS 8d: IT Asset Management Standards for Apple Macintosh Products)
   • Enroll in Partners Enterprise Apple Support (PEAS) for support with Apple Macintosh devices within Partners.

IT Assets acquired, created, managed and maintained by Partners must be identified, protected, managed and disposed of in accordance with their sensitivity classification and Partners responsibilities.

What are Information Technology Resources (ITR)?

ITRs are business tools provided by Partners to conduct the institution’s business or work-related matters. Examples: Partners computers, printers, programs, wireless and local network, etc.

IT Access Control Security Policy (EISP-9)

1. Business owners must enforce sufficient controls to prevent unauthorized access. (EISS-9b: IT Access Control Standards for Users)
   • Register Users
     o Document how access and elevated privileges are authorized
     o Assign rights in accordance with the sensitivity of the system or data
   • Manage Privileges
     o Assign accounts to individuals whenever possible
     o Delegate roles based on least privilege, separation of duties and auditability
   • Manage Passwords
     o Use unique account/password combinations
     o Adhere to strength and duration standards

2. Individuals are responsible for protecting access to Partners data and systems.
   • Being given access to something does not mean you should use it if you do not have a business purpose. (EISS 8a: IT Asset Management Standards for Acceptable Use of ITRs)
     o Protect all passwords
     o Refrain from leaving equipment unattended and unlocked
     o Keep a clear desk and clear screen

3. Remote access to the Partners network and systems introduces a need for additional security precautions. (EISS-9a: IT Access Control Standards for Networks)

4. Proper Configuration
   • All equipment that is connected to the network must be configured properly.
   • If the equipment is not authorized or configured correctly, it may be kicked off the network. (EISS-9a: IT Access Control Standards for Networks)

All workforce members are responsible for protecting access to Partners data and systems; access is a privilege, not a right.

IT Acquisition, SDLC & Maintenance Policy (EISP-12)

1. Follow Security Requirements for All Information Systems
   • Classification of Data: How sensitive is the data that your system will deal with?
   • Trustworthiness: How likely is it that your system could be compromised?
   • Security Functionality vs. Requirements: How do differences between the system functionality and your technical requirements affect the security of the system?
   • Disable Unnecessary Functionality: Is there unnecessary functionality included in the system that you can disable to avoid introducing unanticipated issues?
   • Budget for Security: Have you reviewed how implementing security functionality and controls could impact your budget?

2. Practice Secure Software Development
   • Develop security controls based on sensitivity and risks:
     o Access, Authentication and Authorization
     o Session Management
     o Input Validation
     o Encryption
     o Error Handling & Logging
     o Data Protection
     o Communication Protection
     o Business Logic
     o Files and Resources
     o Mobile Development

3. Maintaining IT Solutions
   • Change Control: follow standard change control procedures
   • Modification to Software Packages: only modify software packages when necessary and authorized by the software provider
   • Unsupported System Components: retire unsupported components in a timely manner
   • Technical Vulnerabilities: install patches, software updates and other corrective measures in a timely manner

4. Protect All IT Environments
   • Hardened Servers
     o Protect production servers by using a layered security approach
   • Business purpose and security requirements must not conflict
     o Don’t treat business requirements and security requirements as “either/or”

See standards (EISS-12a.1: Enterprise IT Acquisition, SDLC and Maintenance Standards: General Use IT Systems).

Plan for Information Security throughout your system development lifecycle.

Email Back-up and Retention Standards (EISS-13a)

1. Email Back-up Standards
   • On-premise Exchange mailboxes
     o Backed up at the Data Center
     o Deleted email is available for 14 days unless permanently deleted by the user.
   • Exchange Online cloud mailboxes
     o Backed up by multiple Data Centers
     o Deleted email is available for 28 days unless permanently deleted by the user.

2. Preserving Email for Legal or Regulatory Reasons
   • Workforce members on legal hold are not able to permanently delete email data.
   • Procedures for legal holds (ISPR-13a: Extended Email Retention Procedures)

Partners managed email applications have specific standards for back-ups, retention and destruction.

Information Security & Privacy Incident Response Policy (EISP-16)

1. Incident Response Process
   • Discovery → Activation and Containment → Mitigation → Monitoring → Closure

2. Who is Responsible for Incident Response Assistance
   • Information Security Incidents: routed through the Computer Security Incident Response Team (CSIRT) or Information Security Officer
   • Privacy Incidents: routed through a Privacy Officer or Privacy Office

3. How to Report Incidents (ISPR-16a: Internal Reporting Procedures)
   • Who to notify:
     o Notify the entity’s Police/Security Department.
     o Notify the IS Service Desk immediately if the incident involves a lost or stolen device or technical issue.
     o Notify the entity Privacy and/or Information Security Office.
     o Principal Investigators must notify the Institutional Review Board (IRB) of any privacy or information security incidents involving an IRB approved research study and the entity Privacy Office.
     o Anonymous Reporting:
       ▪ Partners compliance helpline (800-856-1983)
       ▪ Partners compliance website: http://www.partners.org/complianceline

4. Incident Handling
   • There are specific procedures to help assure that incidents are handled consistently and that enough support is made available to effectively contain and remediate. (ISPR-16a: Internal Reporting Procedures)

5. Incident Monitoring
   • Incidents must be documented, tracked and maintained for all evidence.

6. Incident Closure
   • CSIRT or the Privacy Officer must document, track and manage activities associated with information security and privacy incident closure.
     o Notifications and communications
     o Incident debrief
     o Articulation and implementation of lessons learned, as appropriate

Workforce members must immediately report information security and privacy incidents. Those members making a good faith report of a suspected incident are protected from retaliation.

Disaster Recovery Policy for Information Systems (EISP-17a)

1. Create a Disaster Recovery Plan (DRP)
   • Containing details necessary to respond to, manage and recover from a major disruption or catastrophic event.
     o Provide provisions for protecting data and confidential information
     o Align with applicable legal and regulatory requirements
     o Recover the most critical functions of the business unit and their supporting information systems
     o Perform a Datacenter failover exercise before application go-live
     o Perform regular DR exercises
     o Store DR plans in a designated secure repository
     o Keep plans current and updated between annual tests and reviews

2. Publish Disaster Recovery Plan (DRP) and Train All Involved Individuals
   • Document DRP in Archer GRC (EISS-17a: Disaster Recovery Standards)

3. Roles and Responsibilities
   • Business Owner
     o Owns or manages a business unit
     o Consults with the System or Application Manager throughout the DR planning and testing process
   • System Owner or App Manager
     o Verifies owned applications have an approved Disaster Recovery plan
   • Site CIO
     o Verifies all related DR Plans are in compliance
     o Determines the appropriate level of plan testing
     o Integrates with the Site Institution Hospital Incident Command System (HICS) Administrator
   • Disaster Recovery Team
     o Oversees the DR Program at Partners
     o Reviews the DR Policy and standards
     o Assists regular site DR testing
     o Provides necessary training to end users
   • Internal Audit
     o Tests controls outlined in the DR Policy and Guidance document during the course of its auditing process

All information systems that are deemed in scope by the appropriate parties must have Disaster Recovery Plans (DRPs).

Policy, Standards and Procedures Reference

EISP-5: Information Security Program Policy
  Standards & Procedures:
  • EISS-5: Information Security Program Standards
  • ISPR-5b: Privileged User Annual Audit Procedures

EISP-7: Managing Workforce Members Information Security Responsibilities Policy
  Standards & Procedures:
  • EISP-7b.1: Policy for Sanctions Addressing Information Security and Privacy Violations

EISP-8: Enterprise IT Asset Management Policy
  Standards & Procedures:
  • EISS 8a: IT Asset Management Standards for Acceptable Use of ITRs
  • ISPR-8a: Enterprise Secure Media Destruction Procedures
  • EISS 8c: IT Asset Management Standards for Data Classification
  • EISS 8d: IT Asset Management Standards for Apple Macintosh Products

EISP-9: IT Access Control Security Policy
  Standards & Procedures:
  • EISS-9a: IT Access Control Standards for Networks
  • EISS-9b: IT Access Control Standards for Users

EISP-12: IT Acquisition, SDLC and Maintenance Policy
  Standards & Procedures:
  • EISS-12a.1: Enterprise IT Acquisition, SDLC and Maintenance Standards: General Use IT Systems

EISS-13a: Email Back-up and Retention Standards
  Standards & Procedures:
  • ISPR-13a: Extended Email Retention Procedures

EISP-16: Information Security and Privacy Incident Response Policy
  Standards & Procedures:
  • ISPR-16a: Internal Reporting Procedures

EISP-17a: Disaster Recovery Policy for Information Systems
  Standards & Procedures:
  • EISS-17a: Disaster Recovery Standards