ecfirst has developed deep expertise in tailoring information security policies and procedures to meet compliance requirements and business priorities. Our impact on the customized development of your policies and procedures is typically based on:
The ecfirst team assigned to this engagement will only include credentialed professionals with deep experience developing information security policies and procedures for organizations. The intent is to leverage industry best practices to ensure that each policy genuinely reflects the actual process used within your organization and is influenced by regulatory requirements such as HIPAA, PCI DSS and others.
Figure 1 provides a brief summary of the objective of each security policy and procedure that organizations typically develop to address regulatory requirements. ecfirst will prepare the policies identified in Figure 1. ecfirst will review and enhance all existing policies. New policies will be developed where they do not yet exist in your organization.
| Information Security Policy/Procedure | Description |
| --- | --- |
| Administrative Safeguards Policies | |
| Information Security Strategy | The purpose is to provide reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability (CIA) of information assets by protecting those assets from unauthorized access, modification, destruction, or disclosure. |
| Security Management Process | The purpose is to implement policies and procedures to prevent, detect, contain, and correct security violations. |
| Risk Analysis | The purpose is to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information. |
| Risk Management | The purpose is to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with impacted regulations. |
| Sanction Policy | The purpose is to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the organization. |
| Information System Activity Review | The purpose is to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. |
| Assigned Security Responsibility | The purpose of this policy is to identify the security official who is responsible for the development and implementation of policies and procedures. |
| Workforce Security | The purpose is to implement policies and procedures to ensure that all members of the workforce have appropriate access to sensitive information and to prevent those workforce members who do not have access from obtaining access to sensitive information. |
| Authorization and/or Supervision | The purpose is to implement procedures for the authorization and/or supervision of workforce members who work with sensitive information or in locations where it might be accessed. |
| Workforce Clearance Procedure | The purpose is to implement procedures to determine that the access of a workforce member to sensitive information is appropriate. |
| Termination Procedures | The purpose is to implement procedures for terminating access to sensitive information when the employment of a workforce member ends. |
| Information Access Management | The purpose is to implement policies and procedures for authorizing access to sensitive information. |
| Access Authorization | The purpose is to implement policies and procedures for granting access to sensitive information, for example, authorization required to access a workstation, transaction, program, process, or other mechanism. |
| Access Establishment and Modification | The purpose is to implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. |
| Security Awareness and Training | The purpose is to implement a security awareness and training program for all members of its workforce, including management. |
| Security Reminders | The purpose is to provide periodic security updates to all members of the workforce. |
| Protection from Malicious Software | The purpose is to develop procedures for guarding against, detecting, and reporting malicious software. |
| Log-in Monitoring | The purpose is to develop procedures for monitoring log-in attempts and reporting discrepancies. |
| Password Management | The purpose is to implement procedures for creating, changing and safeguarding passwords. |
| Security Incident Procedures | The purpose is to address security incidents. |
| Response and Reporting | The purpose is to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. |
| Contingency Plan | The purpose is to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain sensitive information. |
| Data Backup Plan | The purpose is to establish and implement procedures to create and maintain retrievable exact copies of sensitive information. |
| Disaster Recovery Plan | The purpose is to establish (and implement as needed) procedures to restore any loss of data. |
| Emergency Mode Operation Plan | The purpose is to establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of sensitive information while operating in emergency mode. |
| Testing and Revision Procedures | The purpose is to implement procedures for periodic testing and revision of contingency plans. |
| Applications and Data Criticality Analysis | The purpose is to assess the relative criticality of specific applications and data in support of other contingency plan components. |
| Evaluation | The purpose is to perform a technical and non-technical evaluation, repeated in response to environmental or operational changes affecting the security of sensitive information, that establishes the extent to which the organization’s security policies and procedures meet compliance requirements and business priorities. |
| Business Associate Contracts and Other Arrangements | The purpose is to obtain satisfactory assurances, consistent with impacted regulations, that the business associate will appropriately safeguard all sensitive information. |
| Physical Safeguards | |
| Access Control | The purpose is to implement technical policies and procedures for electronic information systems that maintain sensitive information to allow access only to those persons or software programs that have been granted access rights. |
| Unique User Identification | The purpose is to assign a unique name and/or number for identifying and tracking user identity. |
| Emergency Access Procedure | The purpose is to establish (and implement as needed) procedures for obtaining necessary sensitive information during an emergency. |
| Automatic Logoff | The purpose is to implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| Encryption and Decryption | The purpose is to implement a mechanism to encrypt and decrypt sensitive information. |
| Audit Controls | The purpose is to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use sensitive information. |
| Integrity | The purpose is to implement policies and procedures to protect sensitive information from improper alteration or destruction. |
| Mechanism to Authenticate Electronic Protected Health Information | The purpose is to implement electronic mechanisms to corroborate that sensitive information has not been altered or destroyed in an unauthorized manner. |
| Person or Entity Authentication | The purpose is to implement procedures to verify that a person or entity seeking access to sensitive information is the one claimed. |
| Transmission Security | The purpose is to implement technical security measures to guard against unauthorized access to sensitive information that is being transmitted over an electronic communications network. |
| Integrity Controls | The purpose is to implement security measures to ensure that electronically transmitted sensitive information is not improperly modified without detection until disposed of. |
| Encryption | The purpose is to implement a mechanism to encrypt sensitive information whenever deemed appropriate. |
| Organizational Framework | |
| Policies and Procedures Standard | The purpose is to implement reasonable and appropriate policies and procedures to comply with applicable regulations. |
| Documentation | The purpose is to maintain the policies and procedures implemented to comply with regulations in written (or electronic) form and, where an action, activity or assessment is required, to maintain a written (which may be electronic) record of it. |
| Other Policies | |
| Information Classification | The Information Classification Policy is intended to assist employees of the organization in making decisions regarding what information may and may not be released to the public or disclosed to any individual outside of the organization. |
| Email Security | The purpose of this policy is to protect the confidentiality and integrity of sensitive information that may be sent or received via email. |
| Remote Access Policy | The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of remote access connections to the organization’s enterprise infrastructure to a reasonable and appropriate level. |
| Portable Devices Policy | The purpose is to secure the use of portable devices used by members of the workforce. |
| Wireless Security Policy | The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of the organization’s wireless infrastructure to a reasonable and appropriate level. |
Figure 1: Summary of Information Security Policies and Procedures.
You are only 1-click away from major information security and business continuity related standards and key references at www.ecfirst.com/complianceportal/. Visit today.
ecfirst delivers world-class information security and regulatory compliance solutions, and its professional services team enables businesses to address IT staffing challenges every day. With over 1400 clients, ecfirst was recognized as an Inc. 500 business (America’s Top 500 Fastest Growing Privately Held Businesses) in 2004, our first year of eligibility. ecfirst assists organizations with their compliance initiatives for a secure information infrastructure that is compliant with regulations such as PCI DSS, HIPAA, Sarbanes-Oxley, ISO 27002, and federal and state legislation. ecfirst serves a Who's Who client list that includes technology firms, numerous hospitals, state and county governments, and hundreds of businesses across the United States and abroad. A partial list of clients includes EMC, IBM, Principal Financial, U.S. Army, U.S. Dept. of Homeland Security, U.S. Dept. of Veterans Affairs and many others.
ecfirst delivers deep expertise with its full suite of services that include Single Sign-On (SSO), context management, contingency planning/Business Impact Analysis (BIA), vulnerability assessment, as well as managed compliance, security and IT infrastructure solutions. ecfirst has successfully executed fixed price, fixed deliverable, turnkey projects across the United States.
The ecfirst Professional Staffing Practice excels in meeting your short and long term requirements for contract professionals in the areas of Web development, system, database and network administration, application development, system architecture, and project management. This practice is distinguished with credentialed staff (PMP, CBCP, CISSP, CSCS, CHSS or others that may be required) that includes deep industry knowledge in the healthcare, financial, technology and government markets.
The ecfirst compliance training program is exclusively endorsed by the American Hospital Association (AHA). The Certified HIPAA Administrator (CHA™), Certified HIPAA Professional (CHP) and the Certified HIPAA Security Specialist (CHSS™) certifications are the gold standards in the Industry. The ecfirst Certified Security Compliance Specialist (CSCS) Program is the first and only information security program that addresses all major compliance regulations from a security perspective.
Talk to ecfirst.com and you will find an organization that is passionate about the services it delivers and exceptionally devoted to its clients. For more information, please visit http://www.ecfirst.com/