Information Security Policy, IS.SEC.000 by 2d3k8FA


DEPARTMENT: Information Security      POLICY DESCRIPTION: Information Security – Security Committees
PAGE: 1 of 3                          REPLACES POLICY DATED: 2/25/98 (IS.AA.002), 4/21/05, 1/15/10
EFFECTIVE DATE: May 1, 2011           REFERENCE NUMBER: IS.SEC.007
APPROVED BY: Ethics and Compliance Policy Committee

 SCOPE: All Company-affiliated facilities and all Corporate Departments.

 PURPOSE: To establish requirements for Information Security Committees at the facility and
 Division level needed to respond to information security issues and serve as a decision-making
 authority for information security and other compliance-related concerns in the Divisions and
 facilities.

 POLICY:
     1. Each Division must establish and maintain a Division Security Committee (DSC), or
        equivalent committee (e.g., Multi-Facility Committee), which is able to serve as an
        authority to which Division security concerns and decisions are escalated and addressed.

     2. Each Company-affiliated Facility must establish and maintain a Facility Security
        Committee (FSC), or equivalent committee (e.g., Facility Ethics and Compliance
        Committee), which is able to serve as an authority to which Facility security concerns and
        decisions are escalated and addressed.

 PROCEDURES:
 Requirements for Division Security Committees (DSC):

     1. The DSC, or equivalent committee, must be established and maintained in all Divisions in
        order to serve as a decision-making authority for Division information security topics. If
        an alternate committee is used in place of a DSC, the alternate committee must meet the
        requirements of the DSC as outlined in this policy.

     2. The DSC may be a separate committee, or it may be incorporated into an existing Division
        Committee. In order to adequately address concerns, serve as an escalation point for
        issues identified in FSCs, and effectively make decisions which impact the Division as a
        whole, membership must include, at a minimum, the following:
            a. Division Chief Information Officer (CIO);
            b. Division Director of Information Security Operations (DISO);
            c. Director of Technology Services (DoTS);
            d. Director of Application Services (DAS);
            e. Division Facility Privacy Official (FPO); and
            f. Division Ethics and Compliance Officer (ECO).

     3. The DSC must meet at least quarterly and must establish procedures for recording and
        publishing minutes.

     4. Each Division can make determinations about other roles which may attend on a regular
        or rotating basis. Examples of other roles which may attend DSCs include:

            a.   Division Project Manager
            b.   Consulting Division Network Engineer
            c.   Human Resources Vice President
            d.   Director of Information Technology, aka HDIS (all facilities including PAS and
                 CSC)
            e.   Facility Information Security Officials (FISOs) (all facilities)
            f.   System administrators
            g.   Physician Support Coordinators
            h.   Clinical Analysts
            i.   Zone FISO

     5. In addition to serving as a decision-making authority for Division security concerns, DSCs
        must also:
            a. Provide oversight to ensure Division facilities are complying with IT&S
                Information Security Policies and Standards.
            b. Facilitate business decisions and development of mitigation plans associated with
                accepting risks as outlined in the Information Security Risk Acceptance and
                Accountability Policy, IS.SEC.009.
            c. Ensure operational and technical security initiatives are aligned with Division
                business and operational goals.
            d. To the extent practical, standardize Facility and Division information security
                procedures across the Division.

 Requirements for Facility Security Committees (FSCs):

     1. The FSC, or equivalent committee, must be established and maintained in all Facilities in
        order to serve as a decision-making authority for Facility information security topics. This
        committee must be designated for oversight of all Information Security operations at each
        facility. If an alternate committee is used in place of an FSC, the alternate committee
        must meet the requirements for the FSC as outlined in this policy.

     2. The FSC must meet at least quarterly and must establish procedures for recording and
        publishing minutes.

     3. In order to adequately address concerns and effectively make decisions which impact the
        Facility, the FSC membership must include the following representatives:
            a. FISO
            b. Facility IT Director
            c. Facility Administration Representation
            d. Ethics and Compliance Officer

            e.   Facility Privacy Official
            f.   Health Information Management
            g.   Risk Management
            h.   MEDITECH Clinical Support
            i.   Physician Support
            j.   Nursing
            k.   Human Resources
            l.   Other (optional) (some suggestions: SMS Administrator, Network Administrator,
                 PC/Desktop Tech, Facility Management, Decision Support, Division DISO, LSC,
                 Zone FISO, Facility Plant Operations/Security).

     4. In addition to serving as a decision-making authority for Facility security concerns, FSCs
        must also:
            a. Provide oversight to ensure the Facility is complying with IT&S Information
                Security Policies and Standards;
            b. Facilitate business decisions and development of mitigation plans associated with
                accepting risks as outlined in Information Security Risk Acceptance and
                Accountability Policy, IS.SEC.009, and escalate to the DSC as appropriate;
            c. Review the results of required system appropriate-access audits, including actions
                taken for violations;
            d. Monitor available security reports (e.g., SAPortal, SATracker);
            e. Establish procedures, guidelines, tools, and reports for monitoring security
                functions;
            f. Provide guidance for mitigating violations and recommend appropriate sanctions;
            g. Provide guidelines and communication for implementing company, division, zone,
                market, and facility Information Security policies, procedures, standards, toolkits,
                and initiatives;
            h. Develop, review and communicate local facility Information Security policies,
                procedures, standards, toolkits, and initiatives;
            i. When security issues affect a zone, market or division, communicate to the next
                higher level such as Multi-Facility Security Committee, and/or Division Security
                Committee as designated by division leadership.

REFERENCES:
1. Information Security - Program Requirements Policy, IS.SEC.001
2. Information Security Roles and Responsibilities Policy, IS.SEC.006
3. Information Security Risk Acceptance and Accountability Policy, IS.SEC.009
4. Code of Conduct
5. Information Security Guidance: Division Security Committee (DSC)

3/2011