Information Security Policy, IS.SEC.000 by YH4H4F


DEPARTMENT: Information Security      POLICY DESCRIPTION: Information Security
                                      Roles and Responsibilities
PAGE: 1 of 3                          REPLACES POLICY DATED: 6/1/04
EFFECTIVE DATE: January 15, 2010      REFERENCE NUMBER: IS.SEC.006
APPROVED BY: Ethics and Compliance Policy Committee

 SCOPE: All Company-affiliated facilities.

 PURPOSE: To outline information security roles and responsibilities, which establish authority and
 guidance for each Company-affiliated facility to have a Facility Information Security Official (FISO);
 and for each Company Division to have a Director of Information Security Operations (DISO) to
 meet the requirements of the Company’s and facility’s Information Security Program.

 Each Company-affiliated facility is required to have an assigned individual whose role is to ensure
 compliance with Information Security Standards and Policies and oversee the facility’s Information
 Security program. This is required by the Health Insurance Portability and Accountability Act
 (HIPAA), Security Standards for the Protection of Electronic Protected Health Information (Security
 Standards), 45 CFR Parts 160, 162, and 164.

 POLICY:

 1. Each Company-affiliated facility must appoint a Facility Information Security Official (FISO) to
    implement and oversee the Company and facility Information Security Programs and work to
    ensure the facility’s compliance with the IT&S Information Security Policies and Standards. The
    FISO must be notified of all complaints regarding matters of information security that are
    received by the facility. This role is required by HIPAA Security Rule provisions (see above).

 2. A single individual who is appointed as a FISO may serve at multiple facilities as a Zoned, or
    Market, FISO. A single individual may also serve multiple roles within a facility. For example, a
    FISO may also serve as a Facility Privacy Official (FPO).

 3. Each Company Division must have a Division Information Security Official, or Director of
    Information Security Operations (DISO) to implement and oversee the Company and Division
    Information Security Programs; and to oversee and support facilities’ compliance with the IT&S
    Information Security Policies and Standards.

 PROCEDURE:

 Facility Information Security Official (FISO):

 1. Each FISO must oversee and implement the Facility’s Information Security Program. The FISO
    will use Corporate Information Security policies, procedures, standards, and processes provided
    by Information Security, and follow the direction of the DISO, to implement the Facility
    Information Security Program. The Facility Information Security Program must include
    implementation and ongoing maintenance of all components of facility information security (e.g.,
    system security, physical protection of computer systems and related buildings and equipment) as
    developed by Information Security.

 2. The FISO must participate in existing committees, including, but not limited to, the Facility
    Ethics and Compliance Committee (FECC) and Facility Security Committee (FSC) to facilitate
    implementation, education and support of the Facility Information Security Program. See the
    Information Security – Security Committees Policy, IS.SEC.007.

 3. The FISO’s responsibilities include, but are not limited to:
       a. Implement and oversee a Facility Information Security Program;
       b. Serve as primary facility contact for all information security concerns;
       c. Monitor security compliance using existing tools as directed by Corporate Information
           Security;
       d. In conjunction with the Facility and/or Division IT&S staff, implement Information
           Security policies, procedures, standards, and toolkits to ensure facility compliance;
       e. Ensure the facility has an ongoing Information Security Training and Awareness Program;
       f. Ensure a complete Information Security Incident Response Plan is developed and
           implemented. Investigate and document all facility Information Security incidents and
           respond according to Information Security Standards;
       g. In conjunction with department managers, ensure appropriate departmental security
           procedures are in effect which support Information Security requirements;
       h. Ensure appropriate physical security process for Information Security assets, including but
           not limited to, laptop and workstation security, appropriate access to controlled areas, and
           adequate environmental controls for equipment;
       i. Work with the Facility Privacy Official to ensure alignment between information security
           and privacy practices;
       j. Work with the Ethics & Compliance Officer to ensure alignment between information
           security and Company compliance requirements; and
       k. Facilitate any additional Information Security initiatives as directed by the Company.

 Division Information Security Official or Director of Information Security Operations (DISO):

    1. Each DISO must oversee and implement the Division and facilities’ Information Security
       Programs at the Division level. The DISO will use Corporate Information Security policies,
       procedures, standards, and processes provided by Information Security to implement the
       Division security program and to oversee and assist the facilities within the Division with the
       facilities’ security programs.

    2. The DISO should utilize existing committees, including, but not limited to, the FSCs and the
       Division Security Committees (DSCs), to facilitate implementation of the Division and
       Facilities’ Information Security Programs.

    3. The DISO’s responsibilities include, but are not limited to:
           a. Oversee and implement a Division Information Security program in accordance with
              Corporate Information Security Policies, Standards, guidance and initiatives;
           b. Serve as primary Division contact for all information security concerns;
           c. Facilitate vendor assessments and Information Security Agreements (ISAs) as outlined
              in the Information Security – Vendor Information Security Agreement Policy,
              IS.SEC.008;
           d. Work with business units and business owners to identify areas of non-compliance
              with Information Security Standards and to develop and document mitigation plans
              and Risk Acceptance strategies as defined in the Information Security Risk
              Acceptance and Accountability Policy, IS.SEC.009. Lead and drive all information
              security activities within a Division, as a component of the enterprise-wide
              Information Security (IS) program;
           e. Identify, develop, implement, and monitor Information Security initiatives;
           f. Serve as liaison for all FISOs on all Information Security initiatives, issues, and
              projects, including, but not limited to, all responsibilities listed in FISO duties;
           g. Oversee and direct security work performed by FISOs; and
           h. Work with the Division Ethics & Compliance Officer to ensure alignment between
              information security and Company compliance requirements.

REFERENCES:
1. Health Insurance Portability and Accountability Act, Security Standards for the Protection of
    Electronic Protected Health Information
2. Information Security – Program Requirements Policy, IS.SEC.001
3. Information Security – Security Committees Policy, IS.SEC.007
4. Information Security – Vendor Information Security Agreement Policy, IS.SEC.008
5. Information Security Risk Acceptance and Accountability Policy, IS.SEC.009
6. IR.RISE.01 – Incident Reporting Standard
7. IR.IRM.01 – Incident Response Procedures Standard
8. WS.SWB.02 – Security Awareness & Training Standard
9. Company Code of Conduct
10. Risk Acceptance Form (RAF)
11. Submitting a RAF