RACGP Computer security guidelines – A template to develop a policy and procedure manual
1. Staff roles and responsibilities
This section details the various roles and responsibilities of staff, their access levels to
practice systems, and important contact details.




1.1 Practice computer security coordinator

People or person responsible




Role
(See RACGP Computer security guidelines Appendix A)




Responsibilities
(See RACGP Computer security guidelines Appendix A)




1.2 Other staff roles and responsibilities
Other staff may also be assigned tasks related to computer security.


Task                                 People or person responsible
Perform backups
Update software




1.3 Technical Support
This will include all hardware and software supplier contact details.


Name                                         Support for                            Contact Details
Joe Brown, Company Name                      Server                                 0400 000 000




1.4 Staff access levels
Staff should only have access to the systems and information required to enable them to
perform their role in the practice. All staff require a detailed position description that clearly
outlines their roles and responsibilities and the required access to either clinical or business
information. Restricting access reduces the opportunity for accidents and errors. Staff will
require appropriate training in the relevant computer software and the potential risks before
access and passwords are provided. Additionally, unique Healthcare Identifiers (HI):
Healthcare Provider Identifier – Individual (HPI-I) and Healthcare Provider Identifier –
Organisation (HPI-O) should be recorded.


Staff member                            Identifier    Program (name of software)    Access level (restricted information
                                                                                    only or full user access)
Practice nurse                          HPI-I




Practice unit (name of the practice)    Identifier
                                        HPI-O




1.5 Practice policies and procedures manual
This template is intended to guide the development of the computer security guidelines for
your general practice and to form part of the practice’s policy and procedures manual.
Appendix B (RACGP Computer security guidelines) details the elements that the computer
security policies and procedures manual should cover.




2. Business continuity and disaster recovery plans
The business of general practice relies on a properly functioning computer system. A
disaster recovery plan will detail the actions to be taken when the computer system, or any
part of it, either stops functioning or is inefficient and impacts on the ongoing work of the
practice. Business continuity refers to keeping the practice going, eg. making appointments
and writing clinical notes. The development of a disaster recovery plan is to be executed in
consultation with practice staff and the external technical support consultant. The computer
security coordinator is responsible for this task and this responsibility is reflected in their
position description.

An effective disaster recovery plan will bring the computer system back to working order,
including the restoration of any data. This is an increasingly technical and difficult area, and
practices are well advised to consult an external technical advisor.

Some failures in the computer system can be very simple. However, a disaster implies a
major crash in the functioning of the computer system, such as the server failing. It is very
important to know as rapidly as possible when a computer problem can be fixed ‘in house’
and when it requires assistance from an external technical support consultant.

A business continuity plan requires two further items:
• an asset register that details all hardware, software licences, manuals and technical
  support in the practice
• a ‘fault log book’ that is a record of computer faults, errors or failures of the system.



2.1 Asset register
Developing an asset register will require consultation with the practice’s external technical
support consultant. The asset register will document clearly the computer hardware and
software belonging to the practice, and where it is used or stored.

The asset register is to be updated as each new item or service is purchased by the
practice. The computer security coordinator is responsible for the asset register and keeping
it current (eg. items are replaced). This responsibility should be in the position description of
the computer security coordinator.

The following items need to be documented in the asset register:
• hardware and operating system
• network configuration
• software versions, licence keys and configuration details
• software and database locations on the network
• email and internet details
• location of manuals, discs and backup media.

The creation of a good asset register can be exhaustive and would benefit from input from
the practice’s external technical support consultant (see Appendix A).




2.2 Fault log book

Any fault or incident should be recorded in the table below.


Date          Fault noted                              Remedial action performed               By whom




2.3 Business continuity and disaster recovery plans
Business continuity and disaster recovery plans are best written in consultation with an
external technical expert. It is therefore suggested that you work through the steps below
with this person.

2.3.1 Convert to manual procedures for critical practice functions
Each critical function in the practice requires a contingency plan so that when things go
wrong the practice can continue to operate, and this includes the computer systems. Critical
functions can be divided into either administrative or clinical. The practice needs to identify
the major functions that are required to run the practice and how these will continue should
the computer system be inoperable.


Function                  Contingency plan                                                   Person responsible
Billing patients          • Manually swipe Medicare cards                                    Reception staff
                          • Manually issue receipts
                          • Retain copies of all receipts in a secure location, to be
                            entered into the system later




2.3.2 Assess the computer problem
An assessment of the computer problem should be documented and include the
following items:
• write down or capture (‘print screen’) any error messages
• note anything that has changed since the system last worked correctly
• check that all power and network connections and cables are plugged in and that the
  devices are turned on (check that lights are on).




2.3.3 Perform corrective action (with or without technical support)
This step might involve the restoration of data from the most recent backup.

2.3.4 Test the functionality of all systems
This test involves establishing procedures to test that the systems are functional. Systems
checks will vary depending on the identified malfunction.

2.3.5 Resuming normal practice
This will include recording what information will need to be entered or re-entered into the
computer system, how this will be done and who will undertake this task. There should be
plans both for entering data that was processed manually and for re-entering data if the
system had to be restored from a previous backup.


Data entry from manual processing       What needs to be entered?                Person responsible




2.3.6 Review following recovery

Review the reason for the problem and ascertain how the recovery was executed, update
the computer set up, document any important lessons, and update the Policy and
Procedures Manual. This step might involve modifying the software, backup process or
acquiring new components.




2.4 Corrective action for incidents and disasters
These are some common computer ‘disaster’ scenarios in general practice. Complete the
tables and add any further items from your experience. Discuss them with your external
technical support consultant. The most important disaster to plan for is server failure. In this
case, disaster recovery first involves server recovery, and then data restoration.

In many cases disasters can be prevented. Preventive measures include physical actions,
eg. attention to a dust-free environment, climate control, and heeding warnings such as a
high-pitched noise from the server or illuminated warning lights on the server.

2.4.1 Server failure
Immediate action                Recovery procedure                                               Person responsible
Implement contingency plan      • Write down or capture any error messages                       Practice computer security
                                • Check that no computers are accessing the server                 coordinator
                                  (log off all computers)
                                • Reboot the server (by authorised staff only)
                                • If the server does not reboot correctly:
                                  – write down or capture any error messages
                                  – call technical support
                                • If the server does reboot correctly:
                                  – check that the last transactions entered (eg. in a
                                    patient record) are correctly recorded on the system




2.4.2 Virus detection
Immediate action                        Recovery procedure                       Person responsible




2.4.3 Power failure
Immediate action                Recovery procedure                                               Person responsible
                                • Install an uninterruptible power supply (UPS) with
                                  sufficient capacity for all mission critical devices
                                • Check the UPS batteries on a periodic basis




2.4.4 File corruption or loss
Immediate action                        Recovery procedure                       Person responsible




2.4.5 Network problem
Immediate action                        Recovery procedure                       Person responsible




3. Backup
Backup and data restoration procedures are a vital component of the business continuity
plan. However, as the optimal method of backup and restoration is quite technical, you
would be well advised to consult with an external technical expert on these matters.
Any data and files that change should be backed up. This includes practice management
and clinical systems data as well as documents, email files, internet favourites and
bookmarks. You may require different backup and recovery procedures for each of these.
While you do not need to back up your operating system or programs, as these can be
restored from the original media, it is a good idea to periodically back up the entire server.
This can be done using disk imaging software, which takes an identical copy, or ‘image’, of
your computer hard drive.
Note: It is important to keep a copy of the computer security policy and procedures manual offsite so
that if there is a systems failure, there is ready access to the restoration and business continuity
procedures.

Further information on a step by step procedure for assessing and improving the procedures
for backup can be found in articles such as Williams PAH. A practical application of CMM to
medical security capability. Information Management and Computer Security 2008;16:58–73.


Backup procedure     Activity                                          When     Person responsible   Media cycling              Offsite storage procedure
For an automated     At the end of the day                             Daily    Receptionist         • Daily backup media
backup               • Insert backup media for the day in the server                                • Weekly
                     • Ensure that all other computers have logged                                  • Monthly
                       out of the server                                                            • Annual (end of
                     Next morning                                                                     financial year)
                     • Check for any error messages on the server
                     • Check that the files on the backup media look
                       correct (name, size and date)
                     • Remove backup media and store in secure location




3.1 Backup media cycling
It is important to be observant for potential problems within the systems that manage data
including backups. It is useful to have a series of backups so that you can restore a file from
a point before the problem occurred. Having a system of daily, weekly, monthly and annual
backups enables you to do this.
Daily backups – use a different tape, CD, DVD or hard drive. Label them by the day of the
week, and use the appropriately named tape or hard drive, eg. Monday data is always
backed up (overwritten) on the media marked Monday.
Weekly backups – have backup media labelled ‘Week # 1’, ‘Week # 2’. This should be
used once every week of the month, eg. every Friday. Therefore ‘Week # 1’ would be used
on the first Friday of the month, ‘Week # 2’ on the second Friday of the month and so on.

Monthly backups – have one backup media labelled ‘Monthly’. This should be used once
every month, eg. on the first working day of the month.
Annual backup – this should be done at the end of the financial year.



3.2 Documenting rotation of backup media
The table below is an example of documenting the rotation of backup media.
The table can be adjusted and printed each month as a reminder of which tape to use and
to record that the backup has been executed and checked.

            Mon               Tues              Wed               Thurs             Fri               Sat               Sun
Week 1      Mon               Tue               Wed               Thu               Week#1            Sat               Sun
            Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐
Week 2      Mon               Tue               Wed               Thu               Week#2            Sat               Sun
            Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐
Week 3      Mon               Tue               Wed               Thu               Week#3            Sat               Sun
            Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐
Week 4      Mon               Tue               Wed               Thu               Week#4            Sat               Sun
            Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐
Week 5      Mon               Tue               Wed               Thu               Week#5            Sat               Sun
            Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐  Done ☐ Checked ☐
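The labelling rules in 3.1 and the printed reminder in 3.2 can be generated rather than worked out by hand each month. The following is an added example written for this page, not part of the RACGP template. It assumes, as the table above does, that Friday is the weekly slot, that the monthly backup falls on the first Monday-to-Friday day of the month (no public-holiday calendar), that the financial year ends on 30 June, and that when slots collide the order of precedence is annual, then monthly, then weekly, then daily. It also works out, for any given day, how far back each labelled medium would take the practice on a restore, which is the "series of backups" the text relies on.

```python
"""Media rotation for the daily / weekly / monthly / annual backup scheme.

Added example (not from the RACGP template). Assumptions: Fridays are the
weekly slot (as in the rotation table), the monthly backup falls on the first
Monday-to-Friday day of the month (no public-holiday calendar), and the
financial year ends on 30 June (Australian practice).
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

WEEKDAY_LABELS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
FY_END_MONTH, FY_END_DAY = 6, 30  # assumption: end of financial year


def first_working_day(year: int, month: int) -> date:
    """First Monday-to-Friday date of the month (assumption: no holiday calendar)."""
    d = date(year, month, 1)
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def media_label(d: date) -> str:
    """Which labelled medium is overwritten on day d.

    Precedence when slots collide (assumption): Annual, then Monthly, then the
    weekly Friday medium, then the medium named after the weekday.
    """
    if (d.month, d.day) == (FY_END_MONTH, FY_END_DAY):
        return "Annual"
    if d == first_working_day(d.year, d.month):
        return "Monthly"
    if d.weekday() == 4:  # Friday: the nth Friday of the month uses Week#n
        return f"Week#{(d.day - 1) // 7 + 1}"
    return WEEKDAY_LABELS[d.weekday()]


def media_set() -> set[str]:
    """Every medium the scheme needs on the shelf ('Fri' never appears: Fridays are weekly)."""
    return ({"Mon", "Tue", "Wed", "Thu", "Sat", "Sun"}
            | {f"Week#{n}" for n in range(1, 6)}
            | {"Monthly", "Annual"})


def rotation_table(year: int, month: int) -> list[list[str]]:
    """Rows for the printed monthly reminder: one row per calendar week (Mon..Sun),
    each cell naming the medium plus the Done/Checked tick boxes; '' for padding days."""
    rows: list[list[str]] = []
    for week in calendar.monthcalendar(year, month):
        rows.append([f"{media_label(date(year, month, day))} ☐ Done ☐ Checked" if day else ""
                     for day in week])
    return rows


def restore_points(today: date, history_days: int = 400) -> dict[str, date]:
    """For each medium, the date it was last (over)written on or before `today`,
    i.e. the point in time a restore from that medium would return the practice to."""
    latest: dict[str, date] = {}
    for back in range(history_days):
        d = today - timedelta(days=back)
        latest.setdefault(media_label(d), d)  # first hit walking backwards = most recent write
    return latest


if __name__ == "__main__":
    for row in rotation_table(2024, 3):
        print(" | ".join(cell or "-" for cell in row))
    for label, written in sorted(restore_points(date(2024, 3, 12)).items(), key=lambda kv: kv[1]):
        print(f"{label:8s} last written {written}")
```

Running the script prints the March 2024 reminder sheet and, for 12 March 2024, shows that the oldest restore point still on the shelf is the annual medium from 30 June 2023 and the most recent is that day's own "Tue" medium; if a corruption is only noticed a fortnight after it happened, that listing is what tells the practice which medium still predates it.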




3.3 Restoring data
In the event that the backup needs to be used to restore all or part of your practice data and
programs, you need to document the process. In most instances this process will need to be
actioned by your external IT service provider or at least under their guidance. The practice
policy on backup process should also include the procedures for keeping archived data (eg.
yearly backups) to ensure that they are able to be read by current hardware.


Restoring procedure in the event of a server failure                      Person responsible
• Locate backup media for the previous day                                Practice computer security
• Insert backup media in the server                                       coordinator or technical support
• Ensure that all other computers have logged out of the                  consultant
  server
• Perform restore for particular system/files
• Check that the system/files restored look correct (name,
  size and date)
• Check that the system functions correctly
• Remove backup media and store in secure location




Check/Test recovery procedure               When                             Person responsible
• Restore file/system on a different        Quarterly and when               Practice computer security
  computer to the one on which              system changes are made          coordinator or technical support
  the system normally runs                                                   consultant
• Check that the restored system
  functions correctly
• Compare the records to ensure
  that the restored files contain the
  latest information
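The two tables above both ask for the restored files to be checked for name, size and date and for the records to be compared with what was backed up. Doing that by eye is unreliable for a server with thousands of files, so the following added example (written for this page; not part of the RACGP template) records a manifest at backup time and compares the restored tree against it. The file names and contents in the demo are constructed, and the manifest adds a SHA-256 digest on top of the name, size and date the template lists, because a file can keep its size and date while its contents are wrong.

```python
"""Checking a restored backup against a manifest taken at backup time.

Added example, not part of the RACGP template. The manifest records, for every
file, the name, size, modification date and a SHA-256 digest; after a restore
(or a quarterly test restore onto a different computer) the same walk is
repeated and compared. Paths and sample files below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, dict]:
    """Name -> {size, mtime, sha256} for every file under root."""
    manifest: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            manifest[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return manifest


def verify_restore(expected: dict[str, dict], restored_root: Path) -> list[str]:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    actual = build_manifest(restored_root)
    problems: list[str] = []
    for name, meta in expected.items():
        got = actual.get(name)
        if got is None:
            problems.append(f"missing: {name}")
            continue
        if got["size"] != meta["size"]:
            problems.append(f"size mismatch: {name}")
        if got["mtime"] != meta["mtime"]:
            problems.append(f"date mismatch: {name}")
        if got["sha256"] != meta["sha256"]:
            problems.append(f"content mismatch: {name}")
    for name in actual:
        if name not in expected:
            problems.append(f"unexpected file: {name}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a faithful restore and a damaged one, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"
        (server / "docs").mkdir(parents=True)
        (server / "patients.db").write_bytes(b"\x00" * 4096 + b"sample clinical data")
        (server / "docs" / "letter.txt").write_text("Referral letter (constructed sample)\n")
        manifest = build_manifest(server)  # taken at backup time

        # copytree uses copy2, so sizes, contents and modification times survive
        good = Path(tmp) / "restore_ok"
        shutil.copytree(server, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(server, bad)
        (bad / "patients.db").write_bytes(b"\x00" * 100)   # truncated during restore
        (bad / "docs" / "letter.txt").unlink()             # not restored at all
        (bad / "stray.tmp").write_text("left over")        # not in the backup

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    ok, damaged = demo()
    print("good restore:", ok or "no problems")
    print("damaged restore:", *damaged, sep="\n  ")
```

In use, `build_manifest` would run on the server as the last step of the nightly backup and its output would be stored with the backup media (and offsite, like the manual itself); `verify_restore` then gives the quarterly test restore a pass/fail record that can be filed in the fault log book.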




4. Internet and email usage
The practice policy will inform and guide staff on how to manage and use the internet and
email. For example, is occasional personal use of the internet allowed? The policy must
provide guidance to staff on the responsible use of these resources. The following may be
included:

Internet use
• Internet use for business, clinical and research purposes only
• All downloads accessed from the Internet must be scanned for viruses
• All sites accessed must comply with legal and ethical standards
• Web browser security settings are not to be changed without authorisation
• Consequences of violations of the policy.

Email use
• Email use that breaches ethical behaviours and/or violates copyright is prohibited
• Do not send or forward unsolicited email messages, including the sending of ‘junk mail’
  or other advertising material (email spam)
• All patient information sent via email must be encrypted
• All email communications should be treated as confidential
• Do not use email for broadcast messages on personal or political, non-business matters.




5. Access control and management
The practice will need to establish an access and password policy that defines the user
access level, password structure (number of characters) and the frequency with which
passwords are required to be changed. All staff should create their own login passwords,
and be responsible for keeping them secure.

It is also important for the practice to consider the implications of staff that terminate their
employment, to ensure the decommissioning of passwords, and the return of entry devices
(keys) to the practice.

The policies that comprise access control include a:
• password policy
• management of guest account and remote access accounts
• termination of staff access policy.




5.1 Password policy
The password policy should include the following aspects of password management:
• change password at regular intervals, eg. every 3 months
• minimum length (number of characters)
• use a mixture of alphabetic and numeric characters
• do not use familiar and family names or words that can be found in a dictionary
• do not reuse passwords
• do not disclose your password to anyone or allow others to use your login.
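The first five rules above are ones a login system can enforce rather than leave to memory. The following is an added example written for this page, not part of the RACGP template or of any practice software: it checks a candidate password against the rules, keeps only salted PBKDF2 hashes of previous passwords so the reuse rule never needs the old passwords themselves, and reports when a change is due. The template leaves the numbers to the practice, so the minimum length, the number of remembered passwords and the blocked-word list are assumptions; the 90-day interval follows the "every 3 months" example in the text.

```python
"""Password policy check for practice logins.

Added example, not from the RACGP template. The template leaves the numbers
to the practice, so MIN_LENGTH, HISTORY_SIZE and the blocked-word list are
assumptions; MAX_AGE_DAYS follows the "every 3 months" example in the text.
Previous passwords are stored only as salted PBKDF2 hashes.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass, field
from datetime import date

MAX_AGE_DAYS = 90        # "change password at regular intervals, eg. every 3 months"
MIN_LENGTH = 10          # assumption
HISTORY_SIZE = 8         # assumption: old passwords remembered for the reuse rule
PBKDF2_ROUNDS = 100_000
# Constructed sample of "familiar" words; a real list would hold staff, family and
# practice names plus a dictionary.
BLOCKED_WORDS = sorted({"password", "practice", "welcome", "medicare", "smith", "clinic"})


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    last_changed: date | None = None

    def matches_previous(self, candidate: str) -> bool:
        return any(_hash(candidate, salt) == digest for salt, digest in self.history)

    def set_password(self, new_password: str, today: date) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.last_changed = today


def policy_violations(account: Account, candidate: str) -> list[str]:
    """All policy rules the candidate breaks; an empty list means it is acceptable."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix alphabetic and numeric characters")
    lowered = candidate.lower()
    if account.username.lower() in lowered:
        problems.append("contains the login name")
    for word in BLOCKED_WORDS:  # familiar names and dictionary words
        if word in lowered:
            problems.append(f"contains the blocked word '{word}'")
            break
    if account.matches_previous(candidate):
        problems.append("reuses a previous password")
    return problems


def change_due(account: Account, today: date) -> bool:
    """True when the password has never been set or is MAX_AGE_DAYS old or older."""
    if account.last_changed is None:
        return True
    return (today - account.last_changed).days >= MAX_AGE_DAYS


def change_password(account: Account, candidate: str, today: date) -> list[str]:
    """Apply the policy and, if it passes, record the new password. Returns the violations."""
    problems = policy_violations(account, candidate)
    if not problems:
        account.set_password(candidate, today)
    return problems


if __name__ == "__main__":
    acct = Account("jsmith")
    print(change_password(acct, "Receipt-2024-Mon", date(2024, 1, 2)))  # accepted
    print(change_password(acct, "Receipt-2024-Mon", date(2024, 4, 1)))  # rejected: reuse
    print(change_due(acct, date(2024, 4, 1)))                            # 90 days on
```

The sixth rule (never disclose or share a login) cannot be checked in code; it belongs in training and in the breach procedures of section 11.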




5.2 Management of guest account and remote access accounts
This may include:
• The process to establish guest accounts
• The process to remove unused or unnecessary guest accounts.




5.3 Termination of staff access policy
This policy will detail the disabling or removal of access passwords and the return of entry
devices (keys) to the practice management upon termination of the working relationship.




6. Malware and virus protection
This policy is to guide protection from malware. It should include:
• all computers attached to the practice network must have installed and enabled virus
  and malware checking software
• malware protection software must not be disabled or bypassed, nor the settings adjusted
  to reduce their effectiveness
• automatic update of the malware protection software and its data files must be enabled
  for daily updating
• all email attachments must be scanned
• all documents imported into the computer system must be scanned
• weekly scanning of all computers should be set up
• training for staff on dealing with and reporting malware incidents.
A record of the antivirus and antimalware software should be kept.
Malware and virus protection record


Software            Computers           Support              Upgrade             Person        Annual
(name and                                                    procedure           responsible   subscription
version)                                                                                       renewed




7. Network perimeter controls
This policy and associated procedure will include access to network perimeter control
hardware and software, its configuration and appropriate settings for the practice. This will
need to be developed with assistance from technical experts in this area.

All hardware and software perimeter controls used and their settings should be documented.



7.1 Intrusion detection system

Name and                Hardware                Software                 Maintenance       Support
version                                                                  required




7.2 Firewall

Name and                Hardware                Software                 Maintenance       Support
version                                                                  required




7.3 Other controls
Other controls may include:
• use of hidden network addressing
• antimalware software installation on firewall.




8. Portable devices and remote access security
8.1 Portable devices
Portable devices may contain sensitive information or enable access to the practice server
through remote means (wired or wireless internet connections). Ensure that your network
cannot be hacked into by unauthorised people. Seek external technical advice on how these
can be secured.

Policy must include what devices are authorised to be used in the practice.


List the portable devices                                    Briefly describe the mechanism for
(eg. laptops, portable hard drives)                          securing their data




8.2 Remote access
The practice policy on remote access and use of wireless systems should be well
documented. Technical assistance may be required with this. Aspects that should be
considered include:
• allowable access channels (guest accounts, wireless, modem access)
• resources and system access allowed when using remote access
• disallow downloading and installing additional programs or utilities
• vendor access rights and confidentiality agreements.




9. Physical security
In addition to protecting information you must also protect the computer systems physically.
There are several components to this policy and associated procedures:
• prevent unauthorised viewing of patient records and other confidential information, eg.
  using screen savers and the physical positioning of monitors
• restrictions of physical access to the server
• securing equipment from theft
• limiting damage by power interruptions
• safe disposal of hardware and practice information.



9.1 Prevent unauthorised viewing of patient records and other
confidential information
There should be a policy on how to minimise and prevent unauthorised and accidental
viewing of patient and practice information. This policy can include:
• the physical positioning of monitors in open access areas, consulting rooms and
  reception
• appropriate use of screen savers.



9.2 Restrictions of physical access
Your computers and network are valuable and therefore limiting unauthorised personnel
access to this equipment is recommended. The practice policy will document which
personnel have authorisation to access such equipment.



9.3 Securing equipment from theft
All removable computer equipment should be secured from theft or damage. This is
particularly important where equipment is in areas which are frequented by patients and
visitors to the practice. This policy should include items such as:
• the use of cable device locks for notebook and laptop computers, and other mobile
  devices when in use in the practice
• lock laptops and similar equipment away at night if left on the premises
• do not leave USB drives and software media in an insecure environment.




9.4 Uninterruptible power supply
The practice policy and procedures will document the use and maintenance of the
uninterruptible power supply (UPS). The procedure for a controlled shutdown of the
computer system should be clearly defined.

9.4.1 UPS details
Type                    Equipment               Maintenance              Battery life      Support
                        attached                required                                   contact




9.4.2 Procedure for controlled shutdown of computer system
When is it necessary to                 What to do?                              Person responsible
use this procedure?




9.5 Safe disposal of hardware and practice information
The practice policy and procedures should document the disposal of old, decommissioned
and replaced hardware; particularly devices with any data on them. This could include:
• securely deleting all data on a device or media. Reformatting the media is not sufficient
  as forensic techniques can still access data on the device and media
• disposal of equipment through destruction.




10. Computer and network maintenance
There are certain maintenance procedures which, if performed regularly, will ensure that
computers and other equipment run smoothly. The practice policy and procedures for these
can be addressed as three separate areas.
1. Physical maintenance
2. System maintenance (eg. the amount of free space on a hard disk)
3. Software maintenance (eg. updates and patching).



10.1 Procedures
10.1.1 Physical maintenance
Clean around the back of computers and other equipment so that dust does not accumulate
near the fans and power supplies.

10.1.2 System maintenance
• Check hard drive capacity for the server
• Defragment hard disk at regular intervals
• Delete temporary files
• Check error logs
• Check that antivirus software is up-to-date and working effectively on all computers
• Keep a system maintenance log.

System maintenance log
Date              System maintenance task performed                             By whom




10.1.3 Software maintenance
• Add the latest patches to your operating system and application software
• Upgrade software as required
• Check for installation of unauthorised programs
• Create a procedure log
• Keep a software maintenance log.

Procedure log
Task                          Person responsible             Frequency                     Procedure




Software maintenance log

Date              Software maintenance task performed                           By whom




11. Security management and reporting
The practice security management policy and procedures include:
• risk assessment
• monitoring for compliance
• breach procedures.




11.1 Risk assessment
The practice policy on risk assessment should detail the frequency and the planning for the
identification and assessment of potential risk and vulnerabilities to security.




11.2 Monitoring for compliance
The practice policy will document the procedures for monitoring compliance by staff in line
with regulations as required.




11.3 Breach procedures
The practice policy will document the procedures on the detection and reporting of breaches
of security. This policy will also incorporate identified ongoing training needs of staff,
reporting procedures and consequences for noncompliance with the policy.




12. Secure electronic communication
If more than one electronic communication method is used (for communication with different
health organisations) each one should be documented separately.


Secure messaging system used by practice                       Purpose




12.1 Practice website
The general practice website is a communication method that requires ongoing maintenance to
ensure that the information held within the site is current and correct. The documentation
should state the timeframe for regular review of the website. The practice will need to identify
which staff member is responsible for the practice website and document this in that staff
member’s position description.




Appendix A
Asset register
This register could be completed using an Excel spreadsheet to enable all assets to be
recorded.

Computer server
Computer server 1
Name
Internet Protocol (IP) Address
Location
Central Processing Unit (CPU)
Random access memory (RAM)
Hard disk drive (HDD)
CD/DVD
Internal devices
(eg. modem, network card)
External devices attached
(eg. printer, scanner)
Operating System (OS)
and version
OS serial number/Licence key
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support




Computers
                                       Computer 2                            Computer 3
Name
IP Address
Location
CPU
RAM
HDD
CD/DVD
Internal devices
(eg. modem, network card)
External devices attached
(eg. printer, scanner)
Operating system – OS
OS serial number
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support




Peripherals and network equipment
                            Printer 1                   Printer 2                   Printer 3
Name
IP Address
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support



                            Scanner                     Modem                       Network hub/Router
Name
IP Address
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support




Network
Type (eg. client server, peer-to-peer)
IP address range
Subnet mask
Domain/Workgroup
Windows internet name service (WINS) server IP
Domain name system (DNS) server IP
Dynamic host configuration protocol (DHCP) server IP
Gateway
Number of nodes
Locations of nodes (and identification)           1.
(could be cross referenced to the network         2.
diagram)                                          3.
Maintenance details




Shared software databases
These are the databases or other files that reside on the server and are accessible by other
workstations in the practice.


Shared database name
eg. \\Server\C\program




Network diagram
If you have hubs and/or routers, a network diagram can assist in locating equipment and
diagnosing problems.

All equipment, including printers, should be shown on the diagram.




Figure 1. An example of a network diagram from
http://en.wikipedia.org/wiki/File:EPN_Leased_Line_and_dial-up_Network.svg




Email
Practice email address
Incoming mail server (eg. POP3)
Outgoing mail server (eg. simple mail transfer protocol [SMTP])
Other details

Internet
Provider (ISP)
Dial-up number
(if appropriate)
Access plan
Proxy server
Transmission control protocol (TCP)/IP address
DNS
Secondary DNS
Modem type
Support details




Software
Include all clinical and practice management software, as well as email, firewall, backup,
virus checking and other utilities. Original software media and manuals should be stored
securely.

Name/Version
Description
Serial numbers/Licence
codes
(might require annual updates)
Which computers
Location of media
Location of manuals
Location of licence codes
and agreements
Date purchased/upgraded
Supplier
Support details



Name/Version
Description
Serial numbers/Licence
codes
Which computers
Location of media
Location of manuals
Location of licence codes
and agreements
Date purchased/upgraded
Supplier
Support details



