AGS Health's Information Security Policy PDF
Summary
This document is an information security policy focused on employee awareness. It details information security, risk management, compliance, and governance. The document covers various aspects including confidentiality, integrity, and availability of information, and how to meet information security requirements.
Full Transcript
INFORMATION SECURITY EMPLOYEE AWARENESS TRAINING
AGS HEALTH'S INFORMATION SECURITY POLICY

What is Information Security?
Preservation of Confidentiality, Integrity, and Availability (CIA) of information from unauthorized entities.

What is Confidentiality?
Protecting information from unauthorized parties.

What is Integrity?
Protecting information from modification by unauthorized users.

What is Availability?
Making the information available to authorized users.

Why do we need to meet information security requirements?
Information security is essential for protecting sensitive and valuable data from unauthorized access, use, disclosure, disruption, modification, or destruction, per HIPAA and per our client requirements.

How do we enforce our commitment to ISMS?
By adopting ISO/IEC 27001:2013 Standards and Controls.

What is ISO?
The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations. India is represented by the Bureau of Indian Standards (BIS), one of 168 member countries.

What is ISO/IEC 27001:2013?
ISO/IEC 27001:2013 specifies requirements for an organization on a list of stringent controls and standards defined to enforce an optimum level of Information Security and Privacy protection.

How does it impact AGS Health?
- AGS Health has adopted the ISO/IEC 27001 standard from the first year of its operation (2011).
- Successfully completed third-party audit & certification since January 2012.
- Certified by an accredited third-party audit company.
- We are committed to enforcing optimum levels of Corporate Governance, Risk Management, Information Security, Privacy and Compliance in our operations by complying with all applicable information security requirements of all interested parties through defining, monitoring, measuring and continually improving our Information Security Management System.
- This policy is applicable to Management, Employees, Contractors, Vendors & Service Providers who have access to sensitive information of AGS Health or its clients.

What is GRIC?
GRIC stands for Governance, Risk Management, Information Security & Compliance.

Governance Risk Information Security Compliance (GRIC) documents

Policies:
1. Acceptable Use Policy
2. Anti-Malware Policy
3. Application Security Policy
4. Asset Management Policy
5. Internal Audit Policy
6. Business Continuity Policy
7. Change Management Policy
8. Data Retention Policy
9. Ecommerce Policy
10. HIPAA and Compliance Policy
11. HR Security Policy
12. Information Classification Policy
13. Incident Management Policy
14. IT Security Policy
15. Mobile Device Acceptable Use and Security Policy
16. Password Policy
17. Physical Security Policy
18. Risk Management Policy
19. Security Assessment Policy
20. Vendor Security Policy
21. Patch Management Policy
22. Automation Security Policy
23. Work from Home Policy

Procedures:
1. AGS Emergency Evacuation Procedure
2. AGS Procedure for Communication
3. AGS Procedure for Risk Management
4. Procedure for Storage Media Sanitization
5. AGS Procedure for Vulnerability Assessment and Penetration Testing
6. BCP Run Book
7. Breach Notification Procedure
8. Incident Handling Procedure
9. AGS Coding Compliance Audit Procedure
10. AGS Procedure for Privilege Approval
11. AGS Procedure for Documented Procedures
12. Governance - Compliance Tracking Procedure
13. Cyber Security Incident Recovery Procedure

Desktop/Laptop Usage
- Ensure that the company approved anti-virus software (Kaspersky, McAfee Endpoint Protection or CrowdStrike) is installed in your system and the virus signature is updated.
- Log off or lock the desktop/laptop when you are away from your desk.
- Do not store confidential/sensitive information such as PHI in your desktop/laptop. Exceptions must be approved by the GRIC Core Team.

Internet Usage
- All employees have only limited internet access. Internet access is provided based on work requirement.
- Avoid opening/downloading suspicious files; they may contain a virus or other malware.
- Use the internet wisely. Any abusive, unethical or inappropriate use of the internet can lead to disciplinary action including termination.

Mobile Device Usage
- Employees and consultants, except for the TTLs and above, are not permitted to carry or use cell phones in AGS Health's access-controlled area.
- Devices with camera and/or storage provisions like iPad, iPod, MP3 player, memory card, USB drive, etc. cannot be brought into the access-controlled area at AGS Health. Exceptions must be approved by the GRIC Core Team.

Asset Handling
- Assets including headsets need to be handled carefully and gently. No asset can be moved, shifted or disposed of without following the Asset Management Policy.
- Drop papers containing PHI/sensitive information that must be disposed of in the shredding boxes.
- Ensure that desktops, monitors, keyboards, mouse or telephones assigned to a particular workstation are shifted only with the assistance of the IT infrastructure team after raising a ticket on Pulse.

Client Application & Software Usage
- The client billing system, other applications and payer portals should be accessed only via the AGS Health environment.
- Use only the Login ID and Password allocated to you to access the client billing system and other applications. Do not share the credentials with anyone.
- Do not access the internet or public email using the client's computing infrastructure without the client's approval.
- Adhere to the client's Acceptable Usage Policy.

Password Usage
- Never share passwords with others, and don't write down passwords on paper.
- Create passwords with a minimum length of 12 characters, with at least 1 uppercase and a numeric/special character.
- Password expires every 42 days.
- Last 3 passwords cannot be used for a subsequent password change.
- Account will be locked after 5 incorrect attempts.
- When a user forgets his/her password, he/she should report to Technology by calling the IT support team, or he/she can unlock his/her password using the Password Self Service Portal (https://unlock.agshealth.com/pwm/private/Login).
- User must raise an incident ticket or email the GRIC team immediately and change the password when he/she suspects that an account or password is known to somebody.
- Never use the 'Remember Password' feature of application programs such as browser, email program or any other program. Always select 'No' if a system offers to 'Remember' a username and password.

Email Usage
- Official email should only be used for official purposes/business use.
- Use the AGS Health standard signature template, which includes a disclaimer, when sending emails.
- Do not send confidential/sensitive information via email unless the message and contents are encrypted using a company approved encryption technique. Encryption is very simple: encrypt using the keywords (Encrypt, Encrypt: or Secure, Secure:).
- Use only your email box. Do not share your email password.
- For access to another user's mailbox in unexpected circumstances, where there is an immediate business need to have access to the information, an email authorization from the employee's Department Head to AGS Health's IT Help Desk will be required, with the name of the person requiring access and the expected duration.
- Do not host or create web pages or social media pages/channels with our company name, project name or process name.
- All media enquiries about the company must be directed to the Branding & Communications department ([email protected]) with a mandatory copy to the Corporate Affairs Department ([email protected]).

No Bag Policy
- Applies to all staff except Assistant Managers and above and any exception laptop users.
- All bags and cell phones must be stored in the lockers.
- All employees need to bring their own locks and use them while storing their personal belongings in the lockers.
- Hazardous/inflammable/valuable ornaments should not be stored.
- Non-adherence to this policy will lead to disciplinary action.

Physical Access

Access Card
- Wear and display your ID card whenever you are inside AGS Health's access-controlled area/secure zone.
- Forgot your ID card? Get a temporary card from the Security Desk.
- Do not use someone else's access card to enter the access-controlled area (piggybacking).
- Access to the Data Center will be restricted to authorized users as decided and approved by the GRIC Core Team from time to time.
- Visitors will be permitted access only for business purposes and after getting the approval from the GRIC Core Team, and will need to be escorted within the secure zone during their visit.
- Visitors should sign a CDF if required to carry their laptops, mobiles or other restricted storage devices.

CAM (Client Access Management)
- New user login credential requests and deactivation requests for the client billing system should happen only through the CAM team.
- Register and send the CAM token number to [email protected] for processing the request.
- Scheduled & unscheduled audits will be conducted by the CAM team to ensure login compliance across processes.

FAX Process
- The fax process is undertaken for clients where appeals or auth is initiated with the payer. This process is undertaken by the CAM team.
- Ensure finance approval is obtained for the fax process for the client.
- Ensure the right documents are transmitted.

Top Ten Violations
1. Bringing restricted mobile devices without approval
2. Sharing of client access passwords
3. Storing PHI/sensitive information in desktop and in shared systems
4. Transfer of PHI/sensitive information without proper encryption/protection
5. Storing passwords in Excel or Word files
6. Improper disclosure of PHI without authorization, i.e. not following instructions
7. Not wearing ID card & not using access card to enter into the secure zone
8. Leaving PHI printouts unattended, not shredding PHI papers
9. Not classifying information
10. Disclosure in social media

Information Classification
Every piece of information handled in AGS has to be appropriately handled:

Classification | Public | Internal | Sensitive | Confidential
--- | --- | --- | --- | ---
Intended users | General public, outside organization | Employees, consultants of AGS Health | Employees, authorized external stakeholders | Privilege users
Disclosure limit | Freely | Across all sites of AGS Health | Respective project members | Authorized users only
Impact, if disclosed | No harm | No serious or adverse impact | Influences company's operational effectiveness; financial loss; significant business gain to competitor; legal, financial and reputational impact | Serious and adverse impact on organization, employees, partners; major drop in customer confidence
Examples | Information on company's website, employment opportunity announcements, marketing material, press releases | Company telephone directory, new employee orientation material, internal policy manuals, contingency plans | Training material, employee data, PHI, patient account records, client financial data | Client contracts, vendor contracts, merger and acquisition documents, corporate-level strategic plans, litigation strategy memos

Business Continuity Plan (BCP)
AGS Health has a BCP in place to take care of critical business operations during a crisis / emergency / disaster.

What can you do?
- Be aware that such a plan is in place.
- Remember that alternate arrangements would be made to continue critical operational activities during a crisis / emergency. So, contact your leader to understand what is expected from you during such crisis / emergency situations.
- Applicable information security do's & don'ts should be followed even during business interruption/disaster.

Social Media Guidelines
- Client names should not be disclosed in any social media.
- Do not quote the company name (or divulge any work-related information) while providing comments in any media.

What is your responsibility?
- Read and understand all GRIC Policies (Internal Classified).
- Follow security guidelines for creation, access & termination of client access.
- Read and understand client instructions and periodic updates. There may be HIPAA related instructions.
- Participate actively in GRIC reviews and audits.
- Participate actively in Compliance training and awareness activities. Ask your TL for a refresher if there is a need.
- Participate actively in the organization-wide compliance program. You can participate as Compliance Champion or Internal Auditor.
- Report incidents to GRIC of any violations or non-compliance you come across through authorized channels:
  - Email to [email protected]
  - GRIC ICRM in Pulse (anonymous reporting is also available)
  - Call the Compliance Hotline: India Hotline# 1 800 102 0129 | US Hotline# 1 877 235 3570
- Any issue / complaint identified by a client or internally, which can be a potential HIPAA violation or breach, needs to be reported to the GRIC team immediately.

What are the leader's responsibilities?
- Ensure your team members attended GRIC Awareness Training without fail, and ensure they are aware of the do's and don'ts on ISMS.
- Ensure annual HIPAA refresher training is attended by your team.
- Ensure login compliance:
  - Ensure all login requests are routed through the CAM team only.
  - Ensure client logins are used as per accepted guidelines.
  - Ensure login deactivations are performed for the exiting employee on a timely basis.
  - Ensure all exceptions are approved by the GRIC Core Team.
- Perform periodic review of the process manual, project handbook, and quality objectives.
- Participate actively in GRIC reviews and audits.
- Report incidents to GRIC of any violations or non-compliance you come across through authorized channels.

KEY GLOSSARY
- Asset Inventory & Labelling - Inventory should be maintained for all assets and labelled for easy identification & traceability.
- Asset Owner - Responsible for functioning of assets without interruption.
- Backup - Making copies of data which may be used to restore the original after a data loss event.
- BYOD - Bring Your Own Device, only with approval of the GRIC Team.
- CAM - Client Access Management. Purpose: to streamline the process of managing client system login credentials across all processes.
- CDF - Confidentiality Declaration Form, also known as NDA.
- Clear Desk - Avoid keeping unattended sensitive (PHI)/confidential information on the desk.
- Clear Screen - Avoid storing sensitive (PHI)/confidential information on the computer screen.
- Compliance - Conforming to applicable regulations and ethical/business standards.
- Governance - Describes the overall management approach through which the leadership team directs and controls the entire organization, using a combination of management information and hierarchical management control structures.
- GRIC - Governance, Risk, Information Security and Compliance.
- Hacker - One who seeks and exploits weaknesses in a computer system.
- HIPAA - Health Insurance Portability and Accountability Act of 1996.
- Information Security Event - Event of failure of one or more of the safeguards/controls applied to information.
- Information Security Incident - Unexpected information security events that could very likely compromise the security of information and weaken business operations.
- LAN - Local Area Network.
- PHI/ePHI - Protected Health Information (paper & electronic); refers to any information that may individually identify a patient.
- Phishing - Way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy person.
- Piggybacking - When an authorized person allows (intentionally or unintentionally) others to pass through a secure door.
- Risk Management - Process of identifying, analyzing and evaluating risk which might adversely affect the realization of the organization's business objectives. Treatment of evaluated risk involves controlling, avoiding, accepting or transferring it to a third party.
- Secure Zone - Workspaces at AGS Health's facilities wherein mission-critical or sensitive business transactions are performed.
- Shoulder Surfing - Technique used for looking over someone's shoulder to get information such as passwords, PINs, security codes and similar data.
- Spam - Use of electronic messaging systems to send unsolicited bulk messages.
- Threats - Potential event which may cause assets to become non-functional/non-operational.
- Vulnerabilities - An asset's weaknesses, which can be exploited by one or more threats.

Disciplinary Action
Based on the severity & impact, the following actions will be taken:
- Verbal warning
- Warning letter
- Loss of pay (3 to 5 days)
- Termination

A few examples are provided below:
- Employee not displaying ID cards
- Sharing system and client passwords
- Leaving PHI unattended

All employees and vendor staff are encouraged to report incidents/events/vulnerabilities in the system as and when they come across them. They can report the incidents via