Information Security Policy

Executive Summary

The Information Security Policy exists in order to provide the organizations staff with a current set of clear and concise principles for protecting Information in all of its forms.  These policies provide direction for the appropriate protection of the organization’s information and assets.

The Information Security Policy has been created as a component of an overall Information Security Program (“ISP”) for the organization.  The ISP outlines the organization’s mission and objectives as they relate to information security, outlines details that are responsible for information security, documents policies relating to information security, indicates how the program is to be communicated and how people in the organization must be trained on their responsibilities, and includes a roadmap of how the program is to be carried out.  In addition, the program includes strategies for its ongoing evaluation and adjustment, addressing of compliance issues, and management reporting.

Purpose and Guiding Principles

The purpose of this policy is to provide general guidance and specific recommendations for the protection of United Nation Builders  information technology resources and the protected health information stored on those resources.  Additionally Personally Identifiable Information (PII) that exists in hard form is also protected by this policy.  These information security measures are intended to protect the organization’s information and assets and to preserve the privacy of United Nation Builders ’s customer data.

The broad goal of information security at United Nation Builders  is to maintain Confidentiality, Integrity, and Availability of data.  To achieve this goal, United Nation Builders  has identified a set of core security principles.  The policy will, in turn, be supported by detailed operational procedures.  These simple principles make up the foundations of a strong security posture.

• Universal Participation – Every component of an organization could be a potential avenue of entry for unauthorized intruders.  Thus a strong security infrastructure requires the cooperation of all parties in the organization.  Everyone is responsible for security.
• Risk-Based security – An organization’s security is defined by the unique risks it faces.  These risks should be identified regularly and should remain the primary focus of any security policy or program.
• Deny All That is Not Explicitly Permitted – Anything not explicitly allowed is denied.
• Least-Privilege – Users and systems should only have minimum level of access necessary to perform their defined function.  All unnecessary levels of access should be restricted unless explicitly needed.
• Defense-in-Depth – Overall security should not be reliant upon a single defense mechanism.  If an outer security perimeter is penetrated, underlying layers should be available to resist the attack.
• Compartmentalization – If one compartment is compromised, it should be equally difficult for an intruder to obtain access to each subsequent compartment.
• Secure Failure – When a system’s confidentiality, integrity, or availability is compromised, the system should fail to a secure state.
• Defense through Simplicity – A simple system is more easily secured than a complex system, as there is a reduced chance for error.
• Dedicated Function – Systems should be single-purposed to avoid potential conflicts or redundancies that could result in security exposures.
• Need-to-Know – Information will only be circulated to those parties that require it in order to perform their defined business function.
• Effective Authentication and Authorization – Firmly established identity and role-based authorization are essential to making informed access control decisions.
• Audit Integrity – Audit log events that are generated may not be altered by the entity that generated the event.

Scope

This policy applies to all departments within the organization.  It covers all United Nation Builders  information technology resources, that store or process PII.  All creation, processing, communication, storage, distribution and disposal of United Nation Builders  PII is covered by this policy.  Each employee of United Nation Builders , contractor and other related third parties are bound by the guiding principles, statement of policy and related procedures outlined in this policy.

Statement of Policy

The Information Security Policy exists in order to provide the organizations staff with a current set of clear and concise information security policies.  These policies provide direction for the appropriate protection of the organization’s information and assets.

The Information Security Policy has been created as a component of an overall Information Security Program (“ISP”) for the organization.  The ISP outlines the organization’s mission and objectives as they relate to information security, outlines details that are responsible for information security, documents policies relating to information security, indicates how the program is to be communicated and how people in the organization must be trained on their responsibilities, and includes a roadmap of how the program is to be carried out.  In addition, the program includes strategies for its ongoing evaluation and adjustment, addressing of compliance issues, and management reporting.

The Information Security Policy has been reviewed, approved, and is endorsed by United Nation Builders  management.

The Information Security Policy applies to all United Nation Builders  employees, contractors, and any third-party providers that support any of the United Nation Builders ’s services.

The Information Security Policy document contains rules and requirements that must be met in the delivery and operation of the United Nation Builders ’s services.  More detailed standards and specific procedures must be developed as adjuncts to this Information Security Policy to provide implementation level details for carrying out specific operational tasks.  The procedures must be the instrument by which these «Organiztion Name» Security Policies are converted into action.

The Information Security Policy must be located in a central repository that is accessible to all United Nation Builders  employees and related third parties.

The Information Security Policy must be distributed to all new and existing United Nation Builders  employees for review.  All United Nation Builders  employees, contractors and third party providers are required to sign an agreement representing the fact that they have reviewed, and agree to adhere to, all policies within the Information Security Policy document.

Exceptions to the Information Security Policy must be authorized by United Nation Builders  management.  Please refer to  for exception process details.

Procedures

Within this Section, the phrases “must” and “recommended” have specific meanings where highlighted in boldface. If a Covered Entity correctly adheres to the guidelines given as “must”, then it can be considered as meeting the requirements for this policy. If they also adhere to the guidelines given as “recommended”, then they can be considered to be meeting the minimum requirements to be in accordance with generally accepted information security practices.

1. Each Covered Entity must designate a HIPAA Security Officer.
2. Each Covered Entity must conduct a risk assessment on at least an annual basis to quantify and understand potential threats and vulnerabilities of PHI and EPHI.
3. It is recommended that each Covered Entity regularly perform self-assessments and/or audits to detect security vulnerabilities and non-compliance to United Nation Builders ’s security policies and procedures. Upon discovery, each department must initiate corrective actions to ensure that compliance with these policies and procedures is restored.
4. Each Covered Entity must implement reasonable and appropriate controls to protect the confidentiality, availability and integrity of PHI and EPHI. These controls must consist of administrative, physical and technical safeguards.
5. Before conducting business with any third party that stores or processes EPHI, the Covered Entity must have a signed Business Associate Contract in place that outlines provisions with which the third party must comply to protect the organization’s EPHI.
6. No employee owned assets may be used to store or process EPHI.
7. All United Nation Builders employees must abide by clear desk and clear screen policies by appropriately securing PHI and EPHI when the workspace is unattended.
8. Physical access to Information Systems that store or process EPHI must be controlled in a way that prevents unauthorized physical access.
9. All United Nation Builders personnel must be positively identified before being granted access to Information Systems that store or process EPHI.
10. Any and all repairs, alterations or relocations of Information Systems that store or process EPHI must be fully documented for review by the HIPAA Security Officer.
11. Any and all reuse, disposal or recycling of media that was used to store EPHI must be done in a manner by which any data remaining on the media is positively destroyed.
12. Any and all access to United Nation Builders EPHI must be:

    1. Authorized by the appropriate Data Owner
    2. Consistent with the rule of least privilege
    3. Granted to unique users
    4. Authenticated in a way which positively identifies the user
    5. Reviewed on at least an annual basis and revoked when no longer needed to perform necessary job duties.
    6. Logged for review by the HIPAA Security Officer

13. All accounts used to access EPHI must be protected with an appropriately strong password
14. All Information Systems that store or process EPHI must time out after a period of inactivity. It is recommended that this include password protected screen savers, network activity timeouts and application time limits as appropriate.
15. All Covered Entities must monitor Information Systems that store or process EPHI for security events.
16. Any security events must be reported to the HIPAA Security Officer and addressed in a manner that is in line with both the organization’s policies and the law.
17. All Covered Entities must develop appropriate Business Continuity and Disaster Recovery Plans that include Information Systems used to store and process EPHI. These plans must include at least the following:

    1. Maintenance of backup copies of EPHI.
    2. Periodic testing of the backup copies for integrity and availability
    3. Appropriate testing of business continuity and disaster recovery plans on at least an annual basis

18. It is recommended that each Covered Entity encrypt stored EPHI.
19. Each Covered Entity must encrypt EPHI in transit over the Internet or any other network available to unauthorized personnel.

Roles and Responsibilities

Senior Management

United Nation Builders  senior management is responsible for:

1. Promulgating and enforcing the policies, standards, procedures, and guidelines for the protection of IT resources and information.
2. Furnishing necessary funding and other resources or limiting and eliminating services to ensure continued compliance with this policy.
3. Appointing an Information Security Coordinator and/or establishing departmental computer support and system administrators. Providing appropriate training and resources to the person(s) responsible for information security-related tasks.
4. Specifying and applying sanctions consistent with Human Resources policies to individuals and divisions that break provisions of this policy, either willfully, accidentally, or through ignorance.
5. Designating Data Stewards for each significant collection of business information, who in turn are responsible for determining the value of their information and implementing appropriate security measures as specified in the Data Access Policy.
6. Sponsoring internal awareness and training programs to familiarize employees, contractors and third-party providers with the security policy, procedures and recommended practices.
7. Defining guidelines and intervals for the review and update of this policy and to reassess existing risks and to identify potential new risks to United Nation Builders assets and information.

Security Officer

The Security Officer is responsible for:

1. Understanding relevant security and privacy procedures
2. Understanding how PII is used within the organization and any third party providers.
3. Development and implementation of appropriate procedures to support this policy.
4. Ensuring that users receive appropriate Education and Awareness Training as sponsored by Senior Management.
5. Ensuring that any and all exceptions to this policy are formally documented.
6. Coordinating with stakeholders to identify, evaluate and understand risks to PII
7. Coordinating with stakeholders and interested parties to respond to breaches of PII whether suspected or realized.

United Nation Builders  has appointed  as the organization’s Security Officer.

Employees

Each United Nation Builders  employee is responsible for understanding and complying with the policies and procedures relating to information technology security and for fully cooperating with the information security staff at all levels to protect United Nation Builders ’s PII.

Each employee must become familiar with United Nation Builders ’s Acceptable Use Policy.

United Nation Builders  computer and communications systems must be used for business purposes only. Incidental personal use is permissible if the use (a) does not consume more that a trivial amount of resources that could otherwise be used for business purposes, (b) does not interfere with worker productivity, and (c) does not preempt any business activity. Examples of permissible incidental use include – the occasional use of electronic mail (email) or web access for other than official purposes.

Using United Nation Builders  systems to download, use, or re-distribute unlicensed or inappropriate software, copyrighted movies, copyrighted music, or pornographic materials, place the Institute at risk and will not be tolerated. Conduct in violation of this policy may result in sanctions as provided in the Computer and Network Usage Policy. Report all actual or suspected instances of security or policy violations in accordance with the Incident Reporting section of this policy.

Compliance

Any person who uses United Nation Builders ’s information or assets to store or process PII consents to all provisions of this policy and agrees to comply with all of its terms and conditions, as well as with relevant state and federal laws and regulations.  Users have a responsibility to use these resources in an effective, ethical and lawful manner.  Any violation of this policy may result in disciplinary or administrative sanctions including loss of privileges, monitoring of use and up to and including termination depending on the severity and intent of offense.  Additionally, non-compliance with this policy resulting in loss or disclosure of data may result in personal civil and/or criminal liability.

Policy Modifications

This policy may be changed by United Nation Builders  Senior Management at any time, but typically will be modified in response to newly identified threats or risks.  Changes to this policy will be communicated and distributed to all affected parties.  Most major changes to the policy will be made during official policy review sessions on an annual basis, but if required a policy review session may be convened on a special basis.

Communication

Upon approval, this policy is to be distributed to all United Nation Builders  employees, contractors, vendors and related third parties.  Upon subsequent revisions, updates or amendments to this policy affected individuals will be notified of the change along with an office or individual to whom they can direct additional questions.