Security Policies

Policy 1: Personnel Security

The personnel security policy was developed to ensure the protection of sensitive information throughout the employment lifecycle, including the pre-employment, employment, and post-employment phases. The policy is based on the following six pillars: screening, contracts, security policy acknowledgement, security education, monitoring, and termination procedures.

Policy 2: Physical and Environmental Security

Protecting the physical and environmental aspects of the hospital is vital to ensuring the safety and well-being of sensitive information, people, and equipment. Physical property risk can come from both natural and man-made disasters. Natural disasters include fire, flood, tornadoes, earthquakes, hurricanes, and anything else not otherwise controlled by man and technology. Protecting the physical and environmental aspects of the hospital helps assure the confidentiality, integrity, and availability of all systems and functions of the hospital.

Policy 3: Operational Security Management Policy

The operational security management policy prevents sensitive information from being exposed to unauthorized entities. This policy lays the groundwork for creating policies that will protect the confidentiality, integrity, and availability of the organization's systems and resources. It covers identifying and protecting systems, data, and resources, and detecting, responding to, and recovering from events that affect them, to ensure the survivability and growth of the organization.

Policy 4: Secure Software Development, Access Control, and System Maintenance Policy

This policy outlines several software development security issues that need to be addressed during the software development life cycle (SDLC). It ensures that confidentiality, integrity, and availability (CIA) are built into the software development process. Written as an Enterprise Information Security Policy (EISP), it will help set the direction, scope, and tone for access control, software development, and system maintenance.

Policy 5: Business Continuity Management Plan

The Business Continuity Management Policy (BCMP) establishes the necessary policies and procedures to ensure uninterrupted business operations during significant disruptions. It encompasses both the physical and logical aspects of the organization, focusing on the critical systems required for day-to-day activities.

Policy 6: Incident Response Procedures

An incident response policy seeks to set up a proper response to an emergency in a way that does not undermine the BCP (business continuity plan) but ensures a quick recovery and assessment of the emergency response.

Policy 7: Security Emergency Plan

The security emergency plan ensures that plans exist to limit the impact of a major natural or man-made disruption to the day-to-day functions of the organization. This policy includes IT, technical, and data contingency plans along with an outline of a contingency plan template.

Policy 8: Access Request Approval and Password Monitoring Policy

I created a slide show to highlight the need for access request and password monitoring policies. The access request policy creates a paper trail of who has accessed restricted areas of an organization. The password monitoring policy establishes rules on how passwords are to be monitored and ensures that they are being used properly.

Policy 9: Security/Service Desk Control Policy

The security/service desk control policy establishes proper procedures and identification for visitors, employees, vendors, and patients entering a fictitious medium-sized hospital.

Policy 10: Password Policy

This password policy was based on a policy template given to me by my instructor. My instructions were to create a password policy with the given template. A password policy establishes a standard for the creation of strong passwords, the protection of those passwords, and the frequency of password change.