Introduction to Policy Augmentation Process
Because both HIPAA and HITECH are non-prescriptive security frameworks, the HITRUST Common Security Framework (CSF) was used to augment the Heart-Healthy Insurance Information Security Policy. HITRUST CSF was also chosen because it maps to the other information security frameworks applicable to Heart-Healthy Insurance Company (e.g. HIPAA, HITECH, PCI, the ISO 27000 series). In addition, the CSF compliance worksheet is a tool that maps controls to those frameworks based on the scope of the assessment (e.g. type of organization, number of insured members, number of system users, number of transactions).
New-User Policy Augmentation
Using the CSF-based logic described above, the following security controls are applicable to the new-user protocols of Heart-Healthy ...
The request must be made by the requestor’s Manager and approved by the Information Security Department.
• All Heart-Healthy employees will be assigned unique user credentials so that activity can be linked to them and they are held accountable for their actions.
• Heart-Healthy employees must not store cardholder account data on removable electronic media unless this is explicitly approved for a business purpose.
• Users may not install additional hardware or software without written permission from the Heart-Healthy Information Security Department; every computer must conform to the company's established standards.
“All employees, contractors and third party users must conform to the terms and conditions of employment” (HITRUST CSF Continues to Improve with 2012 Release); this includes the Heart-Healthy Information Security Policy. Any security breach or violation will be addressed and disciplinary action will be taken. This includes, but is not limited to, a verbal warning, counseling and/or immediate termination of employment.
Password Policy Augmentation
The Heart-Healthy password policy guidelines are the rules for creating new user passwords. This policy will guide end users in selecting strong passwords that are resistant to brute-force attacks. The following security controls are applicable to the password protocols of Heart-Healthy Insurance's overarching security policy:
• Heart-Healthy password processes and guidelines will be communicated to all users with system access. All personnel shall authenticate using one of the following methods: passwords, token devices, or biometrics.
• Passwords shall not be entered and/or transmitted in clear text over the network, as this would violate the security policy.
• All employees shall use strong passwords of at least fifteen alphanumeric characters and ensure the following character types are included: lower- and upper-case letters, numbers, and special characters (e.g. @#%$^&*+>
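As an added example (not part of the original policy or of any HITRUST tool), the following Python check enforces the fifteen-character minimum and the four character classes required by the password bullet above. Two assumptions are made: "fifteen alphanumeric characters" is read as a minimum total length of fifteen, and because the page's list of special characters is cut off, any punctuation character is accepted as a special character.

```python
import string
from typing import List

# Policy parameters taken from the Heart-Healthy password bullet:
# minimum length 15, and all four character classes must be present.
MIN_LENGTH = 15


def check_password(password: str) -> List[str]:
    """Return the policy requirements that the password fails.

    An empty list means the password meets every listed requirement.
    Assumption: any character in string.punctuation counts as a "special
    character", since the page's example set is truncated.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password satisfies the Heart-Healthy policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords: one too short, one lacking classes,
    # one that satisfies the policy.
    for candidate in ["Tr0ub4dor&3", "correcthorsebatterystaple", "Heart-Healthy#2024pw"]:
        result = check_password(candidate)
        status = "OK" if not result else "REJECTED: " + ", ".join(result)
        print(f"{candidate!r}: {status}")
```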