For the three policy statements below, please reference the two REFS below:
A. ISO/IEC 27002
B. ISO/IEC 27001
Organizational policy statement
1. System breach prevention
When an employee leaves the company, the company will update its CRL and ACL (certificate revocation list and access control list). This way a previous employee will not have access to company systems. Any account access a previous employee had to the company's virtual private networks (VPN) from home or remote locations will be terminated immediately upon the employee's termination. See ref A, Annex A.8.3.3, pg 16
a. Any employee going on company-approved travel that will require him/her to access company networks remotely will request access ten days prior to travel.
b. Any employee requesting access to the company's VPN will request access via the proper channels. See ref ...
See ref A, Annex A.8.3.3, pg 16
All company access requests will be initiated and finalized by human resources. This way the company will be able to keep track of all personnel with internal and external access to the company networks.
2. Account time restriction
Each employee account will have time-of-day restrictions. Time restrictions will be based on employee work hours. If any employee comes in before the prescribed working hours, he or she will not have access to the network or to his or her account. Only authorized personnel will be allowed access to their own account, or to any network accounts or files, after their shift. Network administrators will not have access or permission to change time-of-day restrictions. Time-of-day restrictions can only be changed by department heads and must be approved by human resources. The company Network Monitoring Team will monitor all network activity 24 hours a day and report any activity that misuses or abuses this policy. Setting these new restrictions on all accounts, from basic users to the CEO, will ensure we are safeguarding all company information at all levels. See ref A, Annex A.10.6 (Network security management), pg 20; A.10.10.2, pg 21; A.10.10.4, pg 21; and A.11.5.6
3. Electronic health record audit logging. See ref A, Annex A.11.6.1, pg 24
To ensure that we are properly logging all user activity, adhering to company policy, and reporting all activity, each department will submit record usage/access reports at the end of each workday, which will include the following information:
a. Number of files accessed by the department as a whole
b. Number of individuals in the department
c. Number of files accessed by each individual
d. Reason for any individual exceeding the maximum number of allowed files per day
Example department report:
a. Number of files accessed - 725
b. Employees - 3
c. John - 250, Sarah - 275, Drew - 200
d. Individuals exceeding maximum number - N/A