We have addressed the three major components of a cyber security policy (physical, administrative, and technical) in previous blog posts. We can now use these three components to build a comprehensive outline of a sample cyber security policy for your LTPAC facility.
Organization and Components
While your cyber security policy will vary drastically from facility to facility, there are some generally accepted best practices for organizing it into a cohesive, coherent document.
Generally speaking, you will want to start the document with an overview of its scope and sequence, and state who the intended audience is. In some organizations every employee receives the full cyber security policy, while in others employees who do not work in IT receive a shortened version.
Roles and Responsibilities
The next section defines the roles and responsibilities within the organization. It is a good idea to provide contact information (name, phone number, and email address) for the individuals whom employees should contact with questions or concerns about IT-related issues, including whom to notify about a suspected security incident.
Security Solutions, Requirements, and Considerations
The third section should describe the existing network infrastructure, the hardware and software in use, current operational and security procedures, and any external regulations being met (for example, HIPAA). It should address in depth the defensive controls, the layers of security, cloud computing procedures, mobile device procedures, and software licensing and usage.
Note: This will be the longest and most detailed section. In many cases it will not be included in the general cyber security policy that most employees receive, both because of its length and because most of its content is not relevant to employees outside the IT department. Since it documents your infrastructure and defenses, treat this section as sensitive and limit its distribution accordingly.
Email and Internet Guidelines, Responsibilities, and Acceptable Use
This section details how employees are and are not authorized to use email and the Internet, and informs them that all email messages and accounts are subject to audit by the company, authorized government agencies, or third-party affiliates.
Network Guidelines, Responsibilities and Acceptable Use
This section identifies how employees are and are not allowed to use the network. For example, it will require that they log in with their own credentials and never share them, and it will identify which documents and files may be stored on the network and where.
Social Media Guidelines, Responsibilities, and Acceptable Use
With millions of people using social media every day, a company should state whether employees may use social media at work and, if so, in what capacity.
Note: If a company does not want employees to access certain social media sites from work computers, it should also block those sites technically (for example, with web filtering), so that the policy is enforced rather than relying on employees to comply on their own.
Workstation, Laptop, and Device Security and Care
This section should detail procedures for the physical security and care of hardware. It might include requirements for turning off or locking workstations when unattended, physically locking laptops, and returning mobile devices to a secure location. It should also explain how to care for the hardware (for example, keeping food and drink away from it).
Personally Identifiable Information (PII), Protected Health Information (PHI) and Personally Identifiable Financial Information (PIFI) Requirements
This section should review HIPAA and other legal requirements for the transmission, storage, and access of PII, PHI, and PIFI. For more information on this topic, please visit: http://www.nist.gov/healthcare/security/hipaasecurity.cfm.
As always, this outline is just a starting point. If you want to know more about creating a cyber security policy for your company, or about using secure, efficient, state-of-the-art software for your LTPAC facility, please contact us today to learn more about what LINTECH can offer you.