Policy and Procedures

HIPAA Policy and Procedures

Regulatory Compliance and Information Security start with sound corporate Policy and Procedure standards. A policy establishes who is authorized to access various types of information and provides guidelines for necessary security measures. Procedures outline methods for implementing those standards and guidelines in order to carry out the established policy.

Almost every organization has some information security policy in place. In some cases, the policy is not written, but has been established by tradition and the general practice of the organization. Relying on vague or unofficial policies can be dangerous. Compliance gaps, security incidents and even data breaches often stem from unclear, incomplete, or absent policy and procedure documentation. Not only is such ambiguity dangerous, it is also not compliant with regulations pertaining to certain industries.

Our Policy and Procedure Approach

Loricca provides a comprehensive approach to help you create and maintain appropriate policies, and then communicate them effectively to ensure that employees are aware of, and apply, your policies and procedures.

Many existing compliance gaps within an organization can be resolved simply by implementing appropriate policies and procedures. Each organization’s needs will be different, but the policies and procedures that you should have in place, up to date, and implemented may include:

  • Acceptable Use Policy
  • Accountability
  • Annual workforce review and signature acknowledgement of SP&P
  • Annual risk assessment
  • Application and data criticality analysis
  • Audit logs / Audit trails (showing access: who, what, where, when, how long?)
  • Business Associate requirement for compliance (‘right to audit’)
  • Change control procedures (update)
  • Compliance violation Sanction Policy
  • Data access privileges (approval process prior to granting access)
  • Data retention and destruction
  • Disaster Recovery Plan – DRP policy
  • Emergency mode operation plan
  • Encryption/decryption and data transmission
  • Facility visitor control plan (sign-in and badges)
  • File integrity monitoring
  • Incident response policy (annual testing)
  • Individual security & compliance management responsibilities
  • IT Hardening policy (with configuration standards and system security parameters)
  • Log-in monitoring
  • Log review (daily)
  • Maintenance records
  • Management of Encryption Keys
  • Media use and re-use
  • Mobile Device Security Policy
  • Network diagram/documentation (to be kept current)
  • Network infrastructure / firewall management
  • Network scans / Penetration testing
  • Off-site data / tape media handling procedures
  • Password management (change every 90 days; define strong; min. 8 characters)
  • Patch management (process & frequency)
  • Policy concerning work rules on confidentiality
  • Protection from malicious software
  • RBAC (physical and logical)
  • Remote Access policy and procedures
  • Removal of sensitive data (company-approved products/hardware)
  • Risk Management Policy
  • Secure management of network components (including wireless routers)
  • Security awareness / security reminders
  • Sensitive data stored on tape media (secure handling)
  • Session timeout policy
  • Sign-on and log-in account maintenance (employees, contractors, temporary staff)
  • Software Development Policy
  • Tape media inventory logs (annual inventory check)
  • Corporate Information security policy (update)
  • Testing and revision procedures
  • Transfer of PCI data (prohibit end-user messaging technologies)
  • Transfer of PHI / e-PHI / PII / business-sensitive data
  • Unique user IDs
  • Usage policy for sensitive data (complete)
  • User authentication management (access provisioning)
  • Web application security assessment
  • Workstation use

Security Policies and Procedures typically cover the following critical control areas:

Contact Loricca Today

These are extensive lists. For help determining what types of policies and procedures your organization needs, or help implementing them appropriately, contact us today.