SlideShare a Scribd company logo

Policy on ia 1st assignment

Timir Shah
Timir Shah

Information Assurance policy

Technology
1 of 18
Download to read offline
University of Mumbai Policy On Information Assurance Prepared b y: Timir Shah 07.01.2014 Timir Shah B/001, silver mist Off yari rd,Versova Andheri(W) Mumbai-61
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 2 of 18 Filename: Policy on IA Specification Revisions History Edition Date Pages Changed Author(s) Short Description of Change 1.0.0 5/1/2014 New Timir Shah Initial version 1.0.1 7/1/2014 1,5,7 Timir Shah Revised 1.02 1.03 1.04 Executive Summary Overview Information assurance is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. These protections apply to data in transit, both physical and electronic forms as well as data at rest in various types of physical and electronic storage facilities. Information assurance as a field has grown from the practice of information security. IA Policy A. It is the policy of University of Mumbai that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within University of Mumbai. C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where 16/6/2013 Proprietary and Confidential Page 2 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 3 of 18 Filename: Policy on IA Specification possible. Existing systems are expected to be brought into compliance where possible and as soon as practical. 1. Scope A. The scope of information security includes the protection of the confidentiality, integrity and availability of information. B. The framework for managing information security in this policy applies to all University of Mumbai entities and workers, and other Involved Persons and all Involved Systems throughout University Of Mumbai as defined below in INFORMATION SECURITY DEFINITIONS. C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION. 2.Risk Management A. A thorough analysis of all University of Mumbai information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic-- that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection. B. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level. C. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities. 3. INFORMATION SECURITY DEFINITIONS Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA. Availability: Data or information is accessible and usable upon demand by an authorized person. Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes. HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA 16/6/2013 Proprietary and Confidential Page 3 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 4 of 18 Filename: Policy on IA Specification regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards. Integrity: Data or information has not been altered or destroyed in an unauthorized manner. Involved Persons: Every worker at UNIVERSITY OF MUMBAI -- no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc. Involved Systems: All computer equipment and network systems that are operated within the University of Mumbai environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems. Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the University of Mumbai entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual. Risk: The probability of a loss of confidentiality, integrity, or availability of information resources. 4. INFORMATION SECURITY RESPONSIBILITIES A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of University of Mumbai. Specific responsibilities include: 1. Ensuring security policies, procedures, and standards are in place and adhered to by entity. 2. Providing basic security support for all systems and users. 3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification. 4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation. 5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems. 16/6/2013 Proprietary and Confidential Page 4 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 5 of 18 Filename: Policy on IA Specification 6. Providing on-going employee security education. 7. Performing security audits. 8. Reporting regularly to the University of Mumbai Oversight Committee on entity’s status with regard to information security. B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the University of Mumbai Information Owner Delegation Form. The owner of information has the responsibility for: 1. Knowing the information for which she/he is responsible. 2. Determining a data retention period for the information, relying on advice from the Legal Department. 3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit. 4. Authorizing access and assigning custodianship. 5. Specifying controls and communicating the control requirements to the custodian and users of the information. 6. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 7. Initiating corrective actions when problems are identified. 8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate. 9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include: 1. Providing and/or recommending physical safeguards. 2. Providing and/or recommending procedural safeguards. 3. Administering access to information. 4. Releasing information as authorized by the Information Owner and/or the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information. 16/6/2013 Proprietary and Confidential Page 5 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 6 of 18 Filename: Policy on IA Specification 5. Evaluating the cost effectiveness of controls. 6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO. 7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate. 8. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified. D. User Management: University of Mumbai management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including: 1. Reviewing and approving all requests for their employee’s access authorizations. 2. Initiating security change requests to keep employees' security record current with their positions and job functions. 3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures. 4. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc. 5. Providing employees with the opportunity for training needed to properly use the computer systems. 6. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 7. Initiating corrective actions when problems are identified. 8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to: 1. Access information only in support of their authorized job responsibilities. 2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian. 3. Refer all disclosures of PHI (1) outside of University of Mumbai and (2) within University of Mumbai, other than for treatment, payment, or health care operations, to the applicable entity’s Medical/Health Information Management Department. In certain circumstances, the Medical/Health 16/6/2013 Proprietary and Confidential Page 6 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 7 of 18 Filename: Policy on IA Specification Information Management Department policies may specifically delegate the disclosure process to other departments. (For additional information, see University of Mumbai Privacy/Confidentiality of Protected Health Information (PHI) Policy.) 4. Keep personal authentication devices (e.g. passwords, Secure Cards, PINs, etc.) confidential. 5. Report promptly to the ISO the loss or misuse of University of Mumbai information. 6. Initiate corrective actions when problems are identified. 5. INFORMATION CLASSIFICATION Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information: A. Protected Health Information (PHI) 1. PHI is information, whether oral or recorded in any form or medium, that: a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and b. relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past present or future payment for the provision of health care to an individual; and c. includes demographic data, that permits identification of the individual or could reasonably be used to identify the individual. 2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to University of Mumbai and its patients or research interests. B. Confidential Information 1. Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. 16/6/2013 Proprietary and Confidential Page 7 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 8 of 18 Filename: Policy on IA Specification Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys. 2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for University of Mumbai, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner. C. Internal Information 1. Internal Information is intended for unrestricted use within University of Mumbai, and in some cases within affiliated organizations such as University of Mumbai business partners. This type of information is already widely-distributed within University of Mumbai, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages. 2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information. 3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions. D. Public Information 1. Public Information has been specifically approved for public release by a designated authority within each entity of University of Mumbai. Examples of Public Information may include marketing brochures and material posted to University of Mumbai, entity internet web pages. 2. This information may be disclosed outside of University of Mumbai 6. COMPUTER AND INFORMATION CONTROL All involved systems and information are assets of University of Mumbai are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based. A. Ownership of Software: All computer software developed by University of Mumbai employees or contract personnel on behalf of University of Mumbai or licensed for University of Mumbai use is the property of University of Mumbai and must not be copied for use at home or any other location, unless otherwise specified by the license agreement. 16/6/2013 Proprietary and Confidential Page 8 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 9 of 18 Filename: Policy on IA Specification B. Installed Software: All software packages that reside on computers and networks within University of Mumbai must comply with applicable licensing agreements and restrictions and must comply with University of Mumbai, acquisition of software policies. C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems. D. Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by University of Mumbai. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods: 1. Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy: a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc. b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role. c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user. 2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id. a. At least one of the following authentication methods must be implemented: 1. strictly controlled passwords (Attachment 1 – Password Control Standards), 16/6/2013 Proprietary and Confidential Page 9 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 10 of 18 Filename: Policy on IA Specification 2. biometric identification, and/or 3. tokens in conjunction with a PIN. b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager. c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes). d. The user must log off or secure the system when leaving it. Data Integrity: University of Mumbai must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity: a. transaction audit b. disk redundancy (RAID) c. ECC (Error Correcting Memory) d. checksums (file integrity) e. encryption of data in storage f. digital signatures 4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented: a. integrity controls and b. encryption, where deemed appropriate 5. Remote Access: Access into University of Mumbai network from outside will be granted using University of Mumbai approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the University of Mumbai network. 6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place: a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must 16/6/2013 Proprietary and Confidential Page 10 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 11 of 18 Filename: Policy on IA Specification afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations. b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals. c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will: d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:  1. Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. o 2. Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. o 3. Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. o 4. Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks). 7. Emergency Access a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency. b. Procedures must be documented to address: 16/6/2013 Proprietary and Confidential Page 11 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 12 of 18 Filename: Policy on IA Specification 1. Authorization, 2. Implementation, and 3. Revocation 8. Equipment and Media Controls The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specification must be addressed: 1. Information Disposal / Media Re-Use of: a. Hard copy (paper and microfilm/fiche) b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and c. CD ROM Disks 2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore. 3. Data backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment 9. Other Media Controls 1. PHI and Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information. Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas. 2. PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented: 16/6/2013 Proprietary and Confidential Page 12 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 13 of 18 Filename: Policy on IA Specification a. Power-on passwords b. Auto logoff or screen saver with password c. Encryption of stored data or other acceptable safeguards approved by Information Security Officer Further, mobile computing devices must never be left unattended in unsecured areas. 3. If PHI or Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of University of Mumbai Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with University of Mumbai 10. Data Transfer/Printing 1. Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Internal Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities 2. Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PHI and Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes where possible should be de-identified before use 11. Oral Communications 1. University of Mumbai staff should be aware of their surroundings when discussing PHI and Confidential Information. This includes the use of cellular telephones in public areas. University of Mumbai staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. 16/6/2013 Proprietary and Confidential Page 13 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 14 of 18 Filename: Policy on IA Specification Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation. 12. Audit Controls Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years. 13. Evaluation University of Mumbai requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection. 14. Contingency Plan Controls must ensure that University of Mumbai can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following 1. Data Backup Plan: a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information. b. Backup data must be stored in an off-site location and protected from physical damage. c. Backup data must be afforded the same level of protection as the original data. 16/6/2013 Proprietary and Confidential Page 14 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 15 of 18 Filename: Policy on IA Specification 2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. 3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure. 4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary. 5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented. 16/6/2013 Proprietary and Confidential Page 15 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 16 of 18 Filename: Policy on IA Specification 15. Compliance A. The Information Security Policy applies to all users of University of Mumbai information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable University of Mumbai procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with University of Mumbai procedures. Further, penalties associated with state and federal laws may apply. B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following: 1. Unauthorized disclosure of PHI or Confidential Information as specified in Confidentiality Statement. 2. Unauthorized disclosure of a sign-on code (user id) or password. 3. Attempting to obtain a sign-on code or password that belongs to another person. 4. Using or attempting to use another person's sign-on code or password. 5. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review. 6. Installing or using unlicensed software on University of Mumbai computers. 7. The intentional unauthorized destruction of University of Mumbai information. 8. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access 16/6/2013 Proprietary and Confidential Page 16 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 17 of 18 Filename: Policy on IA Specification 16. Annexure -1 Password Control Standards The University of Mumbai Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls. Standards for accessing PHI, CI & Internal Information (II): Users are responsible for complying with the following password standards: 1. Passwords must never be shared with another person, unless the person is a designated security manager. 2. Every password must, where possible, be changed regularly – (between 45 and 90 days depending on the sensitivity of the information being accessed) 3. Passwords must, where possible, have a minimum length of six characters. 4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems. 5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them. 6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children’s names, pets’ names, birthdays, etc…). A combination of alpha and numeric characters are more difficult to guess. Where possible, system software must enforce the following password standards: 1. Passwords routed over a network must be encrypted. 2. Passwords must be entered in a non-display field. 3. System software must enforce the changing of passwords and the minimum length. 4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes. 5. System software must maintain a history of previous passwords and prevent their reuse. 16/6/2013 Proprietary and Confidential Page 17 of 18
Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 18 of 18 Filename: Policy on IA Specification 17. Annexure-2 Relevant laws and Regulations 16/6/2013 Proprietary and Confidential Page 18 of 18

Recommended

Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...
Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...
Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...kikiahadiyat
 
Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...ijtsrd
 
Availability
AvailabilityAvailability
AvailabilitySam Muthoka
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Maganathin Veeraragaloo
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
document
documentdocument
documentmelatimelor
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organizationMohammed Mahfouz Alhassan
 

Recommended

Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...
Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...
Si pi, 02, kiki kusumayadi ahadiyat, hapzi ali, the application of data and i...kikiahadiyat
 
Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...Ensuring Effective Information Security Management Information Classification...
Ensuring Effective Information Security Management Information Classification...ijtsrd
 
Availability
AvailabilityAvailability
AvailabilitySam Muthoka
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Maganathin Veeraragaloo
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentIJERD Editor
 
document
documentdocument
documentmelatimelor
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organizationMohammed Mahfouz Alhassan
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentjenito21
 
Bis Chapter15
Bis Chapter15Bis Chapter15
Bis Chapter15Chun Hoi Lam
 
RFC 2196 Site Security Handbook
RFC 2196 Site Security HandbookRFC 2196 Site Security Handbook
RFC 2196 Site Security HandbookDavid Sweigert
 
[IJCT-V3I2P29] Authors:Karandeep Kaur
[IJCT-V3I2P29] Authors:Karandeep Kaur[IJCT-V3I2P29] Authors:Karandeep Kaur
[IJCT-V3I2P29] Authors:Karandeep KaurIJET - International Journal of Engineering and Techniques
 
Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...Dejan Jeremic
 
Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...Alexander Decker
 
The Role of Information and Communication Technologies (57)
The Role of Information and Communication Technologies (57)The Role of Information and Communication Technologies (57)
The Role of Information and Communication Technologies (57)Arab Federation for Digital Economy
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comphanleson
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_PolicyMrinal Dutta
 
HIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenarioHIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenarioBrian Wong
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001Hiran Kanishka
 
Mobileprivacyazahir
MobileprivacyazahirMobileprivacyazahir
MobileprivacyazahirAzahir Hifzalla
 
Case Study
Case StudyCase Study
Case Studylneut03
 
SECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHINGSECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHINGAM Publications
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 
Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...Sudan Agriculture
 
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 
FUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLEFUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLEVraj Patel
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 

More Related Content

What's hot

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessmentjenito21
 
RFC 2196 Site Security Handbook
RFC 2196 Site Security HandbookRFC 2196 Site Security Handbook
RFC 2196 Site Security HandbookDavid Sweigert
 
Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...Dejan Jeremic
 
Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...Alexander Decker
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comphanleson
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_PolicyMrinal Dutta
 
HIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenarioHIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenarioBrian Wong
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001Hiran Kanishka
 
Case Study
Case StudyCase Study
Case Studylneut03
 
SECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHINGSECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHINGAM Publications
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 
The need for security
The need for securityThe need for security
The need for securityDhani Ahmad
 
Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...Sudan Agriculture
 

What's hot (18)

Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Bis Chapter15
Bis Chapter15Bis Chapter15
Bis Chapter15
 
RFC 2196 Site Security Handbook
RFC 2196 Site Security HandbookRFC 2196 Site Security Handbook
RFC 2196 Site Security Handbook
 
[IJCT-V3I2P29] Authors:Karandeep Kaur
[IJCT-V3I2P29] Authors:Karandeep Kaur[IJCT-V3I2P29] Authors:Karandeep Kaur
[IJCT-V3I2P29] Authors:Karandeep Kaur
 
Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...Zlatibor risk based balancing of organizational and technical controls for ...
Zlatibor risk based balancing of organizational and technical controls for ...
 
Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...Deepening the knowledge on information security management in developing coun...
Deepening the knowledge on information security management in developing coun...
 
The Role of Information and Communication Technologies (57)
The Role of Information and Communication Technologies (57)The Role of Information and Communication Technologies (57)
The Role of Information and Communication Technologies (57)
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_Policy
 
HIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenarioHIPAA compliance MA Healthcare scenario
HIPAA compliance MA Healthcare scenario
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001
 
Mobileprivacyazahir
MobileprivacyazahirMobileprivacyazahir
Mobileprivacyazahir
 
Case Study
Case StudyCase Study
Case Study
 
SECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHINGSECURING THE WEB DOMAIN BASED ON HASHING
SECURING THE WEB DOMAIN BASED ON HASHING
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 
The need for security
The need for securityThe need for security
The need for security
 
Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...Challenges of institutionalization and strengthening networking and collabora...
Challenges of institutionalization and strengthening networking and collabora...
 

Viewers also liked

WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014
 
FUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLEFUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLEVraj Patel
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@R_Yanus
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeAtlantic Training, LLC.
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 

Viewers also liked (8)

WCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global ContextWCIT 2014 Matt Stamper - Information Assurance in a Global Context
WCIT 2014 Matt Stamper - Information Assurance in a Global Context
 
FUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLEFUNCTION DEPENDENCY AND TYPES & EXAMPLE
FUNCTION DEPENDENCY AND TYPES & EXAMPLE
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 

Similar to Policy on ia 1st assignment

Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docxHomework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docxadampcarr67227
 
Cybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfCybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfLarisaAlbanians
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework- Mark - Fullbright
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Security Standards, Policies, and Procedures Manual TemplateInstru.docx
Security Standards, Policies, and Procedures Manual TemplateInstru.docxSecurity Standards, Policies, and Procedures Manual TemplateInstru.docx
Security Standards, Policies, and Procedures Manual TemplateInstru.docxjeffreye3
 
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxSALU18
 
MeHI Privacy & Security Webinar 3.18.15
MeHI Privacy & Security Webinar 3.18.15MeHI Privacy & Security Webinar 3.18.15
MeHI Privacy & Security Webinar 3.18.15MassEHealth
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follAISHA232980
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxmydrynan
 
Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...stuimrozsm
 
The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act Kartheek Kein
 
Recapitulating the development initiatives of a robust information security s...
Recapitulating the development initiatives of a robust information security s...Recapitulating the development initiatives of a robust information security s...
Recapitulating the development initiatives of a robust information security s...IOSR Journals
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
List of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beList of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beJacob Adams
 
NFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityNFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityWesley Moore
 

Similar to Policy on ia 1st assignment (20)

Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docxHomework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
 
Cybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdfCybersecurity Measures and Privacy Protection.pdf
Cybersecurity Measures and Privacy Protection.pdf
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Security Standards, Policies, and Procedures Manual TemplateInstru.docx
Security Standards, Policies, and Procedures Manual TemplateInstru.docxSecurity Standards, Policies, and Procedures Manual TemplateInstru.docx
Security Standards, Policies, and Procedures Manual TemplateInstru.docx
 
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
 
MeHI Privacy & Security Webinar 3.18.15
MeHI Privacy & Security Webinar 3.18.15MeHI Privacy & Security Webinar 3.18.15
MeHI Privacy & Security Webinar 3.18.15
 
Pindad iso27000 2016 smki
Pindad iso27000 2016 smkiPindad iso27000 2016 smki
Pindad iso27000 2016 smki
 
R.a 1
R.a 1R.a 1
R.a 1
 
MobileSecurity WhitePaper
MobileSecurity WhitePaperMobileSecurity WhitePaper
MobileSecurity WhitePaper
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
 
Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...Application of Q methodology in critical success factors of information secur...
Application of Q methodology in critical success factors of information secur...
 
The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act 
The Health Insurance Portability and Accountability Act 
 
Recapitulating the development initiatives of a robust information security s...
Recapitulating the development initiatives of a robust information security s...Recapitulating the development initiatives of a robust information security s...
Recapitulating the development initiatives of a robust information security s...
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
List of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beList of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue be
 
NFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info SecurityNFA Interpretive Notice on Info Security
NFA Interpretive Notice on Info Security
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)
 

More from Timir Shah

ppt ver1.2.compressed
ppt ver1.2.compressedppt ver1.2.compressed
ppt ver1.2.compressedTimir Shah
 
Blue torque contract staffing
Blue torque contract staffingBlue torque contract staffing
Blue torque contract staffingTimir Shah
 
Indoor plants- enhancing workplace envoirnment
Indoor plants- enhancing workplace envoirnmentIndoor plants- enhancing workplace envoirnment
Indoor plants- enhancing workplace envoirnmentTimir Shah
 
Senshi case study india
Senshi case study indiaSenshi case study india
Senshi case study indiaTimir Shah
 
Blue torque corporate presentation
Blue torque corporate presentationBlue torque corporate presentation
Blue torque corporate presentationTimir Shah
 

More from Timir Shah (6)

Bt brochure
Bt brochureBt brochure
Bt brochure
 
ppt ver1.2.compressed
ppt ver1.2.compressedppt ver1.2.compressed
ppt ver1.2.compressed
 
Blue torque contract staffing
Blue torque contract staffingBlue torque contract staffing
Blue torque contract staffing
 
Indoor plants- enhancing workplace envoirnment
Indoor plants- enhancing workplace envoirnmentIndoor plants- enhancing workplace envoirnment
Indoor plants- enhancing workplace envoirnment
 
Senshi case study india
Senshi case study indiaSenshi case study india
Senshi case study india
 
Blue torque corporate presentation
Blue torque corporate presentationBlue torque corporate presentation
Blue torque corporate presentation
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Policy on ia 1st assignment

  • 1. University of Mumbai Policy On Information Assurance Prepared b y: Timir Shah 07.01.2014 Timir Shah B/001, silver mist Off yari rd,Versova Andheri(W) Mumbai-61
  • 2. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 2 of 18 Filename: Policy on IA Specification Revisions History Edition Date Pages Changed Author(s) Short Description of Change 1.0.0 5/1/2014 New Timir Shah Initial version 1.0.1 7/1/2014 1,5,7 Timir Shah Revised 1.02 1.03 1.04 Executive Summary Overview Information assurance is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital but also analog or physical form. These protections apply to data in transit, both physical and electronic forms as well as data at rest in various types of physical and electronic storage facilities. Information assurance as a field has grown from the practice of information security. IA Policy A. It is the policy of University of Mumbai that information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information. B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, a period of time to be determined by each entity within University of Mumbai. C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where 16/6/2013 Proprietary and Confidential Page 2 of 18
  • 3. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 3 of 18 Filename: Policy on IA Specification possible. Existing systems are expected to be brought into compliance where possible and as soon as practical. 1. Scope A. The scope of information security includes the protection of the confidentiality, integrity and availability of information. B. The framework for managing information security in this policy applies to all University of Mumbai entities and workers, and other Involved Persons and all Involved Systems throughout University Of Mumbai as defined below in INFORMATION SECURITY DEFINITIONS. C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION. 2.Risk Management A. A thorough analysis of all University of Mumbai information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic-- that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection. B. From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level. C. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities. 3. INFORMATION SECURITY DEFINITIONS Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA. Availability: Data or information is accessible and usable upon demand by an authorized person. Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes. HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA 16/6/2013 Proprietary and Confidential Page 3 of 18
  • 4. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 4 of 18 Filename: Policy on IA Specification regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards. Integrity: Data or information has not been altered or destroyed in an unauthorized manner. Involved Persons: Every worker at UNIVERSITY OF MUMBAI -- no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc. Involved Systems: All computer equipment and network systems that are operated within the University of Mumbai environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems. Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the University of Mumbai entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual. Risk: The probability of a loss of confidentiality, integrity, or availability of information resources. 4. INFORMATION SECURITY RESPONSIBILITIES A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of University of Mumbai. Specific responsibilities include: 1. Ensuring security policies, procedures, and standards are in place and adhered to by entity. 2. Providing basic security support for all systems and users. 3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification. 4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation. 5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems. 16/6/2013 Proprietary and Confidential Page 4 of 18
  • 5. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 5 of 18 Filename: Policy on IA Specification 6. Providing on-going employee security education. 7. Performing security audits. 8. Reporting regularly to the University of Mumbai Oversight Committee on entity’s status with regard to information security. B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the University of Mumbai Information Owner Delegation Form. The owner of information has the responsibility for: 1. Knowing the information for which she/he is responsible. 2. Determining a data retention period for the information, relying on advice from the Legal Department. 3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit. 4. Authorizing access and assigning custodianship. 5. Specifying controls and communicating the control requirements to the custodian and users of the information. 6. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 7. Initiating corrective actions when problems are identified. 8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate. 9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include: 1. Providing and/or recommending physical safeguards. 2. Providing and/or recommending procedural safeguards. 3. Administering access to information. 4. Releasing information as authorized by the Information Owner and/or the Information Privacy/ Security Officer for use and disclosure using procedures that protect the privacy of the information. 16/6/2013 Proprietary and Confidential Page 5 of 18
  • 6. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 6 of 18 Filename: Policy on IA Specification 5. Evaluating the cost effectiveness of controls. 6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO. 7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate. 8. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified. D. User Management: University of Mumbai management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including: 1. Reviewing and approving all requests for their employee’s access authorizations. 2. Initiating security change requests to keep employees' security record current with their positions and job functions. 3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures. 4. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc. 5. Providing employees with the opportunity for training needed to properly use the computer systems. 6. Reporting promptly to the ISO the loss or misuse of University of Mumbai information. 7. Initiating corrective actions when problems are identified. 8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information. E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to: 1. Access information only in support of their authorized job responsibilities. 2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian. 3. Refer all disclosures of PHI (1) outside of University of Mumbai and (2) within University of Mumbai, other than for treatment, payment, or health care operations, to the applicable entity’s Medical/Health Information Management Department. In certain circumstances, the Medical/Health 16/6/2013 Proprietary and Confidential Page 6 of 18
  • 7. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 7 of 18 Filename: Policy on IA Specification Information Management Department policies may specifically delegate the disclosure process to other departments. (For additional information, see University of Mumbai Privacy/Confidentiality of Protected Health Information (PHI) Policy.) 4. Keep personal authentication devices (e.g. passwords, Secure Cards, PINs, etc.) confidential. 5. Report promptly to the ISO the loss or misuse of University of Mumbai information. 6. Initiate corrective actions when problems are identified. 5. INFORMATION CLASSIFICATION Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information: A. Protected Health Information (PHI) 1. PHI is information, whether oral or recorded in any form or medium, that: a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and b. relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past present or future payment for the provision of health care to an individual; and c. includes demographic data, that permits identification of the individual or could reasonably be used to identify the individual. 2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to University of Mumbai and its patients or research interests. B. Confidential Information 1. Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access. 16/6/2013 Proprietary and Confidential Page 7 of 18
  • 8. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 8 of 18 Filename: Policy on IA Specification Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys. 2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for University of Mumbai, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner. C. Internal Information 1. Internal Information is intended for unrestricted use within University of Mumbai, and in some cases within affiliated organizations such as University of Mumbai business partners. This type of information is already widely-distributed within University of Mumbai, or it could be so distributed within the organization without advance permission from the information owner. Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages. 2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information. 3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions. D. Public Information 1. Public Information has been specifically approved for public release by a designated authority within each entity of University of Mumbai. Examples of Public Information may include marketing brochures and material posted to University of Mumbai, entity internet web pages. 2. This information may be disclosed outside of University of Mumbai 6. COMPUTER AND INFORMATION CONTROL All involved systems and information are assets of University of Mumbai are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based. A. Ownership of Software: All computer software developed by University of Mumbai employees or contract personnel on behalf of University of Mumbai or licensed for University of Mumbai use is the property of University of Mumbai and must not be copied for use at home or any other location, unless otherwise specified by the license agreement. 16/6/2013 Proprietary and Confidential Page 8 of 18
  • 9. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 9 of 18 Filename: Policy on IA Specification B. Installed Software: All software packages that reside on computers and networks within University of Mumbai must comply with applicable licensing agreements and restrictions and must comply with University of Mumbai, acquisition of software policies. C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems. D. Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by University of Mumbai. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods: 1. Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy: a. Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc. b. Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role. c. User-based access: A security mechanism used to grant users of a system access based upon the identity of the user. 2. Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id. a. At least one of the following authentication methods must be implemented: 1. strictly controlled passwords (Attachment 1 – Password Control Standards), 16/6/2013 Proprietary and Confidential Page 9 of 18
  • 10. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 10 of 18 Filename: Policy on IA Specification 2. biometric identification, and/or 3. tokens in conjunction with a PIN. b. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager. c. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes). d. The user must log off or secure the system when leaving it. Data Integrity: University of Mumbai must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorized manner. Listed below are some methods that support data integrity: a. transaction audit b. disk redundancy (RAID) c. ECC (Error Correcting Memory) d. checksums (file integrity) e. encryption of data in storage f. digital signatures 4. Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented: a. integrity controls and b. encryption, where deemed appropriate 5. Remote Access: Access into University of Mumbai network from outside will be granted using University of Mumbai approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the University of Mumbai network. 6. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place: a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must 16/6/2013 Proprietary and Confidential Page 10 of 18
  • 11. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 11 of 18 Filename: Policy on IA Specification afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations. b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals. c. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will: d. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:  1. Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. o 2. Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. o 3. Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. o 4. Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks). 7. Emergency Access a. Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency. b. Procedures must be documented to address: 16/6/2013 Proprietary and Confidential Page 11 of 18
  • 12. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 12 of 18 Filename: Policy on IA Specification 1. Authorization, 2. Implementation, and 3. Revocation 8. Equipment and Media Controls The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specification must be addressed: 1. Information Disposal / Media Re-Use of: a. Hard copy (paper and microfilm/fiche) b. Magnetic media (floppy disks, hard drives, zip disks, etc.) and c. CD ROM Disks 2. Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore. 3. Data backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment 9. Other Media Controls 1. PHI and Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information. Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas. 2. PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PC’s, etc.) unless the devices have the following minimum security requirements implemented: 16/6/2013 Proprietary and Confidential Page 12 of 18
  • 13. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 13 of 18 Filename: Policy on IA Specification a. Power-on passwords b. Auto logoff or screen saver with password c. Encryption of stored data or other acceptable safeguards approved by Information Security Officer Further, mobile computing devices must never be left unattended in unsecured areas. 3. If PHI or Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of University of Mumbai Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with University of Mumbai 10. Data Transfer/Printing 1. Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Internal Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities 2. Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PHI and Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes where possible should be de-identified before use 11. Oral Communications 1. University of Mumbai staff should be aware of their surroundings when discussing PHI and Confidential Information. This includes the use of cellular telephones in public areas. University of Mumbai staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. 16/6/2013 Proprietary and Confidential Page 13 of 18
  • 14. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 14 of 18 Filename: Policy on IA Specification Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation. 12. Audit Controls Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years. 13. Evaluation University of Mumbai requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection. 14. Contingency Plan Controls must ensure that University of Mumbai can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following 1. Data Backup Plan: a. A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information. b. Backup data must be stored in an off-site location and protected from physical damage. c. Backup data must be afforded the same level of protection as the original data. 16/6/2013 Proprietary and Confidential Page 14 of 18
  • 15. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 15 of 18 Filename: Policy on IA Specification 2. Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. 3. Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure. 4. Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary. 5. Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented. 16/6/2013 Proprietary and Confidential Page 15 of 18
  • 16. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 16 of 18 Filename: Policy on IA Specification 15. Compliance A. The Information Security Policy applies to all users of University of Mumbai information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable University of Mumbai procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with University of Mumbai procedures. Further, penalties associated with state and federal laws may apply. B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following: 1. Unauthorized disclosure of PHI or Confidential Information as specified in Confidentiality Statement. 2. Unauthorized disclosure of a sign-on code (user id) or password. 3. Attempting to obtain a sign-on code or password that belongs to another person. 4. Using or attempting to use another person's sign-on code or password. 5. Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review. 6. Installing or using unlicensed software on University of Mumbai computers. 7. The intentional unauthorized destruction of University of Mumbai information. 8. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access 16/6/2013 Proprietary and Confidential Page 16 of 18
  • 17. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 17 of 18 Filename: Policy on IA Specification 16. Annexure -1 Password Control Standards The University of Mumbai Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls. Standards for accessing PHI, CI & Internal Information (II): Users are responsible for complying with the following password standards: 1. Passwords must never be shared with another person, unless the person is a designated security manager. 2. Every password must, where possible, be changed regularly – (between 45 and 90 days depending on the sensitivity of the information being accessed) 3. Passwords must, where possible, have a minimum length of six characters. 4. Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems. 5. Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them. 6. When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (i.e. children’s names, pets’ names, birthdays, etc…). A combination of alpha and numeric characters are more difficult to guess. Where possible, system software must enforce the following password standards: 1. Passwords routed over a network must be encrypted. 2. Passwords must be entered in a non-display field. 3. System software must enforce the changing of passwords and the minimum length. 4. System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15 minute timeframe. Lockout time must be set at a minimum of 30 minutes. 5. System software must maintain a history of previous passwords and prevent their reuse. 16/6/2013 Proprietary and Confidential Page 17 of 18
  • 18. Policy on Information Assurance Doc. Name: Policy on IA Edition: 1.0.1 Date: 07.01.2014 Page: 18 of 18 Filename: Policy on IA Specification 17. Annexure-2 Relevant laws and Regulations 16/6/2013 Proprietary and Confidential Page 18 of 18