
Information Security Program

Category: Policies
Applies to: General guidance
Coverage: 0 controls, 0 queries
Asset types: Not specified

Overview

Policy Statement

Your organization promotes a Security-First culture. This is achieved through proper Policies and Procedures, Training and Awareness Programs, Technical Documentation, and Systems Audits.

This document establishes the Information Security Program Policy for your organization. It helps your organization address future changes in the information security landscape, including new or amended regulations, and minimize the risk of damage by preventing security incidents and reducing their potential impact. For the information security policies to provide value, they must be approved by management and adopted throughout the organization.

Your organization's Information Security Program covers:

  1. Assisting with compliance with regulatory and contractual requirements and standards such as GDPR, SOC 2, HIPAA, ISO 27001, etc.;
  2. Inventory and protection of all IT assets;
  3. Ensuring that appropriate measures are taken to protect the confidentiality, integrity, and availability of information entrusted to the organization by its customers, business partners, and stakeholders;
  4. Protection of data at rest and data in transit;
  5. Providing management with assurance that the organization is doing what it should concerning information security;
  6. Centralized identity and access management;
  7. Ensuring a Secure Software Development Lifecycle;
  8. Planning for business continuity, disaster recovery, and emergency response.

Purpose

Your organization's Information Security Program is built on the principle that security is everyone's responsibility and that rewarding positive behavior reinforces and encourages repeating it.

Scope

This policy applies to all Information Systems and Information Resources owned or operated by or on behalf of your organization. All persons associated with your organization who have access to Information, or to computers and systems operated or maintained on behalf of your organization, are responsible for adhering to this policy, including full-time and part-time employees, contractors, interns, and other third parties.

Procedures

Procedures and mapped controls

Organizational Concepts

Your organization makes use of cloud services and infrastructure. The network components and supporting network infrastructure are contained within the cloud service provider's infrastructure and are managed by the provider. Your organization does not have physical access to the network components.

Within your organization's platform and supporting services, all data storage and transmission is encrypted. Your organization assumes that data may contain ePHI, PHI, or PII and provides appropriate protections based on that assumption.

Your organization has implemented access controls, and only authorized personnel are given access to the production environments. The database servers and/or data repositories where the ePHI, PHI, or PII resides can only be accessed through a secure connection. For more information, please read the Identity and Access Management Policy.

Risk Assessments

Risk assessments are conducted at least annually to identify existing and potential safeguards that mitigate foreseeable risks to covered assets. Risk assessments inform the selection and implementation of safeguards. Identified risks without mitigating or compensating safeguards are documented and tracked in a central risk register according to the Risk Management Policy.

Frequency of Policy Review

Under your organization's Information Security Program, policies, procedures, and controls are reviewed regularly: at least annually, or whenever a significant event creates the need for a policy change.

It is the responsibility of the Chief Information Security Officer and the Chief Privacy Officer to maintain this policy and ensure the contents of the policy are continually monitored and enforced.

Contact with Authorities

Appropriate contact with relevant authorities must be maintained. When adapting this control, consider the legal responsibilities for communicating with authorities such as the police, the Information Commissioner's Office, or other regulatory bodies, e.g. the obligation under GDPR to notify the supervisory authority of a qualifying personal data breach within 72 hours. Define how that contact is to be made, by whom, under what circumstances, and the nature of the information to be provided.

Query logic

These are the stored checks tied to this policy.

No stored query bodies are attached to this entry.

Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.



© 2026 Cyscale Limited
