
A Security Policy Template

developed by the
Mobile Memory Task Force
of the
NCHICA Privacy and Security Officials Workgroup
August 2007
Page 1 of 16
Copyright 2007, NCHICA, Inc. All Rights Reserved
Approved for Public Release under NCHICAs Terms and Conditions
Managing Sensitive Electronic Information (SEI)
on
Portable Devices and Removable Media

Preamble:
Template for Managing Sensitive Electronic Information
(SEI) on Portable Devices and Removable Media
Introduction:
In the Spring of 2007, the Chief Information Officers (CIO) Roundtable of the North Carolina
Healthcare Information and Communications Alliance, Inc. (NCHICA) chartered a Task
Force of the NCHICA Privacy and Security Officials Workgroup to study and recommend
policies and procedures for protecting Sensitive Electronic Information (SEI) that could be
moved from inside an enterprise's firewall via portable devices and removable media
including laptops, PDAs, USB drives, CD/DVDs, etc. This was judged to be an immediate
and pressing issue facing each member organization of NCHICA and others in healthcare.
The Task Force developed a series of policy, standards, and procedure templates based
upon best practices that could be tailored to each organization's specific needs. This
document reflects the collective knowledge and efforts of the members of the Task Force
and bears the endorsement of the NCHICA Privacy and Security Officials Workgroup and
the CIO Roundtable and has been reviewed by the NCHICA Board of Directors. The reader
should be aware that neither NCHICA nor any of the organizations whose staff participated
in this work make any claim that this document is adequate to meet the needs of every
entity but only that it is provided for consideration and possible adoption, after consultation
with appropriate counsel, by organizations needing to address this critical issue.

This document addresses security issues surrounding the deployment and use of portable
devices and removable media that collect, store, access, receive, or transmit SEI,
specifically in the healthcare environment. While risks and deployment methodology may
differ in other domains, the principles are very similar.
Definitions:
Sensitive Electronic Information (SEI) – Includes all classes of sensitive data including
Protected Health Information (PHI) and any other information considered confidential by the
organization.
Portable Device – includes any non-fixed device that contains an operating system that
may be used to create, access, or store SEI (i.e. laptop computers, tablet computers,
personal digital assistants (PDAs), smart phones, etc.)
Removable Media – includes, but is not limited to, CDs, DVDs, MP3 players, removable
memory, and USB drives (thumb drives)
Task Force Members:
NCHICA gratefully acknowledges the expertise and effort contributed by representatives from
the following member organizations who made this document possible:
Alamance Regional Health System
Carolinas HealthCare System
Duke Clinical Research Institute
Duke University Health System
Forsythe Solutions Group
Halifax Regional Medical Center
Intel
LabCorp
Mission Hospitals
Moses Cone Health System
Novant Health
Pitt County Memorial Hospital
Rex Healthcare
Southeastern Regional Med Center
UNC Healthcare
UNC-CH School of Medicine
University of Virginia Health System
VCU Health System/ACE
Wake Forest University Baptist Medical Center
* listed alphabetically
The Challenge:
The NCHICA Task Force members followed a risk management methodology to address
the challenge of protecting SEI on portable devices and removable media, including when
those items are outside the control of the organization's protected infrastructure. The
following assumptions were used in the formulation of this document:
• Today's technology allows SEI to be accessed, stored and transmitted from just
  about anywhere using devices that are becoming smaller in physical size but can
  store gigabytes of data.
• The workforce continues to mobilize and expects to have immediate access to data.
• Many organizations are not encrypting data on portable devices; so, when equipment
  has gone missing, they are faced with the dilemma of how to determine what data
  may have been stored on the device and what to report.
• End users continue to introduce and use personally owned removable media and
  portable devices to create, access, and store SEI.

Regulatory Requirements:
• The Department of Health and Human Services released a security guidance
  document on 12/28/2006 to address the ways a covered entity "must" protect SEI
  when it is accessed or used outside of the organization's physical purview.
• The NC Identity Theft Act of 2005 addresses the protection of personal information
  that can be used to gain access to financial data. Items that may impact how we deal
  with personal information are:
  o Individuals must be notified of security breaches when there's a reasonable
    likelihood that their "identifying information" was compromised.
  o Identifying information covers a wide range of data, including SSNs, bank
    account numbers, driver's license numbers, biometric data (fingerprints, retina
    scans, etc.), passwords, and parent's legal surname prior to marriage.

Summary of Task Force Meeting Discussions:
• The organization should create a listing of approved Removable Media Devices
  o How would you police the organization to determine compliance?
  o How do you deal with existing unapproved devices?
  o Would the organization supply the workforce with the approved devices?
  o Would the organization offer a trade-in option to eliminate non-compliant removable
    media?
• The organization should install a solution that encrypts all SEI as it is transferred to removable
  media
• Most organizations are experiencing an increase in device theft from both inside and
  outside the facility; therefore, the control needs to include all SEI removed from the
  organization's protected infrastructure.
• The consensus is that the organization should restrict the individual's ability to remove SEI from
  the network or install a solution that forces all SEI transferred to removable media from the
  organization's protected infrastructure to be encrypted.

Task Force Recommendations:
The Task Force reached a consensus that the best way to manage the workforce using
removable media or portable devices is to follow five major recommendations:
• Create four classes of users, based on risk and organizational requirements:
  1. Users who do not need to have access to USB drives
  2. Users who do not store data on a local device
  3. Users who store data, but not SEI, on a device or removable media
  4. Users who store SEI on a portable device or removable media
• Create group policies to lock down the USB ports and hard drives on machines assigned
  to, or for use by, class "1" and "2" users listed above. Create a waiver process for granting
  exceptions on a case-by-case basis.
• Create a process where access can be granted to USB ports and hard drives for users
  that work with non-SEI data. Include an education requirement to ensure workers
  understand data classifications.
• Purchase encryption solutions for all devices used by class "4" users that are capable of
  forcing encryption on all information that is transferred, created or stored on portable
  devices or removable media attached to the device.
• Organizations should consider implementing a centralized approach to managing SEI
  devices. Detailed considerations for evaluating encryption solutions are included in the
  associated Vendor RFP Template for Meeting HIPAA Security Requirements: Portable
  Device Encryption Vendor ADDENDUM.

Vendor RFP Template Addendum:
NCHICA's Privacy and Security Officials Workgroup and Security Workgroup previously
published a Vendor RFP Template for Meeting HIPAA Security Requirements, containing a
list of standard questions that organizations may use in the acquisition process to select a
suitable vendor. The Task Force created additional questions specific to encryption vendors
that may be used in addition to the existing template. Both the Vendor RFP Template and the
new ADDENDUM related to SEI are posted on the NCHICA Web site in proximity to this
document (http://www.nchica.org/HIPAAResources/Samples/Portal.asp).
Introduction

Portable Devices and Removable Media
Policy, Standard, Procedures, and Guidelines

It is a requirement for health care organizations to demonstrate compliance with security
requirements through the implementation of reasonable and appropriate policies and
procedures. In response to the growing threat to portable devices, the North Carolina
Healthcare Information and Communications Alliance, Inc. (NCHICA) has developed a draft
Removable Media and Portable Devices Policy, Standard, and Procedures to serve as a
starting point for both member and non-member organizations to address these issues at an
enterprise level.

No discussion of policies, standards, procedures, and guidelines can take place without first
understanding the framework in which they are to be used. For this reason, NCHICA has
adopted best practices from the National Institute of Standards and Technology (NIST) and the
SysAdmin, Audit, Network, Security Institute (SANS), ISO 17799:2005 and ISO 27001:2005 in
defining these terms and their associated documents.
DEFINITIONS

A Policy is a formal statement by an organization's executive management of the overall
intention and direction. It is not intended to be detailed, but rather serves as the capstone
principle that subordinate documents support. Policies do not normally direct individual
behavior but rather state an organization's intention. It is through these subordinate documents
that a desired behavior is accomplished. An organization's policies are mandatory in nature and
designated members of the workforce shall be educated on the intent. Policies must also be
available to all who fall within the scope.

A Standard supports a policy by providing specific boundaries. Standards are not intended for a
wide audience, but rather serve to establish a set of mandatory decision criteria for systems and
processes. Standards are intended for a very limited audience, such as program managers or IT
technical implementation staff, and can be used for purchasing hardware, software, or even
configuring systems. Standards are mandatory by definition; however, there should be a
documented waiver process to allow a designated individual the authority to make changes.
Standards do not normally require executive management approval and therefore are more fluid
and can adapt to technology changes. There may be multiple sets of standards supporting a
policy, as in the case of the attached Removable Media and Portable Devices Policy. NCHICA
has supplied an Encryption Standard addressing only the data at rest as part of this document.
Organizations will also want to develop a wireless encryption standard to address acceptable
wireless security controls (e.g., WPA, WEP, LEAP, etc.). Note that WEP and LEAP had both been
publicly broken before this template was written; a wireless standard should name WPA2 or later
as the acceptable baseline and list WEP and LEAP only as prohibited.
Procedures contain a detailed set of mandatory or discretionary instructions for various groups
of individuals, such as the general workforce, management, audit, training, etc. These
procedures should directly support an organization's policies. Well written procedures will
outline the detailed steps, establish timelines, and document specific behaviors for all workforce
members who are bound within a policy's scope to be in compliance. Procedures will use the
term "shall" to denote mandatory behavior to achieve compliance. Procedures may also use
the terms "should" or "will" to denote a strongly desired, but not mandatory, behavior. An
organization may elect to develop multiple procedures, depending upon the target audience and
sensitivity of information. In practice, some procedures may contain sensitive information (e.g.,
encryption keying instructions) that would not be appropriate to release to the general workforce
and would require protection.

Guidelines are documents that support a policy but are not directive in nature. Guidelines are
designed to provide members of the workforce a recommended path to achieve compliance with
an organization's policy. Guidelines should use terms like "should" and "may" when describing
actions. Guidelines alone cannot be used to correct undesirable behavior, since a guideline
assumes the user may exercise judgment.
Sample Policy Items needed to achieve compliance around the use of SEI when it is
accessed or used outside the organization's physical purview.
TITLE
Appropriate use of portable devices and removable media policy
NUMBER
JCAHO FUNCTIONS IM
APPLIES TO Entire workforce
I. SCOPE & PURPOSE
The purpose of this policy is to address the appropriate protection of sensitive
electronic information (SEI) when it is stored, transferred or accessed on portable
devices such as: Laptops / PDAs / Smart Phones (devices with operating systems) or
removable media such as: USB Flash drives / Memory cards / Floppy Disks / CDs /
DVDs. This policy is not intended to address non-classified data.
This policy covers all [Hospital Name]-owned, leased, or managed portable devices or
removable media. At the discretion of the organization, it also may apply to any third-
party (e.g., staff member or contractor) owned or managed devices or media as a pre-
condition for being granted authorization to [Hospital Name]-managed SEI.
II. POLICY
The workforce shall take all reasonable and prudent measures to ensure the safety and
confidentiality of all SEI that is downloaded to any removable media or portable device
(e.g., PDA, laptop, etc.). Reasonable measures include but are not limited to: storing
large files and databases only on network shares, password protecting sensitive files or
using an approved encryption method.
The workforce shall take all reasonable and prudent measures to physically secure all
removable media or portable devices. Users shall not open or attempt to open the
encasement of any removable media or portable devices nor otherwise circumvent any
lock system that secures the device or its components. Users should take reasonable
measures to secure devices at all times and report any lost or stolen removable media or
portable devices immediately.
III. DEFINITIONS
Workforce – This term applies to all individuals working on behalf of the corporation in
any capacity and includes, but is not limited to, employees, independent contractors,
students, volunteers, and members of the medical staff, consultants and vendors.
SEI – Sensitive Electronic Information includes all classes of sensitive data including
Protected Health Information (PHI) and any other information considered confidential
by the organization.
IV. RELATED DOCUMENTS
Sanction Policies - The organization must have sanction policies in place and effectively
communicated so that workforce members understand the consequences of failing
to comply with the security policies and procedures of the covered entity related to
appropriate use of removable media and mobile devices.
Reporting Wrongful Use of Handheld Mobile Computing Devices – The
organization should have a documented process that allows the reporting of wrongdoing.
Loss of a device – The organization should have a defined process for reporting lost /
missing devices.
Transporting large files - The organization should develop a process for securely
transferring large files.
Destruction of Information System Equipment & Electronic data – The organization
should ensure the destruction of portable devices and removable media is addressed.
Password Policy – The organization should have a documented policy describing the
age, length and reuse of passwords.
Password/Authentication policy and standards – The organization should address
authentication requirements for SEI. The organization should look at multi-factor
authentication vs. single factor authentication and consider the use of biometrics as a
possible authentication method.
Asset Management Process – The organization should ensure that a documented
process is in place to maintain an inventory of hardware and electronic media, which
includes portable devices.
Patch management standards – The organization should ensure that security
updates are addressed for remote and mobile computing.
Virus protection standards – The organization should ensure that virus protection is
addressed for remote and mobile computing.
Mobile device configuration standard – The organization should ensure that secure
configurations are addressed, such as defining session termination / time-out on
inactive portable or remote devices and personal firewall software on laptops.
Backup and recovery standards – The organization should ensure that backup and
recovery are addressed for SEI stored on portable and remote devices.
Remote access policy and procedures – The organization should address the
remote access recommendations in the CMS Security Guidance for Mobile and
Remote Computing in a separate Remote Access Policy.
Exception Policy – The organization should have a documented process in place for
requesting and approving policy waivers.
V. REFERENCES
HIPAA Privacy and Security Rule (45 CFR 160, 162 and 164)
Destruction of Information System Equipment
Password Policy
Data Classification
VI. INITIAL EFFECTIVE DATE
ALL DATES REVISED
ALL DATES REVIEWED
Organizations must set standard increments for reviewing and updating policies.
ATTACHMENT I: STANDARDS
TITLE
Encryption Standards – Portable Devices and Removable Media
**Applies to data at rest only**
NUMBER Attachment I to Appropriate use of portable devices and removable media policy
JCAHO FUNCTIONS
APPLIES TO Entire Workforce, Business Associates, and all others as required by Contract
I. SCOPE & PURPOSE
The purpose of this Standard is to define a minimum set of encryption controls to
protect the "data at rest" for any portable device that may contain sensitive electronic
information (SEI). The purpose of encryption standards is to protect the confidentiality,
integrity, and authenticity of SEI. Encryption also provides the foundation to support
non-repudiation and secure access controls. Note that the block cipher modes listed in
this Standard protect confidentiality only; integrity and authenticity additionally require a
message authentication code or an authenticated-encryption mode, and non-repudiation
requires digital signatures, so a selected product must provide those mechanisms and not
merely a cipher. Finally, the level of encryption standards is selected in order to ensure
that the effort to compromise the controls is higher than the value of the data being
protected.
The information contained in this Standard incorporates the best practices and may
change without prior notice.
This Standard shall not be used to address classified data as defined by the
Department of Defense.
II. STANDARD
Encryption is one control to protect the confidentiality, integrity, and authenticity of SEI.
The strength of encryption standards varies widely and many are incorporated in a
variety of commercial and open-source products. [Hospital Name] has determined
through a risk assessment that all SEI stored or accessed on portable devices must be
protected using a minimum set of encryption. These encryption standards have been
selected in order to ensure that the effort to compromise the controls is higher than
the value of the data being protected.
1) MANAGEMENT STANDARDS
Any encryption solution must also support other controls, specifically maintainability
and the ability to audit. As such, Central Management is a key element of this Standard,
and encryption solutions shall include the following key attributes:
• the ability to centrally and automatically deploy any solution to all devices,
  configured according to [Hospital Name]'s policies,
• the ability to provide audit data validating that all impacted devices have been
  encrypted, and
• the ability to enforce mandatory key escrow or master keys.
2) ENCRYPTION STANDARDS
The following are acceptable encryption standards for portable devices:
a) Data Encryption Standard
The Data Encryption Standard, or DES, was developed by IBM, adopted as a U.S. federal
standard in 1976 and published as FIPS 46 in 1977; it uses a 64-bit input and output block
size and a 56-bit key. DES can be implemented in both the block (file) and stream
(communication) modes. Each mode has different possible implementations, but some
offer higher protections. DES can be implemented in a "Triple DES" mode, which is more
secure than standard DES. "Double DES" is NOT approved for use because of the
potential for a "meet in the middle" attack, which recovers both keys with roughly twice the
effort of a single-key search (plus a large lookup table) rather than the 2^112 effort the
double key length suggests. DES may be used on a portable device when Triple DES is
not available, but its 56-bit key has been brute-forced with purpose-built hardware since
1998, so single DES should be treated as a stop-gap only. All devices must be Triple DES
capable by January 1, 2010 or removed from service.
The following DES modes are approved for use:
• Block Mode: Cipher Block Chaining (CBC)
• Stream Mode: Cipher Feedback (CFB)
• Stream Mode: Counter (CTR)
The following DES modes are NOT approved for use:
• Block Mode: Electronic Code Book (ECB), because identical plaintext blocks produce
  identical ciphertext blocks and so leak the structure of the data
• Stream Mode: Output Feedback (OFB)
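The two prohibitions above (ECB mode, and "double" encryption with two keys) are easiest to see in running code. The following Python example is added here and is not part of the NCHICA template or of any vendor product; it uses a deliberately tiny 16-bit toy Feistel cipher (not DES, and of no security value) so that the two-key meet-in-the-middle search finishes in seconds. The keys, the IV and the sample plaintext blocks are constructed values chosen for this illustration.

```python
"""Added illustration: why ECB mode and "double" encryption are not approved.

The cipher below is a 16-bit toy Feistel cipher, NOT DES, with no security
value; it only makes the key space small enough (2**16 keys) that a
meet-in-the-middle search over two keys finishes in seconds. All keys, the IV
and the sample plaintext blocks are constructed for this example.
"""

KEY_BITS = 16   # toy key size; DES has 56 bits, so Double DES has 112
ROUNDS = 4


def _subkeys(key):
    # Toy key schedule: rotate the 16-bit key left by 4*i bits, keep the low byte.
    return [(((key << (4 * i)) | (key >> (16 - 4 * i))) & 0xFF) for i in range(ROUNDS)]


def _f(half, subkey):
    # Round function on one byte: key mix, rotate, then an affine map mod 256.
    x = (half ^ subkey) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x * 0x1B + 0x63) & 0xFF


def encrypt_block(block, key):
    """Encrypt one 16-bit block (an int) under a 16-bit key (Feistel network)."""
    l, r = block >> 8, block & 0xFF
    for sk in _subkeys(key):
        l, r = r, l ^ _f(r, sk)
    return (l << 8) | r


def decrypt_block(block, key):
    """Inverse of encrypt_block: undo the Feistel rounds in reverse order."""
    l, r = block >> 8, block & 0xFF
    for sk in reversed(_subkeys(key)):
        l, r = r ^ _f(l, sk), l
    return (l << 8) | r


# --- Modes: ECB versus CBC ---------------------------------------------------

def ecb_encrypt(blocks, key):
    # Electronic Code Book: every block independently, so equal inputs give equal outputs.
    return [encrypt_block(b, key) for b in blocks]


def cbc_encrypt(blocks, key, iv):
    # Cipher Block Chaining: XOR each block with the previous ciphertext block first.
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(b ^ prev, key)
        out.append(prev)
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt_block(c, key) ^ prev)
        prev = c
    return out


# Constructed sample: a record whose fields repeat (padded identical values).
SAMPLE_KEY = 0x3A7C
SAMPLE_IV = 0x5E21
SAMPLE_BLOCKS = [0x4142, 0x4142, 0x4142, 0x2020, 0x4142, 0x2020]


def ecb_leak_demo():
    """Return (distinct plaintext blocks, distinct ECB blocks, distinct CBC blocks).

    ECB can never produce more distinct ciphertext blocks than there are distinct
    plaintext blocks; that repetition is the pattern leak the Standard prohibits.
    """
    ecb = ecb_encrypt(SAMPLE_BLOCKS, SAMPLE_KEY)
    cbc = cbc_encrypt(SAMPLE_BLOCKS, SAMPLE_KEY, SAMPLE_IV)
    return len(set(SAMPLE_BLOCKS)), len(set(ecb)), len(set(cbc))


# --- Double encryption and the meet-in-the-middle attack ---------------------

def double_encrypt(block, k1, k2):
    return encrypt_block(encrypt_block(block, k1), k2)


def meet_in_the_middle(pairs):
    """Find every (k1, k2) consistent with known (plaintext, ciphertext) pairs.

    Brute force would test 2**(2*KEY_BITS) key pairs. Instead: encrypt p0 under
    every k1 into a table, decrypt c0 under every k2, and match in the middle;
    that costs about 2 * 2**KEY_BITS block operations plus the table's memory.
    The remaining pairs weed out false matches from the first pair.
    """
    (p0, c0), *rest = pairs
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt_block(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        middle = decrypt_block(c0, k2)
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))
    return found


# Constructed secret keys and known plaintexts for the demonstration.
TRUE_K1, TRUE_K2 = 0x1F2E, 0xC0DE
KNOWN_PLAINTEXTS = [0x0001, 0x1234, 0xBEEF, 0x7A7A]


def mitm_demo():
    """Recover the two toy keys from four known plaintext/ciphertext pairs."""
    pairs = [(p, double_encrypt(p, TRUE_K1, TRUE_K2)) for p in KNOWN_PLAINTEXTS]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("distinct (plaintext, ECB, CBC) blocks:", ecb_leak_demo())
    print("key pairs found:", [(hex(a), hex(b)) for a, b in mitm_demo()])
```

The ECB count equals the number of distinct plaintext blocks no matter which key is used, which is why the mode is unacceptable for structured records; CBC's chaining breaks that correspondence. The search recovers the two 16-bit keys with about 2 × 2^16 block operations instead of 2^32, the same ratio that turns Double DES's nominal 112-bit key into roughly 57 bits of work.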
b) Advanced Encryption Standard (AES) (a.k.a. Rijndael)
The Rijndael cipher was submitted in 1998 to the NIST competition to replace the DES
algorithm and was selected as the Advanced Encryption Standard (AES) in 2000. The AES
standard was published as Federal Information Processing Standard FIPS 197 in 2001 and
is the desired algorithm for use in portable devices. The AES algorithm uses a 128-bit block
and either a 128-, 192-, or 256-bit key. AES has been incorporated in a variety of
commercial and open source software products. AES is approved in the same modes
approved for DES above (CBC, CFB, CTR); the ECB weakness is a property of the mode, not
of the cipher, and applies equally to AES.
c) International Data Encryption Algorithm (IDEA)
The International Data Encryption Algorithm (IDEA) was originally published in 1991 as
a replacement for DES and uses a 128-bit key with a 64-bit block. It is highly optimized for
general purpose computers. IDEA is approved in the same modes approved for DES above.
d) Other Encryption Standards
There are other encryption standards that are used less than the three approved
standards. These shall be used only if none of the above three standards is
supported by the portable device.
Blowfish: This algorithm was developed in 1993 and uses a variable key size of 32 to
448 bits. The smaller key sizes increase the potential for breaking the cipher; therefore
if this algorithm is used, it should be used with a key size of greater than 128 bits,
whenever possible. Like DES and IDEA, Blowfish has a 64-bit block, which limits how much
data should be encrypted under one key.
Twofish: This algorithm is similar to Blowfish but uses a 128-bit block and a key size of up
to 256 bits.
III. Approved Commercial Products
[Hospital Name] recognizes that protecting the confidentiality, integrity, and authenticity
of SEI are three important goals; however, there are other important goals that must
also be considered. For the supporting staff, maintainability is an equally important goal
and can be best achieved when products are selected that reduce [Hospital Name]'s
cost and resource requirements to deploy, operate, and support portable devices. For
this reason, [Hospital Name] has limited the number of commercial products that will be
approved by the Information Technology department.
The following commercial products are approved for use within [Hospital Name]'s
domain when configured with one of the approved encryption standards. Any
department or user requiring a portable device shall contact the Information Technology
department for installation and training prior to deploying any portable device that may
access or store SEI.
[List approved solutions here]
ATTACHMENT II: PROCEDURES
TITLE
Procedures – Portable Devices and Removable Media
NUMBER Attachment II to Appropriate use of portable devices and removable media policy
JCAHO
FUNCTIONS
APPLIES TO Entire Workforce, Business Associates, and all others as required by Contract
Procedures for the protection of removable media and portable devices.
A. Every member of the workforce:
• Shall understand and acknowledge the provisions contained in the Appropriate
  Use of Portable Devices and Removable Media Policy, including the policy,
• Shall understand that their actions, activities, and information recorded in,
  transmitted by or otherwise enabled while using [Hospital Name]'s systems,
  portable devices, or removable media will be available to [Hospital Name]
  without restriction [NOTE: Organizations should consider the application of this
  principle to workforce-owned portable devices and removable media],
• Shall only use removable media and/or portable devices approved to store or
  access Sensitive Electronic Information (SEI) as defined by [Hospital Name],
• Shall not use removable media and/or portable devices without encryption to
  create, store, or access SEI unless a waiver has been obtained from the
  information security officer,
• Shall use passwords or other authentication techniques to protect the SEI on
  removable media and/or portable devices,
• Shall ensure that any SEI stored on removable media or portable devices is
  destroyed in accordance with established procedures,
• Shall not take any removable media or portable devices containing SEI from
  [Hospital Name]'s premises without an approved business purpose and only
  after receiving authorization from a manager or the information security office,
• Shall not attempt to circumvent, reverse engineer, or otherwise bypass any
  security controls required by [Hospital Name],
• Shall physically protect, to the maximum extent practical, any removable media
  and/or portable device containing SEI,
• Shall not connect or otherwise use removable media (e.g., memory sticks,
  floppy disks, CD, DVD, iPod or other MP3 players, or intelligent cell phones
  such as Blackberry or Treo, etc.) to any [Hospital Name] device that may
  contain SEI unless it has been previously approved by the information security
  office,
• Shall report violations of this policy, including the loss or discovery of
  unauthorized access to any removable media and/or portable device,
  immediately to the appropriate office per the security and privacy incident
  policy, and
• Shall return any removable media or portable devices containing SEI when no
  longer authorized (e.g., termination, transfer, etc.), or shall present any
  personally-owned media or portable device for inspection if those items were
  previously approved to create, store, or access SEI.
B. Managers, Directors, and Administrators:
• Shall define and document business purposes that require removable media
  and portable devices containing SEI to be removed from [Hospital Name]'s
  premises,
• Shall obtain waivers for the removal of removable media and/or portable
  devices that are not pre-approved by the information security officer,
• Should suggest changes to policy, standards, and procedures that enhance the
  protection of SEI, and
• Shall ensure that all subordinates who may have access to SEI are aware of the
  policy and these procedures.
C. The Chief of Contracts:
• Shall serve as the single point of contact for ensuring all vendors and/or
  Business Associates follow [Hospital Name]'s security policies, as appropriate,
• Shall develop appropriate standard contract language for inclusion into any
  contract that requires a vendor or Business Associate to create, store, or access
  [Hospital Name]'s SEI using removable media or portable devices,
• Shall develop a matrix of appropriate security controls related to the protection
  of SEI on removable media and portable devices that shall apply to vendors
  and/or Business Associates,
• Shall develop and maintain a list of all vendors and Business Associates who
  are expressly authorized to create, store, or access SEI on behalf of [Hospital
  Name],
• Should ensure that all vendors train all employees, subcontractors, or
  associates about the requirements of this policy,
• Should work with the Training Department to develop an approved training
  curriculum specific to removable media and portable devices for vendors and/or
  Business Associates,
• Should work with the Office of Corporate Compliance to develop a vendor /
  Business Associate compliance program, and
• Shall develop and maintain a process for security event reporting from vendors
  and/or Business Associates.
D. The [Hospital Name] Training Department:
• Shall develop a training curriculum for the protection of SEI on removable media
  and portable devices, in coordination with the information security officer, for all
  members of the workforce,
• Shall conduct training for all members of the workforce,
• Shall maintain training records for all members of the workforce, and
• Should periodically evaluate the training effectiveness.
E. The Office of Internal Audit:
• Should develop audit procedures to measure the effectiveness of this policy and
  procedures, and
• Shall conduct routine and event-driven audits to ensure compliance of all
  departments.
F. The Chief Information Officer (or IT Director):
• Shall assign and train adequate resources to manage removable media and
  portable devices,
• Should develop and maintain specific procedures for the management and
  operations of removable media and portable devices, to include the
  implementation of two-factor authentication,
• Shall only procure and configure removable media and portable devices on the
  approved list maintained by the information security officer,
• Shall establish and manage all technical access controls for [Hospital Name]'s
  removable media and portable devices,
• Should provide technical support for non-[Hospital Name] owned removable
  media and portable devices that are authorized to store or access SEI,
• Should justify and apply for waivers (from the information security office) to the
  approved Encryption Standard when there is a valid business reason,
• Shall suspend service for any member of the workforce, vendor, or Business
  Associate who is found to be in violation of the policy,
• Shall verify that all [Hospital Name] SEI has been removed from any removable
  media or portable device, including those devices not owned by [Hospital
  Name], when those devices and owners were previously authorized access to
  SEI,
• Should conduct periodic validation audits of devices and media when brought in
  for maintenance actions, and
• Should develop and maintain appropriate metrics to validate the business needs
  and cost of security controls for removable media and portable devices.
G. The Information Security Officer:
• Shall manage the removable media and portable devices process,
• Shall develop and maintain removable media and portable device encryption
  standards for both data at rest and data in motion,
• Shall develop, maintain, and publicize criteria for authorizing removable media
  and portable devices off [Hospital Name]'s premises,
• Should develop and manage a risk management process for evaluating and
  approving various types/classes of removable media and portable devices that
  may process SEI,
• Shall develop and maintain the definitive list of approved removable media and
  portable devices that are authorized for use with [Hospital Name]'s SEI,
• Should develop learning objectives, in coordination with [Hospital Name]'s
  training department, that will serve as the baseline for changing workforce
  behavior,
• Shall develop and manage a process for processing waivers to the
  removable media and portable device policy, standard, or procedures,
• Should develop and maintain metrics on the effectiveness of security controls
  related to the policy,
• Should coordinate with [Hospital Name]'s Internal Audit to develop effectiveness
  monitoring plans,
• Shall periodically report to senior management on the effectiveness of the
  removable media and portable device controls, and
• Shall periodically review and maintain the policy, standards, procedures, and
  guidelines applicable to this policy.
H. The Executive Management Team:
• Shall assign responsibilities for managing removable media and portable
  devices to the appropriate members of the workforce,
• Shall approve the process for selecting security controls to protect SEI on
  removable media and portable devices, and
• Should periodically review the effectiveness of the policy.
