Department of Public Health OF SAN FRANCISCO

Category: Information Technology Security and HIPAA
DPH Unit of Origin: Department of Public Health
Policy Owner: Phillip McDown, CISSP (phil.mcdown@sfdph.org)
Distribution: DPH-wide
Other: n/a

1. POLICY INTENT

This document is intended to avoid the need for remedial security measures as a result of implementing new, or modifying existing, systems or software. It defines the specific responsibilities related to including security considerations and measures as part of the planning, development, acquisition and implementation processes for all information systems and software used at the San Francisco Department of Public Health (SFDPH). This policy requires that all system security mechanisms in new or modified information systems follow SFDPH policy. This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The sections that relate to Assigned Security Responsibility and Relations with Third Parties are CFR (a)(7) & (8).

2. POLICY STATEMENTS

The consideration of security is a standard part of any and all SFDPH system or software development, procurement or enhancement processes. Inclusion of adequate security measures is mandatory as part of any system purchase or installation that will use, transmit or process Restricted data.

2.1 Security is an integral part of the system development process.

Security will be included as part of the Information Systems Analysis process.

Assessment of the risks resulting from the deployment of newly developed, revised or procured systems is a requirement of the analysis process.

Security measures will be an integral part of the original system design and specifications.

Security measures that are compliant with SFDPH policy, HIPAA, HITECH and other State and Federal regulations will be integral to the installed version of all systems.

Security measures will be part of all system acceptance and performance testing of programs, systems and projects.

2.2 Security is an integral part of the system procurement process.

Security issues will be included as part of the System Requirement Analysis process.

Security will be given equal weight to the other primary factors in the product selection or proposal review process.

Future maintenance of the operating system, including the anticipated degree of patching and configuration hardening, will be criteria when procuring information systems.

Security measures must be an integral part of the system design or product selected for procurement.

Security measures that are compliant with SFDPH policy, HIPAA, HITECH and other State and Federal regulations will be integral to the installed version of all purchased or third-party developed information systems.

Security measures will be part of all purchased or third-party developed system's acceptance and performance testing programs and projects.

2.3 Security is an integral part of the system enhancement and modification process.

Security will be included as part of the analysis process for the enhancement or modification for existing systems.

Security issues will be given equal weight to other factors in the product or project proposal review process.

Security measures must be an integral part of the system design, specifications, project plan or product selected.

Security measures that are compliant with SFDPH policy, HIPAA, HITECH and other State and Federal regulations will be integral to the installed version of all enhanced or revised information systems.

Security measures will be part of all system enhancement or modification acceptance and performance testing programs and projects.

3. STANDARDS and GUIDELINES

3.1. Internal system development projects:

Analysis: Access control, information availability and preservation of data integrity will be given weight equal to any other factors during the preliminary system analysis process.

Design: Measures for ensuring appropriate access-control, system availability and preservation of data integrity will be part of the final system design. These measures will be compliant with all relevant SFDPH Security Policies and Government laws and regulations.

Development: Measures for ensuring appropriate access-control, system availability and preservation of data integrity will be part of any system developed and implemented for SFDPH.

Testing: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are to be installed as part of any system will be included in the performance, failure and acceptance testing program for the system.

Documentation: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are installed as part of any system will be included in the system documentation, both written and web-based.

Third Party system development:

Information Systems developed for SFDPH use by third parties (contractors, vendors, business partners etc.), (See preceding sections) for the processing of SFDPH data, are subject to the same security policies as those developed internally by SFDPH.

Analysis: Access control, information availability and preservation of data integrity will be addressed as part of the preliminary system analysis process; whether undertaken by SFDPH prior to requesting proposals or by the selected third-party vendor/contractor.

Design: Measures for ensuring appropriate access-control, system availability and preservation of data integrity will be part of the final system design and specifications. These measures will be reviewed for compliance with all relevant SFDPH Security Policies and Government laws and regulations as part of the project approval process.

Development: Measures for ensuring appropriate access-control, system availability and preservation of data integrity will be part of any system developed for SFDPH.

Testing: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are to be installed as part of any system developed for SFDPH will be included in the performance, failure and acceptance testing program for that system.

Documentation: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are installed as part of any system will be included in the system documentation, both written and web-based.

Developing and providing this documentation will be part of any contract for information systems developed for SFDPH by any outside party or contractor.

Vendor provided documentation will be subject to editorial review and testing by SFDPH staff prior to product acceptance.

Off-the-Shelf system selection and installation:

Information Systems and software that are to be purchased off-the-shelf (i.e., as a product marketed to the general business community) are subject to the same security policies as information systems and software developed originally by or for SFDPH.

Analysis: The availability and capabilities of the built-in measures for ensuring appropriate access-control, system availability and preservation of data integrity will be addressed as part of the preliminary technology assessment and cost-benefit analysis process for changes and enhancements.

The availability and/or ability of the vendor to provide these measures will be part of the selection criteria for off-the-shelf information systems or software.

The availability and/or ability of the vendor to provide system documentation, including the use and management of security sub-systems, will be part of the selection criteria for off-the-shelf information systems.

Installation: Activation and configuration of the product's built-in measures for ensuring appropriate access-control, system availability and preservation of data integrity will be part of the installation of any system purchased for use by SFDPH.

Testing: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are to be installed as part of any system will be part of the performance, failure and acceptance testing program for the system.

Documentation: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are installed as part of any system will be included in the purchased system's documentation, both written and web-based.

The availability and/or ability of the vendor to provide this documentation will be part of any purchase contract for off-the-shelf information systems.

Modifications of- and Enhancements to- existing systems:

Changes to- or enhancement of- existing information systems are subject to the requirements of SFDPH Security policies.

Information Systems that do not currently meet SFDPH security policy requirements will be brought into compliance at the earliest opportunity (either as part of their next modification, enhancement, replacement or as a stand-alone project) after publication of the policy.

Analysis: The impact of the change or enhancement on measures for ensuring appropriate access-control, system availability and preservation of data integrity that are already installed as part of the affected system will be considered in the planning process.

Change Control: Modifications and enhancements to existing information systems may not be allowed to degrade system access-control, system performance, availability and preservation of system data.

The process of implementing the change will be planned so as to limit degradation of system response time or performance to its user community.

The process of implementing the change will be planned so as to limit loss of system availability to its user community.

The process of implementing the change will be planned so as to minimize the vulnerability of the system to damage or misuse during the process.

The process of implementing the change will be planned so as to prevent the loss of system data or of data integrity during the process.

Testing: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are to be installed as part of any system will be part of the performance, failure and acceptance testing program for the system changes.

Documentation: The measures for ensuring appropriate access-control, system availability and preservation of data integrity that are installed as part of any system change or enhancement will be added to the system documentation, both written and web-based, at the same time as the other system documentation is updated.

Security Provisions for Legacy Systems that lack Security Features:

Existing production systems or software for which there are no expectations of near-term modification or replacement and which lack adequate security features to comply with SFDPH Security Policy may be left in production, subject to the following provisions:

When removed from production, they must be replaced with systems or software applications that comply with all SFDPH Security Policies, Rules and Standards.

While in production, all feasible alternatives to current built-in security provisions must be applied; these include, but are not limited to:

Isolation from all or part of the Enterprise Data Network.

Operation in stand-alone mode.

Limiting of all network physical access to only those workforce members with role-based need to use the system or software.

Physical control of output data and media.

Use of all available logging and tracking capabilities, including manual records as necessary.

4. RESPONSIBILITIES

SFDPH Executive Management shall establish guidelines and procedures for the software acquisition, systems development and upgrade processes within SFDPH.

The existing City policies for hardware and software acquisition and purchase will be followed in these procedures.

When applicable, the City Store requirements and procedures will be followed.

If contractors are involved, the City procedures and requirements and the applicable MOUs regarding outsourcing software and hardware development and acquisition will be followed.

DPH Chief Information Officer/Chief Information Security is responsible for:

Advocating and supporting DPH-IT security needs, concerns and projects to Chief Officer and Division Director level Senior management.

Directing and overseeing the development of standards and procedures for the system design-development-testing-deployment-documentation cycle and ensuring that security concerns are an integral part of each stage of the process.

Directing the development and promulgation of training and orientation materials to enable and encourage employee awareness of the security problems and issues involved in the development or purchase of software for use in the SFDPH.

SFDPH Information Technology (DPH-IT) is responsible for:

The development and implementation of standards and procedures for Security Policy for:

Following management decisions and directives concerning hardware and software acquisition and purchase will be followed in these procedures.

Acting in accordance with SFDPH policy, HIPAA, HITECH and other State and Federal regulations, and advising Management of any apparent or potential violation of these requirements.

Acting in accordance with City Store requirements and procedures.

Supervising and collaborating with contractors involved in any software and hardware development and acquisition in accordance with Management decisions and directives.

Ensuring that changes and additions to the existing SFDPH systems infrastructure do not impact the performance of existing data systems.

Developing, instituting and maintaining an effective Change Control system.

SFDPH Information Technology (DPH-IT) is responsible for:

System needs, feasibility, technology and cost-benefit analysis processes.

System design, review and approval processes.

System performance, failure and acceptance testing processes.

System implementation/deployment processes.

Third-party Developers, Contractors and Vendors are responsible for:

Developing information systems that are in compliance with SFDPH Security policy and the use of System Development standards and procedures compatible with the goals of the ones used by SFDPH internally.

Local department managers are responsible for:

Cooperating with the project team and assisting in the development of performance, process and output standards for the systems and needs analysis processes.

Developing procedures for local staff to properly utilize the new or upgraded systems capabilities in the performance of their job functions.

Workforce members are responsible for:

Cooperating with the new or revised systems and/or software project team and providing information for the development of needs and performance of the proposed system or upgrade, and output standards for performance of their job functions.

5. PENALTIES FOR VIOLATIONS:

5.1. General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH.

Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

Trusted Workforce member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations.

Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written contract and criminal penalties provided for in the applicable laws and regulations.

6. PENALTIES FOR VIOLATIONS:

6.1. General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH.

Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

Trusted Workforce member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations.

6.4. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written contract and criminal penalties provided for in the applicable laws and regulations.

7. ATTACHMENTS: Samples and So-On

7.1. Procedures to be Developed: Change Control Procedure.