Department of Public Health OF SAN FRANCISCO


PAGE 1 of 6

1. POLICY INTENT

This document establishes the policy for the disciplinary and contractual sanctions to be applied in the event of violations of San Francisco Department of Public Health (SFDPH) Security Policy, Standards, Guidelines, Rules or Procedures. It intends to protect SFDPH resources and data from security threats, provide uniform disciplinary guidelines and merge Information Security with existing disciplinary concerns.

This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The sections of the code which relate to Sanctions for Violations of Security Policy are: CFR (a)(1) & (3).

DEFINITIONS

Employee: a member of the City and County of San Francisco Civil Service or other persons subject to the terms and conditions of City Employment.

Workforce member: any person who performs work or provides services to the SFDPH and is subject to the provisions of SFDPH Security Policies and Rules. Workforce members include employees, volunteers, contractors and any other person who comes into contact with or uses information, systems or equipment subject to security policies and rules.

Third party workforce member: a person who performs work or provides services to the SFDPH, whose employment is part of an agreement with a third party (examples are UCSF employees, contractors and others) and who comes into contact with or uses information, systems or equipment subject to security policies and rules.

Trusted workforce member: a workforce member who is given greater than routine access to and control of critical information systems and data. Examples include Managers, System Engineers, System Administrators, Operators and so on.

2. POLICY STATEMENTS

2.1 Security violation sanctions are part of the normal disciplinary processes of the City and County of San Francisco: Violation of published Information Security Policy, standards, guidelines, rules or procedures is subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH.

2.2 Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party, or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH, is subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

2.3 Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement, as provided for by the written contract, and to criminal penalties provided for in the applicable laws and regulations.

2.4 Trusted Workforce Member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and to more abrupt and stringent penalties in the case of violations.

3. STANDARDS AND GUIDELINES

3.1. DEFINITIONS

General Violations of Security are actions that:
- Are performed by a properly informed and trained workforce member,
- Are contrary to the security policies, rules and guidelines with which they have agreed to comply, and
- Provide grounds for formal disciplinary proceedings (for example, the violation is a misuse of SFDPH resources, or causes significant inattention to duties, etc.)

Serious Violations of Security are actions that are contrary to published security policy, rules, procedures and guidelines and which have the potential of causing:
- Disruption of SFDPH operations, such as loss of communications, access to patient records, diagnostic tools, billing and accounting services and so on.
- Damage to Information Systems, such as system failures, physical damage, virus infestation, corruption of data and so on.
- Disclosure of Critical Information to unauthorized persons or entities.
- Exposing SFDPH to Civil or Criminal legal action.

Severe Violations of Security are any actions that are contrary to published security policy, rules, procedures and guidelines and that also:
- Are caused by malicious or culpably negligent actions or inaction on the part of a workforce member, or
- Are caused by illegal activities or intent on the part of a workforce member, or
- Result in any of the adverse results noted in above, or
- Are covered under and 3.1.2, above, but are done by a Trusted Workforce Member or Members.

ENFORCEMENT GUIDELINES

General Violations of Security fall within management discretion and under the relevant Civil Service regulations, M.O.U.s and other bargaining agreements. These violations are part of and subject to the CCSF Civil Service progressive discipline process or whatever other disciplinary procedures apply.

Serious Violations of Security, in addition to the sanctions covered in above, may result in immediate sanctions (such as termination of all access to systems, ejection/exclusion from secure areas and/or termination of employment).

Severe Violations of Security, in addition to the immediate sanctions in above, may be subject to civil and criminal actions and penalties provided for by federal, State and local Law and the charter of the City and County of San Francisco.

4. RESPONSIBILITIES

4.1. SFDPH Executive Management is responsible for:
- Developing, reviewing, approving and publishing this policy and its associated standards and guidelines
- Establishing Standards and Guidelines for the Enterprise-wide application of this policy
- Coordinating Procedure development and implementation efforts across divisional lines
- Developing and including in all contracts standardized language concerning the applicability of SFDPH Security Policy and the personal and organizational penalties for violations

DPH IT Security Officer and IT Security Committee, in coordination with DPH Executive Administration and Human Resources, are responsible for:
- Advising Management and the Chief Information Officer of those aspects of compliance responsibilities that may constitute a particular level of policy violation (see 3.1.1, .2 & .3)
- Reviewing and approving Information Security related orientation, training and awareness program materials and/or curricula that are not involved with electronic information processing, transmission and storage

DPH Chief Information Officer / Information Security Officer is responsible for:
- Reviewing and recommending to management all exceptions to this Information Security policy
- Directing and overseeing the development of standards and procedures for this policy
- Reviewing and approving Information Security related orientation, training and awareness program materials and/or curricula

Appointing Authority / Local-Unit Management is responsible for:
- Establishing local operational standards and procedures for detecting and reporting violations
- Providing for adequate training of their staff in the general and specifically relevant security policies, procedures, rules and guidelines for the staff's responsibilities
- Maintaining personal and unit security awareness, detecting violations and initiating disciplinary actions if required

Personnel and Human Resources are responsible for:
- Ensuring that each new workforce member is provided adequate training and orientation materials at the time of their appointment to familiarize them with SFDPH policies, standards and practices regarding Information Security
- Ensuring that each workforce member is informed of the requirements, authorizations and limitations of their particular access profile and of the consequences of attempts to exceed or circumvent them
- Administering the uniform progressive discipline program as it applies to Security Violations

Workforce members are responsible for:
- Familiarizing themselves with Information Security policies and consistently using them in their SFDPH business activities

Vendors or Contractors are responsible for:
- Ensuring that their workforce members and subcontractors are aware of this policy and of the penalties for violation of SFDPH Information Security policy

U.C.S.F. is responsible for:
- Ensuring that their SFDPH workforce members and subcontractors are aware of this policy and of the penalties for violation of SFDPH Information Security policy

Chain of Trust participants are responsible for:
- Ensuring that their workforce members and subcontractors are aware of this policy and of the penalties for violation of SFDPH Information Security policy

Security Audit Team is responsible for:
- Notifying management (Enterprise or Local as appropriate) of any violations of Information Security Policy that they detect during their normal activities
- Recommending remedial measures to prevent or reduce the risk of recurrence of detected violations

Incident Response Team is responsible for:
- Detecting and responding to serious violations of security, controlling them and reporting to management the nature and extent of the problem and its aftermath

5. ATTACHMENTS

Samples and So-On

6. PROCEDURES

6.1. Procedures to be Developed:
- Identifying Trusted Workforce Members (I.A )
- Reporting Suspected Violations of Security Policy (I.A )
- Reporting Unusual or Anomalous Access Attempts or System Changes (I.A )
- Investigating Security Incidents