1 | Company Name/Logo | Company name or logo of organization. |
2 | Last Revision Date | Last revision date of the Information Security Policy. |
3 | Document Owner | Document owner of the policy. This is usually someone at an executive level. |
4 | Approval Date | Date that the policy has been officially approved. |
5 | Effective Date | Effective date of the policy. This can be different from the approval date if needed. |
6 | Company Name | Company/Practice name. No logo used for this particular part of the policy. |
7 | Outside Agencies | List any outside agencies or organizations, if applicable, whose laws, mandates, directives, or regulations were included in the policy, i.e. CMS, DHHS, VHA, etc. |
8 | Privacy Officer | List the name and phone number of the person designated as the Privacy Officer. |
9 | CST Team | List the title and name of the individuals that will become part of the Confidentiality and Security Team. |
10 | Contractor Access | For contractors that enter the building, specify what identifying badge is given to them during their visit to your facility. |
11 | Screen Lock | When a user leaves a computer unlocked, specify how long until the screen automatically locks. This value will need to be enforced. |
12 | Electronic Communication, E-Mail, Internet Usage | Specifies allowable and prohibited uses of electronic communications, e-mail and the Internet. Oftentimes, an organization will maintain computer, Internet and e-mail usage policies in other HR policies or the employee handbook. Please refer to these sources and modify this section accordingly. |
13 | Audit of Login ID’s | Specify how often user IDs are audited. This includes network and EHR user accounts. |
14 | User Lockout | Specify how many unsuccessful login attempts a user has before the account becomes locked out. |
15 | Password Length | Specify the minimum password length. This should be the same for network and EHR access but if different, be sure to specify this. |
16 | Password Change | Specify how many days before the password must be changed. |
17 | Password Reuse | Specify how many previous passwords cannot be used. |
18 | Antivirus Software | Specify the name of the antivirus software being used at the Practice. |
19 | Antivirus Company | Specify the name of the antivirus company that makes the product being used. |
20 | Antivirus Updates | Specify what time antivirus updates are scheduled to run. If this is not an option, then ensure it updates at least daily. |
21 | Security System | Specify the security method being used to protect the facility during non-working hours. |
22 | Business Hours | Specify the business hours during which the reception area is staffed. This may or may not be the hours of operation for the Practice. |
23 | Secure Doors | Specify how access to secure areas of the facility is controlled, i.e. swipe cards, standard locks, or cipher locks. |
24 | Motion Detectors | Specify whether motion sensors/detectors are used. If not, then just remove this information. |
25 | Glass Sensors | Specify whether glass breakage sensors are used. If not, then just remove this information. |
26 | Security Cameras | Specify whether security cameras are used. If not, then just remove this information. |
27 | Password Change | Specify how many days before the password must be changed for those users who work remotely, if different from that for internal users. |
28 | Provided Equipment | List all the equipment that is provided to users that work from home, whether full time or only occasionally. |
29 | Screen Lock | When a user leaves a computer unlocked, specify how long until the screen automatically locks for users that work remotely. |
30 | Record Retention | Specify how long documents related to uses and disclosures, notice of privacy practices, complaints, etc. are kept. |
31 | Misc. Values | Values that can be adjusted as necessary and appropriate for the Practice. |
32 | Contact Number | Enter the contact number for the Privacy Officer for the purposes of reporting a breach. |