Subject/Title: Information Technology Resource Security
Reference Number: 1487
Effective Date: 2004/01/08
Approving Authority: Executive Management
Date Revised: 2006/11/15
Classification: Information Security and Privacy
Last Review: 2006/11/15
Next Review: 2008/11/15

Note: The Calgary Health Region is committed to ensuring the accuracy and consistency of the policies on its Regional Policy Website. As policies are reviewed and updated periodically, the information contained in this document is accurate only on the date that it is viewed/printed (2010/09/02). Before relying on the information after this date, please check the Regional Policy Website for any changes to the policy.



Reason For Policy
• To define the security standards, roles, and responsibilities for management of the Calgary Health Region’s (the “Region”) Information Technology (IT) Resources.
• To comply with mandated Information security controls as defined by Alberta Health and Wellness. 

Policy Statement
The Region is committed to ensuring the integrity and security of IT Resources used to generate, process, transmit, store, or access Information. All IT Resources shall be used in a secure manner and are subject to access and security controls.

Applicability
This policy applies to all staff (including employees, independent contractors, medical, dental, podiatry, and midwifery staff, and other health professionals), students, volunteers, and other persons acting on behalf of the Region.

Process
1.   SECURITY OFFICE RESPONSIBILITIES
The IT Security Office has the authority to coordinate IT security activities for the Region and is responsible for the implementation of policies, procedures, and processes related to IT Resource security. Additional responsibilities include, but are not limited to:
• coordination and administration of relationships with the Region’s stakeholders, Contractors, and Users concerning security issues;
• determination of security zones and management of security relationships;
• IT security incident management;
• management of Information Security Incidents involving IT Resources or physical access/security;
• publishing and reviewing the Region’s IT Security Standards;
• managing the Region’s Information Security Education and Awareness Training program;
• administration of IT system access authorization mechanisms;
• assessment and audit of IT security risk levels;
• management of IT audit systems; and
• provision of awareness training for appropriate Information exchange between Users and owners.

2.   USER RESPONSIBILITIES
2.1 Users who access IT Resources shall:
• read the Region’s Information Security and Privacy policies and other relevant IT Security Standards;
• complete any required IT security training, and the Information Security Education and Awareness Training as provided by the Region;
• sign a Confidentiality Agreement and applicable user agreements acknowledging understanding and agreement to comply with the Information Security and Privacy policies and applicable legislation;
• only use IT Resources for Region business purposes;
• report all Information Security Incidents;
• access only the minimum identifiable patient or personal Information necessary to perform job functions; and
• return all IT Resources upon termination of employment, agreement, contract, or appointment with the Region.

2.2 Managers/supervisors (or designates) shall ensure that new or inexperienced staff are adequately supervised to ensure that IT security is enforced.

2.3 In conjunction with applicable collective agreements and the Management/Exempt Terms and Conditions of Employment, a formal discipline process is in place for individuals who violate security policies and procedures.

3.   INVENTORY AND CLASSIFICATION
3.1 The respective Manager/Director (or designate) of each administrative or clinical area shall establish and maintain an inventory of all sensitive, high-, or extreme-sensitive Information generated (see Information Security policy, #1438), and all IT Resources used to generate or store the Information.

3.2 All physical IT Resources (e.g., computers, Mobile Computing Devices) shall be clearly identified with a unique identification tag for tracking and audit purposes. A record of the identification tag, location, ownership, and the security classification of any Information generated by or stored on the Resource shall be included in the inventory.

3.3 The inventory shall be reviewed and updated annually in accordance with the Records Retention Guide, and shall be made available to the IT Security Office or I&P Office on request.

4.   PHYSICAL RESOURCE AND ENVIRONMENTAL SECURITY
4.1 Physical Resource Security
4.1.1 Whenever possible, IT Resources shall be stored in secure Region Facilities. All physical IT Resources shall be placed in areas to maximize physical protection from unauthorized access, security threats, and environmental hazards. The IT Security Office shall conduct annual physical and environmental security assessments of Region Facilities where high- or extreme-sensitive Information is processed and stored in order to ensure that appropriate security measures are in place.
4.1.2 Installing, monitoring, and maintaining equipment, communications wiring and equipment, hardware, electrical wiring and equipment, plumbing, and other utilities and services shall be consistent with the manufacturers’ specifications and shall conform to local industrial sector codes.
4.1.3 Mobile Computing Devices assigned to staff or Contractors must remain in the User’s possession at all times in compliance with the IT Security Standards. High- or extreme-sensitive Information stored on portable equipment shall be encrypted or password protected.

4.2   CABLING AND POWER SUPPLY SECURITY
Cabling and power security measures shall be in place to protect physical IT Resources and maintain the integrity of the Region’s power and telecommunication systems. Cabling and power security shall be compliant with the Region’s IT Security Standards.

4.3   IT RESOURCES STORED IN NON-REGION FACILITIES
Any IT Resource stored in a non-Region Facility and that generates, processes, transmits, stores, or accesses Region Information shall be protected from unauthorized access, security threats, and environmental hazards and secured in accordance with the Region’s Information Security and Privacy policies and the IT Security Standards.

4.4   CLEAR DESK AND CLEAR SCREEN
4.4.1 All high- or extreme-sensitive Information, regardless of its medium, shall be stored securely after working hours or while otherwise not in use. 
4.4.2 Computers shall be configured with screensavers that automatically lock out monitor screens after a defined period of inactivity and require password validation to be unlocked. Users shall manually lock out monitor screens when leaving a computer unattended and ensure that screensavers are used in accordance with the IT Security Standards.
4.4.3 High- or extreme-sensitive Information shall be cleared from computer printers, scanners, photocopiers, and fax machines as soon as reasonably possible.

4.5   REMOVAL OF PROPERTY
Each Department shall create and maintain an Off Premises Equipment Log, used to document the removal of physical IT Resources. The Log shall form part of the Department’s IT Resource inventory, and shall identify the custodian, date of removal, specific Resource removed, unique asset tag number, destination, and expected date of return.

5.   INFORMATION SECURITY INCIDENTS
All Information Security Incidents shall be assessed for impact and risk, reported, and responded to in accordance with the Region’s Information Security policy (#1438).

6.   NETWORK SECURITY MANAGEMENT
6.1 The IT security infrastructure shall safeguard all Information stored on networks and protect the supporting infrastructure. Network monitoring of internal and external or public network connections, and early detection of malicious network activity, shall be carried out by Advanced Technology in accordance with the IT Security Standards. Advanced Technology shall perform a Risk Assessment to determine the need for message authentication in applications. Controls shall be implemented as necessary.

6.2 Advanced Technology shall have network controls in place to ensure correct and cautious execution of System Utilities. Specific controls, such as enforced path controls, shall be provided to staff and contracted network service providers as necessary.
6.2.1 Remote Access to Health Information is in accordance with the Region’s Granting of Remote Access to Health Information policy (#1472). Remote Access (other than to Health Information) is protected and controlled in accordance with the Region’s IT Security Standards. This includes but is not limited to:
• Region staff require prior approval from their Manager/Director (or designate) for Remote Access;
• Contractors require prior approval from the Region prior to Remote Access being granted;
• unauthorized computers shall not connect to the Region’s network;
• all Remote Access must be authenticated before granting access to Region applications or Information;
• modem connection shall be regulated and approved by the IT Security Office; and
• high- or extreme-sensitive Information shall be encrypted and requires two-factor authentication for access.

6.3 The network shall be separated into zones with associated security controls. The IT Security Office shall determine the network zones and associated security controls, and undertake periodic reviews to ensure relevance and applicability.
6.3.1 Advanced Technology shall set up automatic terminal identification to limit access to a specific computer from a single terminal.

6.4 Audit Logs that record successful and unsuccessful network access attempts by Users shall be maintained and available for review as required by the IT Security Office.

6.5 Software exchange between the Region and a Contractor shall comply with any relevant legislation and copyright laws. Technical standards for ensuring data protection shall be in accordance with the IT Security Standards.

7.   INFORMATION SYSTEMS MANAGEMENT
7.1 Development, Implementation and Review
7.1.1 Advanced Technology shall review all proposed application changes to eliminate potential IT Resource security risks. A formal change control process shall be in place that includes a consistent change window and ample notification to Users.
7.1.2 Prior to the development and implementation of a new Information System, or an enhancement to an existing Information System, security control requirements are specified and integrated into the project during the feasibility stage. Advanced Technology shall ensure a separation of duties exists between the groups responsible for the development, operation, review, and administration of Information Systems.
7.1.3 Operational requirements of any new Information System, or any enhancement to an existing Information System, shall be established, documented, and tested prior to acceptance for production.
7.1.4 Advanced Technology shall incorporate validation checks into applications to detect any Information corruption through processing errors or deliberate acts. Both input and output data shall be validated where possible. Information Systems shall be checked regularly by Advanced Technology for compliance.
7.1.5 The IT Security Standards shall address restricted and controlled access to program source code and associated items.
7.1.6 An IT Security Office approved system life cycle methodology, including a security review, is required for the development of any Region application by Advanced Technology or externally developed applications.

7.2   OPERATIONAL AND CLINICAL DATABASES
The use of operational and clinical databases containing high- and extreme-sensitive Information for testing and training purposes shall be avoided.

7.3   SOFTWARE USE
7.3.1 All intellectual property or commercial software purchases are subject to examination for viruses or other malicious features, and usage shall comply with applicable legislation, laws, licenses, regulatory and contractual requirements.
7.3.2 Processes for the transfer of software from developmental to operational status shall be defined and documented. Advanced Technology shall develop procedures regarding the installation of software on operating systems, including the requirement for a rollback strategy to be developed before any software changes are implemented.
7.3.3 Advanced Technology shall supervise and monitor all outsourced software development.
7.3.4 Advanced Technology shall make efforts to update software regularly. However, updates are only required when there is a demonstrated business need.

7.4 The IT Security Office shall ensure that all reasonable precautions are taken against virus attacks and incursions, including detection of covert channels and Trojan codes. Virus prevention, detection, and removal mechanisms shall extend to desktop, mobile, and server computer systems.

8.   ENCRYPTION
8.1 The IT Security Office shall develop standards for the use of cryptographic controls, to protect the confidentiality, authenticity, and integrity of electronic Information. Risk Assessments shall be performed to identify the required level of encrypted protection for electronic Information (e.g., confidentiality, integrity/authenticity, non-repudiation).

8.2 When designing and implementing cryptographic controls, the IT Security Office shall ensure that controls comply with applicable legislation, regulations, and Collective Agreements.

8.3 All cryptographic keys shall be protected against modification, loss, destruction, and unauthorized disclosure. IT Resources used to generate, store, and archive cryptographic keys shall be physically and logically protected.

9.   SECURE DISPOSAL OR RE-USE OF EQUIPMENT
The IT Security Office shall inspect all IT Resources that contain or may contain Information prior to disposal or re-use of the Resource to ensure that all Information is removed or overwritten, in accordance with the Records Retention Guide. Improper or inappropriate disposal of Information is considered an Information Security Incident with potentially serious consequences, and may lead to disciplinary action, termination of privileges, or other penalties.

10.   ELECTRONIC MAIL SECURITY
All electronic mail (e-mail) transmissions are the property of the Region. The primary purpose of e-mail is for legitimate business use. Confidentiality of the contents of e-mail messages is not guaranteed. Information transmission by e-mail shall be in accordance with the Transmission of Information by Facsimile and Electronic Mail policy (#1420).

11.   BUSINESS CONTINUITY PLANS
11.1 The Region shall make every effort to minimize the impact of a disaster or other adverse event, while ensuring the timely resumption of essential operations. Business Continuity Plans (BCP) are required, as determined by Internal Audit & Risk Management, the IT Security Office, and Disaster Services, to protect against organizational vulnerabilities resulting from such an event. A single framework for BCPs shall be maintained to ensure consistency.
11.2 Each BCP shall have a specified owner based on the business resources or processes involved. The plan owner shall ensure procedures are in place for carrying out the continuity plan, including the training and education of staff, and shall ensure that:
• BCPs identify all assets involved in critical business performance and address the Information Security requirements needed for business continuity. BCPs shall identify the training and responsibilities of staff and Contractors, and identify acceptable Information and service loss.
• multiple copies of BCPs are stored in locations distant enough so as to not be in danger if a disaster occurs at a particular Facility. Business Continuity Plans shall be protected to maintain the security of organization-specific details.
• BCPs shall be tested and updated regularly to ensure that they are timely and effective.
11.3 Information owners shall ensure regular back up of essential software and Information, to allow recovery following a disaster or system failure. Recovery of Information shall be tested periodically by the Information owner.

Definitions
For the purposes of this policy:

ADVANCED TECHNOLOGY means the department of Advanced Technology.

BUSINESS CONTINUITY PLAN (BCP) means a documented process for identifying and planning for risks and potential disasters, to minimize their impact on patients/clients, staff, Region property, and Information processing and storage facilities. Business Continuity Plans aid in the Region’s recovery from loss of Information or other assets, including IT Resources.

CONTRACTOR means
a) an affiliate (a person performing a service for the Region as an appointee, or under a contract or agency relationship), business partner, consultant, contractor, non-employee, outsourcer, service provider, or third party engaged by the Region to perform services for or on behalf of the Region; or

b) an agent, employee, or third party to the Contractor engaged by the Region to perform services for or on behalf of the Region.

DEPARTMENT means any department, division, unit, program, portfolio, section or service within the Region’s organizational structure.

INFORMATION means knowledge, documents, text, or data of any kind and in any form or medium (e.g., paper, digital, audio-visual, et cetera) derived from recorded, written, verbal, observed, or other forms of communication which is used, created, received, or maintained by the Region or any individual or organization acting on the Region’s behalf.

INFORMATION SECURITY INCIDENT means any incident where a violation or breach of Information security, or a weakness or malfunction of IT infrastructure that could potentially cause a violation or breach, occurs. An Information security breach is a compromise of Information security, whether deliberate or accidental, which could result in the Information being viewed, used or held by unauthorized persons. An Information security violation is a particular incident or system-wide condition that violates the Information security policy, but does not necessarily result in an Information security breach.

INFORMATION SYSTEM means an assembly of components, including machines, Users, and methods, that collect, process, transmit, and disseminate data or Information on behalf of the Region.

IT RESOURCE means any Region owned asset used to generate, process, transmit, store, or access the Region’s Information, which includes but is not limited to IT infrastructure, systems, hardware, software, Information Systems, networks, shared drives, computer equipment and devices, Internet, e-mail, databases, applications, and Mobile Computing Devices.

LOG means an electronic or written record of a network, application, or system’s activity, used for Information, backup, recovery, or review.

MOBILE COMPUTING DEVICE means electronic devices including but not limited to: Portable Digital Assistants (PDAs), notebook computers, laptops, Tablet PCs, Palm Pilots, Pocket PCs, text pagers, smart phones, and other similar devices.

SYSTEM UTILITIES means programs that have been written to accomplish common tasks such as sorting records or copying disk files onto magnetic tape for backup.

REGION FACILITY means a site owned or operated by the Region.

REMOTE ACCESS means a User’s ability to access Region Information by connecting to the Region’s network from outside of the network’s firewall. 

RISK ASSESSMENT means an assessment of threats to, impacts on and vulnerability of Information and Information processing and storage facilities, and the likelihood of their occurrence.

USER means any individual who uses or discloses Information, or an individual who uses any Region owned IT Resource.

Cross References to Calgary Health Region Policies
Information Security
Information Technology Auditing, Monitoring, and Reviewing


Additional References
Freedom of Information and Protection of Privacy Act and Regulations Thereunder
Health Information Act and Regulations Thereunder
International Organization for Standardization (ISO) BS 7799-2: 2002