Subject/Title: Information Technology Auditing, Monitoring, and Reviewing
Approving Authority: Executive Management
Classification: Information Security and Privacy

Note: The Calgary Health Region is committed to ensuring the accuracy and consistency of the policies on its Regional Policy Website. As policies are reviewed and updated periodically, the information contained in this document is accurate only on the date that it is viewed/printed (2010/09/02). Before relying on the information after this date, please check the Regional Policy Website for any changes to the policy. If you have any questions regarding this notice or the information presented in this policy, please contact Regional Policy Services.
Reason For Policy
• To articulate the Calgary Health Region's (the "Region") Auditing, Monitoring, and Reviewing controls for Information Technology (IT) Resources.
• To comply with the Freedom of Information and Protection of Privacy Act (FOIPP), the Health Information Act (HIA), and mandated controls as defined by Alberta Health and Wellness.

Policy Statement
Access to and use of the Region's IT Resources shall be subject to Auditing, Monitoring, and Reviewing controls. These controls shall be used to help the Region protect and maintain the security of Information and IT Resources, and aid in determining compliance with and measuring the effectiveness of the Region's Information Security and Privacy policies and processes, and the IT Security Standards.

Applicability
This policy applies to all staff (including employees, independent contractors, medical, dental, podiatry, and midwifery staff, and other health professionals), students, volunteers, and other persons acting on behalf of the Region.

Process

1. MONITORING
1.1 The IT Security Office shall establish processes for the Monitoring of IT Resources to ensure the integrity of such resources while providing protection from potential threats. The IT Security Office shall assign a designate to monitor, track, and review the Region's IT Security Standards. The IT Security Office, in consultation with the relevant Department (where applicable), shall perform a Threat-Risk Assessment to determine the required level and frequency of Monitoring.
1.2 As part of the Monitoring process, security controls, audit trails, and activity logs shall be employed wherever possible for IT Resources. Monitoring of IT Resources shall include, but is not limited to:
• system access and system use controls;
• application systems;
• controlled access to software that monitors or modifies network configurations or devices;
• equipment maintenance records of suspected or actual equipment faults and maintenance activities;
• fault logs and reports;
• internet use;
• external network connections and remote access networks;
• entry control logs recording entry statistics (e.g., name, affiliation, date, and time, et cetera) to the Region's IT Resources;
• internet audit trails (where required); and
• the maintenance of synchronized clock settings.
1.3 Electronic access controls shall be employed to protect IT Resources in accordance with the Region's Access Control policy (#1270) and IT Security Standards. Electronic access privileges are monitored and audited to detect potential vulnerabilities or access privilege abuse.
1.4 The IT Security Office shall ensure that controls are in place for the Monitoring and early detection of malicious network activity.
1.5 Region electronic mail (e-mail) accounts may be monitored as a result of an Information Security Incident or if unacceptable use is suspected (see Information Technology Acceptable Use policy, #1410). The IT Security Office may monitor an e-mail account when requested to do so by the account holder's Manager/Director. Prior to account Monitoring, approval is required from People and Learning, and where applicable the Information and Privacy (I&P) Office. E-mail accounts may be monitored without notification to the account holder.

2. REVIEWING
2.1 Advanced Technology shall coordinate and conduct assessments and reviews to ensure the Region's Information Security and Privacy policies and the IT Security Standards are updated appropriately to correspond with technological changes. Recorded events shall be reviewed and remedies incorporated into these documents as necessary to ensure vulnerabilities are appropriately addressed.
2.2 Logs shall be protected to maintain integrity and to prevent unauthorized access. Logged Information shall be filtered by Advanced Technology to ensure that only relevant Information is reviewed. The individual(s) Reviewing the Log shall have a segregation of duties from the activities being monitored. Fault Logs are reviewed to ensure faults have been satisfactorily resolved and corrective actions taken.
2.3 An impartial annual security review or audit of the Region's security practices shall be conducted by a qualified independent Department, manager, or third-party organization in order to measure compliance with the Region's Information Security and Privacy policies and IT Security Standards.

3. AUDITING
3.1 All audit tools shall be protected to safeguard integrity and to prevent misuse. The IT Security Office shall develop system audit controls, including maintenance of audit trails for employee access attempts to intranet, internet, applications, browsing, and directories.
3.1.1 Contractors shall maintain a log of all successful and unsuccessful requests for physical, environmental, or electronic access to the Region's Information and IT Resources. The log shall be available, upon request, to the IT Security Office for Auditing purposes.
3.2 The IT Security Office shall maintain audit trails of Advanced Technology checks and controls, including those that are in place for Information accesses, changes, additions, and deletions.
3.3 Infrastructure Services shall perform periodic computer audits to ensure that software is licensed. Non-approved software shall be removed and reported to the IT Security Office.
3.4 At the request of the I&P Office, Information System Owners shall perform audits of the systems for which they are responsible.

4. THREAT-RISK ASSESSMENT
The IT Security Office shall conduct a Threat-Risk Assessment of any new applications or modifications to existing high-risk systems. The results of the Threat-Risk Assessment shall be considered when determining the need for a Privacy Impact Assessment. The Threat-Risk Assessment at a minimum shall include:
• records of change-of-state for corporate Information and transactions;
• a defined and documented record of the audit requirements for all applications during the design and development phases; and
• the identification and recording of Information accessed and changed by users.

5. SECURITY RESPONSE
The Region has established security response processes to minimize damage from Information Security Incidents (see Information Security policy, #1438). To monitor responses to Information Security Incidents and learn from such Incidents, audit trails and relevant Information shall be collected for:
• problem analysis;
• use in arbitration, civil or criminal proceedings; and
• negotiating for compensation from software and service providers, and other Contractors.

6. CAPACITY PLANNING
6.1 Advanced Technology shall have capacity planning exercises in place to monitor and project capacity demands for adequate processing power and storage.
6.2 System performance shall be routinely monitored by Advanced Technology in order to ensure excess capacity. Utilization Monitoring shall be as often as determined by workload and resource demand.
6.3 Network Monitoring and performance analysis shall be established on a regular basis as part of capacity planning.

7. ELECTRONIC MEDIA MANAGEMENT
7.1 To minimize the potential for an Information Security Incident, Electronic Media shall be securely disposed of in accordance with the IT Security Standards.
7.2 Advanced Technology shall establish management practices for removable media, including documentation and role delineation for the effective Monitoring of media removal.
7.3 Information stored on electronic media shall be permanently erased and made unrecoverable by authorized IT technicians only. Certificates of Electronic Media destruction shall be retained by Advanced Technology for Auditing purposes.

8. DATABASE MANAGEMENT
8.1 All database discrepancies such as lost records or potential security exposures shall be reported to the IT Security Office immediately.
8.2 Database audit checks shall be conducted periodically by the IT Security Office to verify logical and physical database consistency. Where feasible, a backup strategy shall be employed to restore lost records.
8.3 A Log shall be kept for the use of all enterprise database utilities, recording the utility name, date, time, and user-id. Whenever possible, the type of access (e.g., read, update, delete) to an enterprise database and the record accessed is recorded. Changes made to all enterprise databases shall be tracked in accordance with the Advanced Technology Change Management Process.

9. ACTIVITY LOGS
To maintain the integrity and availability of Information Systems, Advanced Technology personnel shall maintain either manual or automated system Logs of their activities. Personnel Logs shall be subject to regular independent checks against operating procedures to ensure that adequate processes are logged. Logs shall include:
• system starting and finishing times;
• system errors or warnings identified and corrective actions taken;
• when automated paging of errors is used, a record of the time an error occurred, when the page was sent, and the pager/cell phone number;
• confirmation of the correct handling and classification of data files and computer output; and
• the name or user-id of the individual making the log entry.

Definitions
For the purposes of this policy:
ADVANCED TECHNOLOGY means the department of Advanced Technology.
AUDITING means the examination of recorded activities to ensure compliance with established controls, policies, and procedures. Auditing may include providing recommendations for changes in security, policies, standards, controls, or procedures.
CONTRACTOR means a) an affiliate (a person performing a service for the Region as an appointee, or under a contract or agency relationship), business partner, consultant, contractor, non-employee, outsourcer, service provider, or third party engaged by the Region to perform services for or on behalf of the Region; or b) an agent, employee, or third party to a Contractor engaged by the Region to perform services for or on behalf of the Region.
DEPARTMENT means any department, division, unit, program, portfolio, section, or service within the Region's organizational structure.
ELECTRONIC MEDIA means any magnetic or storage device used to record electronic data. Electronic media devices may include, but are not limited to, computer memory, hard disk, and removable memory such as memory sticks, CD-ROM, DVD, tape, and floppy disks.
INFORMATION means knowledge, documents, text, or data of any kind and in any form or medium (e.g., paper, digital, audio-visual, et cetera) derived from recorded, written, verbal, observed, or other forms of communication which is used, created, received, or maintained by the Region or any individual or organization acting on the Region's behalf.
INFORMATION SECURITY INCIDENT means any incident where a violation or breach of Information security, or a weakness or malfunction of IT infrastructure that could potentially cause a violation or breach, occurs. An Information Security Breach is a compromise of sensitive Information security, whether deliberate or accidental, which could result in the Information being viewed, used, or held by unauthorized persons. An Information Security Violation is a particular incident or system-wide condition that violates Information security policy, but does not necessarily result in an Information Security Breach.
INFORMATION SYSTEM means an assembly of components, including machines, Users, and methods, that collect, process, transmit, and disseminate data or Information on behalf of the Region.
INFORMATION SYSTEMS OWNER means the individual responsible for management of an Information System, including maintenance of the System's security.
IT RESOURCE means any Region-owned asset used to generate, process, transmit, store, or access the Region's Information, which includes but is not limited to IT infrastructure, systems, hardware, software, Information Systems, networks, shared drives, computer equipment and devices, Internet, e-mail, databases, applications, and Mobile Computing Devices.
LOG means an electronic or written record of a network, application, or system's activity, used for Information, backup, recovery, or review.
MONITORING means the collection of network, application, or system activity for the purposes of review.
REVIEWING means the analysis of network, application, or system activity collected through the Monitoring process; or, the process of analyzing policies, procedures, and standards to ensure compliance with the Region's and other applicable standards.
THREAT-RISK ASSESSMENT means the process of formally evaluating the degree and nature of a threat to an information system or other IT Resource. This may include a formal assessment of vulnerabilities, threats, the likelihood of occurrence, potential losses or impact, and the effectiveness of security measures employed to mitigate risks.

Cross References to Calgary Health Region Policies
Information Security
Information Technology Resource Security

Additional References
International Organization for Standardization (ISO) BS 7799-2:2002