DPSP Information Security and Privacy Best Practices

DATA PRIVACY SAFEGUARD PROGRAM
INFORMATION SECURITY AND PRIVACY BEST PRACTICES
Information Security and Privacy Best Practices for organizations with access to personally
identifiable information (PII)
Information Security and Privacy are broad industry fields spanning all aspects of data protection. The industry best practices for these fields are numerous. The National Institute of Standards and Technology (NIST) has developed documents to provide guidance to Federal agencies on how to protect their data. This document is meant to serve as educational material for healthcare research organizations using personally identifiable information (PII), and specifically the subset of PII that is protected health information (PHI), and will provide key information security and privacy best practices in an easily digestible form.
These best practices were compiled using NIST’s “Common IT and Privacy Security Practices” as listed in its Special Publication 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems [1], Security Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, Revision 3) [2], NIST Special Publication 800-53 DRAFT APPENDIX J Security and Privacy Controls for Federal Information Systems and Organizations [3], and the Privacy Best Practices from the Privacy Rights Clearinghouse’s Checklist of Responsible Information-Handling Practices [4]. In addition, they are structured to closely relate to the areas that the questions asked on CMS’ Data Management Plan address.
What is a best practice?
A best practice is a method or technique that can be implemented by multiple organizations that has
consistently, over time, proven to produce results or accomplish given goals or tasks more effectively
than other methods or techniques. Best practices are used often when no specific formal method or
technique is established, or when the existing method or technique is not adequate to produce the desired
results or accomplish the desired goal.
Best practices also arise to fill in gaps where legislation or requirements may not cover every aspect of a
business process or need. As such, best practices are not required by law, but are considered an extra step
in achieving high quality standards for a business process or need. Additionally, best practices are ever-evolving as better improvements are discovered or when legislation, technology and/or industry-specific advancements prompt a change.
Organizations desiring to be industry leaders implement the best practices associated with their industry.
Best practices are not mutually exclusive with legislation and requirements. In fact, many legal
requirements were first considered best practices before they were enacted into law.
Hierarchy of Requirements and Best Practices

Federal legislation requirements: Requirements legally mandated by Federal law that an organization must comply with in order to avoid legal repercussions.

State legislation requirements: Requirements legally mandated by state law that an organization must comply with in order to avoid legal repercussions. These requirements do not supersede Federal requirements.

Agency-specific requirements: Requirements developed by an organization with which the organization is expected to comply. These requirements do not supersede Federal or state requirements.

Best practices: A method or technique, not legally required of an organization, that is proven to produce results and accomplish goals more effectively than other techniques.

[1] http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
[2] http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
[3] http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
[4] https://www.privacyrights.org/fs/fs12-infohandling.htm
Rev. No: 01.14.13
Key areas in information security and privacy
• Policies
• Standard Operating Procedures (SOPs)
• Program Management
• Risk Management
• Data Protection Planning
• Physical and Environmental Security and Privacy
• Data and Network Security and Privacy
• Contractual Agreements Among Business Partners & Associates
• Education, Awareness and Training
• Users Access
• Authorization
• Information Sharing and Transmission
• Data Retention and Disposal
Key best practices for information security and privacy [5]
For ease of cross-reference, each best practice section detailed below will contain a reference to the relevant section(s) on the Data Management Plan (DMP) [6]. The cross-reference will be denoted via the question number on the DMP.
Policies
(Relevant sections on the DMP: 1.7, 2.1, 2.3, 4.1, 4.2, 4.3, 4.4)
Policies are written documents that serve as guidance for an organization. Information security and
privacy policies are the internal guidance for an organization to properly protect data.
• Policies should be developed, disseminated, and implemented at both the organization-level and the group/team-level
• Once policies and procedures are developed, the organization should also develop a privacy plan for the implementation of the policies, procedures, and applicable privacy controls
• Policies and procedures should be in written form and easily accessible to employees at an organization
• Policies are most effective when employees are trained and educated about an organization’s policies
• Policies should contain roles and responsibilities within them
• All policies should be consistent with one another and not in conflict with any others
• Policies should govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII
• The privacy plan, policies, and procedures should be regularly reviewed and updated

[5] This list of best practices is not meant to be comprehensive, but rather to serve as a guide for several best practices in the key areas of information security and privacy.
[6] A copy of the Data Management Plan is included in the CMS Data Request Executive Summary, which can be located on ResDAC’s website.
Program Management
(Relevant sections on the DMP: 1.1, 1.2, 1.3, 1.4, 1.8, 2.6, 3.1, 3.2, 4.3)
Management comprises the planning, organizing, staffing, leading, and controlling of an organization to
achieve desired results. Strong management within an organization will typically lead to a stronger data
protection program (among other programs) within that organization.
• Designation of a Senior Official for Privacy and Security
• Management should take place at an executive (organization-wide) level and a front-line (group/team) level
• Mission statements for an organization help to drive the goals and purpose of management within an organization
• Information security and privacy often cut across several disciplines and offices/groups within an organization, so it is important for the management of these varied offices/groups to work together and have formal liaisons
• Information security and privacy require management at each step of the process, and management should be involved from the beginning planning phase to the later implementation and continuous operation phases
Risk Management
(Relevant sections on the DMP: 1.3, 1.6, 1.9, 2.5, 3.1, 3.2, 3.3, 3.4, 4.2)
Risk is the likelihood or possibility of something occurring with an adverse result. Assessing the
likelihood of these events occurring and taking actions to reduce or limit the adverse results is the process
known as risk management.
• All projects contain risks, and it is important to collect, review and analyze the nature of a project to determine potential risks
• Once potential risks are identified, the likelihood of each risk occurring should be estimated
• The level of a risk is determined by the likelihood as well as the potential adverse impact (low likelihood and low impact is low risk; high likelihood and high impact is high risk), and the high risk items should be prioritized for mitigation action
• When risks are identified, actions should be taken or plans put in place to minimize the risk and mitigate potential adverse impact
• Information security and privacy safeguards reduce risk: a substantially smaller investment up front can avoid costly remediation activities later
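The scoring and prioritization steps above can be carried out with a small risk register. The following is an added example written for this page, not code from the DPSP document or from NIST; the 3x3 likelihood-by-impact scale, the level thresholds, and the sample risks are all constructed for illustration.

```python
# Added example (not part of the DPSP document): a minimal risk register that
# scores each identified risk by likelihood and impact and orders the register
# so the highest-risk items come first for mitigation, as the Risk Management
# practices describe. The 3x3 scoring matrix, the thresholds, and the sample
# risks are constructed for this example.
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    likelihood: str       # "low", "medium" or "high"
    impact: str           # "low", "medium" or "high"
    mitigation: str = ""  # planned action; empty string means none planned yet


def score(risk):
    """Numeric score = likelihood x impact on a 1-3 scale, so 1..9."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def level(risk):
    """Map the score back to a level: low (1-2), medium (3-4), high (6-9).
    Low likelihood with low impact lands on 'low'; high with high on 'high'."""
    s = score(risk)
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def prioritize(register):
    """Return the register ordered highest score first (sort is stable, so
    equally scored risks keep their original order)."""
    return sorted(register, key=score, reverse=True)


def unmitigated_high(register):
    """Names of high-level risks that still have no mitigation plan: the items
    the practices say to act on first."""
    return [r.name for r in prioritize(register)
            if level(r) == "high" and not r.mitigation]


# Constructed sample register for a PHI research project (illustrative only).
SAMPLE_REGISTER = [
    Risk("Laptop holding unencrypted PHI is lost", "medium", "high",
         "Full-disk encryption; laptops locked away when not in use"),
    Risk("Former employee's account remains active", "high", "high"),
    Risk("Power outage corrupts the analysis server", "low", "medium",
         "UPS and nightly backups"),
    Risk("Printed extract left at a shared printer", "medium", "low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        plan = r.mitigation or "NO MITIGATION PLANNED"
        print(f"{level(r):6s} (score {score(r)})  {r.name}: {plan}")
```

Running the block lists the register from highest to lowest score; `unmitigated_high` is the list a project lead would take to the next planning meeting, since those are high-risk items with no action recorded against them.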
Data Protection Planning
(Relevant sections on the DMP: 1.6, 1.9, 2.5, 3.1, 3.2, 4.1, 4.2, 4.4)
Information privacy and security is not a one-time action. It must be planned and implemented
throughout all phases of a data or system life cycle, which is typically described by five phases:
initiation, development/acquisition, implementation, operation, and disposal.
• All projects should have a security plan before they are implemented, including data protections from when data is first received
• Security and privacy controls and safeguards should be tested in advance of a project kickoff, to determine effectiveness in protection and appropriateness for the level of sensitive data that will be used
• Destruction and disposal policies and procedures should be planned in advance of reaching the disposal phase of a project
Physical and Environmental Security and Privacy
(Relevant sections on the DMP: 1.6, 1.7, 1.9, 2.1, 2.3, 2.5, 2.7, 4.1, 4.4)
Physical and environmental security and privacy are the first line of defense in information protection.
These protections include the physical facilities housing the information, the system resources
themselves, and the facilities used to support operation.
• Physical access controls should be implemented to restrict and monitor the entry and exit into physical facilities housing information. These facilities include the locations housing the data itself as well as the locations that provide virtual access to the data.
• Data should be safeguarded against environmental factors such as fire, flood, earthquake or other potential for destruction of hardware and hardcopy data.
• Data should also be protected against service disruption, due to power outage or power surge, failures of heating and/or air conditioning systems, or any other potential occurrence that could damage hardware and/or software.
• Organizations should protect against interception of data, which can occur via any of three methods: direct observation, interception of data transmission, or electromagnetic interception.
• Special precautions should be taken when information is stored on mobile or portable devices, and could include locking away mobile and portable devices, as well as encrypting data that is stored on mobile and portable devices.
Data and Network Security and Privacy
(Relevant sections on the DMP: 1.6, 1.8, 1.9, 2.1, 2.2, 2.3, 2.4, 2.5, 4.2, 4.3)
Data should be protected in all forms, softcopy and hardcopy, and in all locations, whether stored on a
network server or accessed remotely via a desktop. A breach of information can occur at any stage of
data possession, including data in transit over a network system.
• Networks should be secured with industry standard technical protections
• Penalties should be in place for intentional or major breaches of network security
• Incident response plans and breach management procedures should be established
• Password guidelines (including frequent changing of passwords and password character requirements) should exist and password protections should be required for all access points to the network
• System penetration tests should be conducted regularly to ensure network security
• Virus protection policies and practices should be in place and reviewed regularly to check for necessary updates
• Procedures to prevent former employees from gaining access to a network should be established
• Physical security and privacy controls should exist for all physical locations that either house data or allow access to data on a network
• Data should be limited on a network to de-identified data or limited data sets when possible
• All data on a network should be inventoried and tracked
Contractual Agreements
(Relevant sections on the DMP: 1.3)
Binding agreements, such as Data Use Agreements, Memoranda of Understanding, Confidentiality
Agreements, and even Rules of Behavior and other documents, help to control the privacy and security of
data by holding all individuals and organizations responsible for upholding the controls and policies and
practices that they agree to by signature.
• Organizations should require binding agreements (e.g. Data Use Agreement or other) to be entered into and signed for any project involving sensitive information and more than one organization
• Organizations should also require binding agreements to be used internally; for example, requiring all employees working on a project to sign a confidentiality agreement and Rules of Behavior
• These binding agreements should be updated regularly
Education, Awareness and Training
(Relevant sections on the DMP: 1.5)
Policies, procedures and practices are important pieces of a privacy and security program, but they are
useless unless the personnel know and understand them. This is why it is crucial to develop and
implement awareness and training programs and initiatives in order to educate staff on how to protect the
privacy and security of information.
• Training modules should be developed for all staff as needed. This will include general awareness training modules as well as system-specific or role-based trainings that are more detailed and likely pertain only to a subset of the entire staff.
• It is important to consider appropriate methods of training as they pertain to the subjects of the training. For example, a webinar or slideshow format may be appropriate for general training, but a hands-on, instructor-led training session may be appropriate for system manipulation or database security and privacy training.
• Training programs should be periodically evaluated for effectiveness.
• Training programs should also be evaluated regularly for currency, as technology and the privacy and security fields are constantly changing.
• An organization should educate and train its staff on the authorized uses and sharing of PII with third parties and ensure that such training occurs at the third-party organizations as well.
Data Users
(Relevant sections on the DMP: 1.1, 1.3, 1.5, 1.8, 2.2, 2.4, 2.5, 2.6, 4.2, 4.3)
There are many different types of personnel involved in projects that involve sensitive data. These users
can include managers, programmers, system administrators, researchers, analysts, and more. Each user
has a unique need to access sensitive data and the levels of access can vary greatly.
• User roles and access privileges should be determined on a role-based or individual basis, and should align with their responsibilities
• Users should be assigned responsibilities and privileges based on the “least privilege” principle [7]
• Users should receive role-based training associated with their job functions
• User access should be terminated as soon as there is no longer a need to access data for business purposes

[7] Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties. Data entry clerks, for example, may not have any need to run analysis reports of their database. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Access
(Relevant sections on the DMP: 1.1, 1.4, 1.8, 1.9, 2.2, 2.4, 2.5, 2.6, 2.7, 4.2, 4.3)
Access is the availability to view or use data and can refer to both logical (system-based) access and
physical access. Access must be restricted and controlled at all times to protect the security and privacy
of data.
• Access should be controlled by a reliable source of identity (e.g. UserID) to provide individual accountability for accessing or viewing data
• Access should be restricted and controlled based on a user’s role and responsibilities
• The location of access (whether logical or physical) should be controlled via technical safeguards and physical security measures
• Access should be restricted by service and capability (e.g. “Read” access versus “Read and Write” access)
• Access should be tracked and logged, and these tracking systems or logs should be available for review if needed
• Secure gateways and firewalls are standard technical safeguards implemented to control access to data
• Encryption is another standard technical safeguard implemented to control access to data
• The organization identifies the minimum PII elements that are relevant and necessary to accomplish the authorized purpose of access and use
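The Data Users and Access practices above (identity-based accountability, role-based and least-privilege assignment, "Read" versus "Read and Write" capability, access logging, and prompt termination of access) fit together in one small access check. The following is an added example written for this page, not code from the DPSP document; the roles, datasets, UserIDs and permission table are constructed for illustration, and the in-memory audit log stands in for whatever log system an organization actually reviews.

```python
# Added example (not part of the DPSP document): a role-based access check
# that ties every decision to a UserID, restricts each role to the datasets
# and actions ("read" versus "write") its duties require, denies access once
# a user is deprovisioned, and logs every allow and deny decision for later
# review. The roles, datasets, user IDs and permissions are constructed for
# this example.
from datetime import datetime, timezone

# Role -> dataset -> allowed actions. Analysts see only the limited data set,
# and only read it; nobody here has write access to the full PHI extract.
ROLE_PERMISSIONS = {
    "analyst":    {"claims_lds": {"read"}},
    "programmer": {"claims_lds": {"read", "write"}, "claims_full": {"read"}},
    "data_entry": {"intake_forms": {"read", "write"}},
}

# Directory of known identities. "active" is cleared when access is terminated.
USERS = {
    "u1001": {"role": "analyst", "active": True},
    "u1002": {"role": "programmer", "active": True},
    "u1003": {"role": "data_entry", "active": True},
}

AUDIT_LOG = []  # default log; callers may pass their own list


def _record(log, user_id, dataset, action, allowed, reason):
    """Append one audit entry and return the decision so callers can chain it."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "dataset": dataset, "action": action,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed


def authorize(user_id, dataset, action, users=None, log=None):
    """Return True if user_id may perform action on dataset. Every call,
    allowed or not, appends one entry to the audit log."""
    users = USERS if users is None else users
    log = AUDIT_LOG if log is None else log
    user = users.get(user_id)
    if user is None:
        return _record(log, user_id, dataset, action, False, "unknown identity")
    if not user["active"]:
        return _record(log, user_id, dataset, action, False, "access terminated")
    allowed_actions = ROLE_PERMISSIONS.get(user["role"], {}).get(dataset, set())
    if action not in allowed_actions:
        return _record(log, user_id, dataset, action, False,
                       f"role {user['role']} not permitted {action} on {dataset}")
    return _record(log, user_id, dataset, action, True, "role permits action")


def terminate_access(user_id, users=None):
    """Deprovision a user; subsequent authorize() calls are denied and logged."""
    users = USERS if users is None else users
    if user_id in users:
        users[user_id]["active"] = False


def denied_entries(log=None):
    """Deny decisions, the entries a reviewer would look at first."""
    log = AUDIT_LOG if log is None else log
    return [e for e in log if e["decision"] == "deny"]


if __name__ == "__main__":
    authorize("u1001", "claims_lds", "read")    # allow
    authorize("u1001", "claims_full", "read")   # deny: not in the analyst role
    terminate_access("u1002")
    authorize("u1002", "claims_lds", "read")    # deny: access terminated
    for e in AUDIT_LOG:
        print(e["decision"].upper(), e["user"], e["dataset"], e["action"], "-", e["reason"])
```

Two design points follow directly from the practices: the permission table is keyed by role rather than by person, so a change of duties is a change of role rather than an edit to scattered grants, and denials are logged with the reason, which is what makes the log useful when it is reviewed.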
Information Sharing and Transmission
(Relevant sections on the DMP: 2.1, 2.3, 2.7)
Data is just as vulnerable in transmission as it is at rest. Data needs to be secured during both physical
transmission and virtual transmission.
• Email policies and procedures should be established to help control virtual transmission of data via email
• Physical transmission controls (such as certified mail carrier services and secure packaging) should be established
• Sensitive data in transmission should be encrypted
• When sending sensitive data, the recipient should be notified in advance of the delivery and should also confirm receipt once the data arrives
• Sensitive data should only be physically delivered to secure locations (e.g. an access-controlled facility)
• Limited data sets and/or de-identified data (instead of raw sensitive data) should be used in transmission, when possible
• The organization shares PII with third parties, including other public and private sector entities, only for the authorized business purposes identified or in a manner compatible with those purposes
• When appropriate, the organization should enter into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which PII may be used and the data protections that should be upheld by all involved organizations
Retention and Disposal
(Relevant sections on the DMP: 1.1, 1.2, 2.2, 2.7, 4.1, 4.4)
Data should not be retained longer than is necessary for the business purpose. The timelines for retention
and destruction of data are important measures in ensuring the privacy and security of data.
• The organization limits the retention of PII to the minimum elements identified for the purposes and for a specific and limited period of time
• The organization conducts an initial evaluation and performs periodic evaluations of its holdings of PII to ensure that only PII necessary and authorized for the business purpose is retained, and that the PII continues to be necessary to accomplish the authorized business purpose
• Data should be either returned or destroyed as soon as possible after it is no longer needed to complete a business purpose
• A records retention schedule should be developed for all data used for any project
• Organizations should complete a Certificate of Data Destruction for all instances of destroying sensitive data
• If data is lent to another organization and is not to be destroyed, then all of that data (and all copies of that data) should be returned to the organization maintaining ownership at the end of the loan period
• Destruction of data policies should be specific for all forms of data, whether it be hardcopy, laptop, disk files, thumb drives, servers, etc.
• The organization should systematically (by established and documented methods) destroy, erase, and/or anonymize the PII, regardless of the method of storage (e.g., electronic, optical media, or paper-based) in accordance with a record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access
• Audits and appropriate technology should be employed to ensure secure deletion or destruction of PII (including originals, copies, off-site backup copies, and archived records)
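The retention practices above describe a procedure: keep a records retention schedule, evaluate holdings against it, destroy or return data when its period ends, record a Certificate of Data Destruction, and audit that copies and backups were covered too. The following is an added example written for this page, not code from the DPSP document; the data classes, retention periods, holdings inventory, dates and destruction methods are constructed for illustration.

```python
# Added example (not part of the DPSP document): a retention schedule applied
# to an inventory of PII holdings. It finds holdings past their disposal date,
# records a certificate of destruction for each destroyed item, and checks
# that no copy of a destroyed original (laptop copy, off-site backup, archive)
# is left behind. Data classes, retention periods, holdings and dates are
# constructed for this example.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Records retention schedule: data class -> days retained after receipt.
RETENTION_SCHEDULE_DAYS = {
    "phi_raw": 365,
    "limited_data_set": 730,
    "deidentified": 1825,
}


@dataclass
class Holding:
    item_id: str
    data_class: str
    location: str                    # "analysis-server", "laptop-07", "offsite-backup", ...
    received: date
    parent_id: Optional[str] = None  # set when this item is a copy of another holding


def disposal_due(holding, schedule=RETENTION_SCHEDULE_DAYS):
    """Date on which the holding must be returned or destroyed."""
    return holding.received + timedelta(days=schedule[holding.data_class])


def overdue(holdings, today, schedule=RETENTION_SCHEDULE_DAYS):
    """IDs of holdings whose retention period has ended as of 'today'."""
    return [h.item_id for h in holdings if disposal_due(h, schedule) <= today]


def certify_destruction(holding, method, performed_on, performed_by):
    """Build a Certificate of Data Destruction record for one holding."""
    return {
        "item_id": holding.item_id,
        "data_class": holding.data_class,
        "location": holding.location,
        "method": method,             # e.g. "cross-cut shred", "disk overwrite"
        "performed_on": performed_on.isoformat(),
        "performed_by": performed_by,
    }


def remaining_copies(holdings, certificates):
    """IDs of copies still held although their original has been certified
    destroyed: the audit gap the last practice above warns about."""
    destroyed = {c["item_id"] for c in certificates}
    return [h.item_id for h in holdings
            if h.parent_id in destroyed and h.item_id not in destroyed]


# Constructed inventory: one raw PHI extract with two copies, one de-identified set.
TODAY = date(2013, 1, 14)
SAMPLE_HOLDINGS = [
    Holding("H1", "phi_raw", "analysis-server", date(2011, 1, 10)),
    Holding("H1-c1", "phi_raw", "offsite-backup", date(2011, 1, 10), parent_id="H1"),
    Holding("H1-c2", "phi_raw", "laptop-07", date(2011, 1, 10), parent_id="H1"),
    Holding("H2", "deidentified", "analysis-server", date(2012, 6, 1)),
]

if __name__ == "__main__":
    print("overdue:", overdue(SAMPLE_HOLDINGS, TODAY))
    certs = [certify_destruction(h, "disk overwrite", TODAY, "sysadmin")
             for h in SAMPLE_HOLDINGS if h.item_id in ("H1", "H1-c1")]
    print("copies still held after destruction:", remaining_copies(SAMPLE_HOLDINGS, certs))
```

In the sample run the raw extract and its off-site backup are certified destroyed, but the laptop copy is not, so `remaining_copies` reports it. That is the situation the audit step exists to catch: the inventory, not the certificate, is what tells you whether every copy was handled.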
APPENDIX: REFERENCES
• Computer Security Resource Center: http://csrc.nist.gov/
• NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
• NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
• NIST Special Publication 800-53 DRAFT APPENDIX J Security and Privacy Controls for Federal Information Systems and Organizations http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf
• Privacy Rights Clearinghouse Checklist of Responsible Information-Handling Practices https://www.privacyrights.org/fs/fs12-infohandling.htm
• CMS Data Privacy Safeguards Program Data Management Plan Template (a copy of the Data Management Plan is included in the CMS Data Request Executive Summary, which can be located on ResDAC’s website)