Information Security Roles and Responsibilities

DEPARTMENT: Information Security
POLICY DESCRIPTION: Information Security
Roles and Responsibilities
PAGE: 1 of 4
REPLACES POLICY DATED: 6/1/04, 1/15/10
EFFECTIVE DATE: November 1, 2012
REFERENCE NUMBER: IS.SEC.006
APPROVED BY: Ethics and Compliance Policy Committee
SCOPE: All Company-affiliated facilities.
PURPOSE: To outline information security roles and responsibilities, which establish authority and
guidance for each Company-affiliated facility to have a Facility Information Security Official (FISO);
for each Company Division to have a Director of Information Security Operations (DISO); and for
the Company to have a Chief Information Security Officer (CISO) to meet the requirements of the
Company’s and facility’s Information Security Program.
Each Company-affiliated facility is required to have an assigned individual whose role is to ensure
compliance with Information Security Standards and Policies and oversee the facility’s Information
Security program. This is required by the Health Insurance Portability and Accountability Act
(HIPAA), Security Standards for the Protection of Electronic Protected Health Information (Security
Standards), 45 CFR Parts 160, 162, and 164.
POLICY:
1. Each Company-affiliated facility must appoint a Facility Information Security Official (FISO) to
implement and oversee the Company and facility Information Security Programs and work to
ensure the facility’s compliance with the IT&S Information Security Policies and Standards. The
FISO must be notified of all complaints regarding matters of information security that are
received by the facility. This role is required by HIPAA Security Rule provisions (see above).
2. A single individual who is appointed as an FISO may serve at multiple facilities as a Zoned, or
Market, FISO. A single individual may also serve multiple roles within a facility. For example, a
FISO may also serve as a Facility Privacy Official (FPO).
3. Each Company Division must have a Division Information Security Official, or Director of
Information Security Operations (DISO) to implement and oversee the Company and Division
Information Security Programs; and to oversee and support facilities’ compliance with the IT&S
Information Security Policies and Standards.
4. The Company must have a Chief Information Security Officer (CISO) to implement and oversee
the Company-wide Information Security Program and serve as the Responsible Executive for
Information Security. This role is required by the Payment Card Industry (PCI DSS v2; 12.5
Information Security Policy) requirement for Information Security Management.
9/2012
PROCEDURE:
Facility Information Security Official (FISO):
1. Each FISO must oversee and implement the Facility’s Information Security Program. The FISO
will use Corporate Information Security policies, procedures, standards, and processes provided
by Information Security, and follow the direction of the DISO, to implement the Facility
Information Security Program. The Facility Information Security Program must include
implementation and ongoing maintenance of all components of facility information security (e.g.,
system security, physical protection of computer systems and related buildings and equipment) as
developed by Information Security.
2. The FISO must participate in existing committees, including, but not limited to, the Facility
Ethics and Compliance Committee (FECC) and Facility Security Committee (FSC) to facilitate
implementation, education and support of the Facility Information Security Program. See the
Information Security – Security Committees Policy, IS.SEC.007.
3. The FISO’s responsibilities include, but are not limited to:
a. Implementing and overseeing a Facility Information Security Program;
b. Serving as primary facility contact for all information security concerns;
c. Monitoring security compliance using existing tools as directed by Corporate Information
Security;
d. In conjunction with the Facility and/or Division IT&S staff, implementing Information
Security policies, procedures, standards, and toolkits to ensure facility compliance;
e. Ensuring the facility has an ongoing Information Security Training and Awareness
Program;
f. Ensuring a complete Information Security Incident Response Plan is developed and
implemented; investigating and documenting all facility Information Security incidents and
responding according to Information Security Standards;
g. In conjunction with department managers, ensuring appropriate departmental security
procedures are in effect which support Information Security requirements;
h. Ensuring appropriate physical security processes for Information Security assets, including,
but not limited to, laptop and workstation security, appropriate access to controlled areas,
and adequate environmental controls for equipment;
i. Working with the Facility Privacy Official to ensure alignment between information
security and privacy practices;
j. Working with the Ethics & Compliance Officer to ensure alignment between information
security and Company compliance requirements; and
k. Facilitating any additional Information Security initiatives as directed by the Company.
Division Information Security Official or Director of Information Security Operations (DISO):
1. Each DISO must oversee and implement the Division and facilities’ Information Security
Programs at the Division level. The DISO will use Corporate Information Security policies,
procedures, standards, and processes provided by Information Security to implement the
Division security program and to oversee and assist the facilities within the Division with the
facilities’ security programs.
2. The DISO should utilize existing committees, including, but not limited to, the FSCs and the
Division Security Committees (DSCs), to facilitate implementation of the Division and
Facilities’ Information Security Programs.
3. The DISO’s responsibilities include, but are not limited to:
a. Overseeing and implementing a Division Information Security program in accordance
with Corporate Information Security Policies, Standards, guidance and initiatives;
b. Serving as primary Division contact for all information security concerns;
c. Facilitating vendor assessments and Information Security Agreements (ISAs) as
outlined in the Information Security – Vendor Information Security Agreement Policy,
IS.SEC.008;
d. Working with business units and business owners to identify areas of non-compliance
with Information Security Standards and to develop and document mitigation plans
and Risk Acceptance strategies as defined in the Information Security Risk
Acceptance and Accountability Policy, IS.SEC.009;
e. Leading and driving all information security activities within a Division, as a
component of the enterprise-wide Information Security (IS) program;
f. Identifying, developing, implementing, and monitoring Information Security
initiatives;
g. Serving as liaison for all FISOs on all Information Security initiatives, issues, and
projects, including, but not limited to, all responsibilities listed in FISO duties;
h. Overseeing and directing security work performed by FISOs; and
i. Working with the Division Ethics & Compliance Officer to ensure alignment between
information security and Company compliance requirements.
Chief Information Security Officer (CISO):
1. The CISO oversees and implements the company-wide Information Security Program and
serves as Responsible Executive for Information Security. The CISO is responsible for all
company Information Security policies, procedures, standards, processes, infrastructures, and
operations necessary to protect company IT systems and ensure regulatory compliance. In
addition, the CISO must oversee and assist business units and facilities with information
security and related compliance program implementation.
2. The CISO’s responsibilities include, but are not limited to:
a. Overseeing and implementing an enterprise Information Security program in
accordance with Corporate Information Security Policies, Standards, guidance and
initiatives;
b. Serving as primary enterprise contact for all information security concerns;
c. Facilitating vendor assessments and Information Security Agreements (ISAs) as
outlined in the Information Security – Vendor Information Security Agreement Policy,
IS.SEC.008;
d. Working with business units and business owners to identify areas of non-compliance
with Information Security Standards and to develop and document mitigation plans
and Risk Acceptance strategies as defined in the Information Security Risk
Acceptance and Accountability Policy, IS.SEC.009;
e. Leading and driving the enterprise-wide Information Security (IS) program;
f. Identifying, developing, implementing, and monitoring Information Security
initiatives;
g. Serving as liaison for all DISOs on all Information Security initiatives, issues, and
projects, including, but not limited to, all responsibilities listed in DISO duties;
h. Overseeing and directing security work performed by DISOs; and
i. Working with the Chief Ethics & Compliance Officer to ensure alignment between
information security and Company compliance requirements.
REFERENCES:
1. Health Insurance Portability and Accountability Act, Security Standards for the Protection of
Electronic Protected Health Information
2. Payment Card Industry – PCI DSS v2 – 12.5 Information Security Policy – Information Security
Management
3. Information Security – Program Requirements Policy, IS.SEC.001
4. Information Security – Security Committees Policy, IS.SEC.007
5. Information Security – Vendor Information Security Agreement Policy, IS.SEC.008
6. Information Security Risk Acceptance and Accountability Policy, IS.SEC.009
7. IR.RISE.01 – Incident Reporting Standard
8. IR.IRM.01 – Incident Response Procedures Standard
9. WS.SWB.02 – Security Awareness & Training Standard
10. Company Code of Conduct
11. Risk Acceptance Form (RAF)
12. Submitting a RAF