DEPARTMENT: Information Security POLICY DESCRIPTION: Information Security Roles and Responsibilities PAGE: 1 of 4 REPLACES POLICY DATED: 6/1/04, 1/15/10 EFFECTIVE DATE: November 1, 2012 REFERENCE NUMBER: IS.SEC.006 APPROVED BY: Ethics and Compliance Policy Committee SCOPE: All Company-affiliated facilities. PURPOSE: To outline information security roles and responsibilities, which establish authority and guidance for each Company-affiliated facility to have a Facility Information Security Official (FISO); for each Company Division to have a Director of Information Security Operations (DISO); and for the Company to have a Chief Information Security Officer (CISO) to meet the requirements of the Company’s and facility’s Information Security Program. Each Company-affiliated facility is required to have an assigned individual whose role is to ensure compliance with Information Security Standards and Policies and oversee the facility’s Information Security program. This is required by the Health Insurance Portability and Accountability Act (HIPAA), Security Standards for the Protection of Electronic Protected Health Information (Security Standards), 45 CFR Parts 160, 162, and 164. POLICY: 1. Each Company-affiliated facility must appoint a Facility Information Security Official (FISO) to implement and oversee the Company and facility Information Security Programs and work to ensure the facility’s compliance with the IT&S Information Security Policies and Standards. The FISO must be notified of all complaints regarding matters of information security that are received by the facility. This role is required by HIPAA Security Rule provisions (see above). 2. A single individual who is appointed as an FISO may serve at multiple facilities as a Zoned, or Market, FISO. A single individual may also serve multiple roles within a facility. For example, a FISO may also serve as a Facility Privacy Official (FPO). 3. Each Company Division must have a Division Information Security Official, or Director of Information Security Operations (DISO) to implement and oversee the Company and Division Information Security Programs; and to oversee and support facilities’ compliance with the IT&S Information Security Policies and Standards. 4. The Company must have a Chief Information Security Officer (CISO) to implement and oversee the Company-wide Information Security Program and serve as the Responsible Executive for Information Security. This role is required by the Payment Card Industry (PCI DSS v2; 12.5 Information Security Policy) requirement for Information Security Management. 9/2012 DEPARTMENT: Information Security POLICY DESCRIPTION: Information Security Roles and Responsibilities PAGE: 2 of 4 REPLACES POLICY DATED: 6/1/04, 1/15/10 EFFECTIVE DATE: November 1, 2012 REFERENCE NUMBER: IS.SEC.006 APPROVED BY: Ethics and Compliance Policy Committee PROCEDURE: Facility Information Security Official (FISO): 1. Each FISO must oversee and implement the Facility’s Information Security Program. The FISO will use Corporate Information Security policies, procedures, standards, and processes provided by Information Security, and follow the direction of the DISO, to implement the Facility Information Security Program. The Facility Information Security Program must include implementation and ongoing maintenance of all components of facility information security (e.g., system security, physical protection of computer systems and related buildings and equipment) as developed by Information Security. 2. The FISO must participate in existing committees, including, but not limited to, the Facility Ethics and Compliance Committee (FECC) and Facility Security Committee (FSC) to facilitate implementation, education and support of the Facility Information Security Program. See the Information Security – Security Committees Policy, IS.SEC.007. 3. The FISO’s responsibilities include, but are not limited to: a. Implementing and overseeing a Facility Information Security Program; b. Serving as primary facility contact for all information security concerns; c. Monitoring security compliance using existing tools as directed by Corporate Information Security; d. In conjunction with the Facility and/or Division IT&S staff, implementing Information Security policies, procedures, standards, and toolkits to ensure facility compliance; e. Ensuring the facility has an ongoing Information Security Training and Awareness Program; f. Ensuring a complete Information Security Incident Response Plan is developed and implemented. Investigate and document all facility Information Security incidents and respond according to Information Security Standards; g. In conjunction with department managers, ensuring appropriate departmental security procedures are in effect which support Information Security requirements; h. Ensuring appropriate physical security process for Information Security assets, including but not limited to, laptop and workstation security, appropriate access to controlled areas, and adequate environmental controls for equipment; i. Working with the Facility Privacy Official to ensure alignment between information security and privacy practices; j. Working with the Ethics & Compliance Officer to ensure alignment between information security and Company compliance requirements; and k. Facilitating any additional Information Security initiatives as directed by the Company. Division Information Security Official or Director of Information Security Operations (DISO): 1. Each DISO must oversee and implement the Division and facilities’ Information Security Programs at the Division level. The DISO will use Corporate Information Security policies, 9/2012 DEPARTMENT: Information Security POLICY DESCRIPTION: Information Security Roles and Responsibilities PAGE: 3 of 4 REPLACES POLICY DATED: 6/1/04, 1/15/10 EFFECTIVE DATE: November 1, 2012 REFERENCE NUMBER: IS.SEC.006 APPROVED BY: Ethics and Compliance Policy Committee procedures, standards, and processes provided by Information Security to implement the Division security program and to oversee and assist the facilities within the Division with the facilities’ security programs. 2. The DISO should utilize existing committees, including, but not limited to, the FSCs and the Division Security Committees (DSCs), to facilitate implementation of the Division and Facilities’ Information Security Programs. 3. The DISO’s responsibilities include, but are not limited to: a. Overseeing and implementing a Division Information Security program in accordance with Corporate Information Security Policies, Standards, guidance and initiatives; b. Serving as primary Division contact for all information security concerns; c. Facilitating vendor assessments and Information Security Agreements (ISAs) as outlined in the Information Security – Vendor Information Security Agreement Policy, IS.SEC.008; d. Working with business units and business owners to identify areas of non-compliance with Information Security Standards and to develop and document mitigation plans and Risk Acceptance strategies as defined in the Information Security Risk Acceptance and Accountability Policy, IS.SEC.009; e. Leading and driving all information security activities within a Division, as a component of the enterprise-wide Information Security (IS) program; f. Identifying, developing, implementing, and monitoring Information Security initiatives; g. Serving as liaison for all FISOs on all Information Security initiatives, issues, and projects, including, but not limited to, all responsibilities listed in FISO duties; h. Overseeing and directing security work performed by FISOs; and i. Working with the Division Ethics & Compliance Officer to ensure alignment between information security and Company compliance requirements. Chief Information Security Officer (CISO): 1. The CISO oversees and implements the company-wide Information Security Program and serves as Responsible Executive for Information Security. The CISO is responsible for all company Information Security policies, procedures, standards, processes, infrastructures, and operations necessary to protect company IT systems and ensure regulatory compliance. In addition, the CISO must oversee and assist business units and facilities with information security and related compliance program implementation. 2. The CISO’s responsibilities include, but are not limited to: a. Overseeing and implementing an enterprise Information Security program in accordance with Corporate Information Security Policies, Standards, guidance and initiatives; 9/2012 DEPARTMENT: Information Security POLICY DESCRIPTION: Information Security Roles and Responsibilities PAGE: 4 of 4 REPLACES POLICY DATED: 6/1/04, 1/15/10 EFFECTIVE DATE: November 1, 2012 REFERENCE NUMBER: IS.SEC.006 APPROVED BY: Ethics and Compliance Policy Committee b. Serving as primary enterprise contact for all information security concerns; c. Facilitating vendor assessments and Information Security Agreements (ISAs) as outlined in the Information Security – Vendor Information Security Agreement Policy, IS.SEC.008; d. Working with business units and business owners to identify areas of non-compliance with Information Security Standards and to develop and document mitigation plans and Risk Acceptance strategies as defined in the Information Security Risk Acceptance and Accountability Policy, IS.SEC.009; e. Leading and driving the enterprise-wide Information Security (IS) program; f. Identifying, developing, implementing, and monitoring Information Security initiatives; g. Serving as liaison for all DISOs on all Information Security initiatives, issues, and projects, including, but not limited to, all responsibilities listed in DISO duties; h. Overseeing and directing security work performed by DISOs; and i. Working with the Chief Ethics & Compliance Officer to ensure alignment between information security and Company compliance requirements. REFERENCES: 1. Health Insurance Portability and Accountability Act, Security Standards for the Protection of Electronic Protected Health Information 2. Payment Card Industry – PCI DSS v2 – 12.5 Information Security Policy – Information Security Management 3. Information Security - Program Requirements Policy, IS.SEC.001 4. Information Security - Security Committees Policy, IS.SEC.007 5. Information Security – Vendor Information Security Agreement Policy, IS.SEC.008 6. Information Security Risk Acceptance and Accountability Policy, IS.SEC.009 7. IR.RISE.01 – Incident Reporting Standard 8. IR.IRM.01 – Incident Response Procedures Standard 9. WS.SWB.02 – Security Awareness & Training Standard 10. Company Code of Conduct 11. Risk Acceptance Form (RAF) 12. Submitting a RAF 9/2012