Operational Policy
A security policy is a document that states how an organization protects its assets from external and internal threats. It sets the stage for secure control of information: it is the "who does what to whom and when" document, and it reflects leadership's commitment to protecting information. A security policy must identify all of the organization's assets as well as the potential threats to those assets. Employees need to be kept up to date on the organization's security policies, and the policies themselves should be reviewed and updated regularly. As a future information security professional, one must understand and abide by the rules and regulations outlined in the security policies. The security policy must establish a culture of trust and make clear that employees can expect to be treated according to fair business practices.
Laws, Regulations and Standards
Information security law is the body of legal rules, codes, and standards that require an organization to protect information, and the information systems that process it, from unauthorized access. The legal risks are potentially significant if the organization does not take a pragmatic approach.
Regulations
Mandatory rules or standards adopted by government administrative agencies to interpret, implement, and enforce laws. Regulations are legally enforceable. HIC, Inc. is a covered entity, meaning an organization that handles health information according to the government classification, and is therefore bound by the laws protecting electronic health records (EHRs).
Standards
An established industry norm or method, which can be a procedural standard or a technical standard implemented organization-wide
Laws
Rules that mandate or prohibit behavior, enforced by a governing authority (courts). Laws carry the sanctions of a governing authority; ethics do not.
Ethics
Rules that define socially acceptable behavior; violating them is not necessarily criminal, and they are not enforced by an authority or the courts.
Compliance
HIC, Inc., as a health organization, is bound to comply with a number of different laws, regulations, and standards. The following five are treated here as the minimum set: HIPAA, HITECH, PCI-DSS, SOX and COBIT.
HIPAA
Health Insurance Portability and Accountability Act of 1996. HIPAA is a law passed by the US Congress. The HIPAA Privacy Rule requires health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI: paper, oral, and electronic. Furthermore, only the minimum health information necessary to conduct business is to be used or shared. The required safeguards are administrative, physical, and technical. By the same token, the Security Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form, and requires that they "must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit".
HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology, specifically the use of electronic health records (EHRs) by health care providers. It also extended HIPAA's privacy and security obligations directly to business associates and introduced breach notification requirements for PHI.
PCI-DSS
Payment Card Industry Data Security Standard
PCI-DSS is a standard that HIC, Inc. must comply with for credit card processing; it is imposed contractually by the card brands and acquiring banks rather than by statute, but non-compliance carries fines and the loss of the ability to process cards. It is assumed here that HIC, Inc. will process credit card transactions for those patients who pay using credit cards.
Sarbanes-Oxley (SOX)
SOX is about how a company reports its earnings; it is more about financial transparency (public disclosure to investors). HIC, Inc. should adopt SOX's internal-control requirements in order to improve the quality of its financial reporting; if HIC, Inc. is publicly traded, compliance is mandatory.
COBIT
COBIT is a framework for the governance and management of enterprise IT created by ISACA, formerly known as the Information Systems Audit and Control Association. It is aimed at improving the efficiency of IT operations and reducing cost, so HIC, Inc. should adopt this framework to streamline its operations.
Reference
U.S. Department of Health & Human Services (n.d.). Summary of the HIPAA Security Rule. Retrieved from the hhs.gov website:
https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Privacy Policy
Today HIC, Inc. creates, collects, processes, and stores various forms of data from its patients, employees, third-party firms, partners, and contractors. HIC, Inc. must address privacy because it deals with sensitive and confidential information. The HIC, Inc. privacy policy covers areas such as PHI, employee records, internal systems, corporate mobile devices (smartphones and laptops), laws and regulations, handling of customer information, consequences for violating the policy, and reporting of a security breach. As a first step, HIC, Inc. will identify the information that needs privacy protection; this requires an in-depth analysis of the information life cycle. For example, HIC, Inc. must know when the information was created, consumed, or shared, and what the original intended purpose for its creation was. In the next step, HIC, Inc. will categorize the information into privacy domains. A privacy domain groups information that is governed by the same privacy rules, so the rules for each set of information can be managed separately. For example, the PHI privacy rules differ from the rules for employee records within HIC, Inc. The following HIC, Inc. privacy domains were established:
HIC, Inc. Privacy Domains
PHI and PII Privacy Domain
- The PHI and PII privacy domain has to do with the collection and handling of Protected Health Information (PHI) and Personally Identifiable Information (PII). Like other health insurance companies, HIC, Inc. uses, stores, maintains, and transmits patient health care information; hence it is required to comply with the privacy regulations of the HIPAA law. Additionally, where PII is collected online from children under 13, HIC, Inc. must comply with the Children's Online Privacy Protection Act (COPPA). HIC, Inc.'s information security team will have access to the PHI and PII privacy domain and the authority to grant access to individuals or groups. As an organization, HIC, Inc. controls the privacy of this data.
Corporate Privacy Domain
- The corporate privacy domain has to do with collecting and handling corporate data such as employee records, HIC, Inc. confidential documents, financial information, meeting minutes, memos, agreements, etc. To the extent that HIC, Inc. offers financial services to its customers, it must also comply with the rules and regulations of the Gramm-Leach-Bliley Act (GLBA). HIC, Inc. controls the privacy of corporate data. HIC, Inc.'s information security team will have access to the corporate privacy domain and the authority to grant or revoke access.
PCI Privacy Domain
- The PCI privacy domain deals with credit card information. HIC, Inc. has pharmacies, gift shops, and cafeterias whose ordering and account-management systems take card payments, so that data must comply with PCI-DSS requirements. HIC, Inc. controls the privacy of cardholder data.
References
CSOL-540 Fall 2019 Readings
Policy Implementation, Enforcement and Compliance
HIC, Inc. has developed mobile device, anti-malware, information classification, and privacy policies. A policy is just a piece of paper; it neither protects against nor detects breaches or attacks unless it is effectively implemented. Well-implemented security policies build brand confidence and help an organization like HIC, Inc. achieve its goals. Poorly implemented security policies lead to breaches, fines, and damage to brand value, and they undermine confidence in the organization.1 HIC, Inc. must ensure that all of the above policies earn employee acceptance, which is critical to success. A good implementation process educates, creates support, and integrates the policy into daily operations. HIC, Inc. must use a standard process that ensures business risks, compliance, and threat vectors are considered in every policy change, which is a best practice.
HIC, Inc. Executive Buy-in & Sponsorship
Without executive management sponsorship, employees are less likely to participate in awareness training or to support policy implementation. Because the security policy applies to all stakeholders and its consequences are significant, leaders must be heavily involved from the very beginning of its development, and that involvement must remain visible throughout. They must also be the first to observe everything the policy prescribes and lead by example; this is critical to encouraging the rest of the employees to follow suit.
Implementation - Training & Awareness Campaign
HIC, Inc. must ensure that all employees are trained on the policies. The training program must be run as a dedicated "training and awareness" campaign whose goal is to ensure that individuals have the tools necessary to implement the security policies. The training must be consistent across the board so that all employees are on the same page, which builds a spirit of teamwork. During the campaign, HIC, Inc.'s management must push for 100% attendance.
The training material and its delivery must be solid and professional. The material must be simple, clear, and engaging for all types of audiences. Each section or chapter should end with questions, e.g.: What new task, tool, or skill did you learn from the program? How will you apply this newly acquired knowledge on the job or in daily life? It is hard to hold employees' attention unless they can connect the training to their own interests. For example, if they learn something interesting about Business Email Compromise (BEC) or real-estate phishing campaigns, they will want to share that knowledge with friends and family.
This program is an ongoing effort that reinforces key security concepts for employees. Additional details:
- Training is to be conducted at least once per year. The following must be taken into account for well-rounded awareness:
- New employees and contractors: trained at the time of hire, before access to data is granted
- Promotion: as employees are promoted to higher roles, security awareness appropriate to the new role must be provided
- All users: at least once per year, all employees must be reminded of the policy through training
- Post-incident: after a major security incident occurs, or when a misunderstanding of the policy is noticed
- Have employees sign the Acceptable Use Policy.
HIC, Inc. must use the following common methods to communicate security policy information to its employees, recording for each method who communicates it and the target audience:
- Newsletters
- Training courses
- Corporate intranet (internal HIC, Inc. website)
- Posters, videos, presentations
Enforcement
Once the initial phase of HIC, Inc.'s awareness and training campaign is complete, enforcement of the IT security policy begins. During enforcement, HIC, Inc.'s InfoSec team and legal team must collaborate and understand each other's domains in order to serve the larger interest of the organization.
Executives play a vital role in enforcing the policies, and the HIC, Inc. CISO is in charge of leading the implementation, compliance, and enforcement of the security policy for HIC, Inc. The policies are enforced through various committees; these committees monitor employee activities, and if those activities do not conform to the policies, management can take action.
Compliance
HIC, Inc. will follow best practice for monitoring IT security policy compliance, which starts with:
- Written policies: HIC, Inc.'s mobile device, anti-malware, information classification, and privacy policies
- Security baseline: build security baselines that implement the policies and apply them to systems. Example: configuring servers to authenticate against Active Directory (AD) and ensuring that passwords meet the standard requirements.
- Monitoring and reporting IT security: to ensure that systems remain compliant with the security baseline, they must be monitored and tracked regularly through automated tools, random audits, and other methods.
- Track and update regulatory and compliance rule changes
- Audit systems regularly after baseline deployment
- Enable automation: check systems against the baseline with tools and scripts
- Manage change
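One way to automate the baseline check in the list above, as an added example that is not part of the HIC, Inc. policy or of any tool the page names: the script below evaluates a Linux server's configuration files against the two example baseline rules, authentication delegated to Active Directory (assumed here to be done through SSSD) and minimum local password requirements, and reports any drift. The baseline values, the domain name corp.hic.example, the host names, and the sample file contents are all assumptions constructed for this example.

```python
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    ok: bool
    detail: str


# Hypothetical baseline values chosen for this example; the policy text gives no numbers.
BASELINE = {
    "PASS_MAX_DAYS": 90,   # /etc/login.defs: maximum password age in days
    "PASS_MIN_LEN": 14,    # /etc/login.defs: minimum password length
    "minlen": 14,          # pwquality.conf: minimum length enforced by pam_pwquality
    "minclass": 3,         # pwquality.conf: distinct character classes required
    "ad_domain": "corp.hic.example",  # assumed AD domain the server must be joined to
}


def parse_settings(text, sep=None):
    """Parse 'NAME value' (login.defs, sep=None) or 'key = value' (pwquality.conf,
    sep='=') lines into a dict of strings, ignoring blank lines and '#' comments."""
    values = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(sep, 1)
        if len(parts) == 2:
            values[parts[0].strip()] = parts[1].strip()
    return values


def _int_setting(values, key, default):
    # Fall back to the default the OS would apply when the key is absent or malformed.
    try:
        return int(values.get(key, default))
    except ValueError:
        return default


def check_password_policy(login_defs_text, pwquality_text):
    """Rules for local password ageing and strength."""
    defs = parse_settings(login_defs_text)
    pwq = parse_settings(pwquality_text, sep="=")
    findings = []
    # Stock login.defs ships PASS_MAX_DAYS 99999 (never expires), so absence counts as that.
    max_days = _int_setting(defs, "PASS_MAX_DAYS", 99999)
    findings.append(Finding("PASS_MAX_DAYS <= %d" % BASELINE["PASS_MAX_DAYS"],
                            max_days <= BASELINE["PASS_MAX_DAYS"], "found %d" % max_days))
    min_len = _int_setting(defs, "PASS_MIN_LEN", 0)
    findings.append(Finding("PASS_MIN_LEN >= %d" % BASELINE["PASS_MIN_LEN"],
                            min_len >= BASELINE["PASS_MIN_LEN"], "found %d" % min_len))
    # pam_pwquality defaults are weak (minlen 8, minclass 0), so a missing key is a failure.
    for key, default in (("minlen", 8), ("minclass", 0)):
        found = _int_setting(pwq, key, default)
        findings.append(Finding("pwquality %s >= %d" % (key, BASELINE[key]),
                                found >= BASELINE[key], "found %d" % found))
    return findings


def check_ad_authentication(sssd_conf_text):
    """Rules: SSSD serves the AD domain and uses AD for both identity and access control."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    domain = BASELINE["ad_domain"]
    listed = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",")]
    findings = [Finding("sssd domains includes %s" % domain, domain in listed, "found %s" % listed)]
    section = "domain/%s" % domain
    for key in ("id_provider", "access_provider"):
        found = cfg.get(section, key, fallback="<missing>")
        findings.append(Finding("%s %s = ad" % (section, key), found == "ad", "found %s" % found))
    return findings


def evaluate(host_files):
    """host_files maps file name -> contents, as a collector would gather them from one host."""
    return (check_password_policy(host_files.get("login.defs", ""), host_files.get("pwquality.conf", ""))
            + check_ad_authentication(host_files.get("sssd.conf", "")))


def is_compliant(findings):
    return all(f.ok for f in findings)


def report(hostname, findings):
    lines = ["%s: %s" % (hostname, "COMPLIANT" if is_compliant(findings) else "DRIFT")]
    lines += ["  [%s] %s (%s)" % ("PASS" if f.ok else "FAIL", f.rule, f.detail) for f in findings]
    return "\n".join(lines)


# Constructed sample configurations (not captured from real hosts).
COMPLIANT_HOST = {
    "login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 14\n",
    "pwquality.conf": "minlen = 14\nminclass = 3\n",
    "sssd.conf": "[sssd]\nservices = nss, pam\ndomains = corp.hic.example\n\n"
                 "[domain/corp.hic.example]\nid_provider = ad\naccess_provider = ad\n",
}
DRIFTED_HOST = {
    "login.defs": "PASS_MAX_DAYS 99999   # distro default: never expires\nPASS_MIN_LEN 5\n",
    "pwquality.conf": "minlen = 8\n",   # minclass left at its weak default
    "sssd.conf": "[sssd]\ndomains = corp.hic.example\n\n"
                 "[domain/corp.hic.example]\nid_provider = ad\naccess_provider = simple\n",
}

if __name__ == "__main__":
    for name, files in (("app01", COMPLIANT_HOST), ("app02", DRIFTED_HOST)):
        print(report(name, evaluate(files)))
```

Run as-is, the script prints app01 as COMPLIANT and app02 as DRIFT with five failed rules, including the access_provider that was switched from ad to simple (a change that silently stops AD group membership from gating logins). In use, a collector would read the three files from each server on a schedule and the DRIFT reports would feed the audit and change-management steps above; a missing key is deliberately scored against the OS default rather than skipped, because an absent setting is how most drift from a baseline actually looks.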
References
CSOL-540 Fall 2019 Readings
Johnson, R. Security Policies and Implementation Issues (Jones & Bartlett Learning Information Systems Security & Assurance), p. 362. Jones & Bartlett Learning, Kindle edition.