30.1 General
1. The healthcare organization shall establish and maintain a documented Information Security Management (ISM). This shall address the assets to be protected, the healthcare organization’s approach to risk management, the control objectives and controls, and the degree of assurance required.
2. The ISM policy shall be established and maintained. The policy shall be reviewed regularly, and whenever significant changes occur, to ensure it remains appropriate.
3. The ISM policy shall be approved by top management, published, and communicated, as appropriate, to all employees.
30.2 Outsourcing
1. When the responsibility for information processing has been outsourced to another organization, the healthcare organization shall maintain the security of information.
2. The security requirements of the healthcare organization outsourcing the management and control of all or some of its information systems, networks and/or desktop environments shall be addressed in a contract agreed between the parties.
30.3 Equipment Security
1. Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
2. Security procedures and controls shall be used to secure equipment used outside an organization’s premises.
3. Information shall be erased from equipment prior to disposal or re-use.
4. Organizations shall have and implement a clear desk and a clear screen policy in order to reduce the risks of unauthorized access, loss of, and damage to information.
30.4 Access Control
1. The requirements for access control shall be defined and documented, and access shall be restricted to what is defined in the access control policy.
2. There shall be a formal user registration and de-registration procedure for granting access to all multi-user information systems and services.
3. The allocation and use of privileges shall be restricted and controlled.
4. The allocation of passwords shall be controlled through a formal management process.
5. Users shall be required to follow good security practices in the selection and use of passwords.
6. Users shall be required to ensure that unattended equipment has appropriate protection.
NOTE 1 The allocation of passwords should be controlled through a formal management process, the approach of which should:
a) require users to sign a statement to keep personal passwords confidential and work group passwords solely within the members of the group (this could be included in the terms and conditions of employment);
b) ensure, where users are required to maintain their own passwords, that they are provided initially with a secure temporary password which they are forced to change immediately;
c) avoid the use of third parties or unprotected (clear text) electronic mail messages for communicating passwords, and require users to acknowledge receipt of passwords;
d) ensure that passwords are never stored on a computer system in an unprotected form.
30.5 Business Continuity Management
1. In order to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters, the healthcare organization shall develop a managed process for business continuity.
2. A strategy plan, based on appropriate risk assessment, shall be developed for the overall approach to business continuity.
3. Plans shall be developed to maintain or restore business operations in a timely manner following interruption to, or failure of, critical business processes.
NOTE 1 A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.
NOTE 2 The consequences of disasters, security failures and loss of service should be analyzed. Contingency plans should be developed and implemented to ensure that business processes can be restored within the required timescales. Such plans should be maintained and practiced to become an integral part of all other management processes. Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.