Mountain States Imaging
Document Scanning Services
Imaging & Records Management
Thursday, March 11, 2010
 
 
 
Mountain States Imaging Security Policies

Program Policy and Policy Governance

1.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Mountain States Imaging, LLC, including all personnel affiliated with third parties.
2.0 Policy Statement
The purpose of this policy is to define the means by which subsequent policies in this document will be carried out, enforced, and altered.
3.0 Policy
3.1 Enforcing Policies
1. All affiliates of Mountain States Imaging, LLC within the scope of this policy, including all employees, will be required to read, understand, and agree to adhere to the policies laid out in this document as a prerequisite for employment or for the completion of business dealings with Mountain States Imaging, LLC.
2. Deviation from these policies may be cited as cause for disciplinary action, up to and including termination of employment or breach of contract. If an employee is observed violating United States or Colorado state law, relevant authorities will be notified.
3. This document will be made available to employees at all times, on the company intranet and in printed copies.
3.2 Dealing with Policy Deviations
All deviations from the policies laid out in this document should be reported as soon as possible to the ranking supervisor. Employees will be reprimanded on a per-case basis.
Even if the infraction is minor, or was necessary, and the individual responsible does not need to be reprimanded, the deviation should still be reported; a repeated violation of a particular policy may be grounds for an amendment or alteration of portions of that policy.
3.3 Policy governance
Employees with concerns over portions or the entirety of the policies outlined in this document may make their concerns known at any time, preferably at regularly scheduled staff meetings.
Any and all potential changes to the policies herein will be discussed and voted on by the heads of the IT department and Board of Directors.

Information and Resource Classification Policy

1.0 Scope
This policy applies to all documents owned by Mountain States Imaging, LLC, including documents submitted by employees and affiliates at the time of their hiring.
2.0 Policy Statement
The purpose of this data classification policy is to provide a system for protecting information that is critical to the organization. All workers who may come into contact with confidential information are expected to familiarize themselves with this data classification policy and to consistently use it.
3.0 Policy
The organization's data classification system has been designed to support the need to know so that information will be protected from unauthorized disclosure, use, modification, and deletion. Consistent use of this data classification system will facilitate business activities and help keep the costs for information security to a minimum.
Without the consistent use of this data classification system, the organization unduly risks loss of customer relationships, loss of public confidence, internal operational disruption, excessive costs, and competitive disadvantage.
Applicable Information:
This data classification policy is applicable to all information in Mountain States Imaging's possession. For example, medical records on patients, confidential information from suppliers, business partners and others must be protected with this data classification policy. No distinctions between the words data, information, knowledge, and wisdom are made for purposes of this policy.
3. Consistent Protection
Information must be consistently protected throughout its life cycle, from its origination to its destruction. Information must be protected in a manner commensurate with its sensitivity, regardless of where it resides, what form it takes, what technology was used to handle it, or what purpose(s) it serves. Although this policy provides overall guidance, to achieve consistent information protection, workers will be expected to apply and extend these concepts to fit the needs of day-to-day operations.
3.1 Classification Labels
Public: This classification applies to information that is available to the general public and intended for distribution outside the organization. This information may be freely disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.
For Internal Use Only: This classification applies to all other information that does not clearly fit into the other classifications. The unauthorized disclosure, modification or destruction of this information is not expected to seriously or adversely impact the organization, its patients, its employees, or its business partners. Examples include the company telephone directory, new employee training materials, and internal policy manuals.
Confidential: This classification applies to information that is intended for use within the organization. Its unauthorized disclosure could adversely impact the organization, its patients, its employees and its business partners. Information that some people would consider private is included in this classification. Examples include medical information (except that which is restricted confidential), patient medical charts, appointment schedules, patient account records, department financial data, purchasing information, vendor contracts.
Restricted Confidential: This classification applies to the most sensitive medical and business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its patients, its employees and its business partners. Examples include statutorily protected medical information such as mental health treatment, HIV testing, sexually transmitted diseases, abortion, and alcoholism or substance abuse treatment data. Other examples are merger and acquisition documents, corporate level strategic plans, and litigation strategy memos.

Password Management Policy

1.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Mountain States Imaging, LLC facility, has access to the Mountain States Imaging, LLC network, or stores any non-public Mountain States Imaging, LLC information.
2.0 Policy Statement
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
3.0 Policy
3.1 General
· All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
· All production system-level passwords must be part of the MSI IT DEPARTMENT administered global password management database.
· All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
· User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
· Passwords must not be inserted into email messages or other forms of electronic communication.
· Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
· All user-level and system-level passwords must conform to the guidelines described below.
3.2 Guidelines
A. General Password Construction Guidelines
Passwords are used for various purposes at Mountain States Imaging, LLC. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
· The password contains fewer than eight characters
· The password is a word found in a dictionary (English or foreign)
· The password is a common usage word such as:
o Names of family, pets, friends, co-workers, fantasy characters, etc.
o Computer terms and names, commands, sites, companies, hardware, software.
o The words "Mountain States Imaging, LLC", "sanjose", "sanfran" or any derivation.
o Birthdays and other personal information such as addresses and phone numbers.
o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
o Any of the above spelled backwards.
o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
· Contain both upper and lower case characters (e.g., a-z, A-Z)
· Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
· Are at least eight alphanumeric characters long.
· Are not a word in any language, slang, dialect, jargon, etc.
· Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use either of these examples as passwords!
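The construction guidelines above can be checked mechanically when a password is set. The following Python sketch is an added example, not part of the Mountain States Imaging policy; the function names are hypothetical and the word list is a small constructed stand-in for a real dictionary.

```python
import string

# Constructed stand-in word list (assumption): a real deployment would load a
# full dictionary plus names, computer terms and organization-specific words.
WORDLIST = {"secret", "password", "mountain", "imaging", "sanjose", "sanfran"}
# Word and number patterns quoted in the policy.
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
# The policy's own sample passwords, which its NOTE says must not be used.
PUBLISHED_EXAMPLES = {"TmB1w2R!", "Tmb1W>r~"}


def _is_listed(word):
    """True if the word, or the word spelled backwards, is listed."""
    banned = WORDLIST | PATTERNS
    return word in banned or word[::-1] in banned


def policy_violations(password):
    """Return the construction guidelines a candidate password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case characters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a punctuation character")
    if password in PUBLISHED_EXAMPLES:
        problems.append("sample password published in the policy")
    # Compare case-insensitively, also with one leading or one trailing digit
    # removed ("secret1", "1secret").
    low = password.lower()
    candidates = {low}
    if low[:1].isdigit():
        candidates.add(low[1:])
    if low[-1:].isdigit():
        candidates.add(low[:-1])
    if any(_is_listed(c) for c in candidates):
        problems.append("listed word or pattern, or a simple variation")
    return problems


if __name__ == "__main__":
    for candidate in ("secret1", "1terces", "Sanfran9", "TmB1w2R!", "cV7#pLq2!m"):
        print(candidate, "->", policy_violations(candidate) or "passes")
```

The last candidate in the demo loop is a constructed sample that satisfies every rule; like the policy's own examples, it should not be used as a real password.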
B. Password Protection Standards
Do not use the same password for Mountain States Imaging, LLC accounts as for other non-Mountain States Imaging, LLC access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Mountain States Imaging, LLC access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account. Do not share Mountain States Imaging, LLC passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential Mountain States Imaging, LLC information.
Here is a list of "don’ts":
· Don't reveal a password over the phone to ANYONE
· Don't reveal a password in an email message
· Don't reveal a password to the boss
· Don't talk about a password in front of others
· Don't hint at the format of a password (e.g., "my family name")
· Don't reveal a password on questionnaires or security forms
· Don't share a password with family members
· Don't reveal a password to co-workers while on vacation
If someone demands a password, refer them to this document or have them call someone in the Information Security Department.
Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.
If an account or password is suspected to have been compromised, report the incident to MSI IT DEPARTMENT and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by MSI IT DEPARTMENT or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
C. Application Development Standards
Application developers must ensure their programs contain the following security precautions.
Applications:
· should support authentication of individual users, not groups.
· should not store passwords in clear text or in any easily reversible form.
· should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
· should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.

 

©   2000-2010 Mountain State Imaging, LLC.
All Rights Reserved

1-866-771-3750