Policy
United States Federal Code on Computer Crimes: Cyber Security Enhancement Act 2002
Enforces life sentences for hackers who recklessly endanger the lives of others, specifically transportation systems, power companies, or other public services or utilities.
18 U.S.C. § 1029 Fraud and Related Activity in Connection with Access Devices
18 U.S.C. § 1030 Fraud and Related Activity in Connection with Computers
18 U.S.C. § 1362 Communication Lines, Stations, or Systems
18 U.S.C. § 2510 Wire and Electronic Communications Interception and Interception of Oral Communications
18 U.S.C. § 2701 Stored Wire and Electronic Communications and Transactional Records Access
6.11.3 Crimes and Criminal Procedure Section 1029 Subsection (a)
HIPAA Business Associates Agreements and Outsourcing Issues.
HIPAA’s requirements with respect to business associates are directly relevant to companies and vendors who enter into an outsourcing relationship. HIPAA mandates numerous precautions, restrictions, and obligations of which the vendor as a business associate must be aware. The vendors must agree to comply with the same stringent confidentiality or security requirements and transfer restrictions as those that the HIPAA Rules impose on their clients that are covered entities. For example, being able to respond, within the regulatory time frames, to a patient’s request for an accounting of the disclosures of the patient’s information in the vendor’s custody would require having in place the technology, structure, and personnel necessary to handle the request.
A vendor that offers services to HIPAA-covered entities should take into account the requirements, restrictions, and obligations set forth in the HIPAA Privacy Rule and Security Rule before preparing a proposal for outsourcing services. However, the customer should ensure that the vendor will be able to assist in the compliance, respond to the
List of HIPAA Access Control Policy
List of Health Insurance Portability and Accountability Act (HIPAA) Access Control Policy:
1. Internal network resources, which can all be grouped together.
If a specific resource such as a file share or database requires additional authentication, then this takes place when a user accesses the resource. The only exception to this policy of grouping all resources is a set of HR applications that only a small set of external users is authorized to access. Note that these users may not access the other internal resources that other users can access.
2. List the groups or users.
Most users are in one main group that has network connectivity to all internal resources. A smaller group is composed of external users that have access to the set of HR applications mentioned in the previous step.
3. List the conditions under which the resources should be accessible by the groups.
There are several conditions for accessing resources:
HIPAA Continuity and Contingency Planning Requirements
The HIPAA (Health Insurance Portability and Accountability Act) standard requires covered entities to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, or natural disaster) that damages systems containing electronic protected health information. The Contingency Plan standard includes five implementation specifications:
1. Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
2. Disaster Recovery Plan
Establish (and implement as needed) procedures to restore any loss of data.
Information Security Policy Assessment Checklist
1. Is there an executive directive/statement to ensure there is an information security architecture that includes risk, governance, ethics, compliance, privacy, and protection of enterprise assets? Are enterprise roles, responsibilities, and accountabilities defined? Are the executive team and the board of directors on the same page?
2. Are there data/information requirements stating that it must be available, accessed by need to know or have, and in the most accurate format?
3. Are staff required to acknowledge policies on new hire and termination, and at regular intervals? Are the staff types of enterprise network access defined? Is an enterprise asset defined?
4. What types of services and applications are permitted on the enterprise network, who is permitted to perform the installs and removals, and who is permitted to perform the monitoring? How are connections (hardwired, wireless, remote) defined to the enterprise network?