##TODO - determine necessary aspects of Policy
Pact is committed to ensuring all workforce members actively address security and compliance in their roles at Pact. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
- 02.e - Information Security Awareness, Education, and Training
- 06.e - Prevention of Misuse of Information Assets
- 07.c - Acceptable Use of Assets
- 08.j - Controls Against Malicious Code
- 01.y - Teleworking
- 164.308(a)(5)(i) - Security Awareness and Training
- All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
- All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
- The Pact Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices and social media usage.
- Catalyze does not allow mobile devices to connect to any of its production networks.
- All workforce members are educated about the approved set of tools to be used with PHI on workstations.
- All new workforce members are given HIPAA training within 60 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for Pact and its Customers and Partners.
- All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of VPN tunnels for all access to production systems with access to ePHI data.
##Not sure about this - is this necessary?
- All Catalyze-purchased and -owned computers are to display this message at login and when the computer is unlocked: This computer is owned by Catalyze, Inc. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://catalyze.io/policy/) and have completed this training (https://training.catalyze.io/). Please contact us if you have problems with this - [email protected].
##TODO - this is really cumbersome, necessary?
- Access to internal Catalyze systems can be requested using this form. All requests for access must be granted to the Catalyze Security Officer.
- Request for modifications of access for any Catalyze employee can be made using this form.