Computer And Information Security Standards-Books Pdf

Computer and information security standards
08 Apr 2020 | 100 Pages | 1.55 MB

Transcription

Computer and information security standards
For general practices and other office based practices. Second edition.

The Computer and information security standards provide guidance to assist general practices comply with professional and legal obligations and are designed to make compliance with best practice information security easier.

Disclaimer

The Computer and information security standards and accompanying Computer and information security templates (each a publication) are copyright to The Royal Australian College of General Practitioners (RACGP), ABN 34 000 223 807. The information set out in each publication has been sourced from providers believed to be reputable and reliable. The information was current as at the date of first publication; however, the RACGP recognises the changing and evolving nature of medicine and does not warrant these publications are or will remain accurate, current or complete. Nor does the RACGP make any warranties of any kind, expressed or implied, including as to fitness of purpose or otherwise. Instead, the information is intended for use as a guide of a general nature only and may or may not be relevant to particular patients, conditions or circumstances. Acting in accordance with the information in the publications cannot and does not guarantee discharge of any duty of care owed. Persons acting on information contained in the publications must at all times exercise their own independent skill and judgement and seek appropriate professional advice where relevant and necessary.

Whilst the text is primarily directed to health professionals, it is not to be regarded as professional advice and must not be considered a substitute for seeking that professional advice relevant to a person's circumstances, nor can it be regarded as a full consideration of particular circumstances faced by the user based on then current knowledge and accepted practices.

The RACGP accepts no liability to anyone in relation to the publications for any loss or damage, including indirect, special or consequential damages, cost or expense incurred or arising by reason of any person using or relying on the information contained in the publications, whether caused by reason of any error, any act or omission, whether negligent or not, or any inaccuracy or misrepresentation in the information in each publication.

Published by The Royal Australian College of General Practitioners, 100 Wellington Parade, East Melbourne VIC 3002, Australia. Tel 03 8699 0414, Fax 03 8699 0400, www.racgp.org.au
ISBN 978 0 86906 349 1. First published 2011. Second edition 2013.
© 2013 The Royal Australian College of General Practitioners.
Healthy Profession, Healthy Australia

Acknowledgements

This edition of The Royal Australian College of General Practitioners (RACGP) Computer and information security standards (CISS) and the accompanying Computer and information security templates have been developed by the RACGP.

The RACGP gratefully acknowledges the following people who were involved in the development, review and writing of this version of CISS:
- Dr Patricia Williams PhD, eHealth Research Group, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia
- Members of the RACGP Computer and Information Security Standards Taskforce.

This project has been funded by the Australian Government Department of Health and Ageing.

The information security compliance indicators for each Standard have been adapted from the work of Dr Patricia Williams, Capability Maturity Matrix for Medical Information Security (Williams PAH. A practical application of CMM to medical security capability. Information Management and Computer Security 2008;16:58-73). The intellectual property relating to these capability matrices remains the property of Dr Patricia Williams.

Contents

Preamble
How to use the Standards
The Standards
Compliance checklist for computer and information security
Section 1: Standard 1 Roles and responsibilities
Section 2: Standard 2 Risk assessment
Section 3: Standard 3 Information security policies and procedures
Section 4: Standard 4 Managing access
Section 5: Standard 5 Business continuity and information recovery
Section 6: Standard 6 Internet and email usage
Section 7: Standard 7 Information backup
Section 8: Standard 8 Malware, viruses and email threats
Section 9: Standard 9 Computer network perimeter controls
Section 10: Standard 10 Mobile electronic devices
Section 11: Standard 11 Physical facilities and computer hardware, software and operating system
Section 12: Standard 12 Security for information sharing
Glossary of computer and information security terms
Appendix A: List of related standards, principles and legislation
Appendix B: National eHealth system security requirements
Appendix C: Data incident breach report

Preamble

Background

In Australian general practice, the use of clinical desktop systems and the electronic management of information have become vital tools in the delivery of safe and high quality healthcare and good practice management. Secure computer and information management systems are essential for the necessary protection of business and clinical information and are therefore critical to the provision of safe, high quality healthcare and the efficient running of a general practice.

Implementing appropriate computer and information security can be challenging, and general practice has specific requirements to consider. Finding the right IT support and a technical service provider with appropriate security expertise who understands the business of delivering healthcare in the general practice environment can be difficult. To help general practices meet these challenges, the RACGP developed the first edition of the Computer and information security standards in 2011.

This second edition of the RACGP Computer and information security standards (CISS) takes into account developments such as:
- increased use of laptops, remote access devices (e.g. personal digital assistants (PDA), tablet devices), USB flash drives and removable hard drives, and wireless (Wi-Fi) connections
- widespread uptake of broadband internet and secure messaging, and particularly the implementation of the national eHealth record system and the Healthcare Identifier Service, which underpin many of the e-health initiatives.

Improving computer and information security in your practice requires adapting to an evolving technical environment, fostering awareness of contemporary security issues, and monitoring and improving your security protection processes.

Computer and information security is not optional: it is essential. It should be considered a fixed cost of doing business that requires financial and human resources being allocated to ensure the protection of information assets.

The purpose of the CISS

This second edition of CISS incorporates changes to Australian legislation and the Office of the Australian Information Commissioner directives, including legislative requirements for a national eHealth record system (the personally controlled electronic health record (PCEHR) system).

The Standards are designed to assist general practices and other office based healthcare organisations to meet their professional and legal obligations in computer and information security.

Information security obligations

Computer and information security is not optional; it is an essential professional and legal requirement for using computer systems in the delivery of healthcare.

The Standards address the legal and professional obligations in computer and information security in core areas.

Information management processes

Managing the use and ongoing availability of information requires fundamental information security processes such as:
- backup procedures that are documented and tested: it is important to ensure that the backup system functions correctly and that data can be restored promptly if there is an incident such as a server failure
- business continuity and information recovery planning: documented business continuity plans that include information recovery procedures are essential to maintaining information availability, so that in the event of an information disaster there is an adequately planned response and potential loss or corruption of information is minimised. These plans detail how to maintain the critical functions of the business when there is an unexpected system event
- access control and management: control of who has access to business and clinical information is essential to the protection of all practice data. Access management (password and/or biometrics) ensures accountability; without this it can be difficult to ascertain who has entered or altered data. Without these controls the practice is vulnerable to unauthorised information.

Risk analysis

It is important to understand the security risks and threats to business and clinical information. This includes the requirement for effective information security practices by identifying gaps in security and implementing strategies to lessen security risks. Ensuring the security of information held in practice systems is essential to the running of a general practice, to maintaining professional responsibilities to patients, and to ensuring that practice information is accurate and available when it is needed.

Security governance

Governance implies accountability, responsibility, monitoring and reporting to demonstrate legal and ethical compliance to sound information security, and to ensure that all computer and information security processes are documented and followed. To enable this, responsibility should be allocated to one or more staff in the practice. Staff who are allocated this responsibility should coordinate security related activities and assist in identifying the need for external technical service providers and when it is appropriate to engage their services. Computer and information security requires regular attention at a practice level, and the practice team need to be aware of their responsibility in protecting practice information.

Organisational governance

To contribute to good practice governance, practice principals/owners should be able to answer the following questions:
- What are the legal and professional requirements for the protection of the information for which the practice is custodian?
- What capabilities does the practice have in terms of security knowledge and expertise?
- Who makes the decisions about the security protections to be put in place?
- What processes are in place to assist in decision making regarding the use of the information for purposes other than what it was collected for (for example, providing health information to external organisations for research or population planning: secondary use)?

Developing a security culture

It is beneficial to promote a security culture within the practice. This includes educating the practice team about the risks to the practice information systems and the maintenance of practice policies that direct staff in their management of security risks.

Format of CISS

There are three components to CISS.

1. Compliance checklist
This checklist is designed to help practices determine whether the practice has established and maintained reasonable computer and information security measures to protect the security of clinical and business information on an ongoing basis.

2. Twelve computer and information security standards
For each Standard there is:
- a user friendly compliance indicator matrix
- explanatory notes for each compliance indicator. The explanatory notes are designed to explain each Standard and the actions required to minimise potential risks to computer and information systems.

3. Templates
The accompanying templates consist of sample tables and forms to assist practices to develop and record their own policies and procedures for computer and information security.

CISS describes professional and legal obligations for computer and information security and details policies and procedures designed to help general practices protect their computer and information.

These Standards have been developed in accordance with recognised best practice and are aligned with the requirements of international and Australian standards, current Australian legislation and legislative instruments, the National Privacy Principles and national standards in health information security (see Appendix A).

The computer and information security requirements that relate to the Healthcare Identifier Service and participation in the national eHealth record system have been included in this edition of CISS.

Out of scope

The Standards do not cover separate issues such as patient access to their own health information, patient identification, personal identification and validation of the Individual Healthcare Identifier, or the content of patient health records.

The Standards also do not cover all the necessary technical aspects of computer and information security. It is generally assumed practices will engage expert technical advice and support to establish and maintain computer and information security on a day to day basis.

The Standards are not designed to impose new professional obligations over and above recognised best practice.

Compliance with Australian legislation

The Standards are aligned with relevant legislation, including the following.

Privacy Act and National Privacy Principles

The Privacy Act 1988 (Cwlth) and National Privacy Principles stipulate that reasonable steps must be taken to protect and secure personal information, which includes personal health information. Reasonable steps are explained further by the Office of the Australian Information Commissioner (OAIC). When investigating compliance, the OAIC considers the reasonable steps that were taken to protect the information and whether those steps were reasonable in the circumstances, including the processes followed if a privacy breach occurred.

Reasonableness is considered in relation to the organisational context and the context in which the information is collected and used. Health information is regarded as sensitive information by the OAIC, and there is an expectation that such information will be given a higher level of protection than non-sensitive information. See the OAIC website, www.oaic.gov.au.

The Standards are designed to help practices meet the requirements for the OAIC definition of reasonable steps.

Healthcare Identifiers Act and Personally Controlled Electronic Health Records Act

To participate in the Australian national eHealth record system (also known as the PCEHR system), practices must comply with the Healthcare Identifiers Act 2010 (Cwlth), the Personally Controlled Electronic Health Records Act 2012 (Cwlth) and the PCEHR Rules 2012. The PCEHR system Participation Agreement that practices must agree to prior to using the eHealth record system is derived from this legislation and consequently incorporates compliance with these Acts. There are many requirements of a participating healthcare organisation pursuant to the PCEHR system legislation and the related Participation Agreement.

The Standards are designed to help practices meet the requirements of the national eHealth record system; further detail is in Appendix B.

Terminology

The terminology used in CISS is designed to enhance the clarity of the text.

Availability of information: Information is available and accessible to authorised individuals when it is needed.
Confidentiality: The non-disclosure of information except to another authorised person, or the act of keeping information secure.
Health information: All health information and health data about a patient that is collected during a consultation with a health professional.
Integrity of information: Maintaining the accuracy and consistency of information, which requires that only authorised people can modify the information.
Organisation: Any healthcare organisation operating in the Australian primary healthcare sector.
Practice team: All members of a general practice, including clinicians and non-clinicians, working in the Australian primary healthcare sector, whether as a solo practitioner, a member of a single discipline practice team or a member of a multidisciplinary practice team.
Privacy: A person's privacy is maintained by control over what and how information is disclosed.

Implementation and review

This edition of CISS was published in June 2013 and will be reviewed by the RACGP from time to time in consultation with key stakeholders.

How to use the Standards

The Standards are designed to assist practices to meet their legal and professional obligations in protecting computer and information systems. The diagram below shows the step by step cyclical process for using these Standards to achieve best practice in maintaining computer and information.

1. Use compliance checklist: Assess the status of your current information security and risk analysis against all 12 Standards. Address identified risks in decreasing order of importance.
2. Assess compliance indicators for each Standard: Use the compliance indicators to assess the level of information security your practice is at for each Standard.
3. Use explanatory notes and implement policy for each Standard: Refer to explanatory notes for advice on each Standard. Implement processes and procedures to meet policy requirements.
4. Use associated templates to implement each Standard: Use templates to assist in developing and recording policies and procedures.

The Standards

Standard 1 Roles and responsibilities
Our practice has designated practice team members for championing and managing computer and information security, and these practice team members have such roles and responsibilities documented in their position descriptions.

Standard 2 Risk assessment
Our practice undertakes periodic structured risk assessments of computer and information security and implements improvements as required.

Standard 3 Information security policies and procedures
Our practice has documented policies and procedures for managing computer and information security.

Standard 4 Managing access
Our practice establishes and monitors authorised access to health information.

Standard 5 Business continuity and information recovery
Our practice has documented and tested plans for business continuity and information recovery.

Standard 6 Internet and email usage
Our practice has processes in place to ensure the safe and proper use of internet and email in accordance with practice policies and procedures for managing information security.

Standard 7 Information backup
Our practice has a reliable information backup system to support timely access to business and clinical information.

Standard 8 Malware, viruses and email threats
Our practice has reliable protection against computer malware and viruses.

Standard 9 Computer network perimeter controls
Our practice has reliable computer network perimeter controls.

Standard 10 Mobile electronic devices
Our practice has processes in place to ensure the safe and proper use of mobile electronic devices in accordance with practice policies and procedures for managing information security.

Standard 11 Physical facilities and computer hardware, software and operating system
Our practice manages and maintains our physical facilities and computer hardware, software and operating system with a view to protecting information systems.

Standard 12 Security for information sharing
Our practice has reliable systems for the secure electronic sharing of confidential information.

Compliance checklist for computer and information security

This compliance checklist is designed to help general practices assess, achieve and sustain compliance with the 12 Standards that comprise good practice in computer and information security. This checklist is a guide only and does not describe the complete list of security activities that should be undertaken.

If you are unsure whether your practice complies with a particular Standard, then you should tick 'no' and focus on relevant risk mitigation activity until you are sure.

Standard / Compliance indicators / Yes / No

Standard 1 Roles and responsibilities
Do you have designated practice team members for championing and managing computer and information security, and do these practice team members have such roles and responsibilities documented in their position descriptions?
This will include a written policy that is communicated to practice team members, the assignment and training of a Computer Security Coordinator, the assignment and training of the Responsible Officer and Organisation Maintenance Officer, and the national eHealth record system training where applicable.

Standard 2 Risk assessment
Have you undertaken a structured risk assessment of information security and identified improvements as required?
This will include recording assets in the practice, a threat analysis, reporting schedule and data breach recording procedures.

Standard 3 Information security policies and procedures
Do you have documented policies and procedures for managing computer and information security?
This will include a policy to cover each Standard. It will also include practice team and external service provider agreements and, where applicable, an eHealth records system policy.

Standard 4 Managing access
Do you have well established and monitored authorised access to health information?
This will include a clearly defined and communicated policy that contains direction on access rights, password maintenance, password management, remote access controls and auditing, and appropriate software configuration.

Standard 5 Business continuity and information recovery
Do you have documented and tested plans for business continuity and information recovery?
This will include tested, practical and implementable business continuity and information recovery plans to ensure business continuation and prompt restoration of clinical and business information systems.

Standard 6 Internet and email usage
Do you have processes in place to ensure the safe and proper use of internet and email in accordance with practice policies and procedures for managing information security?
This will include details of configuration and usage of the internet and email, together with practice team education in good internet and email use.
