Computer Security Policies Template

Published on July 2016 | Categories: Documents | Downloads: 52 | Comments: 0 | Views: 235

Computer Security Policies and
Procedures Manual

A Template
1st Edition

Date manual developed:
Date last updated:


CONTENTS
1. STAFF ROLES AND RESPONSIBILITIES
2. ACCESS CONTROL
3. CONSULTING ROOM AND ‘FRONT DESK’ SECURITY
4. DISASTER RECOVERY PLAN
5. ASSET REGISTER
6. BACK-UP AND RESTORING PROCEDURES
7. VIRUS CHECKING
8. FIREWALL
9. MAINTENANCE
10. SECURE ELECTRONIC COMMUNICATION


How to use this template
This document is a template to be completed by the practice computer security coordinator with assistance from other practice staff or a technical support person. It could form a part of the general practice policies and procedures manual.
The template is designed to be completed electronically. It should be used in conjunction with the GPCG computer security guideline and check-list.
1. Save this document on your hard drive.
2. Place your cursor where you want to add information.
3. Where there are not enough boxes you can select the table, copy and paste it.
4. Similarly, where there are not enough rows or lines in a table you can insert additional ones.
5. There may be items that are not relevant to your practice (e.g. you may not have a scanner). These items can be either deleted or left blank in case they are needed in the future.
6. Some examples have been provided in shaded areas to help clarify what you might include in that section.
7. There may be technical information that you do not know. Your technical support person will be able to assist you in completing some sections of the manual.
8. You may wish to import into this manual (by copying and pasting) the policies and procedures proformas and security check-list contained in the GPCG Guideline, which can also be downloaded from the GPCG website.
9. Put the date you complete the document on the front page.
10. Remember to modify the manual when there are changes to staff responsibilities or the computer set-up at the practice. Change the date on the front page to show when the manual was last updated.

Acknowledgement
Full acknowledgement for the GPCG computer security guideline and check-list, of which this
template is a part, can be found in the guideline itself. However, special thanks are due to Ms
Leslie Stanger of the Monash Division as well as several other divisions of general practice that
provided significant input into the design of this template.
A/Prof Peter Schattner
Monash University
February 2004


1. STAFF ROLES AND RESPONSIBILITIES
Practice computer security co-ordinator
Person(s) responsible:

Role:

Responsibilities: (See Appendix A of the GPCG for suggested responsibilities)

Other staff roles and responsibilities
Other staff may also be assigned tasks related to computer security.
Task
e.g. do back-ups
e.g. update software

Person(s) Responsibility

Technical Support
Name

Support for

Contact Details


2. ACCESS CONTROL
Staff should only have access to the system and information required by
their role in the practice. Restricting access reduces the opportunity for
accidents and errors. Staff should be properly trained in the software
before they are given access to it.
All staff should create their own passwords, and should be responsible for
changing them periodically and keeping them secure.

Staff Member
e.g. practice nurse

Program
e.g. name of
prescribing software

Access Level
e.g. clinical information
only or full user access


3. CONSULTING ROOM AND ‘FRONT DESK’ SECURITY
Record the installation of screen savers and/or other automated privacy protection devices (see column three below).

Computer
Screensaver Installed
Shortcut/activation key (this is a function key or combination of keystrokes which, when pressed, will activate the screen saver immediately)


4. DISASTER RECOVERY PLAN
This is a written plan which explains what should be done when the computer system, or any part of it, goes down or does not function properly for some reason.

Step 1: Switch to manual procedures for critical practice functions
For each critical function in the practice there should be a contingency plan so that the practice can continue to operate in the event of a disruption to the computer system. This is the ‘business continuity’ part of the plan. Critical functions can be divided into administrative and clinical ones.
Function 1: e.g. billing patients
Contingency Plan: e.g. swipe Medicare card; e.g. issue manual receipt; e.g. retain copies of all receipts to be entered into the system later
Person Responsible: e.g. receptionist
Function 2:
Contingency Plan:
Person Responsible:
Function 3:
Contingency Plan:
Person Responsible:

Step 2: Make an assessment of the computer problem
Examples might include:
- Writing down any error messages
- Noting anything that has changed since the system last worked correctly
- Checking that all power and network connections are plugged in

Step 3: Perform remedial action (with or without technical support)
This step might involve the restoration of data from the most recent back-up.

Step 4: Test the functionality of all systems
Step 5: Return to normal practice procedures and enter data recorded manually during downtime
Step 6: Assess the reason for the problem and how the recovery was done, update the computer set-up, and document any important lessons

Remedial Action
These are some common computer ‘disaster scenarios’ in general practice. Complete the boxes and add any additional items from your experience.

Immediate Action: Implement contingency plan
Recovery Procedure: e.g.
- Write down any error messages
- Check that no computers are accessing the server
- Reboot the server
- If the server does not reboot correctly:
  - Write down any error messages
  - Call technical support
- If the server does reboot correctly:
  - Check that the last transactions entered are correctly recorded on the system
Person Responsible:

Virus Detected:
Immediate Action:
Recovery Procedure:
Person Responsible:

Power Failure:
Immediate Action:
Recovery Procedure:
Person Responsible:

File Corruption or Loss:
Immediate Action:
Recovery Procedure:
Person Responsible:

Network Problem:
Immediate Action:
Recovery Procedure:
Person Responsible:

5. ASSET REGISTER
Hardware
Computer: server
Server / Computer 1
Name
IP Address
Location
CPU
RAM
HDD
CD/DVD
Internal devices (e.g. modem, network)
External devices (e.g. printer, scanner)
Operating System (OS)
OS Serial Number
Make
Model
Serial Number
Supplier
Cost
Purchase Date
Warranty
Support

Computer 2
(record the same details as for Server / Computer 1)

Computer 3
(record the same details as for Server / Computer 1)

Printer 1 / Printer 2 / Printer 3 (record the following for each)
Name
IP Address
Location
Make
Model
Serial Number
Supplier
Cost
Purchase Date
Warranty
Support

Scanner / Modem / Network Hub / Router (record the following for each)
Name
IP Address
Location
Make
Model
Serial Number
Supplier
Cost
Purchase Date
Warranty
Support

Network
Type (client server, peer to
peer)
IP Address Range
Subnet Mask
Domain / Workgroup
WINS Server IP
DNS Server IP
DHCP Server IP
Gateway
Number of Nodes


Location of Nodes (and Identification); could be cross-referenced to the network diagram
1.
2.
3.

Maintenance Details

Software Database
These are the databases or other files that reside on the server and are accessible by other workstations in the practice.
Shared Database Name: e.g. //Server/C/Program

Network Diagram
If you have a hub and/or router, a network diagram can assist in locating equipment and diagnosing problems. All equipment, including printers, should be shown on the diagram.

Email
Practice email address
Incoming Mail Server
e.g. POP 3
Outgoing Mail Server
e.g. SMTP
Other Details

Internet
Provider (ISP)
Dial-up number (if
applicable)
Access plan
Proxy server
TCP/IP Address
DNS
Secondary DNS
Modem Type
Support Details

Software
Include all clinical and practice management software, as well as email, firewall, back-up, virus checking and other utilities.
Name/Version
Description
Serial Number / Licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased / Upgraded
Supplier
Support Details

Name/Version
Description
Serial Number / Licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased / Upgraded
Supplier
Support Details
Note: Original software media and manuals should be stored securely.

6. BACK-UP AND RESTORING PROCEDURES
Any data and files that change should be backed up. This includes practice management and clinical systems data as well as documents, email files, Internet favourites and bookmarks, etc. You may need different back-up and recovery procedures for each of these.
You do not need to back up your operating system or programs as these can be restored from the original CDs.
NOTE: You should also keep a copy of this manual backed up and offsite so that systems can be restored in the event of a theft or fire at the practice.
Back-up procedure
e.g. for an automated back-up
At the end of the day:
- Insert back-up media for the day in the server
- Ensure that all other computers have logged out of the server
Next morning:
- Check for any error messages on the server
- Check that the files on the back-up media look correct (name, sizes and date)
- Remove back-up media and store in secure location
1.
2.
3.
4.
5.
When: e.g. daily
Person Responsible: e.g. receptionist
Media Cycling: e.g.
- Daily discs/CDs
- Weekly
- Monthly
- Annual (end of financial year)
See an example below.
Offsite Storage Procedure:

Back-up media cycling
Sometimes problems occur with data or files (or even back-ups) that are not noticed immediately. It is useful to have a series of back-ups so that you can restore a file from a point before the problem occurred. Having a system of daily, weekly, monthly and annual back-ups enables you to do this.
Daily back-ups: Have a different tape/disc/CD for each day of the week. Label them Mon, Tue, Wed, etc. Monday’s tape is always used on Monday night. The data from the previous Monday is overwritten. The weekly, monthly and annual back-ups replace these daily back-ups.
Weekly back-ups: On a particular night of the week (e.g. Friday) have a different tape/disc/CD for each week of the month (labelled Fri#1, Fri#2, etc.). These replace the daily back-ups. Fri#1 is used on the first Friday of the month, etc.
Monthly back-ups: Have one tape/disc/CD labelled “Monthly”. This should be used once every month, for example, on the first Monday of the month (replacing the daily back-up).
Annual back-up: This should be done at the end of the financial year. It should be done to a CD or tape that can be retained for at least a year.

Worked example for a practice working 7 days a week
The following table can be adjusted and printed each month as a reminder of what tape/disc/CD to use and as a record that the back-up has been done and checked. If the working week does not begin on a Monday, the monthly back-up can replace the Monday back-up in Week 2.

Week     Monday    Tuesday   Wednesday   Thursday   Friday    Saturday   Sunday
Week 1   Monthly   Tue       Wed         Thu        Fri       Sat        Sun
Week 2   Mon       Tue       Wed         Thu        Fri       Sat        Sun
Week 3   Mon       Tue       Wed         Thu        Fri       Sat        Sun
Week 4   Mon       Tue       Wed         Thu        Fri       Sat        Sun
Week 5   Mon       Tue       Wed         Thu        Fri       Sat        Sun
(Each cell has two boxes to tick: Done [ ]  Check [ ])
Restoring procedure
e.g.
- Locate back-up media for the previous day
- Insert back-up media in the server
- Ensure that all other computers have logged out of the server
- Perform restore for particular system/files
- Check that the restored system/files look correct (name, date, size)
- Check that the system functions correctly
- Remove back-up media and store in a secure location
1.
2.
3.
4.
5.
When: e.g. as required
Person Responsible: e.g. practice computer security coordinator

Check/Test Recovery procedure
e.g.
- Restore file/system on a different computer to the one on which the system normally runs
- Check that the restored system functions correctly
- Compare the records to ensure that the restored files contain the latest information
1.
2.
3.
4.
5.
When: e.g. quarterly and when system changes are made
Person Responsible: e.g. practice computer security coordinator

7. VIRUS CHECKING
Software, name and version
(see software register)
Computers
Support
Upgrade procedure
Person responsible
Annual subscription renewed

8. FIREWALL
Name and version
Hardware
Software
Maintenance Required
Support


9. MAINTENANCE
There are certain maintenance procedures which, if performed regularly, will help to keep computers and other equipment running smoothly. These procedures include:
- Adding the latest patches to your operating system and application software
- Upgrading software
- Deleting temporary files
- ‘Defragging’ the hard disc
- Cleaning around the back of the computer and other equipment so that dust, etc. does not accumulate near the fans and power supplies.

Item 1
Person responsible
Frequency
Procedure

Item 2
Person responsible
Frequency
Procedure


Maintenance Log
(Attach as a separate page to be completed as maintenance is
performed)
Date

Task performed

By whom

Uninterruptible power supply (UPS)
Type
Equipment Attached
Maintenance Required
Battery life
Support

10. SECURE ELECTRONIC COMMUNICATION

If more than one method is used (for communication with different health organisations) each one should be detailed separately.
Encryption method used by practice:

End of document

