Date: February 3, 2010
Person in charge of compliance: Karen J. Sealund
In order to protect our clients’ privacy and personal information, GISC has developed this Written Information Security Policy (WISP).
This set of comprehensive guidelines and policies is implemented in compliance with 201 CMR 17.00, “Standards for the Protection of Personal Information of Residents of the Commonwealth,” the Massachusetts regulation issued under M.G.L. c. 93H.
This WISP is reviewed periodically and amended as necessary to protect our staff, contractors and clients’ personal information.
II. Designated Employee to Maintain our Security Plan.
GISC has appointed Karen Sealund to be the designated employee in charge of maintaining, updating and implementing our information security program.
III. Internal and External Risk Assessment [201 CMR 17.03(2)(b)]
In order to assess the risk of unauthorized access to personal information, we have evaluated where that information may be present. GISC keeps electronic personal information and other sensitive electronic information ONLY on the file server, which is password protected and located in the locked Server Room.
Personal information residing on non-electronic media (HR documents, contracts, medical and dental claims, underwriting files, census information, enrollment forms, change forms, COBRA forms, Weekly Income forms, Flex claim forms, etc.) is kept in our office areas, which are protected by locking mechanisms on all doors.
All GISC computers and servers are protected behind a SonicWall firewall. Due to our business requirements, GISC’s employees need access to the personal information contained in the documents that we process for our clients. To protect this information against a breach, we have implemented the following policies:
a. Employee Training [201 CMR 17.03(2)(b)(1)]
All employees are responsible for maintaining the privacy and integrity of personal information. Any paper record containing personal information about any employee, client, insured or third party individual must be kept behind lock and key when not in use.
Any computer containing personal information about any employee, client, insured or third party individual will be kept password protected. No personal information is to be disclosed without fully authenticating the receiving party.
When disposing of paper records containing personal information, a paper shredding disposal container will be used as provided by a shredding service. The containers are strategically placed throughout the office and are emptied by the shredding service on a monthly basis.
Our appointed information security coordinator, Karen Sealund, is responsible for training all new employees on this policy and ensures periodic reviews for existing employees.
WHAT IS SENSITIVE INFORMATION?
Sensitive information is information that is not lawfully available to the public and could be used to damage our employees, insureds/members of our clients, or our business. This information includes:
Personal information most commonly used to commit identity theft and similar crimes, such as a person’s name, and any of the following:
- Personal identification, including a number or other identifying information from a Social Security card, state ID card, driver’s license, passport or employee ID.
- Financial account identification, including bank account numbers or credit card numbers.
- Other identifying information used to access financial accounts or non-public records.
- Employee records, including payroll, pension and insurance records.
- Business-private information held for legitimate business purposes, including business plans, vendor and customer lists, contracts, and account information of vendors, clients, and customers.
- Financial transactions with our clients, employees and vendors, including checks and ACH transfers.
b. Employee Compliance (201 CMR 17.03(2)(b)(2))
Any employee who discloses personal information or fails to comply with these policies will face immediate disciplinary action including the possibility of termination.
c. Detecting and Preventing Security System Failures (201 CMR 17.03(2)(b)(3))
GISC, in conjunction with Technical Support International, Inc., will conduct regular network security audits in which all server and computer system logs are evaluated for any possible electronic security breach. These audits are scheduled at random, unannounced intervals.
GISC has instructed all its employees to watch and report any possible physical security breach, such as unauthorized personnel accessing file cabinets or computer systems.
IV. Keeping, Accessing, and Transporting Personal Information (201 CMR 17.03(2)(c))
GISC trains its employees to keep all paper and electronic records containing personal information securely on-premises at all times. The only exception is the off-site procedure described below.
When there is a business need for a GISC employee to take records containing personal information off-site, only the minimum information necessary will be brought; electronic records will be password protected and encrypted, and paper records will be kept under lock and key and returned to GISC’s office as soon as possible. Under no circumstances are documents, electronic devices or digital media to be left unattended in an employee’s car or in any other potentially insecure location.
V. Prevention of Terminated Employees from Accessing Information (201 CMR 17.03(2)(e))
Any terminated employee’s user accounts and computer access passwords will be disabled before the employee is terminated. Physical access to any documents or resources containing personal information will also be discontinued immediately.
VI. Third-Party Service Providers (201 CMR 17.03(2)(f))
In order to successfully perform our jobs and service our clients, we routinely share sensitive information with government agencies, financial institutions, and third party service vendors (Trizetto, Phia Group, Restat, CVS/Caremark to name a few).
Each year, we require our vendors to confirm in writing that they follow a written information security plan that fully complies with all governmental laws and regulations applicable to this location, including the Massachusetts information security regulations (201 CMR 17.00), and to supply us with their most recent SAS 70 report as prepared by their Certified Public Accountants.
We assume that government agencies and data collection bureaus (Dirago Health/NH & ME, Medicare Secondary Payer Contractors, etc.) follow legally compliant information security policies; those policies are outside our control.
VII. Physical Access Restrictions (201 CMR 17.03(2)(g))
GISC’s offices and Server Room are kept locked, and third parties are not allowed access to records containing personal information. In addition, electronic records are kept in databases on servers that sit behind multiple layers of electronic safeguards.
VIII. Monitoring and Upgrading Information Safeguards (201 CMR 17.03(2)(h))
Our appointed information security coordinator, Karen Sealund, will monitor and will annually assess all of our information safeguards to determine when upgrades may be necessary.
IX. Annual Review (201 CMR 17.03(2)(i))
Our appointed information security coordinator, Karen Sealund, will also perform an annual review of our information security plan.
X. Documenting and Reviewing Breaches (201 CMR 17.03(2)(j))
Our information security coordinator, Karen Sealund, will thoroughly document and review any breach that may occur. Records of each incident and its review will be kept on file with this Written Information Security Plan.
XI. Computer System Requirements (201 CMR 17.04)
To address external risks to the security of our network and all data, we have implemented the following policies:
a. Secure user authentication protocols (201 CMR 17.04(1)(a)-(e))
- User IDs and passwords will only be given to employees on a “need to know” basis.
- Each employee receives an individual user account with a unique, strong password; accounts are not shared.
- Written or printed passwords must be kept behind lock and key.
- Only active employees will have user accounts.
- Accounts are locked after 3 successive failed password attempts.
b. Secure access control measures (201 CMR 17.04(2)(a)-(b))
- Only HR staff who need access to the personal information in personnel files are given access to the folders containing that information.
- Each person has a unique password to the computer network. These passwords are not vendor-supplied defaults and must meet minimum complexity requirements (at least 6 letters plus a number and a special character).
c. Encryption on Public Networks (201 CMR 17.04(3))
We do not allow the transmission of unencrypted personal information across public networks under any circumstances. If a document needs to be sent via email to a client or third party vendor, we apply the following guidelines:
- Password protect the document.
- Encrypt the document.
- Attach the encrypted document to an email and send it to the recipient.
d. Reasonable monitoring (201 CMR 17.04(4))
We enable auditing on all folders and files containing personal information. Our security log monitoring system reports detailed information on who accessed these files. Our information security coordinator, Karen Sealund, reviews the results with our consultants, Technical Support International, Inc. on a regular basis.
e. Laptops and Portable Devices (201 CMR 17.04(5))
No laptops or portable devices may be used by any GISC employee at any time.
f. Security Updates and Patches (201 CMR 17.04(6))
GISC uses a SonicWall business-class firewall, which is regularly monitored by our IT support vendor, Technical Support International, Inc. Operating system patches and security updates are reviewed and installed by our IT support. In the event of a critical security patch that is deemed “urgent,” our IT support vendor will contact Karen Sealund and ask her permission to deploy that patch immediately.
g. Antivirus and Updates (201 CMR 17.04(7))
GISC runs the current version of Kaspersky Anti-Virus on all servers and workstations.
h. Education and training of employees on proper use of the computer security system and the importance of personal information security (201 CMR 17.04(8))
All GISC employees are responsible for maintaining the privacy and integrity of personal information that they may access during the course of their functions at GISC. All employees have been trained that any paper record containing personal information about any insured/member or employee must be kept behind lock and key. Computers must be password protected. Our information security coordinator, Karen Sealund, trains all new employees on this policy, and there are also periodic reviews for existing employees.
i. Remote Access Policies
This remote access policy defines security standards for computers that are allowed to connect to the GISC network. Any remote access using VPN or any other remote access method to the organizational network must be reviewed and approved by our designated employee in charge of security, Karen Sealund. VPN authentication and encryption must be used for all computers connecting to GISC. Remote users are not authorized to use GISC’s public IP address.
By default, every employee account is set to deny remote access. Only upon approval by Karen Sealund will the account settings be changed to allow remote access. All computers connecting remotely to GISC’s network, including home computers, must have anti-virus software installed and configured to:
- Operate in real time on the computer; the product shall be configured for real-time protection.
- Update the anti-virus definition library at least once per day.
- Run a full anti-virus scan a minimum of once per week.