ApostleTech – Written Information Security Program (WISP)

Added by Kyle Aulerich. Last edited by Kyle Aulerich on April 22, 2016

Objectives

The objectives in the development and implementation of this comprehensive written information security program (“WISP” or “Program”) are:

  • To create effective administrative, technical and physical safeguards for the protection of Confidential Information maintained by ApostleTech, including sensitive personal information pertaining to ApostleTech’s employees, customers and partners, as well as other confidential third party information.
  • To comply with our obligations under law including the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (jointly, “HIPAA”), other applicable Federal and State laws, and regulations promulgated under these laws (collectively, “Privacy Laws”).

Scope of the WISP & Key Program Design and Implementation Features

The WISP provides for, and was designed and developed, and will be implemented, to include the following key features, requirements and components:

  • Identification of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Confidential Information;
  • Assessment of the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Confidential Information;
  • Evaluation of the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks;
  • Design and implementation of safeguards to minimize those risks; and
  • Regular monitoring of the effectiveness of those safeguards.

Applicability

This Program applies to all ApostleTech employees, whether full-time or part-time, paid or unpaid, temporary or permanent, as well as all agents and representatives of ApostleTech.

This Program applies to all ApostleTech Information, including all information collected, stored or used by or on behalf of any operational unit, department and person within ApostleTech in connection with ApostleTech operations.

Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

Breach of Security

A Breach of Security means the unauthorized acquisition or disclosure, or unauthorized use, of unencrypted data (or encrypted electronic data and the confidential process or key used to decrypt the encrypted data) that is capable of compromising the security, confidentiality or integrity of ApostleTech Information. A good faith but unauthorized acquisition of personal information for lawful purposes is not considered a breach under law unless the information is used in an unauthorized manner or subject to further unauthorized disclosure.

Confidential Information or “CI”

ApostleTech Information that falls into one of the following categories:

  • Records and information ApostleTech, or any of its employees or units, is required by law to keep confidential.
  • Information ApostleTech is required by contract to keep confidential.

Electronic

Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted

The transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Record or Records

Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Administrative Oversight, Roles & Responsibilities

Chief Executive Officer

The Chief Executive Officer (CEO) will create and oversee the WISP and review it whenever there is a material change in business practices related to the WISP.

The CEO will also be, directly or through delegation and oversight, responsible for:

  • Overseeing the WISP, which includes the creation, implementation, compliance and ongoing review of the WISP and all related policies;
  • Overseeing development of efficient operational procedures in support of the WISP;
  • Overseeing regular testing of the WISP safeguards;
  • Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing CI;
  • Assuring regular and appropriate training is provided to employees with access to CI;
  • Ensuring that any violations of the WISP are promptly corrected and that appropriate action is taken to prevent similar violations in the future, and, in consultation with the employee’s supervisor or department chair or director, ensuring that appropriate disciplinary action is taken against individuals responsible for the violations in appropriate cases;
  • Ensuring that the WISP complies with applicable laws;
  • Overseeing audits of the WISP.

Assessment of Internal and External Risks

The internal and external risks to the confidentiality, security and/or integrity of Records containing Confidential Information were assessed through a thorough, careful process which was led by the CEO. This assessment involved:

  • Consideration of all relevant laws and regulations relating to Confidential Information;
  • An evaluation and assessment of ApostleTech Records and information systems, and the physical, technical and administrative policies and safeguards built into those systems;
  • A discussion with various employees and other administrators of all potential internal and external risks, including but not limited to possible technological intrusions and security breaches caused by or resulting from individuals utilizing so-called viruses, worms, bots or other technological means to access, obtain, utilize, change or destroy ApostleTech Confidential Information.

Looking forward, ApostleTech, led primarily by the CEO, will continue to assess external and internal risks periodically, and as changes to technology occur which may represent or introduce new kinds or degrees of risk.

Data Classification

ApostleTech Information is classified into the following types of information:

  • Confidential Information
  • Internal Use Information
  • Public Information

Confidential Information Standards & Procedures

General Program Standards

  • Confidential Information must generally be protected to prevent unauthorized access, use, modification, transmission, storage or disclosure, and/or loss, or theft.
  • A copy of the WISP will be made available, and provided physically or electronically, to each employee with access to Confidential Information (CI).
  • Initial and periodic future training and retraining of employees with access to CI will be required by ApostleTech. All participants in such training sessions are required to verify their completion of the training.
  • All security measures shall be reviewed at least annually, or whenever there is a material change in ApostleTech’s business practices that may reasonably implicate the security or integrity of Records containing CI. The CEO shall be responsible for overseeing this review and shall consider for implementation recommendations for improved security arising out of that review.

Information Collection, Access and Use of Confidential Information 

  • The amount of Confidential Information collected must be limited to that amount reasonably necessary to accomplish legitimate business purposes, or necessary to comply with other state or federal regulations.
  • Access to records containing Confidential Information shall, to the full extent feasible, be limited to those persons who are reasonably required to know such information in order to accomplish a legitimate business purpose or to enable ApostleTech to comply with other state or federal regulations.
  • Electronic access to databases and files with Confidential Information will be blocked after multiple unsuccessful attempts by the user to gain access, when such access-blocking technologies are feasible and reasonably available.
  • Physical and electronic access to Confidential Information of a terminated or former employee shall be immediately blocked. Such terminated person shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to ApostleTech premises or information. Moreover, such terminated person’s remote electronic access to Confidential Information shall be disabled and his/her voicemail access, email access, Internet access, and passwords shall be invalidated. The CEO and COO shall maintain a highly secured master list of all passwords and encryption keys.
  • All terminated or former employees who have (or had) access to Confidential Information shall be required to return all records containing Confidential Information, in any form, which may at the time of such termination be in the person’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
  • Access to electronically stored CI shall be electronically limited to those employees and other authorized employees having a unique logon.
  • There must be secure user authentication protocols in place, including:
    • Protocols for control of user IDs and other identifiers;
    • A reasonably secure method of assigning unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access to CI;
    • Restricting access to records and files containing personal information to those who need such information to perform their job duties;
    • Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    • Blocking of access to users after multiple unsuccessful attempts by those users to gain access;
    • Access to Confidential Information shall be restricted to active users and active user accounts only;
    • Passwords for current employees shall be changed periodically;
    • All ApostleTech-issued computers, including laptops, will be password protected and require a user name and password.
  • All computer systems will be reasonably monitored for unauthorized use of or access to CI.

Storage and Maintenance of Confidential Information 

  • ApostleTech employees must maintain Records containing CI in locked facilities, secure storage areas or locked containers. Users are encouraged to store other Confidential Information in the same manner, although a somewhat lesser degree of physical security (e.g. storage in a filing cabinet in a limited access office which is locked during evenings and extended periods of non-attendance) shall normally suffice for Confidential Information that does not include CI.
  • ApostleTech employees are prohibited from leaving open files (both electronic and paper) containing CI unattended. Records containing CI must be secured in locked file cabinets or locked drawers. and computers that have access to CI.
  • ApostleTech employees’ computers with access to CI shall be configured with automatic locking (requiring re-entry of a password) after a certain time of no activity.
  • Confidential Information shall not be stored on any unencrypted laptops, handheld computers (e.g. iPads), personal digital assistant (“PDA”) devices (e.g. Blackberry, iPhone, Android) or similar devices, and shall not be stored on any unencrypted portable or removable storage media (e.g. CDs, flash drives, USB drives, external hard discs, etc.).
  • When stored in an electronic or other digital format, Confidential Information must be protected with Strong Passwords.
  • In those instances in which Records or media need to be temporarily transported, carried or stored outside of the workplace in connection with an employee’s duties, they shall be held and stored in a secure fashion. For example, paper records shall be stored in a locked briefcase or file drawer whenever possible and/or shall be kept at all times within the physical custody of the responsible employee.
  • There must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the Confidential Information, installed on all systems connected to the Internet which process Confidential Information.
  • There must be reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing Confidential Information.

Transmission and Disclosure of Confidential Information 

  • Any disclosure of Confidential Information outside of ApostleTech must be in accordance with law.
  • ApostleTech employees are prohibited from sending any Records containing CI via email, across public networks or wirelessly (whether to internal or external recipients) unless such Records, messages or files are encrypted.

Information Disposal 

  • Paper records containing CI shall be shredded, and electronic records (including records stored on hard drives or other electronic media) shall be destroyed or erased, so that personal data cannot practicably be read or reconstructed. Other Confidential Information should be similarly shredded, destroyed or erased.

Internal Use Information Standards & Procedures

The following standards and procedures shall apply to Internal Use Information.

Information Collection, Access and Use of Internal Use Information

  • Internal Use Information should be generally protected from any unauthorized access, modification, transmission or storage.
  • Internal Use Information is restricted to employees of ApostleTech who have a legitimate purpose for accessing such information.

Storage and Maintenance of Internal Use Information 

  • Internal Use Information should be generally protected from any unauthorized storage.
  • When stored in any physical form (i.e., paper), Internal Use Information should be stored in a closed container, such as a filing cabinet, closed office, or desk drawer, to protect against disclosure.

Transmission and Disclosure of Internal Use Information 

  • Internal Use Information should be generally protected from any unauthorized transmission and disclosure.
  • Documents containing Internal Use Information should not be posted publicly.

Information Retention and Disposal

  • Documents containing Internal Use Information should be destroyed by shredding or an alternative process that destroys information beyond recognition or reconstruction (if in hard copy form), or should be sanitized or securely deleted by the appropriate systems administrator or his or her designee.

Responses to Incidents and Breaches

  • Employees and Third Party Service Providers with access to Confidential Information will be encouraged to report any suspicious or unauthorized use of Confidential Information.
  • Whenever there is an information security related incident that constitutes a Security Breach involving CI and requires notification, there shall be an immediate mandatory post-incident review of events and actions, with a view to determining whether any changes in security practices are required to improve the security of CI.

Waivers and Exceptions

Individuals subject to the mandatory requirements or standards set forth in this WISP may request that the CEO grant a waiver or exception from a particular requirement or standard that cannot practicably be followed without substantial operational hardship or excessive cost, and the CEO may in his/her discretion grant such waiver or exception provided that:

  • the waiver or exception would not result in a violation of applicable law or regulation; and
  • the CEO imposes, wherever possible, other alternative requirements or standards that serve the purposes of the WISP but are less burdensome on the particular individual or his/her department or unit.

Enforcement and Disciplinary Action

ApostleTech reserves the right to monitor network traffic, perform random audits, and take other steps to ensure the integrity of its information and compliance with the WISP. Violations of the WISP will result in appropriate disciplinary action, which may include temporary or permanent restrictions on access to certain information or networks, or other employment related discipline up to and including suspension or termination of employment, depending on the circumstances and relevant factors such as the nature and severity of the violation and whether the violation was knowing, intentional or repeated.

Revision History

| Version | Date     | Responsible Office | Approved By   |
|---------|----------|--------------------|---------------|
| 1.0     | 04/21/16 | Executive          | Kyle Aulerich |
| 1.1     | 04/22/16 | Executive          | Kyle Aulerich |