Information Security Policy


11/14/2018

Information security policy for “Manipal Hospitals”, a chain of multi-specialty hospitals in India.

Group 4
MIS 6130
RESTRICTED

Contents
1.0 Overview of Information Security Governance.................................................................................2
1.1 The Desired Outcomes..................................................................................................................2
1.2 Knowledge and protection of information assets...........................................................................3
1.3 Benefits of information security governance for the hospital.........................................................3
1.4 Process integration.........................................................................................................................3
1.5 Information Security Structure......................................................................................................3
3.0 INFORMATION SECURITY POLICIES.............................................................................................5
3.1 Technical Security.............................................................................................................................6
3.1.1 Access Control Policy:................................................................................................................6
3.1.2 Patching Policy:..........................................................................................................................6
3.1.3 Antivirus Malware Policy:...........................................................................................6
3.1.4 Identification and Authentication Policy:....................................................................................6
3.1.5 Secure Configuration Policy:......................................................................................................6
3.1.6 Network Security Policy:............................................................................................................7
3.2 Operational Security..........................................................................................................................8
3.2.1 Acceptable Use Policy................................................................................................................8
3.2.2 Clear Desk and Screen Policy.....................................................................................................9
3.2.3 Data Handling Policy..................................................................................................................9
3.2.4 Removable Media Policy..........................................................................................................11
3.2.5 Sanitization, Reuse, Disposal and Destruction Policy...............................................................12
3.2.6 Business Continuity / Disaster Recovery..................................................................................12
2.2.7 Bring Your Own Device Policy................................................................................................13
2.2.8 Social Media Policy..................................................................................................................13
2.3. Security Management.....................................................................................................................13
2.3.1 Education and Awareness Policy..............................................................................................13
2.3.2 Incident Management Policy....................................................................................................15
2.3.3 Audit and Vulnerability Assessment Policy..............................................................................15
2.3.4 System Acquisition Policy........................................................................................................16
2.3.5 Personnel security Policy..........................................................................................................16
Enforcement..............................................................................................................................................19

1|Page
RESTRICTED
RESTRICTED

1.0 Overview of Information Security Governance.


Information security governance shall be the responsibility of the board of directors and senior
executives of Manipal hospitals. IS governance is an integral and transparent part of the governance of
the Manipal hospitals and must be aligned with the IT governance framework of the hospitals. The board
will therefore make information security governance an intrinsic part of governance, while the senior
executives must respond to concerns and sensitive issues raised by information security in the daily
activities of the hospitals. The board as well as the executives must consider information security one
of the critical organizational resources.
Board and senior executives must have a clear understanding of their expectation of the Manipal
Hospitals enterprise information security program such that they can be effective in their governing roles.
The governance of the information security for Manipal hospital will focus on the following specific
areas:

• Desired outcome of information security governance for the hospitals
• Knowledge and protection of information assets
• Benefits of information security governance for the hospital
• Process integration
This document has been developed to address the following information security issues:

• Confidentiality: Data can only be accessed by those with specified authority;
• Integrity: All system assets operate correctly according to specification and in the way
the current user believes them to be operating;
• Availability: Information is made available to the right persons at the right time.

The Policy sets out to ensure the following:

• All information systems belonging to the Manipal Hospital are properly assessed for
security;
• The maintenance of confidentiality, integrity and availability;
• Staff are aware of their roles, responsibilities, and are accountable; and
• Procedures to detect and resolve security breaches are in place.

1.1 The Desired Outcomes


The leadership of the Manipal hospital, the organizational structure and processes that safeguard
information shall constitute security governance. All parties involved must ensure clear and effective
communication. The hospital shall focus on the following measures of outcome.

• Strategic alignment of information security with business strategy to support the objectives of
the hospitals
• Risk management by executing appropriate measures to measure and manage risks.
• Resource management by utilizing information security knowledge and infrastructure
efficiently and effectively
• Performance measurement assessed by measuring, monitoring and reporting information
security governance metrics in line with organizational objectives
• Value delivery by optimizing information security investments in support of organizational
objectives.
To facilitate the above outcomes the hospital shall ensure that:
I. Information security is on the agenda of the board
II. Information security leaders are identified, given the required support and held
accountable
III. The hospital’s information security is made effective by carrying out consistent reviews and
approvals
IV. Information security is assigned to key committees, and the said committees are accorded
support.

1.2 Knowledge and protection of information assets


Information and the knowledge based on it have increasingly become the information assets of the
hospital, and thus a business-critical asset without which the hospital would not function properly. It has
been recognized as the business enabler of the hospital and will be accorded adequate protection.
Thus the management of knowledge and information will always be addressed by the board of
directors.
1.3 Benefits of information security governance for the hospital
Information security governance generates significant benefits for the hospital, which include the value of
the hospital in the minds of its clients, protection from civil and legal liabilities, assured policy
implementation, a firm foundation for effective risk management, accountability for all stakeholders
and others.
1.4 Process integration
Information systems ensure the integration of the hospital's processes and procedures and thus must be
protected with the backing of the highest level of the hospital leadership.
1.5 Information Security Structure
The following figure shows the structure and order of the governance of information security for
Manipal hospitals


The following are the responsibilities of various stakeholders


3.0 INFORMATION SECURITY POLICIES


To address the challenges facing this hospital, the broad categories have been discussed as below:
Technical Security
1. Access control
2. Patching
3. AV & Malware
4. Identification and Authentication
5. Secure configuration
6. Network security
Operational Security
1. Operational Security
2. Acceptable Use Policy
3. Clear Desk and Screen Policy
4. Data Handling Policy
5. Mobile and Remote Working Policy
6. Password Management Policy
7. Removable Media Policy
8. Sanitization, Reuse, Disposal and Destruction Policy
9. Business Continuity Policy and Disaster Recovery Policy
10. Social Media Policy
Security Management
1. Education and Awareness Policy
2. Information Security Policy
3. Asset Management Policy
4. Audit Policy
5. Vulnerability Assessment Policy
6. Supply Chain Security Policy
7. System Acquisition Policy
8. Contract and Supplier Security Policy


3.1 Technical Security


3.1.1 Access Control Policy:
• Access to Manipal Hospitals’ Information and Information Systems resources shall be by
authorized users only who have a need for the Information or Information System resource.
• Information owners are responsible for classifying their information.

3.1.2 Patching Policy:


• Security patches shall be applied to all Information System resources in the Hospitals’
Intranet through certified downloaded updates. These downloads will be stored in
appropriate media and securely stored by the Chief Information Security Officer. An
appropriate mechanism to ensure timely and speedy updates will be employed accordingly
by the CISO.
• All information systems connected to the internet will have all updates managed by a central
server.
• No individual without the express authority of the CISO is allowed to carry out any security
update.
• Anyone contravening these requirements shall be subject to disciplinary action.

3.1.3 Antivirus Malware Policy:


• All computers and information system devices must have anti-malware software installed,
which must always be kept updated.
• An appropriate update schedule for the software must be kept by the CISO to ensure that there is
no interference with normal operational activities.
• The CISO is responsible for the selection and application of the best anti-malware software
solution in the market.
• All users must be educated on the dangers of opening unsolicited emails and clicking on links from
unknown or unidentified sources. Downloading files from the internet using Hospital Information
Systems resources is prohibited except from specific computers or resources identified and set
aside by the Network Administrator/Manager.
• Use of external rewritable storage devices on the Network is prohibited except for
authorized devices, which must be clearly marked and whose owners/custodians are identified/known.
• Any person who, in any way, introduces malicious software into the hospitals’ information
system resources shall face disciplinary action.

3.1.4 Identification and Authentication Policy:


• All hospital employees, contractors and visitors shall be properly identified using uniform,
appropriate identification material.
• Only employees, contractors or visitors with a legitimate need for access to information or
information system resources will be authorized access.
• The CISO shall put in place clear classification, identification and authorization mechanisms for
all persons.
• Anyone found to have accessed information or information system resources without proper
authorization shall be liable to disciplinary action.


3.1.5 Secure Configuration Policy:


• All Hospital Information System resources shall, upon purchase/acquisition, be subjected to a
thorough configuration check to ensure security.
• All computers, laptops, PDAs and other devices shall be formatted and have their Operating
Systems reinstalled prior to being connected to the Hospitals’ network.
• In the case of a specialized information system resource, the vendor must, together with the CISO
or his/her appointee, audit the resource to ensure only needed software or hardware is included. In
such cases, a thorough system hardening process, in line with well-known industry standards like
SANS, shall be undertaken on the resource by the CISO or his/her appointee.
• No person, without the express authority of the CISO and proper justification of the need, shall be
allowed to conduct any installation or configuration of the information system resources of the
Hospitals.
• A whitelist of all software and hardware components allowed in the Hospitals’ Information
Systems shall be provided and kept by the CISO.
• Anyone contravening these provisions shall face disciplinary action.

3.1.6 Network Security Policy:


• The Hospital Information System’s network shall be designed and implemented in a
secure manner, factoring in network compartmentalization and reduced exposure through
separation of services, either physically or logically, e.g. through VLANs.
• Only authorized personnel shall be issued with proper network identification and authentication
credentials. Access to servers and maintenance of all network components, software and
information objects is restricted to authorized persons only. The network must log all user and
device activities.
• A clear password guideline shall be issued by the Network Manager/Administrator and must be
adhered to by all, together with a password policy enforcement mechanism, e.g. Active Directory
Services or any other appropriate mechanism.
• All default accounts must be disabled.
• Privileged accounts shall be kept to the necessary minimum, their passwords being known only to
top management and the administrators and stored in a locked cabinet/safe. All accounts that
remain inactive or locked for up to 90 days, or less depending on their access rights, must be
disabled.
• The Network Manager/Administrator shall be responsible for properly configured Hospital
Networks. He/she shall keep all the Networks’ documentation, including network diagrams,
configurations, IP addressing details, firewall rules and access control lists.
• All network devices must be properly labelled with device names, IP and MAC addresses and
any other information important for their identification and employment.
• Firewalls and Intrusion Detection/Prevention Systems (NIDS/NIPS) must be incorporated into the
Networks to enforce the Hospitals’ Information Security requirements. These will be properly
hardened by following known standards like SANS and employing strict access control lists
where applicable. Unnecessary ports, services or files will be removed or blocked.
• NIDS and NIPS will also be used in Hospital Intranets.
• No classified information containing highly confidential information shall be allowed to be
transmitted in clear through the Network outwards without the knowledge and/or authorization
of top management. Such information can be transmitted only within the Intranets. The respective
information owner shall be responsible for such information. Information flowing outward from
the Hospitals shall be highly filtered to ensure it complies with this policy.
• Access to Network resources from outside the Hospitals shall be limited to the fewest users possible
and shall be enabled through Virtual Private Network (VPN) technology.
• All Network devices must be disposed of in a secure manner. Hard disks and other storage
devices must be securely erased or destroyed before disposal.
• A yearly Network security testing exercise must be conducted to ensure that the policy is complied
with.
• Any person found to be contravening these requirements shall face disciplinary action.

3.2 Operational Security


3.2.1 Acceptable Use Policy
• Use of the internet by employees is permitted and encouraged where such use supports the goals
and objectives of the business.
• However, employees must ensure that they:
a. comply with current legislation
b. use the internet in an acceptable way
c. do not create unnecessary business risk to the company by their misuse of the internet
Unacceptable behavior
The following is deemed unacceptable use or behavior by employees:
a. visiting internet sites that contain obscene, hateful, pornographic or otherwise illegal
material
b. using the computer to perpetrate any form of fraud, or software, film or music piracy
c. using the internet to send offensive or harassing material to other users
d. downloading commercial software or any copyrighted materials belonging to third
parties, unless this download is covered or permitted under a commercial agreement or
other such license
e. hacking into unauthorized areas
f. publishing defamatory and/or knowingly false material about Manipal Hospital, your
colleagues and/or our customers on social networking sites, ‘blogs’ (online journals),
‘wikis’ or any other online publishing format
g. revealing confidential information about Manipal Hospital in a personal online posting,
upload or transmission - including financial information and information relating to our
customers, business plans, policies, staff and/or internal discussions
h. undertaking deliberate activities that waste staff effort or networked resources
i. introducing any form of malicious software into the corporate network
Company-owned information held on third-party websites
• If you produce, collect and/or process business-related information in the course of your work,
the information remains the property of Manipal Hospital. This includes such information stored
on third-party websites such as webmail service providers and social networking sites, such as
Facebook and LinkedIn.


Monitoring
• Manipal hospital accepts that the use of the internet is a valuable business tool. However, misuse
of this facility can have a negative impact upon employee productivity and the reputation of the
business.
• In addition, all of the company's internet-related resources are provided for business purposes.
Therefore, the Hospital maintains the right to monitor the volume of internet and network traffic,
together with the internet sites visited. The specific content of any transactions will not be
monitored unless there is a suspicion of improper use.
Sanctions
• Where it is believed that an employee has failed to comply with this policy, they will face the
company's disciplinary procedure. If the employee is found to have breached the policy, they will
face a disciplinary penalty ranging from a verbal warning to dismissal. The actual penalty applied
will depend on factors such as the seriousness of the breach and the employee's disciplinary
record.
Agreement
• All company employees, contractors or temporary staff who have been granted the right to use
the company's internet access are required to sign this agreement confirming their understanding
and acceptance of this policy.

3.2.2 Clear Desk and Screen Policy


• Employees with physical possession of documents containing Personally Identifiable Information
(PII) or any other confidential information must store those documents in a locked filing cabinet,
locked desk or office when not actually working on them, when away from their desks, or when
leaving for the day. Employees must ensure that no documents are left on their desks unattended
overnight. Employees working in cubicles must turn work papers face-down before leaving their
cubicles temporarily.
• Employees must not dispose of sensitive information or any document containing PII in the
trash. Management must delegate the task of ensuring that all copier/printer areas are free from
sensitive information at the end of every day. Any documents not retrieved by employees must be
disposed of in the secure shredding bins designated by the firm. Employees must ensure that no
documents containing sensitive information or PII remain in the copy/printer areas overnight.
• All workstations, where feasible, should be positioned to limit the ability of unauthorized
individuals to view ePHI or any other sensitive data.
• Unattended computers should be locked or logged off so that the information displayed on the
screen cannot be viewed by anyone other than the user of the computer. Computers should be
configured to automatically lock or engage a password-protected screensaver after an unattended
duration of 15 minutes.

3.2.3 Data Handling Policy


• When handling data, all users shall do so in accordance with, and be responsible for adherence to,
the Data Handling Policy and the Manipal Hospitals Physical Security Policy. Periodic auditing
of adherence to this policy shall be the responsibility of the Manipal Hospitals Information
Governance Team.
• An approved level of protection shall be used in the transfer of data in relation to its level of
security classification and privacy requirement.


• Users shall ensure data is transferred only to named individuals who need to know, and
that the data transferred shall be kept to the minimum required.
• Any mishandling of data in transfer or at rest shall be reported as an incident.
• Users shall have authority (in writing) from the Information Asset Owner (IAO) to undertake the
transfer.
• A Data Access Agreement (DAA), Data Sharing Agreement (DSA) or Non-Disclosure
Agreement (NDA) should be produced, agreed and signed by all parties prior to any Manipal
Hospitals’ data containing Personally Identifiable Information (PII) or OFFICIAL-SENSITIVE
data/information being passed or shared with any non-government or non-public authority body.
• The Manipal Hospitals Security Team should be approached where there is difficulty identifying
a suitable method of transfer.
Data Classification:
• Manipal Hospitals has classified its data/applications/systems into two categories: critical
data and non-critical data.
• Critical data is considered a system or systems that are paramount to the effective operation
of resolution and that, if impacted, will have a catastrophic impact on the business.
• These systems are our medical management system with its dependencies as well as the
general business system with its dependencies.
• Non-critical data is considered a system or systems that are important to the effective operation of
resolution but that, if impacted, will not cause a major impact to the business and may be
rebuilt over time without drastically impacting processes.
• To ensure business continuity, Manipal Hospitals has to have multiple levels of viable data
redundancy that ensure operational recovery in the case of a logical or physical incident
impacting systems.
Safe Havens
The term ‘Safe Haven’ is used to denote either a secure physical location or the agreed set of administrative
arrangements that are in place to ensure security classified, personal or other sensitive information is
communicated safely and securely.
Safe Havens should be established, where:

• Information can be securely received and transferred.
• Paper-based information is stored securely in approved containers, as soon as practical.
• IT is not on view or accessible to unauthorized persons.
• All waste potentially containing security classified, personal or other sensitive information is
securely retained until it can be securely disposed of or destroyed.
• Conversations discussing security classified, personal or other sensitive information can be held
where they cannot be overheard by unauthorized persons.
Digital/Internet Data Transfers
In addition to the general principles above, digital transfers shall adhere to the following:
• Only approved transfer methods shall be used, in accordance with the Security Classification
of the data.
• An approved method of encryption shall be used for the transfer of OFFICIAL-SENSITIVE
data that is sent outside the secure network.
• An approved method of encryption should be used for the transfer of OFFICIAL data that is sent
outside the secure network.
Where possible data transfers should always be carried out over existing, protected and trusted NHS
networks, however, there may be occasions where data will need to be transferred over other networks.
On these occasions the data files must be protected by encryption in order to protect the data should it fall
in to the hands of unauthorized persons.
Physical Data Transfers
Physical transfers include paper and portable physical media (USB, hard disks, CDs, DVDs, etc.) In
addition to the general principles above, physical transfers shall adhere to the following,
• A Manipal Hospitals management-approved method of transfer shall be determined for the type
of data being transferred.
• A record of custody of transfers shall be kept.
• All data (with the exception of hard copy transfers) shall be stored encrypted (using a Manipal
Hospitals approved method) for transfer, regardless of classification.
• An approved method of transfer shall be determined for the type of data being transferred.
• Portable media shall only be authorized when there is a valid business requirement.
• Only official Manipal Hospitals’ approved removable media shall be used.
• Where information is transferred via mail, the outer envelope/package shall not be marked with its
Security Classification.
Transfers of data in hard copy form will need to be protected by using such methods as approved couriers
or Royal Mail Track and Trace. Where data is to be transferred by memory stick, CD/DVD or removable
hard drive, the media should be encrypted, which will provide adequate protection should it become lost
or fall into the hands of unauthorized persons.
Data Disposal
• Information held on ICT systems shall be securely erased in accordance with HMG mandated
requirements and the Manipal Hospitals’ Sanitization, Reuse, Disposal and Destruction Policy.
• Information held in paper form shall be securely destroyed in accordance with the company’s
Records Management Policy.
Other Data Handling
• Where there are occasions when new pieces of work require one-time-only data transfers or data
storage, Manipal Hospitals staff should request guidance from a member of the Information
Security Team.
3.2.4 Removable Media Policy
• For the purposes of definition, the following items shall fall under the category of removable
media:
a. Flash (Jump) Drives and flash memory storage
b. SD Storage
c. Removable fixed drives and portable caddies
d. R/W Compact Disk or DVD media
e. USB remote storage devices
• Removable media storage of any type shall generally be disallowed in any form or function
within the [LEP] operational environment. Personal storage devices shall not be used for storage
of any [LEP] information or be used with [LEP] hardware. Exceptions to this policy shall be
considered only in unique and rare cases. These requests shall require written approval of the
[Insert Appropriate Role] and be granted only for justifiable business purposes.
3.2.5 Sanitization, Reuse, Disposal and Destruction Policy
• The transfer or disposition of data processing equipment, such as computers and related media,
shall be controlled and managed according to [Insert Appropriate Standards] guidelines. Data
remains present on any type of storage device (whether fixed or removable) even after a disc is
“formatted”, power is removed, and the device is decommissioned. Simply deleting the data and
formatting the disk does not prevent individuals from restoring data. Sanitization of the media
removes information in such a way that data recovery using common techniques or analysis is
greatly reduced or prevented.
Data Disposal Procedures
All computer desktops, laptops, hard drives, and portable media must be processed through [Insert
Appropriate Department] for proper disposal. Paper and hard copy records shall be disposed of in a
secure manner as specified by the archiving and destruction policy. The [Insert Appropriate Role] shall
ensure procedures exist and are followed that:

• Address the evaluation and final disposition of sensitive information, hardware, or electronic
media regardless of media format or type.
• Authorize personnel to dispose of sensitive information or equipment. Such procedures may
include shredding, incinerating, or pulping of hard copy materials so that sensitive information
cannot be reconstructed. Approved disposal methods include:
• Physical Print Media shall be disposed of by one (or a combination) of the following methods:
a. Shredding - Media shall be shredded using issued cross-cut shredders
b. Shredding Bins - Disposal shall be performed using locked bins located on-site using a
licensed and bonded information disposal contractor
c. Incineration – Materials are physically destroyed using a licensed and bonded information
disposal contractor
• Electronic Media (physical disks, tape cartridges, CDs, printer ribbons, flash drives,
printer and copier hard drives, etc.) shall be disposed of by one of the following methods:
a. Overwriting Magnetic Media - Overwriting uses a program to write binary data sector by
sector onto the media that requires sanitization
b. Degaussing - Degaussing consists of using strong magnets or electric degaussing
equipment to magnetically scramble the data on a hard drive into an unrecoverable state
c. Physical Destruction – implies complete destruction of media by means of crushing or
disassembling the asset and ensuring no data can be extracted or recreated
• IT documentation, hardware, and storage that have been used to process, store, or transmit
Confidential Information or PII shall not be released into general surplus until they have been
sanitized and all stored information has been cleared using one of the above methods.


3.2.6 Business Continuity / Disaster Recovery


• Each department in the Company is responsible for preparing current and comprehensive
business continuity plans (BCP) for its operations. Certain departments, such as Information
Technology (IT), are also responsible for disaster recovery plans (DRP) to ensure that any
damage or disruptions to critical assets can be quickly minimized and that these assets can be
restored to normal or near-normal operation as quickly as possible.
• When a plan is completed, approved and implemented, each plan will include procedures and
support agreements which ensure on-time availability and delivery of required products and
services. Each plan must be certified annually with the business continuity policy compliance
process through the BC/DR Team.

2.2.7 Bring Your Own Device Policy


• Jailbroken and rooted devices are not allowed
• Devices must be protected by screen lock passwords
• Devices must be regularly updated with the latest OS and patches
• Business data and personal data must be kept separate
• Corporate data should be encrypted
• Custom profiles for each device type and manufacturer
• Require VPN (Application or Device) for connectivity
• Require periodic re-authentication
• Prevent offline access

2.2.8 Social Media Policy


• If approved within a department, social media sites are to be used for business purposes only in serving the interests of Manipal Hospital.
• All electronic communications created, received, or stored on the hospital’s electronic communications systems are not the sole property of the author, recipient, or user. Furthermore, any intentional misuse of social media communications systems is a violation of this policy.
• Misuse of social media and prohibited activities include, but are not limited to:
a. Sending and responding to private messages that are not related to hospital business;
b. Engaging in vulgar or abusive language, personal attacks of any kind, or offensive terms targeting individuals or groups;
c. Endorsement of commercial products, services, or entities;
d. Endorsement of political parties, candidates, or groups;
e. Lobbying; and
f. Posting photos or videos that are not related to the mission of the hospital.
• All employees and/or contractors representing Manipal Hospital are responsible for the content they publish on social media sites.
• Wherever possible, links to more information should direct users back to the hospital’s official websites for more information, forms, documents or online services necessary to conduct business with the hospital.


2.3. Security Management


2.3.1 Education and Awareness Policy
• Manipal Hospital’s management is charged with ensuring all the hospital’s employees are knowledgeable about and follow best practice protocols for managing data. As such, a high priority is given to effective security awareness and training throughout the organization. This includes implementing a viable information security program comprising a strong awareness and training component. The Chief Information Security Officer (CISO) is ultimately responsible for the security of the hospital’s data and assets. The CISO, in cooperation with senior Hospital management, shall ensure that a consistent, Hospital-wide, well-supported and effective security program is implemented and maintained.
• The CISO shall be responsible for developing, implementing, and maintaining a Security Awareness and Training Plan. This plan shall document the process for staff security training, education, and awareness and ensure that all hospital employees understand their role in protecting the confidentiality, integrity, and availability of data assets. The plan shall cover what information to communicate, when to communicate it, with whom to communicate, responsibility for communication, and the process by which communication shall be effected.
• Secondly, the plan shall ensure that staff are provided with regular training, reference materials, support, and reminders that enable them to appropriately protect the hospital’s data assets.
Training shall include, but is not limited to:
a. Responsibilities for protecting sensitive information
b. Risks to information assets and resources
c. Data encryption and access management
d. Secure use of data and information assets
e. The Hospital’s information security policies, procedures, and best practices
f. Protecting assets and identities
Training Plan Requirements
The training plan shall ensure:

• All Hospital staff attend an approved security awareness training class within 30 days of being granted access to the hospital’s resources.
• Staff receive training appropriate for their specific job roles and responsibilities. After such training, staff must verify through certificate completion and assessment that they received the training, understood the material presented, and agree to comply with it.
• Staff are trained on how to identify, report, and prevent security incidents and data breaches.
• Appropriate security policies, procedures, and manuals are readily available for reference and review.
• Staff annually attend security awareness refresher training.
• Users sign an acknowledgement stating they have read and understand the hospital’s acceptable use requirements regarding computer and information security policies and procedures.
• Staff are provided with sufficient training and supporting reference materials to allow them to protect the hospital’s data and assets.
• The CISO or his/her designee prepares, maintains, and distributes an information security manual that concisely describes information security policies and procedures.


• Cloud computing and outsourcing security awareness training addresses multi-tenant, nationality, and cloud delivery models.
• Staff are aware of and accept the risks, responsibilities, and limitations related to the Bring Your Own Device (“BYOD”) Policy.

Management Implementation
The CISO or his/her designee shall:

• Develop and maintain a communications process to communicate new security programs and items of interest.
• Ensure that staff responsible for implementing IT security controls and safeguards receive training in security best practices.
• Ensure periodic security reminders (flyers or posters, emails, verbal updates at meetings) keep the hospital’s staff up to date on new and emerging threats and security best practices. The frequency and method of delivery of such reminders shall be determined by the [Insert Appropriate Role].
Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational
policy as part of the hospital’s internal operations. Examples of management controls include:

• Documented information security training plan with evidence of consistent update and version control of the document
• On-demand review of the existing training program information and its implementation within the organization
• Completion and employee acceptance logs for completed education
• Completion rate statistics
• On-demand evidence that continuing education and reminders are in place


Enforcement
Staff members found in policy violation may be subject to disciplinary action, up to and including
termination.

2.3.2 Incident Management Policy


• Management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to Security Incidents.
• The objectives for Security Incident management should be agreed upon with Manipal hospital management, and it should be ensured that those responsible for Security Incident management understand the hospital priorities for handling Security Incidents.
• Security Events should be reported to the Chief Information Security Officer.


• Security Events should be assessed, and it should be decided whether they are to be classified as Security Incidents. This decision can be made by the Security Operations Officer.
• Knowledge gained from analyzing and resolving Security Incidents should be used to reduce the likelihood or impact of future incidents.

2.3.3 Audit and Vulnerability Assessment Policy


• Assessment scans are to be conducted on Manipal hospital IP address space periodically, and the networked assets are to be assessed from time to time.
• The vulnerability assessment system is to be managed from a central point. If need be, other tools may be used to assess vulnerabilities, but they must be approved by the Chief Information Security Officer, with the assistance of the Security Operations Officer, through the use of a Security Assessment Authorization Form.
• The vulnerability assessment exercise is the joint responsibility of the Information Security Department and the department handling the networked asset in the hospital. Hospital personnel are expected to fully co-operate with the security department when conducting this exercise to ensure the best results. They are also expected to co-operate with the Security Department in the formulation of a remediation plan.
• Any vulnerability scan or follow-up activity that is not carried out in the centrally managed vulnerability assessment system must be approved by the Chief Information Security Officer and put in writing via the Security Assessment Authorization Form.
• The CISO may hire a third-party company to conduct external vulnerability assessment scans in the event that all internal mechanisms fail to exhaustively scan for vulnerabilities in the hospital.

2.3.4 System Acquisition Policy


• Business requirements for new systems shall be reviewed and shall specify requirements for security controls.
• In procuring new systems, Manipal Hospital shall ensure that they are of high quality and caliber compared to similar existing equipment that carries out similar functions.
• Manipal Hospital shall develop acceptance criteria for the acquisition of any system in the hospital.
• Software installation on new systems must be carried out by the software engineer in charge to avoid any corruption of data.
• Third-party software in systems shall be maintained by the vendor and updated periodically.

2.3.5 Personnel security Policy


2.3.5.1 Personnel Security Policy and Procedures
The Hospital:

• Develops, documents, and disseminates to hospital personnel a Personnel Security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among hospital entities, and compliance, and procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
• Reviews and updates the current Personnel security policy and Personnel security procedures.


2.3.5.2 Position Risk Designation

The Hospital:

• Assigns a risk designation to all hospital positions;
• Establishes screening criteria for individuals filling those positions; and
• Reviews and updates position risk designations.

2.3.5.3 Personnel Screening

The Hospital:

• Screens individuals prior to authorizing access to the information system; and
• Rescreens individuals according to the hospital-defined conditions requiring rescreening and, where rescreening is so indicated, at the hospital-defined frequency of such rescreening.

2.3.5.4 Classified Information


Manipal Hospitals ensures that individuals accessing their information system processing, storing, or
transmitting classified information are cleared and indoctrinated to the highest classification level of the
information to which they have access on the system.
2.3.5.5 Formal Indoctrination
Manipal Hospitals ensures that individuals accessing their information system processing, storing, or
transmitting types of classified information which require formal indoctrination, are formally
indoctrinated for all of the relevant types of information to which they have access on the system.
2.3.5.6 Information with Special Protection Measures
Manipal Hospitals ensures that individuals accessing their information system processing, storing, or
transmitting information requiring special protection:

• Have valid access authorizations that are demonstrated by assigned official hospital duties; and
• Satisfy the hospital-defined additional personnel screening criteria.
2.3.5.7 Personnel Termination

Manipal Hospitals, upon termination of individual employment:

• Disables information system access within a defined time period;
• Terminates/revokes any authenticators/credentials associated with the individual;
• Conducts exit interviews that include a discussion of hospital-defined information security topics;
• Retrieves all security-related Hospital information system-related property;
• Retains access to the hospital’s information and information systems formerly controlled by the terminated individual; and
• Notifies the designated hospital staff member within a defined time period.


2.3.5.8. Post-Employment Requirements

The Hospital:

• Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of the hospital’s information; and
• Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the hospital’s termination process.
2.3.5.9 Automated Notification

The hospital employs automated mechanisms to notify hospital staff upon termination of an individual.

2.3.5.10 Personnel Transfer

The Hospital:

• Reviews and confirms the ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the hospital;
• Initiates defined staff transfer or reassignment actions within a defined time period following the formal transfer action;
• Modifies access authorizations as needed to correspond with any changes in operational need due to reassignment or transfer; and
• Notifies the designated hospital staff within a defined time period.
2.3.5.11 Access Agreements

The hospital:

• Develops and documents access agreements for the hospital’s information systems;
• Reviews and updates the access agreements; and
• Ensures that individuals requiring access to the hospital’s information and information systems:
  • Sign appropriate access agreements prior to being granted access; and
  • Re-sign access agreements to maintain access to the hospital’s information systems when access agreements have been updated.

2.3.5.12 Classified Information Requiring Special Protection

The hospital ensures that access to classified information requiring special protection is granted only to
individuals who:

• Have a valid access authorization that is demonstrated by assigned official hospital duties;
• Satisfy associated personnel security criteria; and
• Have read, understood, and signed a nondisclosure agreement.


2.3.5.13 Post-Employment Requirements

The hospital:

• Notifies individuals of applicable, legally binding post-employment requirements for protection of the hospital’s information; and
• Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.

2.3.5.14 Third-Party Personnel Security

The Hospital:

• Establishes personnel security requirements, including security roles and responsibilities, for third-party providers;
• Requires third-party providers to comply with personnel security policies and procedures established by the hospital;
• Documents personnel security requirements;
• Requires third-party providers to notify the hospital, within a defined time period, of any transfers or terminations of third-party personnel who possess the hospital’s credentials and/or badges, or who have information system privileges; and
• Monitors provider compliance.

2.3.5.15 Personnel Sanctions

The Hospital:

• Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
• Notifies the designated hospital staff member within a defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Enforcement
An employee found to have violated provisions of this policy will be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Manipal Hospital. Data leakage incidents such as disclosure of non-public information, making inappropriate public statements about or for Manipal Hospital, using the hospital’s resources for personal purposes, and harassing or inappropriate behavior toward another employee can be grounds for reprimand or dismissal. Deliberate, unauthorized disclosure of non-public information may result in civil and/or criminal penalties.
