Information Security Program Policy

Summary

Responsibilities of the Information Security Program include, but are not limited to:

• Develop policies, procedures, and guidelines for securing AllCode’s systems, networks, and data based on applicable laws, regulations, and best practices
• Monitor the networks that Company Name maintains to identify malicious activity
• Provide incident response for information security incidents
• Use frameworks to ensure that information security is built into current and new systems. Identify risks to the security of information and systems and mitigate these risks to levels acceptable by AllCode’s clients.

Scope

AllCode will have information security responsibilities over systems, data, and networks hosted by AllCode.

Policy Statement

AllCode will implement an Information Security Program to mitigate risk regarding information security. There will be a number of duties performed by AllCode to carry out the responsibilities of the Information Security Program. The Program will include, but is not limited to, the following activities:

Policies, Procedures, and Guidelines

AllCode will draft policies, procedures, and guidelines related to information security.

Security Requirements

AllCode can provide appropriate documentation evidencing compliance with these requirements upon request.

Security Event Logs

Security event-related logs can be preserved and be available online for a minimum of two (2) years and available offline for ten (10) years. This requirement applies to the data sources that are capable of logging data that can be used to enforce accountability, detect a violation of security policy, detect an attempt to exploit vulnerabilities, and/or detect compromises resulting in losses of integrity, confidentiality and availability of the PHI Data, environments, services, systems, and applications.

Password Requirements

At a minimum, passwords must be unique and exclusive, at least 8 characters in length, changed at least every ninety (90) days, and must include at least three of the following character types: numeric, upper- and lower-case letters, and special characters (!@#$%, etc.). Passwords associated with privileged user ids (such as those with administrator/root access privileges) and service accounts (used for machine to machine communications with no humans involved in providing the authentication at time of log in or job submission) must expire within 365 days.  The minimum password length for privileged user IDs is 12 characters and 16 characters for service accounts.

Access and Authorization

AllCode will employ physical and logical access control mechanisms to prevent unauthorized access to AllCode’s facilities and systems associated with PHI Data, applications, and systems and shall limit access to Personnel with a business need to know. Such mechanisms will have the capability of detecting, logging, and reporting access to the system or network or attempts to breach the security of the facility, compartment, system, network, application, and/or data.

• Each person must have an individual account that authenticates the individual’s access to PHI Data. AllCode will not allow sharing of accounts.
• AllCode will maintain a process to review access controls quarterly for all AllCode Personnel who have access to PHI Data, applications, or systems, including any system that, via any form of communication interface, can connect to the system on which PHI Data is stored. AllCode shall revoke access for any Personnel who no longer have a need for such access. AllCode will maintain the same processes of review and validation for any third party hosted systems it uses that contain PHI Data.
• AllCode will utilize two-factor authentication for network access/VPN
• AllCode will revoke Personnel’s access to physical locations, systems, and applications that contain or process PHI data within twenty-four (24) hours of the cessation of such Personnel’s need to access the system(s) or application(s) or immediately if warranted.

Architecture, Engineering, Application/Data Landscape Documentation

AllCode must maintain current, accurate, and complete documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store PHI data. AllCode must employ documented secure programming guidelines, standards, and protocols in the development of applications or systems.

Secure Programming Techniques

All application and system development shall follow industry best practices and processes for secure programming. AllCode shall be responsible for verifying that all software developers working on application and system development under this Agreement have been trained on and are knowledgeable and proficient on secure programming techniques and able to deal with all current application vulnerabilities, including, but not limited to OWASP Top 10, WASC TCv2, and the CWE-25.

Data Transmission and Storage

AllCode shall not transmit or store data outside the United States, or allow its employees or agents to download, extract, store, or transmit data through personally owned computers, laptops, personal digital assistants, tablet computers, cell phones, or similar personal electronic devices.

Change Management

AllCode will employ an effective documented change management program with respect to the Services.  This includes logically or physically separate environments from production for all development and testing.  No data will be transmitted, stored or processed in a non-production environment.

Security Patch Management

AllCode shall maintain and patch/remediate all systems, devices, firmware, operating systems, applications, and other software which are capable of receiving an update, patch, release, or modification.
Patching/remediation time frames must minimally meet Security Patching Standards:

• Critical – as soon as practical and no later than 7 days
• High – within 30 days
• Medium – within 90 days
• Low – within 180 days

Network Security

AllCode will deploy appropriate firewall, intrusion detection/prevention, and network security technology in the operation of the AllCode’s systems and facilities. Traffic between PHI and AllCode will be protected and authenticated and encrypted. Specifically, firewall(s) must be able to effectively perform stateful inspection, logging, support for all IPSec standards and certificates, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti-spoofing. AllCode will review firewall rule sets annually at a minimum to ensure that legacy rules are removed, and active rules are configured correctly. AllCode will deploy intrusion detection or preferably prevention systems (NIDS/NIPS) in order to monitor the network for inappropriate activity. AllCode shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one 1 year unless specified otherwise in this Agreement.

Malicious Code Protection

All workstations and servers must run anti-virus software. Virus definitions must be updated within 24 hours. AllCode will have current anti-virus software configured to run real-time scanning of machines on a regularly scheduled interval not to exceed seven (7) calendar days.
AllCode will scan incoming content for malicious code on all gateways to public networks including email and proxy servers.

Data Encryption

AllCode will minimally utilize the following encryption algorithms and key strengths to encrypt PHI Data when in transit, at rest in any application or system, or transported/stored via any physical media (e.g. tapes, disks, etc.):

• Symmetric encryption: 3DES (≥ 168-bit, CBC mode); RC4 (≥ 128-bit, CBC mode); AES (≥ 128-bit, CBC mode);
• Asymmetric encryption: RSA (≥ 2048-bit); ECC (≥ 160-bit); El Gamel (≥ 1024-bit);
• Hashing: SHA2 with “salt” shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.

If personal computers or mobile devices (e.g. desktops, laptops, mobile phones, tablets) are used to perform any part of the Services, AllCode will encrypt all PHI Data on such mobile devices.
Where encryption is utilized, AllCode will maintain a key management process that includes appropriate access controls to limit access to private keys (both synchronous and asynchronous) and a key revocation process. Private keys must not be stored on the same media as the data they protect.

Perform Security and Risk Assessments

AllCode will perform risk assessments of systems hosted by AllCode to determine gaps where additional security controls are needed. If gaps are discovered, recommendations will be made to mitigate potential risk.

Security Assessments

Vulnerability Scans

AllCode shall perform internal and external host/network vulnerability scans at least quarterly and after any material change in the host/network configuration.

Application Security Tests & Assessments

AllCode shall perform a security assessment on all applications and systems, and any modifications, updates, new versions or releases, or any other changes to such applications or systems prior to delivery.  The security assessments shall include, at a minimum, penetration tests, source code reviews, and other tests and assessments necessary to identify security vulnerabilities as identified by industry-recognized organizations (i.e. OWASP Top 10 Vulnerabilities; CWE/SANS vulnerabilities).

Perform Network Monitoring

AllCode will monitor the AllCode hosted networks for malicious activity. These can include, but are not limited to, the presence of viruses and malware, users transmitting or receiving larger than normal amounts of data, and systems being used to relay spam, and internal or external individuals attempting to break into the systems.

Lead Security Incident Response

AllCode will provide security incident response in the event of breaches on AllCode hosted systems. AllCode will monitor for Security Incidents on the basis of 24 hours per day by 7 days per week by 365 days year.
AllCode will have a Security Incidence response process in place to manage and take immediate corrective action for Security Incident. AllCode will implement a disaster/business recovery plan to protect AllCode hosted critical business processes from failing as a result of the effects of any major failure or disaster.
AllCode will inform clients promptly in writing of the occurrence of any unauthorized use, violation, compromise or breach of security (electronic or physical), involving or related to information of other customers or third parties (without being obligated to identify third parties by name) involving the computer environment, information or communication systems, facilities or transportation means involved in processing client’s information.

Provide Security Policies, Awareness, Training, and Communication

AllCode will raise the awareness of information security through policy materials, website presence, and awareness.

Password Policy

Approved Allcode employees and authorized third parties (customers, vendors, etc.) will be given training and materials on password construction requirements, password deletion protocols and password protection standards.

Virtual Private Network (VPN) Policy

Approved Allcode employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a “user managed” service.
Additionally,

• It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Allcode’s internal networks.
• VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
• When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
• Dual (split) tunneling is NOT permitted; only one network connection is allowed.
• VPN gateways will be set up and managed by Allcode’s network operational groups. SANS Institute 2014 – All Rights Reserved Page 2 Consensus Policy Resource Community
• All computers connected to Allcode’s internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
• VPN users will be automatically disconnected from Allcode’s network after thirty minutes of inactivity. The user must then logon again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
• The VPN concentrator is limited to an absolute connection time of 24 hours.
• Users of computers that are not Allcode -owned equipment must configure the equipment to comply with Allcode’s VPN and Network policies.
• Only Infosec-approved VPN clients may be used.
• By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Allcode’s network, and as such are subject to the same rules and regulations that apply to Allcode-owned equipment, i.e., their machines must be configured to comply with Infosec’s Security Policies.

Remote Access Policy

AllCode will provide training and materials regarding remote access. The following policies and procedures apply to employees managing and using remote access:

• Employees shall contact the management for approved methods and software to remotely connect to Allcode systems.
• Employees accessing systems remotely are responsible for ensuring their mobile device is compliant with applicable Allcode policy.
• All devices shall be inspected be the Allcode management prior to use to ensure the device is up to date with all applicable security patches and virus/malware protection software.
• Users with remote access privileges shall ensure that their remote access connection is used explicitly for work business and used in a manner consistent with their on-site connection to the Allcode network.
• Secure remote access shall be strictly controlled.
• Information security shall determine the appropriate access methodology and hardening technologies up to and including two factor password authentication, smart card, or PKI technology with strong passphrases.
• All user passwords shall be strong and follow guidelines and procedures in the Allcode Password Policy.
• SEmployees shall ensure that devices used for work purposes are not shared in a multi-user capacity, violate AUP conditions, or used in any inappropriate activity.
• Users shall bear full responsibility for any access misuse.
• Allcode users with remote access privileges shall ensure their remotely connected workstation, does not bridge or share another private or public internet connection.
• A home routed and firewalled, internal private network using network address translation (NAT) technology is excepted from this clause provided said network is under the complete control of the user.
• Personal equipment shall not be used to connect to the Allcode network using remote connection software and exceptions require management written approval.

Confidential Data Policy

AllCode will provide training and materials to employees and authorized third parties (customers, vendors, etc.) on treatment of confidential data, security controls of confidential data, destruction of confidential data, emergency data access and examples of confidential data. Alllcode will give notification to employee or authorized third party when they have access to confidential data.

Physical Security Policy

AllCode will raise the awareness of information security by tracking physical access to the office, office equipment, removal/addition of hardware, retaining possession of computer hardware at all times and general best practices.

Use Security Frameworks to Provide a Consistent Security Posture

The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (http://www.nist.gov/cyberframework/) to address the security posture of AllCode’s client security assessments and recommendations across systems, data, and networks.

Who is Governed by this Policy:

AllCode Employees, Contractors, and any other person allowed access to AllCode information assets.

Who Should Know This Policy:

All AllCode personnel and external parties involved with using, requesting, approving, or accessing AllCode information assets.