TP Information Security Policy
POLICY: THIRD-PARTY VENDOR INFORMATION SECURITY POLICY |
POLICY NUMBER: 10.179 |
SECTION: IT SECURITY |
DEPARTMENT: IT SECURITY |
This policy defines the specific information security requirements to implement the Third-Party information security program and applicable policies. To be effective, information security must involve the participation and support of every Medcor Third-Party who deals with information and information systems.
This policy applies to all Medcor Third Parties with access to Medcor information, networks, or computer systems.
Management Support for Information Security
Critical Business Function – Information and information systems are necessary for the performance of just about every essential activity at Medcor. If there were to be a serious security problem with this information or these information systems, Medcor could suffer serious consequences including lost customers, reduced revenues, and degraded reputation. As a result, information security must continue to be a critical part of the Medcor business environment.
Information Security Program
Information Security Program – Companies must implement a comprehensive, written information security program that will secure information assets in a manner commensurate with each asset’s value as established by risk assessment and mitigation measures. The information security program must be updated and re-approved by management annually or whenever there is a material change in the organization or infrastructure.
Information Security Policies – Written acceptable use and information security policies and procedures must be implemented and enforced to assure the security, privacy, reliability, integrity, and availability of information assets.
Risk Assessments – The information security program must be updated, as appropriate, based on the results of the company’s risk assessment.
Vendor Management – Companies must implement a vendor management program to evaluate the security controls of their third-party vendors. The program must include the evaluation of security controls for new and existing vendors.
Asset Management
Asset Ownership – All production information assets possessed by or used by company must have a designated owner with ownership responsibilities clearly documented.
Asset Inventory – The company must prepare an annual inventory of production information systems detailing all existing production hardware, software, and virtual assets.
Information Classification and Handling
Consistent Information Handling – Companies that collect information on behalf of Medcor must protect in a manner commensurate with its sensitivity and criticality. Security measures must be employed regardless of the media on which information is stored, the systems that
process it, or the methods by which it is moved. Information must be protected in a manner that is consistent with its classification, no matter what its stage in the life cycle from origination to destruction.
Access to Systems
Remote Access – All remote access to Medcor systems as well as remote access to company networks must use standard remote access systems that uses token or certificate- based authentication (i.e. VPN) with industry supported encryption standards. Remote access method must use Multi-Factor (MFA) authentication and be granted only to those users who have a demonstrable business need for such access. Permission to remote access must be approved and routinely reviewed. An annual VPN rule review must be conducted to ensure rules are reviewed.
Authentication – All accounts must use standard authentication methods (i.e. Active Directory, SSO – Single Sign-On, etc.).
Personal E-mail – Use of personal e-mail systems (i.e. Google, Yahoo, and Microsoft etc.) must not be used where Medcor sensitive data is stored.
System Security
Web Application Firewall – All public facing systems (web applications, e-mail server, etc.) must be protected by a web application firewall.
Security Software – All computers that are under the control of company must be protected with the following security software:
-
Endpoint Security – All computer systems must use endpoint security to stop malware, viruses, malicious operations, intrusions, ransomware, etc.
-
E-mail Security – All e-mail systems must use e-mail security to stop spam, viruses, malware, and phishing attempts.
-
Web Security – All computer systems must use web security to stop malicious activities from websites.
System Hardening – All company systems must use industry hardening standards for securing the systems prior to deployment.
Personal Computer Systems – If company uses personal computer systems to access systems company must implement equivalent or greater security measures as it would for company owned computer systems. Examples of security measures include the following:
-
All connected personal computers have adequate security protection such as up to date anti-virus software.
-
All connected personal computers have the latest software updates installed.
-
Personal routers and other devices on the network are password protected.
-
Personal routers have WPA2 enabled for Wi-Fi.
-
Personal routers and other devices must have the latest updates installed.
-
Personal devices must meet the company's minimum device requirements in order to be used.
-
Personal devices that access company systems are required to have mobile device management software installed.
Information Access Control
Need to Know – Employees with access to Medcor information or Medcor information collected on behalf of Medcor must be provided based on the need to know. Information must be disclosed only to individuals who have a legitimate business need for the information. Prior to access, appropriate agreements must be in place that specifies what information may be accessed.
Access Approval – Companies that collect information on behalf of Medcor must adopt an access request and owner approval process. Employees must not attempt to access sensitive information unless there is a need to know. When employees change job duties, including termination, transfer, promotion and leave of absence, the company must make changes accordingly. The privileges granted to all employees must be periodically reviewed by the information owners and custodians to ensure that only those with a current need to know presently have access. Employees that do not perform administrative functions must have their access restricted (ex. removal of local admin permissions) on their computers.
Role-Based Access – Employees with access to Medcor information or Medcor information collected on behalf of Medcor must have role-based privileges enabled to limit access based on role.
User Access Review – Employees with access to Medcor information or Medcor information collected on behalf of Medcor must have their accounts reviewed at minimum on an annual basis to ensure access is required and is appropriate.
User IDs and Passwords – To implement the need-to-know process, companies must require that each employee accessing multi-user information systems have a unique user ID and a private password. These user IDs must be employed to restrict system privileges based on job duties, project responsibilities, and other business activities. Each employee is personally responsible for the usage of their user ID and password. Separate accounts should be used for privileged accounts. An account removal process must be used and each employee that no longer requires access must have access removed within 24 hours. If company employees have access to Medcor systems, Medcor must be informed immediately so that access can be removed. Default passwords must be removed and replaced with the company’s password standard.
User Authentication – All production information system user IDs must have a linked password or a stronger mechanism such as a dynamic password token, to ensure that only the authorized user is able to utilize the user ID. Users are responsible for all activity that takes place with their user ID and password or other authentication mechanism.
Password Requirements – All companies must have a password policy that includes the following:
-
Minimum of 12 characters in length.
-
Use of both upper-case and lower-case letters.
-
Must be a Non-Dictionary word.
-
Inclusion of one or more numbers or special characters.
-
Passwords must not include account names or parts of the employee’s full name.
-
Password must be changed every 90 days.
-
Passwords must not contain personal information such as birthdates, SSN numbers, etc.
-
The same password must not be used on multiple systems, websites, etc.
-
Passwords must never be shared with anyone else.
-
Passwords must not be easily guessed.
-
Passwords must not be stored in plain sight.
-
Passwords must not be stored in browsers.
-
Passwords must not be stored in files on company computers.
-
Passwords must only be reused within the time specified by the system.
-
Passwords must never be sent to anyone through unsecured means such as e-mail.
-
Password must never be used to login to unfamiliar systems.
-
Invalid password attempts beyond the maximum amount specified by the system will lock the account.
-
All first-time temporary passwords must follow the same password requirements and be changed upon first login.
-
The company must have an incident response procedure for reporting compromised passwords.
-
Use of generic or shared accounts is prohibited. Accounts must only be unique to the user.
-
Multi-Factor Authentication is required to be enabled for all systems that support it.
-
Use of 20-character passwords for privileged accounts (i.e. administrator, service accounts).
-
Special administrator accounts are required to use their assigned special administrator accounts to login to servers and systems.
Personnel Security
Background Checks – Background checks must be performed on all company employees with access to Medcor information, networks, or computer systems.
Security Training – All new and existing company employees and contractors must complete an approved Security and Data Privacy awareness course on new hire and at minimum on an annual basis. Training must cover these topics: Business e-mail compromise, Social Engineering, Computer Security Incident Reporting, Protecting PHI and PII, Information Security Program, Mobile Device Protection, Virus, Malware, and Ransomware, Phishing, Physical Security. All employees must also review and acknowledge all company policies on an annual basis. Company must have a program in place to address training for security violations identified for each employee. Company must have a phishing testing program in place to routinely test employees’ awareness to phishing. All developers employed by the company must complete an approved developer security awareness course on an annual basis.
Agreements
Agreements – Depending on the business relationship with Medcor, company will be required to sign applicable agreements Non-Disclosure (NDA), Business Associate Agreement (BAA), Data Access Agreement, etc. Information released to companies must be limited to the topics directly related to the involved project or business relationship, and the disclosure must be approved in advance by the involved information owner and Medcor’s Legal department.
Third-Party Security Requirements – Companies with access to Medcor sensitive information must secure its own systems so that they are equal or greater than the security requirements of Medcor. Medcor reserves the right to audit the security of company systems. Medcor also reserves the right to immediately terminate the business relationship with all companies not meeting such requirements.
Physical Security
Physical Security to Control Information Access – Access to every office, data center, and other company work area containing sensitive information must be physically restricted to those individuals with a need to know. When not in use, sensitive information must always be protected from unauthorized disclosure. When left in an unattended room, sensitive information in paper form must be locked away in appropriate containers. Each company location should always be locked and secured when a company employee is not present.
Access Control – All company employees and company third parties must have access controls in place for areas containing sensitive information. Employees must be identified using an identification system. Access control for employees and third parties must be removed when access is no longer required.
Tailgating – Company must routinely educate employees regarding tailgating.
Visitors/Guests – Company must have visitor management policy and procedures.
Clear/Clean Desk and Screen – Company must have a clear/clean desk and screen policies and procedures.
Teleworker Locations – If the company uses Teleworker locations it is the responsibility of the employee to keep their location secured, company assets secured, and company computer equipment always locked. If locked cabinets are in the location, it is the responsibility of the employee to make sure those cabinets are securely locked when the location is unoccupied. Company assigned equipment which includes but is not limited to Laptops, All- In-One or Computers, Cell Phones, Tablets, External Hard Drives, Memory Sticks, VPN Appliances, Data Internet Cards are not permitted to be used by anyone other than Company employees.
Network Security
Firewalls Required – All connections between company internal networks and the Internet or any other publicly accessible computer network must include an approved firewall or related access control system. The privileges permitted through this firewall or related access control system must be based on business needs and must be defined in an access control standard issued by the company. An annual firewall rule review must be conducted to ensure rules are reviewed.
Internal Network Connections – All company computers that store sensitive information, and that are permanently or intermittently connected to internal computer networks must have a password-based access control system. Regardless of the network connections, all stand-
alone computers handling sensitive information must also employ an approved password- based access control system. All systems that contain sensitive data collected on behalf of Medcor must be stored on a separate protected network.
Session Security – All company employees working with all other types of computers must employ the screen lock passwords that are provided with operating systems, so that after a period of no activity the screen will lock until the correct password is again entered. Employees must lock their computers whenever they leave their computers for extended periods of time. Employees must logoff multi-user systems when they have completed their work to terminate that user’s session.
Encryption
Encryption – Medcor Confidential or Sensitive information that is sent over a public computer network like the Internet must use encryption methods to protect it. All company systems must use encryption in storage, transit, and at rest. All databases that contain Medcor sensitive data must use AES 256-Bit Data Encryption. Medcor sensitive information must not be shared via unencrypted methods such as e-mail and file sharing systems. Medcor sensitive information must be shared using secure methods that use encryption.
Application and Systems Development
System Development – If company develops software for Medcor company must have a documented System Development Life Cycle that includes security. The company must follow security standards such as OWASP. This methodology must ensure that the software will be adequately documented and tested before it is used for critical Medcor information. The System Development Life Cycle also must ensure that production systems include adequate control measures. The company must perform periodic risk assessments of production systems to determine whether the controls employed are adequate. All developers must adhere to company policies, standards, procedures, testing, training, and documentation.
Access Control – All production systems must have an access control system to restrict who can access the system and restrict the privileges available to these users. A designated access control administrator who is not a regular user on the system must be assigned for all production systems. A review of each user’s access must be conducted on a routine basis, and appropriate changes must be completed and documented for each user.
Product, Development, and Test Environments – There must be a separation between the production, development, and test environments. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. All production software testing must proceed with sanitized information where Confidential or Sensitive information is replaced with test data. All security fixes provided by software vendors must go through the systems development methodology testing process and must be promptly installed. Developers must not be given access to production information. All data used in the testing environment must not contain production data collected on behalf of Medcor.
Change Management – A formal and documented change control process must be used to restrict and approve changes to production systems. All application program-based access paths other than the approved user access paths must be deleted or disabled before software is moved into production.
Testing – All company developed software must be security tested prior to production. All discovered vulnerabilities must be remediated prior to release to production. All company
developed software must be penetration tested at minimum on an annual basis. All vulnerabilities discovered during the penetration must be remediated.
Change Control
Unauthorized Installation or Use of Software – Company must restrict systems to only the intended approved use of the system. Company must restrict the installation or use of new or upgraded operating systems or software on computers and other systems used to process Medcor information.
Audit Logging
Production Application System Logs – All company computer systems must include logs that record, at a minimum, user session activity including user IDs, logon date and time, logoff date and time, as well as applications invoked, changes to critical application system files, changes to the privileges of users, and system start-ups and shut-downs.
Business Continuity Plan Development
Business Contingency Plans Preparation – Company must prepare, periodically update, and regularly test a business recovery plan that specifies how alternative facilities (offices, computers, telephones, etc.) will be provided so employees can continue operations in the event of a business interruption.
Computer Incident Response
Computer Emergency Response Plans – Company must prepare, periodically update, and regularly test emergency response plans that provide for the continued operation of critical computer and communication systems in the event of an interruption or degradation of service.
Mandatory Reporting – The company must have a process for reporting security incidents that might jeopardize the company or Medcor information or Medcor information systems. The company must report all confirmed data breaches to compliance@medcor.com.
Data Loss Prevention
Data Loss Prevention – Company must use Data Loss Prevention to protect it from data loss. Systems may include but are not limited to detection and prevention of e-mail and file sharing systems.
Security Testing
Penetration Testing – Company must conduct at minimum annual penetration testing of external network, internal network, and web applications. Company must remediate all findings discovered in the penetration test. If Critical or High vulnerabilities are identified, Medcor must be notified of a remediation time frame for those vulnerabilities. At the request of Medcor a penetration testing attestation letter may be requested.
Vulnerability Scanning – Company must conduct at minimum quarterly internal and external vulnerability scanning on its systems. Vulnerabilities identified must be remediated.
Patch Management
Patch Management – Company must use a patch management system to routinely patch its systems. Patching should include all endpoint systems, servers, and network devices.
Change Management
Change Management – Company must have a formal Change Management process. The Change Management process should include all Information Technology infrastructure systems and applications.
Mobile Devices
Mobile Security – Company must use mobile security to protect all mobile devices used at the company.
Data Storage
Storage Location – If company is collecting data on behalf of Medcor company must store data in a U.S. location.
Data Location Change – If company is collecting data on behalf of Medcor and decides to move the data to a different location, company must notify Medcor of the new location and receive Medcor’s approval prior to the movement of the data.
Audit Reports
Independent Third-Party security audit – Company must conduct at minimum annual independent third-party audits (i.e. SOC 2, ISO). At the request of Medcor an independent third-party audit report may be requested. If an independent third-party audit is not available Medcor may request the completion of a security questionnaire.
Security Violations
Security Violation Policy and Procedure – Company must have a security violation policy and procedure that addresses security policy violations.
Data Retention and Disposal
Retention – Company must contact Medcor prior to disposing any data collected on behalf of Medcor. If Medcor requests data, company must provide data in a format that is acceptable to Medcor.
Disposal – Prior to destruction of any Medcor data, Medcor must be notified. All company electronics that may have contained data collected on behalf of Medcor and are determined no longer fit for this purpose must be sanitized using NIST SP 800-88 Rev. 1 or equivalent standards for data destruction.
Termination of Agreement
Notwithstanding anything to the contrary in the Agreement, Medcor may terminate the business relationship with company if Medcor determines (as a result of a Security Incident, results of a third-party security assessment, results of a SOC 2 report, etc.) that company has failed to meet Medcor's security requirements in this policy or that company will not make changes to accommodate any security requirements.
Owner |
Title |
Date |
Signature |
|
Anthony Vivardo |
Executive Director of Security and IT Operations |
05/31/2024 |
|
|
Approved By |
Title |
Date |
Signature |
|
Tim Sahouri |
Chief Information Officer |
05/31/2024 |
|
Version |
Description |
Revision Date |
Review Date |
Reviewer/Approver Name |
1.0 |
Draft Version |
06/07/2021 |
06/07/2021 |
Anthony Vivardo |
2.0 |
Final Version |
06/07/2021 |
06/07/2021 |
Anthony Vivardo |
2.1 |
Revisions to sections: Password Requirements Personnel Security Computer Incident Response Termination of Agreement |
06/01/2022 |
06/01/2022 |
Anthony Vivardo |
2.2 |
Revisions to sections: Policy (name changed from 10.179-Third-Party Information Security Policy to 10.179-Third-Party Vendor Information Security Policy) Access to Systems Information Access Control Personnel Security Computer Incident Response Network Security Application and Systems Development Data Retention and Disposal |
06/01/2023 |
06/01/2023 |
Anthony Vivardo |
2.3 |
Revisions to sections: Information Security Program Information Access Control Personnel Security Physical Security Change Control Security Testing |
05/30/2024 |
05/30/2024 |
Anthony Vivardo |