02info_security_management - DHHS POLICIES AND PROCEDURES...

DHHS POLICIES AND PROCEDURES
Section VIII: Privacy and Security
Title: Security Manual
Chapter: Information Security Management Policy
Current Effective Date: 6/15/05
Revision History:
Original Effective Date:

Purpose

To define an information security management infrastructure that will adequately protect the Department of Health and Human Services (DHHS) information, assets, and personnel and ensure compliance with federal and state regulations.

Policy

This policy defines the security management requirements for the DHHS Privacy and Security Office (PSO) and the DHHS Divisions/Offices. Information security management shall include but not be limited to the following areas:

1. Security budgeting and staffing;
2. Information security governance and organization of the security program, including roles and responsibilities;
3. Risk management programs;
4. Information security programs;
5. Security compliance;
6. Incident management;
7. Physical and environmental security;
8. Business continuity and disaster recovery;
9. Security training and awareness program;
10. Information Technology Services (ITS) Contract Administration and oversight; and
11. DHHS Security Work Group Support.

Roles and Responsibilities

DHHS PSO shall implement and maintain a comprehensive information security program that includes security management processes and procedures. The DHHS PSO will establish and maintain the framework to ensure that information security strategies within the DHHS Divisions/Offices are aligned with the DHHS mission and objectives and comply with the applicable federal and state laws.
DHHS Divisions/Offices shall ensure that all members of the workforce are trained in security matters. The divisions/offices shall develop the specific security procedures to address their specific circumstances, as required.

Implementation

Policy implementation shall be based upon the use of management-approved security standards and industry best practices (see references). The following paragraphs specify the requirements for information security management:

1. Security Budget and Staffing

The DHHS PSO shall provide assistance with the DHHS Divisions/Offices in ensuring adequate budget and staffing levels for information security. The PSO will regularly review budgets and staffing levels and make recommendations.

2. Information Security Programs

The DHHS PSO shall develop and implement a comprehensive Information Security Program (ISP) to meet the business, operational, regulatory, and programmatic requirements of DHHS. The DHHS Divisions/Offices or their designated affiliates shall:

- Ensure that information resources are properly managed;
- Determine the sensitivity and criticality of all data used;
- Implement data classification and control procedures in the work environment;
- Create and maintain information security plans;
- Develop information security control baselines for network, application or information systems in order to objectively evaluate division/office security;
This note was uploaded on 09/25/2010 for the course SIT 284 taught by Professor Lei during the Two '08 term at Deakin.
