IS Security Policy

Highlights

Signing this policy is a requirement for obtaining access to KHS data systems and network.

Policy Applies to: employees, volunteers, vendors, contractors, Board members, affiliates, and others who have access to information.

Information resources include: electronic data, written or printed information, and any other intellectual property of KHS.

Manager Responsibilities

  • Approve/Deny requests for system access (User Ids).
  • Management must report all relevant changes in employment status or duties, to adjust account access.
  • Management must report all terminations of employment for removal of ID, e-mail account, and to determine who will need his/her files.
  • After an employee has left KHS, their files will remain on the file server for four weeks. Managers must decide what to do with their files, and let the IS Department know.
  • Report to IS Department any PC loss or damage.

User Responsibilities

User Access
Participate in information security training and awareness efforts.
Request access from their supervisor.
Report all suspicious activity and security problems.
Sign confidentiality agreement & IS security policy before being given their user ID.
No one can work under your login other than yourself.
When your computer is unattended for an extended length of time, it must be logged off the network or password protected.
Passwords must never be shared with anyone, including the IS Department. Nor can they be written down where someone may find them.
Internet Use
We encourage Internet use for business purposes.
Never download anything from the Internet without IS Department permission.
Avoid viewing objectionable or obscene websites.
E-mail Use
E-mail is to be used for business purposes.
If you send Secret or Confidential information by e-mail, it must be encrypted.
Never use another person's e-mail to send or receive e-mail.
If you need to view another person's mail or appointment, use Proxy access.
E-mail attachments are a primary carrier for computer viruses. Be suspicious of any unexpected, or out of the ordinary attachments.
Hardware
All employees must use Keystone purchased equipment.
Any purchasing of software, computers or computer related equipment will be done by or through the IS Department.
Viruses
If you are aware of a virus on your machine, shut down your PC, disconnect it from the network, and call the IS Department at 717-232-7509 Ext. 150 or 888-377-6504 Ext. 150, or you may email us at solutioncenter @ keystonehumanservices.org.
You must keep the virus scan software enabled and running on your PC.
Software
You must never load software on your PC or the network.
If you need additional software, contact the IS Department.
Never load company software on another computer without permission of the IS Department.
If unauthorized software is discovered on your PC, it will be removed immediately.
Do not alter your Keystone computer by adding memory, processors, or any other equipment.
No non-Keystone computer equipment or peripherals (keyboards, mice, printers, scanners, digital cameras, etc.) are to be brought to Keystone offices without prior authorization by the CIO.
All software must be properly licensed and purchased by or through the IS Department.
Reporting Problems
All employees have a duty to report security violations to the IS Department.
You must report computer loss or damage to your manager.
Any attempt to prevent, obstruct, or dissuade a staff member from reporting a violation is cause for disciplinary action.

HIPAA Regulations

HIPAA requires the following media controls for data integrity and security. These criteria must be met to assure data is protected.

  • Access control - unique user ID and password
  • Accountability (data trail)
  • Data backup
  • Data storage
  • Disposal

Removable disks (flash/jump drives, floppy, CD, etc) and the C: drive of computers do not meet these requirements and therefore can NOT be used to hold any data or information covered under HIPAA.


Non-Compliance with this policy is grounds for disciplinary actions up to and including dismissal.

  • First Offense - verbal warning
  • Second Offense - written warning in personnel file
  • Third Offense - 5-day suspension without pay
  • Fourth Offense - termination
  • Willful or intentional violations - disciplinary actions up to and including dismissal.