Policy, Procedures and Standards


Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Hello everybody, and welcome back to the HCISPP certification course with Cybrary: policies, procedures, and standards. My name is Schlaine Hutchins and I will be your instructor for this course. Today we're going to talk about policies, procedures, and standards, and the importance of them in the healthcare industry.

According to dictionary.com, a policy is a course or principle of action adopted or proposed by a government, party, business, or individual. In any organization, policies are created to set the direction for where the org is going. In information security it's important to have policies, procedures, and standards, and sometimes guidelines. In simple terms, policies are the highest level, and describe the "what" that needs to be done. They typically have must, shall, or shall not statements in them.

In my experience working in large corporate organizations, policies are dictated and governed by the leaders in the organization, and disseminated down to the workforce. In smaller startup organizations, sometimes a bottom-up approach is used, whereby the workforce, through their efforts to create solutions or products, begin to build policies based on the feedback from their interactions with various customers and clients.

Being in a heavily regulated environment such as healthcare, the expectation is for any covered entity and its business associates to have formally documented policies and procedures for how the organization is run. Many policies are categorized into different areas, such as security, privacy, and/or compliance. There may be operational policies, HR policies, financial policies, etc. Within each area, there may be policies specific to different functions or needs. For instance, our comprehensive information security policy is made up of all the underlying policies for components of security, such as an email policy, a remote access policy, an encryption policy, or an SDLC policy, just to name a few.

As a certified HCISPP professional, it's important that you understand, and are able to articulate and distinguish, the difference between policies, procedures, and standards. Oftentimes when called to perform or assist in assessing an organization, these documents are part of the administrative controls. HIPAA requires healthcare organizations to have administrative, physical, and technical controls. The policy sets the stage for the physical and/or technical controls to be implemented. Policies can be very long and drawn out, or can be a set of small statements. The format can vary widely. There are standards for how policies are typically created within some organizations, especially within the public or government sector. Templates are available through various security organizations, such as sans.org, for creating specific security-related policy documents.

If within your role as an HCISPP you're called to create policies, you have a great opportunity to influence how the organization will be directed. Policies must include management support and approval, and a policy should also identify the regulations, laws, and other requirements that it is meeting, and state consequences for failing to comply. These can be used as a legal foundation when employees fail to comply with the policy and disciplinary actions are taken. It's important to communicate policies at least annually and ensure that employees acknowledge receiving and reading the policy documents.

Procedures are the "how to" for doing the "what" statements within the policy document. They may vary by business unit, technology, etc. I find that working with those who will actually be performing the tasks that are set forth by the policy to draft the procedures is very supportive. Most policy creators are not subject matter experts, and typically will not be performing the mandates set forth in the policies. So working with those who will makes sense, in order to ensure the policies are reasonable and will be successful in achieving compliance throughout the organization. Working with those doing the work will enable them to become familiar with the policy, and they'll know the procedures because they created them; it's a win-win situation all around. Procedures may change frequently due to changes in the environment, the business rules, business needs, or technology, while the policy will likely remain fairly consistent year-over-year unless there's a significant organizational, legal, or regulatory change.

Standards provide the boundaries, or the guardrails, for the "how." For instance, we have a policy that says we will use encryption for data at rest and in transit. There may be procedures for various transmission methods, such as email, SFTP, API integration, etc. For each mode, there are procedures describing how to encrypt. The standards say that we will use nothing less than AES 256-bit at rest and no less than TLS 1.2 in transit. Standards tell you what is allowed, and what isn't, within your organization or a particular organization. Standards must be derived from the policy, or else they won't support the mission of the policy.

Guidelines are similar to standards, yet provide different options for how a control can be achieved. For example, we have password guidelines to document, and assist users in creating, passwords that will be in compliance with the policy. The policy says that users must use a password as part of their credentials to access information systems. The standards are the GPO rules we've implemented based on NIST 800-63B, in which we've removed the complexity requirements, extended the password reset time period, and extended the minimum password length from 8 to 15 characters. The guidelines provide examples on how to create passwords to meet this requirement by using passphrases, and recommend steering away from things that are easily guessable or contained in the dictionary.

In summary, we've reviewed policies, procedures, and standards, and sometimes guidelines. Thanks for watching and I'll see you in the next video.