116 Information Systems Policy

Original Approval Date: July 15, 2009
Revision Effective:
Supersedes:
 
Any misuse of Tri-County Board computers or violation of this policy may result in disciplinary action up to and including termination.

A. Virus Protection:
  1. All media and/or software must be approved by the Director of Information Services prior to usage.
  2. Portable media must be scanned if used off-site before usage on any of the Board’s computers.
  3. Computers shall have current anti-virus software, and are to be configured to perform a complete system scan nightly.
  4. If a virus is detected, immediately contact the Director of Information Services or your Supervisor.

B. Copying of Software:
  1. The Board does not permit the illegal copying of software.
  2. All software is to be installed by the Director of Information Services.

C. Data Integrity and Backup Procedures:
  1. A full backup of all data is performed nightly.
  2. An additional full backup is done weekly and stored offsite.
  3. Backup media will be kept in a secure location.
  4. Backups are tested periodically to insure backup equipment is working properly and data is being backed up accurately.
  5. Any media holding Electronic Protected Health Information (EPHI) that are to be discarded should be physically destroyed.

D. Security:
  1. Systems shall be accessed by passwords that meet or exceed HIPAA requirements.
  2. Staff members will not share individual passwords with others or post passwords.  If they become locked out of systems or forget their password, they will report to a network administrator to have passwords reset.
  3. Staff members should close all applications or lock their workstation when leaving the Board office.  Applications containing Protected Health Information (PHI) should be closed if the staff member leaves their individual office.
  4. Systems should be set to auto-lock after a maximum of 15 minutes of inactivity (per HIPAA).  All offices are locked every evening.
  5. The server shall remain in a separate, locked room and will be accessed only by authorized personnel.
  6. HIPAA-acceptable standards will be met or exceeded in the transmission of EPHI data.  Data transferred between the Board and State entities will also comply with protocol requirements for usage on the State provided network.  Data transferred between the Board and other contracted entities shall follow Board-developed procedures
  7. Fax transmissions of data are currently allowed under state and/or HIPAA guidelines. The Board shall continue to adhere to these state guidelines for fax transmissions.
  8. When an employee is hired or terminated, the security officer shall assure that access to system resources and data have been set up and terminated.  Further, security officer shall contact other agencies and providers to complete this process of access authorization and termination.  State agencies shall be notified immediately of all terminations so that access into State systems can be terminated.

E. Internet Access:
  1. Internet access is available via the connections with established monitoring and security.  Board Computers shall not access the internet by any other means.
  2. No unauthorized use of the internet for commercial purposes will be allowed, nor anything which is considered to be offensive or harassing to another person.
  3. No programs shall be downloaded and installed from the internet unless authorized by the Director of Information Services, with the exception of program updates for operating system, anti-virus, and others as defined by the Director of Information Services.

F. Protecting of hardware and software from environmental damage.
  1. All computer systems and other network communication equipment are protected by an uninterruptable power supply with automatic voltage regulation.  Other computer peripherals will be plugged into UPSs or surge protectors.
  2. All programs and driver disks will be stored in a secure location with a copy of each program to be stored in the fireproof safe.
 
G. Disaster Recovery Plan
  1.  In case of an emergency, the Director of Information Services will be contacted to assess the situation and implement any required recovery procedures.
  2. The Director of Information Services will maintain records of all hardware purchased with configurations, acquisition date, software installed and warranty information.
  3. The Board may utilize computer consultants as needed.
  4. On-site and off-site back-ups as well as software and support documentation will be kept in a secure location.
  5. The Allen-Auglaize-Hardin Board has agreed to provide temporary access to the State’s data network in emergency situations.
 
H. Insurance Coverage
  1. The Tri-County Board holds a property insurance policy which covert loss of computer equipment.