DHHS Home Page NC DHHS On-Line Manuals  

DHHS POLICIES AND PROCEDURES

______________________________________________________________________________________________________________

Section VIII: Privacy and Security

Title: Security Manual

Chapter: DHHS Security Organization

Current Effective Date: 6/15/05

Revision History: This policy replaces two (2) existing chapters of the DHHS Security Manual: “Development of Security Policies” and “Security Official.”

Original Effective Date: 5/01/04

______________________________________________________________________________________________________________

Purpose

The purpose of this policy is to establish the structure of the Department of Health and Human Services (DHHS) security organization. This policy specifically addresses the security roles and responsibilities of the DHHS Privacy and Security Office (PSO), Division/Offices and staff within the department. In addition, this policy defines the process for developing, reviewing and communicating security policies, standards, procedures and guidelines for the department.

Policy

DHHS shall ensure that security is implemented properly by establishing the DHHS PSO and a security organization structure within each of the DHHS Divisions/Offices. Under the auspices of DHHS Directive II-12, the DHHS PSO shall be the DHHS lead office for the enterprise-wide security program. Each DHHS Division/Office shall implement its own information security program, managed by an information security official and following the directives, procedures, and guidelines issued by the DHHS PSO.

Security policies, standards, and procedures shall be developed at both the enterprise-wide level and at the implementation level by the DHHS PSO and supplemented as necessary by the DHHS Divisions/Offices for their specific use. The DHHS PSO shall be responsible for the development of enterprise-wide security policies, standards, procedures, and guidelines. The Division/Office Information Security Officials shall be responsible for the implementation of those policies, standards and procedures, with the assistance of the DHHS PSO, as needed.

Definitions

For purposes of clarification, the following definitions shall be used in establishing the security program:

Roles and Responsibilities


  1. DHHS PSO

    The DHHS PSO shall be managed by the DHHS Security Officer. The DHHS PSO shall be responsible for implementing the enterprise-wide security program. In addition, the office shall be responsible for the development, coordination, enforcement, and monitoring of the enterprise-wide security policies, standards, guidelines and procedures. The responsibilities of the DHHS PSO are:

  2. DHHS Security Officer

    The responsibilities of the DHHS Security Officer shall include, but not be limited to, the following:

  3. DHHS Information Security Work Group (SWG)

    The DHHS PSO will establish a DHHS Security Work Group (SWG). The work group will consist of representatives assigned by each DHHS Division/Office. The SWG, in an advisory capacity to the DHHS PSO, will assist the DHHS PSO in formulating policies, standards, guidelines, and procedures. These policies, standards, guidelines and procedures shall be: reasonable, based on industry best practices, consistent with federal and state laws, and consistent with current DHHS standards.

    Members will assure that the appropriate personnel within the divisions/offices have the opportunity to review the security policies, standards, procedures and guidelines. Members also serve as a clearinghouse to and from the DHHS Divisions/Offices regarding the DHHS Security Program.

    The DHHS Security Work Group membership shall include:

  4. DHHS Division/Offices

    DHHS Divisions/Offices shall be responsible for the policies and procedures developed by the DHHS PSO and for the development of any division/office-specific policies and procedures that may be necessary to supplement those developed by the DHHS PSO. These policies and procedures must be in compliance with the DHHS enterprise-wide security policies, standards and procedures developed by the DHHS PSO.

    Each DHHS Division or Office shall:

  5. DHHS Division/Office Information Security Officials

    DHHS Division/Office Information Security Officials shall guide all division or office activities related to adherence to DHHS Security Policies regarding the prevention, detection, containment, and correction of security violations for information technology, in accordance with state and federal laws or rules and as delegated to the DHHS Security Officer.

    The DHHS Division/Office Information Security Officials' responsibilities shall also include, but are not limited to, the following:


Implementation

Development of Security Policies, Standards, Procedures and Guidelines

The DHHS PSO shall be responsible for the development of enterprise-wide security policies, standards, and procedures. The DHHS PSO will research and develop drafts of enterprise-wide policies, standards, procedures and guidelines. These drafts will be presented to the members of the SWG for review. All comments will be addressed and discussed in SWG meetings. Upon acceptance, the revised draft of the policies will be sent to the DHHS Policy Coordinator for final approval and publication. All DHHS security policies will be maintained in the DHHS On-Line Publications, under Privacy and Security.

The DHHS PSO will collect and evaluate all requests for change. Any updates, modifications, or revisions to enterprise-wide security policies, procedures and standards shall be initiated by the DHHS PSO. The office shall utilize the SWG (see the process above) to introduce and review documentation for all revisions.

Due to the sensitivity and confidentiality of security policies, standards and/or procedures, there may be limitations placed upon the publication and availability of this documentation to the public. Limitations of access will be in compliance with GS 132 and GS 121.

Enforcement

For questions or clarification on any of the information contained in this policy, please contact the DHHS Security Office. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.

Chapter 126 employees who fail to comply with DHHS policies and/or agency procedures shall be subject to the DHHS Disciplinary Action guidelines and related personnel policies, except that the sanctions for educators subject to Chapter 115C of the North Carolina General Statutes shall be in accordance with NCGS 115C-325 or 115C-287.1. DHHS volunteers, guests, vendors, and contractors are expected to adhere to security policies, procedures, and standards. Termination procedures for contractors and vendors shall be in compliance with relevant contract policies.

Exceptions

Any exceptions to this policy will require written authorization. Exceptions granted will be issued a policy waiver for a defined period of time. Requests for exceptions to this policy should be addressed to the Director of the Division of Information Resource Management (DIRM). The waiver request will be processed in accordance with the DHHS ITS Waiver and Appeals Policy.

References
  1. International Security Organization (ISO) 17799, “Information Technology - Code of Practice for Information Security Management,” as mandated by NCGS 147-33.82 and other federal/state regulations as applicable.

  2. 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule.

The HIPAA Security Rule [164.308(a)(2)] requires the designation of an individual who is responsible for the development and implementation within the covered entity of security policies and procedures that implement the HIPAA Security requirements.

DHHS Directive II-12 delegates authority to the Director of the Division of Information Resource Management (DIRM) to oversee and coordinate the establishment of a security policy and program for the department's information resources, including hardware, software, telecommunication network, and information. Additionally, the DIRM Director must monitor compliance with the established policies and program. To meet the requirements of DHHS Directive II-12, the DIRM Director has delegated these responsibilities to the DHHS Security Officer.

North Carolina General Statutes (NCGS), as listed below, dictate the direction of DHHS security activities.
