Page 12 - Information_Security_Program

FACILITY MAINTENANCE AND REPAIR [DP222]

        Scope: Enterprise
        Distribution: GESM Leadership team, Security Officer, Directors and Managers
        Purpose: To ensure the same level of facility security is maintained at all times.
        External Regulation or Standard: 45 CFR 164.310(a)(2)(iv) - Facility Access Controls

        Statement Number: DP222.1
        Who is Responsible: Director Logistics and Facilities Manager, Retail and Off-Site Directors and Managers
        Policy, Standard, or Procedure Statement: When the organization engages outside firms to provide cleaning, maintenance, and repair of the organization's owned or managed facilities, it will use approved vendors.

        Statement Number: DP222.2
        Who is Responsible: Director Operations, Facilities & AP Manager, Retail and Off-Site Directors and Managers
        Policy, Standard, or Procedure Statement: Cleaning, repair, and maintenance of the organization's facilities where privacy-restricted information is maintained should be done during normal business hours or under the supervision of an approved escort. Where the work cannot be done during normal business hours or under the supervision of an approved escort, GESM will obtain a Business Associate Agreement with the vendor prior to allowing access to secure areas containing Protected Health Information. This includes secure areas at any location where Protected Health Information is stored.

        Statement Number: DP222.3
        Who is Responsible: Director Operations and Facilities, Retail and off-site Directors and Managers
        Policy, Standard, or Procedure Statement: The Director of Operations, or the Retail store or off-site location Director or Manager, must report to the Chief Financial Officer and Director of Information Technology, Privacy and Data Security any repair or modification to the organization's facilities that changes the nature of access control and monitoring in that facility.

        Statement Number: DP222.4
        Who is Responsible: Chief Financial Officer and Director of Information Technology, Privacy and Data Security
        Policy, Standard, or Procedure Statement: The Chief Financial Officer and Director of Information Technology, Privacy and Data Security will ensure that any proposed changes to the organization's facilities will not heighten the risk to the organization's information and will log the nature of such changes for potential future audits.

        GES CONFIDENTIAL