Page 25 - Information_Security_Program

DOCUMENT SECURITY [DP271]

        Scope: Enterprise
        Distribution: All employees with access to privacy‐restricted documents
        Purpose: To ensure information is securely destroyed after its useful life.
        External Regulation or Standard: 45 CFR 164.310(d)(2)(i); 45 CFR 164.310(d)(2)(ii) ‐‐ Device and Media Controls; PCI DSS 4.3

         Who is Responsible    Statement     Policy, Standard, or Procedure Statement
                                Number
         Employees               DP271.1     Organization documents containing Privacy Restricted information must be stored in
                                             a secured location.

         Employees               DP271.2     Organization documents containing Privacy Restricted information must be delivered
                                             in a trackable manner and hand‐delivered, such as through certified mail or other
                                             approved method and marked “Confidential”, to the intended recipient.
         Employees               DP271.3     Organization documents containing Privacy Restricted information that need to be
                                             delivered in an expedited manner should be sent through encrypted e‐mail or secure
                                             file‐transfer protocol.  If these methods are not available, a Privacy Restricted
                                             document can be faxed if the sender and intended recipient are standing at their
                                             respective fax machines during the transmission.
         Employees               DP271.4     Organization documents containing Privacy Restricted information must be rendered
                                             unreadable, such as through shredding using an approved shredder or shredding
                                             company, such that there is reasonable assurance the hard‐copy materials cannot be
                                             reconstructed when they no longer have a business or legal purpose. Strip shredders
                                             are not allowed. Shredding companies must be approved through the Director of
                                             Information Technology, Privacy and Data Security, and the organization must have a
                                             valid Business Associate Agreement in place with that organization if Protected
                                             Health Information is involved.

         Employees              DP271.4a     Containers for hard copy documents to be shredded must be locked, preventing
                                             access to their contents.

         Employees               DP271.5     The organization will follow applicable laws and the Board Retention Policy regarding
                                             the retention of document records.

        GES CONFIDENTIAL