Page 9 - Information_Security_Program
SECURITY POLICIES [DP211]
Scope: Enterprise (all GESM)
Distribution: Executive Leadership Team, Director of Information Technology, Privacy and Data Security
Purpose: To document the Data Security Steering Committee’s direction with regard to information security.
External Regulation or Standard: 45 CFR 164.316(a) and (b)(1); 45 CFR 164.316(b)(2)(i); 45 CFR 164.316(b)(2)(ii); 45 CFR 164.316(b)(2)(iii) - Documentation Time Limit; Documentation Availability; Documentation Updates
Statement Number / Who is Responsible / Policy, Standard, or Procedure Statement

DP211.1 (Responsible: Director of Information Technology, Privacy and Data Security)
The Director of Information Technology, Privacy and Data Security will maintain the organization's information-security documentation in a way that is up to date and easily accessible by the organization.

DP211.2 (Responsible: Director of Information Technology, Privacy and Data Security)
The organization's information-security policies will be organized according to the ISO 27001 framework, HIPAA Security Rule, PCI DSS, and other applicable regulations and standards.

DP211.3 (Responsible: Director of Information Technology, Privacy and Data Security)
The organization will retain the most recent version of its data security policies if they are in effect, plus an additional year.

DP211.4 (Responsible: Director of Information Technology, Privacy and Data Security)
The Director of Information Technology, Privacy and Data Security will administer policy waivers and exceptions, consulting the Data Security Steering Committee as appropriate.

DP211.5 (Responsible: Director of Information Technology, Privacy and Data Security)
The Director of Information Technology, Privacy and Data Security will initiate an annual review of the organization's information-security policies to determine and propose to the Data Security Steering Committee if new risks or compliance obligations merit policy changes or additions.
GES CONFIDENTIAL