...

  1. Request is submitted and goes to the CISO HIPAA Liaison for approval.
  2. Building manager receives approved request and removes access.
  3. Building manager closes the ticket. (If not closed within 24 hours of creation, the Security Office is alerted.) An email is sent to the person who lost access, their manager, the building manager, and the CISO HIPAA Liaison.

Providing Access for non-Emergency Maintenance

...

  1. The building manager submits a request with a description of the maintenance request.
  2. The CISO HIPAA Liaison approves or rejects the request.
  3. If approved, the building manager submits a work order to F&S.
  4. The building manager provides an escort(s) who is a part of the NCSA Staff with ACHE Access and who stays with the maintenance person while in the secured area.
  5. After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
  6. The workflow is closed by the building manager. An email is sent to the CISO HIPAA Liaison and building manager. 

...

The response must be documented and given to the CISO HIPAA Liaison. This documentation must include:

...

A request to modify physical security controls can start with the building manager, Security Office or CISO HIPAA Liaison. The workflow is as follows.

  1. The building manager makes sure the request has sufficient detail and forwards it to the Security Office for approval. 
  2. The Security Office reviews the changes and evaluates the impact of the change. The Security Office then rejects or approves the request and forwards approved requests to the CISO HIPAA Liaison for approval.
  3. The CISO HIPAA Liaison approves or rejects the request.
  4. If approved, the building manager submits a work order to F&S.
  5. The building manager provides an escort(s) who is a part of the NCSA Staff with ACHE Access and who stays with the maintenance person or vendor while in the secured area doing the work. 
  6. After the work is completed, the building manager records when it was completed and by whom along with the identity of the escort.
  7. The workflow is closed by the building manager. An email is sent to the CISO HIPAA Liaison, Security Office, and building manager.

...

  1. A request to move equipment with dates and customer impacts is submitted to the CISO HIPAA Liaison.
  2. The CISO HIPAA Liaison works with the appropriate offices to ensure the schedule works for the customers impacted.
  3. If applicable, data is backed up using a unique encryption key known to the person making the backup and the CISO HIPAA Liaison.
  4. If leaving the secured facility, sensitive data will be securely wiped and verified by the Security Office.
  5. The system will be powered off and moved.
  6. The system will be restored and verified by system administrators.
  7. The ticket is closed by system administrators and an email is sent to the building manager, CISO HIPAA Liaison, and others involved in the ticket or workflow.

...

  1. A request with the reason for removal is sent to the CISO HIPAA Liaison who approves or rejects.
  2. The requestor will place the media in the provided secure container.
  3. The container shall be locked with a key kept in the secure area.
  4. The security team will transport the secure container for wiping / destruction.
  5. The security team will unlock the container with a second key kept at the wiping / destruction station.
  6. Each device will be wiped or destroyed per Security Office policy.
  7. The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container to the secure area.
    1. If the drive has no ability to be wiped because it has had a hardware failure, it will be marked for destruction and tested on the wiping machine at least once.
    2. The drive will need to be inventoried into a failed drive inventory and sent to surplus for destruction.
  8. All media that comes from Nightingale or ACHE will be labeled with stickers requesting destruction by campus surplus.
  9. The media is given to the building manager, who closes the workflow and sends the drive on. If necessary, they have the original requestor fill out the RMA paperwork.

...