Data Management Plan for Requests involving PHI or Sensitive Data
Users requesting PHI or sensitive data must provide a data management plan (DMP) that describes how their organization's policies and procedures meet data management best practices. A list of best practices is provided below (based on NIST SP 800-171).
Access Control
- The administration of user accounts
- Security and compliance training required prior to allowing access to the system
- Approval procedures for account creation and privilege assignments
- Periodic auditing of user accounts to ensure that access is still required
- Inactivity timeouts to force log off of secure environments
Data Access and Security
- Boundary firewalls are set to deny all by default. Any access request must be approved through the appropriate security and compliance procedure
- Only authorized users are allowed access to the system
- Users are not permitted to export information without approval
- Users are not permitted to import programs or executables without approval
- Users are only allowed privileges to functions and roles they are authorized to have
- User capabilities are allocated according to the principle of least privilege
- Administrative and user roles shall be kept separate to enforce separation of duties
- Users are allowed a limited number of incorrect access attempts and are then locked out for an appropriate period
- Appropriate use banners and notices are displayed to users
- Endpoint devices are centrally managed and equipped with anti-virus, encrypted drives, and idle lockscreen timeouts
- Remote/Telework policies cover use of data in public places and wireless access requirements (VPN usage, etc.)
- Any public release of information abides by the requirements of the APCD DUA and internal policies
Awareness and Training
- Users receive initial training on cybersecurity and the use of the protected environment, and receive periodic refresher training
- Privileged users receive training appropriate to their enhanced security role
Audit and Accountability
- Audit logging will track system access, the usage of protected information, and allow for forensic investigation of any security events.
- Logs will be maintained in a secure manner to prevent modifications
Configuration Management
- A baseline configuration will document the environment and the required configuration settings. This will include an up-to-date inventory of the systems in the environment
- Proper change control processes will be used
- The addition of new software requires a security review
Identification and Authentication
- Users must have unique user IDs and employ multifactor authentication
- Passwords shall be complex, prevented from reuse, and transmitted securely
- Temporary passwords shall be changed upon first usage
- All default passwords must be changed
Incident Response
- The organization will maintain an incident response program that documents and tracks incidents, performs forensic investigation, determines the extent of incident damage, and handles the reporting of the incident to the responsible authorities and the GAPCD.
- The organization will perform periodic testing and training on the incident response program
Maintenance
- The organization will require maintenance tools and software to be evaluated with the same diligence as any other software placed in the system
- Any third-party maintenance activities will be managed and overseen by the organization
Media Protection
- Any physical media must be securely stored in an access restricted location. Physical media must be labeled
- Inventories of protected data must be maintained
- Any media being removed from the environment (disk drives, hardware, etc.) must be sanitized and disposed of according to approved methods
- The transport of protected data must be done in a secure manner, including approved encryption methods.
- Backups need to be stored encrypted using approved methods
Personnel Security
- Personnel must be screened prior to getting access to the protected environment
- Upon termination, access to the protected environment must be disabled and any authenticators must be revoked
Physical Protection
- Any physical access to the protected environment must be approved by the appropriate leadership and granted only on an as-needed basis. Access lists must be audited periodically to confirm a continued need for access
- Physical access events must be logged, with each record containing the individual's identifier and the time of access, and these logs must be audited periodically
Risk Assessment
- The organization will conduct periodic risk assessments to assess the risk of loss of protected data. Significant changes to the environment should trigger an assessment of that change in relation to the environment as a whole
- Active periodic vulnerability scans will be used to identify vulnerabilities in the environment
Security Assessment
- The organization will use a continuous monitoring strategy for ongoing monitoring and detection of new weaknesses. This will include policies and procedures for documentation of issues, and remediation plans.
System and Communications Protection
- Networks shall be managed to prevent external intrusions.
- Audit and logging shall be adequate to detect intrusions and events, and to provide forensic evidence for investigations
- Access between the protected environment and external networks will be limited to documented, approved exceptions and will be set to deny all by default
- All data-in-transit and data-at-rest will be encrypted
- Users shall use individual identifiers and sessions when accessing the protected environment
System and Information Integrity
- Active malicious code protection will be used, and periodic scans performed
- The organization will monitor the environment with active alerts for suspicious activity and other signs of security compromises
- Security updates for software and operating systems will be applied on a regular schedule
Planning
- The organization will maintain a system security plan that lists the specific users and the system roles assigned to them. This plan should be used to document the environment and its security requirements
External Services, Vendors, and Supply Chains
- External services, vendors, and supply chains must be considered as part of the risk assessment process. Appropriate contractual language must be used to recognize the risk of using them in a protected environment.