Information Security Program Policy
This policy establishes Burgess’s Information Security Management System (ISMS) as the Information Security & Compliance Program and lays out the requirements for its creation and operation. The Information Security Program is aligned with the requirements of the following: ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements; ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls; NIST 800-53 rev 4, Security and Privacy Controls for Federal Information Systems and Organizations; Health Insurance Portability and Accountability Act (HIPAA) of 1996; HIPAA Security Rule; and HIPAA Privacy Rule. It is intended to help Burgess Group mature its Information Security & Compliance Program while protecting the confidentiality, integrity, and availability of its information assets.
This policy applies to all Burgess Workforce Members, Burgess systems, information, networks, services, facilities, and equipment including those hosted by outside parties. Burgess Workforce Members means all Burgess employees, contractors, consultants, vendors and temporary employees.
The policy owner is VP of Security & Compliance for Burgess.
Roles & Responsibilities
The VP of Security & Compliance is responsible for:
- Establish and maintain the Security Management Plan (SMP). The SMP contains definitions, policies, processes, plans and implementations for the Information Security Program (ISP) and provides requirements to track, measure and report on ISP activities. The SMP will contain a list and description of the relevant roles and responsibilities for the ISP. The SMP will be reviewed on an annual basis and updated as needed.
- Establish a security and risk metrics program with quantifiable criteria to effectively determine the degree of impact the ISP has on business operations.
- Perform an annual risk assessment that identifies risks, threats, and vulnerabilities on Burgess Group information systems.
- Use a formal risk and compliance tool to maintain risk metrics and periodically provide updates to the Internal Auditor and Executive Team.
- Establish a comprehensive compliance program to ensure compliance with industry standards such as: ISO/IEC 27001; NIST 800-53 rev 4, Security and Privacy Controls for Federal Information Systems and Organizations; Health Insurance Portability and Accountability Act (HIPAA) of 1996; HIPAA Security Rule; and, HIPAA Privacy Rule.
- Lead the compliance program to ensure that Burgess’s ISP obtains and maintains HITRUST and SOC.
- Establish a repeatable process to ensure formal management review and approval of all security initiatives.
- Monitor the security of Burgess systems and provide security training and awareness programs to users.
- Coordinate the Burgess Incident Response Team.
- Provide executive level, corporate officer support to the ISP and all its support functions to ensure that Burgess is operating an effective and compliant ISP.
- In conjunction with the VP of Security & Compliance, the designated Burgess Internal Auditor will periodically perform audits of the ISP to ensure that appropriate security controls are in place and operating as intended. Workforce Members may occasionally be required to respond to data or process requests relating to what they do to protect the information assets assigned to them.
- Maintain appropriate industry-standard security certifications.
Burgess Workforce Members are responsible for:
- Adhering to the Information Security Program Policy.
- Attending security and awareness training.
- Requesting assistance from the VP of Security & Compliance if they need guidance on requirements specified in the Information Security Program Policy.
- Immediately reporting all suspected policy violations, system intrusions, virus infections and other conditions which might jeopardize the systems or information to the VP of Security & Compliance.
Information Security at Burgess is a critical business function that should be incorporated into all aspects of Burgess’s business practices and operations. The mission of Information Security is:
Enhance Burgess’s mission while strengthening the protection of systems and data to such a level that Information Security becomes a competitive differentiator for Burgess products and services.
Information security is a foundational business practice that must be incorporated into planning, development, operations, administration, sales and marketing, as each of these business functions requires specific safeguards to be in place to mitigate the risk associated with normal business activities.
Critical Success Factors
The following factors are critical to the successful implementation of security within Burgess:
- Comprehensive security policies, standards, and procedures that clearly reflect Burgess’s business objectives.
- A security approach that is consistent with Burgess’s culture.
- Highly visible support from Burgess’s executive management.
- Solid understanding of security requirements and risk management practices.
- Effective communication of information security to all Burgess managers, associates, partners, clients, vendors and developers.
- Information security awareness and training.
- Continual review and measurement of the effectiveness and efficiency of security controls and mechanisms.
- Timely adjustments to the security posture by addressing deficiencies and by reflecting changes in Burgess’s business objectives, as necessary.
- Annual review of the information security policies, standards, and procedures to update these documents as needed to reflect changes to business objectives or the risk environment.
- Burgess needs support from all Burgess Workforce Members in abiding by the requirements of this and the supporting ISP policy documents.
- Burgess needs Burgess Workforce Members to support the ISP by maintaining the confidentiality, integrity and availability of the information assets entrusted to them. Burgess also needs Burgess Workforce Members to actively participate in all required information and security training initiatives.
Failure to comply with the policy may result in disciplinary action including termination of employment, services, or relationship with Burgess.
- ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls
- NIST 800-53 rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- HIPAA Security Rule
- HIPAA Privacy Rule
The following acronyms can be found within this policy:
The following definitions are provided to assist with understanding terms used within this policy:
- Burgess Workforce Member: all Burgess employees, contractors, consultants, vendors and temporary employees.
Burgess Code Of Conduct
The Burgess Code of Conduct articulates Burgess’s commitment to conducting business in a lawful and ethical manner.
Mission and Values
We Pioneer to create the most remarkably efficient healthcare information solutions available, by asking, “is there a better way?” We Simplify to make life so much easier for our clients that they would never consider doing things any other way. We Bring People Together to benefit everyone in the healthcare system, because great information delivered in a meaningful way transforms businesses as well as lives. We Do The Right Thing to develop lasting trust, one positive experience at a time. We know that our decisions matter, so we always approach them with thoughtfulness and care. We always have our clients’ and each other’s best interests at heart and communicate in a constructive, honest and accessible way.
The Code of Conduct requires that business transactions and client interactions are to be carried out in an ethical manner. In support of this requirement, no resource shall make, file, or use any false, fictitious, or fraudulent statements or documents in connection with the delivery of client services. Additionally, no resource shall falsify, conceal, or cover up a material fact in the performance of their duties.
Avoid Conflicts of Interest
Your judgment is one of your most valuable assets. You should avoid any activity, interest or association that conflicts with or appears to compromise your exercise of independent judgment. Conflicts can arise in many situations. It will not always be easy to distinguish between proper and improper activity. When in doubt, consult your manager, Human Resources or the Compliance Officer before taking any action.
Seek Guidance and Report Concerns
Resources are strongly encouraged to report incidents involving noncompliance, misconduct, Fraud, Waste, and/or Abuse, or any other form of unethical behavior to the Burgess Compliance Officer via: [email protected]. Burgess will not retaliate against any resource for filing a report to the Burgess Compliance Officer.
The Burgess Compliance Officer is responsible for investigating all reports that involve acts of possible misconduct, ethics violations, fraud, waste, or abuse, and/or compliance concerns within twenty-four (24) hours of receipt. In the event the Burgess Compliance Officer is not available to monitor the [email protected] email account, investigate, and/or respond within the time frame listed above, the Vice President, Corporate Operations will assume responsibility for the [email protected] email account and for the investigations and/or responses.
Copy to be provided