Security Policy of a Dental Office
Information Technology Security for XYZ's Dental Office will be achieved by implementing these controls, policies, procedures and standards. This approved security policy reflects the rapidly changing technologies within the dental office and aims to ensure that the facility is properly protected and all security objectives are met. This security policy provides clear direction and support for security. XYZ is the owner of this policy and is therefore responsible for the review and enforcement of controls authorized by the policy.
Access Privileges will be unique for each user and determined by the system administrators; Account refers to access privileges assigned to a user; E-mail is the electronic mail and exchange of information; Data Ownership is any data stored on the office's computers - it is owned by XYZ's office; Web Server is the web server operated by the office to access the internet and external data sources; Information Security represents the attempt to preserve confidentiality, integrity and availability of data; Policy Owner is XYZ, who is responsible for policy maintenance and review.
SYSTEM - This policy covers all freestanding computers, networked computers, timeshared computers, servers or terminals owned, leased or operated by XYZ's Dental Office. This also entails any network or networked component that links the aforementioned devices with any external network or network component, including all peripherals, software, data and media associated with these devices; telephones, modems, fax machines, recording devices or other devices forming part of the office's voice network. Users cannot attempt to circumvent any system security, network security or any protection or resource restrictions placed on their account. Users must not attempt to capture or decode passwords or access codes, read or capture any data without authority, or attempt to create or install any form of malicious software (for example worms, viruses, sniffers) which may affect computing or network equipment, software or data. Users must not attach any unauthorised device or signal to the system or connect any equipment providing external access to the system (for example, a modem) without the proper authorization.
GENERAL - XYZ's system supports the office's medical research, community service and administrative work and should not be used for any other purpose. No person will utilize the system for private purposes, including private commercial, political or religious purposes. It is acknowledged that there will be some use of communications for personal purposes, but this must clearly not interfere with obligations owed by the office or third parties or otherwise breach any part of this policy.
ACCESS - Access to the system is controlled by the formal user registration process, which includes the following: unique user-ids are used so that any user can be linked to and made responsible for their actions; users must have authorization from the system owner; users must sign a statement indicating that they have been informed of and understand this policy; when in breach of these policies, users can be immediately removed or have their access rights amended as needed.
USER PASSWORD MANAGEMENT - Passwords will be used to authenticate a user's identity and to establish system accountability. Passwords are intended to protect the system's resources and data from unauthorized access. Appropriate password selection enhances the security of the user-id and password combination; thus users must follow good security practices when choosing passwords.
PASSWORD SELECTION - Passwords must be at least seven characters in length and cannot be a dictionary-based word or a phone number type combination. Passwords must contain at least 1 number and 1 non-alphabetic character such as "%" or "*". Passwords must remain confidential at all times and cannot be shared with peers or subordinates. Users are responsible for avoiding any written record of their password unless this written record can be stored securely. Employees are required to change passwords on a regular basis and they must be capable of changing their own passwords.
SECURITY AND PRIVACY - The following security and privacy requirements apply: The Office does not accept responsibility for the privacy, confidentiality or security of data or information not generated by this office or transmitted from external sources into the system. The Office does not accept responsibility for loss, corruption, misdirection or delays in transmission of personal data through the system. Users are responsible for the integrity of all data, and all incidents that affect security must be reported to the system administrator as quickly as possible. Users must protect the system data from all unauthorised access, and they are responsible for ensuring the system's data is properly backed up against the threat of loss, security threats, environmental hazards, corruption or destruction. No system equipment is allowed to be taken out of the office without proper authorization.
ELECTRONIC MAIL - Messages will be kept as short and specific as practicable. Materials that can be transmitted by e-mail include: confirmation of arrangements and appointments; records and minutes of work-related material; information received in digital form from external parties; administrative information. Material that cannot be transmitted by e-mail includes: sensitive data; solicitation of donations or subscriptions to political causes; inappropriate personal observations about the office or system, employees or patients; advertising material; material of a private nature including private, commercial, political, religious or pornographic; any content that promotes discrimination on the basis of race, colour, national origin, age, marital status, sex, political affiliation, religion, disability or sexual preference.
ELECTRONIC MAIL BEHAVIOR - E-mail is intended for office business use and may be used in legal proceedings. Responsible personal use is permitted provided it is in a reasonable fashion that is not detrimental to the office or the management. The office may be liable for the acts of an employee that are done in the course of employment, even if the act is unauthorized and contrary to the office's policies. The office's policies regarding discrimination and harassment also apply to any e-mail communication. The general laws of copyright, privacy and freedom of information apply to e-mail communication and all users will be responsible for compliance with those laws.
COPYRIGHTED SOFTWARE - It is the responsibility of each employee to protect the office's interests as they perform their duties, which entails a responsibility to ensure that commercial software acquired for the system is used only in accordance with licensing agreements. Users cannot make any illegal copies of copyrighted software, with the exception of a single copy made for archival purposes. When licenses are for multiple users, the office cannot exceed the authorized number of copies. Licences, software manuals and procurement documentation will be stored in a secure location and cannot be taken off the premises without authorization.