3a. computer and information security standards workbook

Upload: sandeep-mookerjee

Post on 05-Jul-2018


8/16/2019 3a. Computer and Information Security Standards Workbook
1/53
RACGP Computer and information security standards workbook 0


Contents

2 RISK ASSESSMENT 9
2.1 SECURITY COORDINATOR(S) 9
2.2 ARTICULATE THE OPERATING PARAMETERS 9
2.3 STAFF AND TECHNICAL SUPPORT CONTACT DETAILS 10
2.4 ASSET REGISTER 11
2.5 IDENTIFY THREATS, VULNERABILITIES AND CONTROLS 2
2.6 IDENTIFY APPROPRIATE CONTROLS 3
2.7 SECURITY MANAGEMENT AND REPORTING, INCLUDING MONITORING COMPLIANCE AND REVIEW PLANNING 3
2.8 EDUCATION AND COMMUNICATION 3
2.9 BREACH REPORTING 35
3 STAFF ROLES AND RESPONSIBILITIES 36
3.1 SECURITY COORDINATOR 3
3.2 OTHER STAFF ROLES AND RESPONSIBILITIES 3
3.3 SAMPLE CONFIDENTIALITY AGREEMENT 34
4 ACCESS CONTROL AND MANAGEMENT 38
5 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS 39
6 BACKUP 46
7 MALWARE, VIRUSES AND EMAIL THREATS 48
8 NETWORK PERIMETER CONTROLS 49
9 PORTABLE DEVICES AND WIRELESS NETWORKS 50
10 PHYSICAL, SYSTEM AND SOFTWARE PROTECTION 51
10.1 PHYSICAL PROTECTION 51
10.2 SYSTEM MAINTENANCE 52
10.3 SOFTWARE MAINTENANCE 52
11 SECURE ELECTRONIC COMMUNICATION 53


    TABLES


How to use this document


1 Computer and information security checklist

This checklist provides a record of the 12 basic computer and information security categories that should be undertaken. The checklist is a guide only and does not describe the complete list of security activities that should be undertaken. Details of these are provided in the RACGP Computer and information security standards.

Computer and information security checklist

Date of assessment: ___ / ___ / _____

Category | Tasks | Completed (tick and add date)
1. Risk Assessment | Conduct risk assessment activities and put procedures in place | ____


2 Risk assessment

For a detailed explanation refer to Section 3.1 of the RACGP Computer and information security standards.

2.1 Security coordinator(s)

Name(s): ______________________________________________

2.2 Articulate the operating parameters

What are the legal and professional requirements for the protection of the information for which the practice is custodian?
For example, Commonwealth Privacy Act (1988), State and Territory Privacy Acts, National Privacy Principles.

What capabilities does the practice have in terms of security knowledge and expertise?
For example, the practice manager has IT expertise; Dr Jones has the ability to configure and update anti-malware software.

Who makes the decisions about the security protections to be put in place?
For example, the practice partners, the practice manager.

What processes are in place to assist in decision making regarding the use of the information the practice holds? For example, in the instances of secondary use of data or freedom of information requests.
For example, a structured decision making framework in the practice; decisions made as a committee in practice meetings.


2.3 Staff and technical support contact details

Table 1: User and technical contact details

Full name | Role in practice | Contact details: Mobile number | Other contact numbers | Other contact details (home address & email)
• Full name | | ??-???-??? | ??-????-???? | • address • email

Technical support contact details

Name and company | Support provided for | Contact details
• Contact person • Company | eg. server | Tel: Email: Address:


2.4 Asset register

Physical assets – computer and communications equipment, backup media, power supplies, furniture (network diagrams should also be included)

Table 2: Asset register: computer server 1

Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Support supplier
System name
Used for (e.g. server, billing, clinical records)
Internet protocol (IP) address
Central processing unit (CPU) speed
Random access memory (RAM) size
Hard disk drive (HDD) size/make
CD/DVD
External devices attached (e.g. printer, scanner)
Operating system (OS) and version
OS serial number/licence key


Table 3: Asset register: computers (copy as required)

Columns: Computer 2 | Computer 3

Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Support supplier
System name
Used for
IP address
CPU speed
Memory (RAM) size
HDD size/make
CD/DVD


Table 4: Asset register: portable computers (e.g. laptops)

Columns: Portable computer 1 | Portable computer 2

Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Support supplier
System name
Used for
IP address
CPU speed
Memory (RAM) size
HDD size/make
CD/DVD


Table 5: Asset register: printers

Columns: Printer 1 | Printer 2 | Printer 3

Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
IP address
Network patch panel number
Network wall socket number

Table 6: Asset register: other peripherals

Columns: Scanner | Modem | Uninterruptible power supply (UPS)

Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name


Table 6 (continued)

Network patch panel number
Network wall socket number


Table 8: Asset register: network equipment

Columns: Router/hub | Firewall (if hardware based) | Intrusion detection system (IDS) (if hardware based)

Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
IP address
Network patch panel number
Network wall socket number

Table 9: Asset register: network configuration

Type (e.g. client server, peer to peer)
IP address range
Subnet mask
Domain/workgroup
Windows internet name service (WINS) server IP
Domain name system (DNS) server IP
Dynamic host configuration protocol (DHCP) server IP
Gateway
Number of nodes
Locations of nodes (and identification) – could be cross-referenced to network diagram: 1. 2. 3.
Maintenance details


Electronic information assets – databases, electronic files and documents, image and voice files, system and user documentation, business continuity and disaster recovery plans

Table 10: Asset register: shared databases

Columns: Used by (which program) | Located on (which computer) | Path and database name (eg. Server C program ....)

Table 11: Asset register: other databases, document and file locations

Columns: Used by (which program) | Located on (which computer) | Path and database name (eg. Reception1 C programname ....)

Software assets – application programs, operating system, communications software

Table 12: Asset register: operating system

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details


Table 13: Asset register: practice management software program

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details


Table 14: Asset register: clinical software program

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 15: Asset register: financial management software program

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details


Table 16: Asset register: antivirus/anti-malware software program

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 17: Asset register: secure messaging/communications software and PKI certificates

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details
Encryption keys
PKI certificates
Practitioner details (dongle/smart card expiry, location)

Table 18: Asset register: other named software programs (e.g. [illegible] download)

Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 19: Asset register: email configuration

Practice email address
Incoming mail server (eg. POP3)
Outgoing mail server (eg. simple mail transfer protocol [SMTP])
Other details

Table 20: Asset register: internet service and configuration

Provider (ISP)
Dial up number (if still used)
Access plan
Proxy server transmission control protocol (TCP)/IP address
DNS
Secondary DNS
Modem type
Support details

Personnel assets – staff and contractors

Contact details of all staff are contained in Table 1 in this CISS Workbook document.


Network diagrams


2.5 Identify threats, vulnerabilities and controls

Table 22: Risk assessment: threat, vulnerability and controls

Columns: Threat/risk source | Disruption/impact | Vulnerability | Suggested appropriate controls | Controls (existing / required) | Person responsible (to action)

Human – Unintentional – Internal (insider threats/staff/authorised third parties)

Threat: Error
Controls: … employment (see Section 3.4)
• Location of equipment to minimise unnecessary access (see Section 3.11.1)
• Network connections and cabling protected, including segregation of power and communications cables, electromagnetic shielding and documented set-up of patching (seek technical advice for confirmation of these)
• Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat: Leaking or theft of information
Impact: - Violation of legislation or regulation - Adversely affect reputation - Breach of confidentiality (potential information disclosure)
Vulnerability: - Legitimate access to systems
Controls:
• Confidentiality and nondisclosure agreements signed (see Section 3.3.2)
• Agreements with third parties, including compliance with practice policies (see Section 3.3.3)
• Removal of access rights on termination of employment (see Section 3.4)
• Secure deletion of information when equipment and assets are disposed of (see Section 3.11.1)
• Control or prohibit use of external and personal devices such as USB (see Section 3.10)

Threat: Employee sabotage
Impact: - Disrupt operational activities - Breach of integrity (potential information modification or destruction)
Vulnerability: - Legitimate access to systems - Lack of policy and procedure monitoring
Controls:
• Implemented and monitored access control policy and procedure (see Section 3.4)
• Breach reporting in place (see Section 3.1.9)
• Removal of access rights on termination of employment (see Section 3.4)
• Limit access to system utilities (see Section 3.11.2)

Threat: Fraud
Impact: - Financial loss
Vulnerability: - Access to systems - No monitoring of access or business functions
Controls:
• Implemented and monitored access control policy and procedure (see Section 3.4)
• Breach reporting in place (see Section 3.1.9)
• Agreements with third parties (see Section 3.3.3)
• Removal of access rights on termination of employment (see Section 3.4)
• Secure deletion of information when equipment and assets are disposed of (see Section 3.11.1)

Threat: Email based social engineering (eg. phishing)
Impact: - Breach of confidentiality and unauthorised access
Vulnerability: - Lack of staff awareness
Controls:
• Staff awareness training (see Section 3.1.8)

Threat: Misuse of information systems
Impact: - Financial loss - Breach of confidentiality
Vulnerability: - Lack of usage monitoring
Controls:
• Monitoring of internet and email policy (see Section 3.4)
• Suitable consequences for breaches of policy (see Section 3.1.9)
• Agreements with third parties (see Section 3.3.3)

Human – Deliberate – External

Threat: Theft or damage of equipment
Impact: - Financial loss - Disrupt operational activities
Vulnerability: - Inadequate physical controls of system and network
Controls:
• Up to date asset register (see Section 3.1)
• Effective physical protections, including limited access to critical resources such as the server (see Section 3.10.1)
• Removal of all equipment and assets is formally recorded (see Section 3.11.1)
• Return of assets (keys and equipment) on termination of employment (see Section 3.4)
• Location of equipment to minimise unnecessary access (see Section 3.11.1)
• Network connections and cabling protected, including segregation of power and communications cables, electromagnetic shielding and documented set up of patching (seek technical advice for confirmation of these)
• Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat: Theft of information
Impact: - Violation of legislation or regulation - Adversely affect reputation - Breach of confidentiality
Vulnerability: - Lack of appropriate access control - Limited network controls
Controls:
• Access control policy and procedures (see Section 3.4)
• Control or prohibit use of external and personal devices such as USB
• Breach reporting to authorities (see Section 3.1.9)
• Effective perimeter controls, including firewalls and IDS security (see Section 3.9)
• Secure messaging and transfer of information using encryption and authentication (see Section 3.12)
• Removal of all equipment and assets is formally recorded (see Section 3.11.1)
• Secure disposal or re-use of equipment (see Section 3.11.1)
• Logical segregation of networks into clinical, administrative and external access, and install a secure gateway between them to filter traffic (needs advice from technical service provider)
• Segregate wireless networks, as perimeters are ill-defined (needs advice from technical service provider)
• Other network routing control mechanisms based on source and destination addresses (see technical service provider for advice)
• Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat: Fraud
Impact: - Financial loss
Vulnerability: - Lack of appropriate access control
Controls:
• Access control policy and procedures (see Section 3.4)
• Breach reporting to authorities (see Section 3.1.9)
• Effective perimeter controls, including firewalls and IDS security (see Section 3.9)
• Configure network to identify unauthorised access attempts and alert (see Section 3.9)
• Separate clinical and business information systems (needs advice from technical service provider)

Threat: Malicious hacking and unauthorised access
Impact: - Disrupt operational activities - Breach of integrity (potential information disclosure, modification or destruction)
Vulnerability: - Inadequate network and internet protection
Controls:
• Configure network to identify and record unauthorised access attempts and provide alerts on this (see Section 3.9)
• Configure network services to deny all incoming traffic not expressly permitted (see Section 3.9)
• Secure remote access methods, such as modems, and use VPNs (see Section 3.10)
• Restrict connection time of users and limit log-on attempts (seek advice from technical service provider)
• Use private IP addresses on internal networks and disable unused services on servers accessible to the internet (seek advice from technical service provider)
• Have a good password policy (see Section 3.4)
• Restrict physical access to critical equipment (see Section 3.11.1)
• Require users to change passwords regularly (see Section 3.4)
• Put all publicly accessible services on secured demilitarised zone (DMZ) network segments (see Section 3.12)
• Use of equipment and information off-site should include education and suitable home-office or teleworking security measures (see Section 3.10.2)
• Limit access to system utilities (see Section 3.11)

Threat: Unauthorised access
Impact: - Financial loss - Breach of confidentiality and integrity
Controls:
• Configure network-based IDS and firewalls, email content filtering software and …
• Care when using wireless networks and using portable devices in public places (see Section 3.10)

Technical – Unintentional

Threat: Equipment or hardware failure (eg. hard disk crashes and telecommunications failures)
Impact: - Disrupt operational activities
Vulnerability: - Poor or no backup procedures - Lack of system maintenance
Controls:
• Control of environmental conditions, including temperature and humidity (see Section 3.11.1)
• Two methods of telecommunications routes available for emergency situations (eg. landline and mobile service available)

Threat: Software failure (eg. bugs, patches)
Impact: - Disrupt operational activities
Vulnerability: - Not doing regular software updates or patching
Controls:
• Segregation of system utilities from application software (seek advice from technical service provider)
• Security features, and the limitations of these, in application software are known (see Section 3.11.3)
• Load software updates as soon as they become available (see Section 3.11.3)

Threat: Information loss
Impact: - Disrupt operational activities - Adversely affect reputation - Breach of confidentiality - Financial loss (eg. loss of billing data)
Vulnerability: - Poor or no backup procedures - Encryption not used appropriately
Controls:
• Control or prohibit use of external and personal devices such as USB (see Section 3.10)
• Backup policy and procedures in place and monitored for compliance (see Section 3.6)
• Portable devices policy and procedures enforced and monitored, including backup of portable devices (see Section 3.10)
• Encryption used for backups, portable and mobile devices and message transfer (see Sections 3.6, 3.10 and 3.12)

Threat: Power outage or spikes
Impact: - Disrupt operational activities
Vulnerability: - Lack of power backup and conditioners - Aging infrastructure
Controls:
• Install a UPS and power line conditioners (see Section 3.11.1)
• If power supply is unreliable, install an alternative power source
• Periodic test that UPS batteries are working (see Section 3.11.1)
• Maintain serviceable infrastructure (electricity and telecommunications)

Technical – Deliberate

Threat: Malicious code (eg. virus)
Impact: - Disrupt operational activities - Denial or degradation of service - Data loss - Breach of integrity
Vulnerability: - Inadequate network and internet protection - Lack of staff training - Not keeping anti-virus updates current - Spam filtering
Controls:
• Anti-malware software automatically and regularly updated (see Section 3.8)
• Regular precautionary scans of information systems (see Section 3.8)
• Spam filtering (see Section 3.4)
• Staff education on email attachments (see Section 3.4)
• Prohibit use of unauthorised software (see Section 3.4)
• Block use of mobile code, e.g. use web browser security to limit program add-ons (unknown ActiveX) (see Section 3.11)
• Limit use of file transfer peer-to-peer applications unless essential to normal operations (see Section 3.11)
• Control or prohibit use of external and personal devices such as USB (see Section 3.10)

Threat: Information loss
Impact: - Violation of legislation or regulation - Adversely affect reputation - Breach of confidentiality
Vulnerability: - Poor or no backup procedures - Lack of appropriate access control
Controls:
• Effective monitored backup procedures (see Section 3.6)
• Breach reporting to authorities (see Section 3.1.9)
• Segregation of system utilities from application software (seek advice from technical service provider)
• Limit access to system utilities (see Section 3.11)

Threat: Denial of Service (DoS – attempt to make computer resources unavailable)
Impact: - Loss or degradation of network capacity - Loss of Internet connectivity
Controls:
• Configure intrusion detection system to detect DoS (see Section 3.9)
• Firewall configuration to block specified network traffic (see Section 3.9)
• Block outgoing connections to Internet relay chat (IRC), instant messaging and peer-to-peer services (seek advice from technical service provider)

Environmental

Threat: Flood
Impact: - Disrupt operational activities - Endanger personal safety
Vulnerability: - Incomplete business continuity and disaster recovery plans
Controls:
• Complete and tested business continuity and disaster recovery plans, and alternative site identified (see Section 3.5)
• Effective monitored backup procedures (see Section 3.6)
• Location of critical equipment away (and protected) from accidental damage (see Section 3.11.1)
• Consider raising equipment off the floor to minimise the impact of flood (eg. burst water pipes)
• Do not position immediately beneath air-conditioning units
• Staff trained in emergency procedures relating to flood and electrical issues
• Apply other occupational health and safety provisions

Threat: Earthquake
Impact: - Disrupt operational activities - Endanger personal safety
Vulnerability: - Incomplete business continuity and disaster recovery plans
Controls:
• Completed and tested business continuity and disaster recovery plans, and alternative site identified (see Section 3.5)
• Effective monitored backup procedures (see Section 3.6)

Threat: Fire (including bushfire)
Impact: - Disrupt operational activities - Endanger personal safety
Vulnerability: - Incomplete business continuity and disaster recovery plans
Controls:
• Completed and tested business continuity and disaster recovery plans, and alternative site identified (see Section 3.5)
• Effective monitored backup procedures (see Section 3.6)
• Ensure electrical-based fire-fighting equipment is available in close proximity to critical equipment
• Staff trained in emergency (electrical fire) procedures
• Apply other occupational health and safety provisions

Threat: Storm & Cyclone
Impact: - Disrupt operational activities - Endanger personal safety
Vulnerability: - Incomplete business continuity and disaster recovery plans
Controls:
• Completed and tested business continuity and disaster recovery plans, and alternative site identified (see Section 3.5)
• Effective monitored backup procedures (see Section 3.6)
• Apply other occupational health and safety provisions
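Several rows of Table 22 ask the practice to "configure network to identify and record unauthorised access attempts and provide alerts" and to "limit log-on attempts", but the workbook leaves the mechanics to the technical service provider. The script below is an added example, not part of the RACGP workbook or its standards: it reads authentication log lines, keeps a sliding window of failed log-ons per source address, and raises an alert when a source passes a threshold or logs in successfully right after such a burst. The log lines are constructed sample data in the format of OpenSSH messages; the threshold, window, the assumed year for the syslog timestamps, and the names SAMPLE_LOG, parse_line and detect are all choices made for this example.

```python
"""Added example (not from the RACGP workbook): alert on bursts of failed
log-ons, the detection behind Table 22's "identify and record unauthorised
access attempts and provide alerts" control."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Source addresses are documentation/private ranges.
# Classic syslog lines carry no year, so the parser assumes one (see below).
SAMPLE_LOG = """\
Mar 14 09:01:02 server1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 14 09:01:05 server1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar 14 09:01:09 server1 sshd[2205]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 14 09:01:12 server1 sshd[2207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar 14 09:01:15 server1 sshd[2209]: Failed password for root from 203.0.113.7 port 51271 ssh2
Mar 14 09:01:20 server1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51280 ssh2
Mar 14 09:05:00 server1 sshd[2300]: Failed password for drjones from 192.168.1.20 port 40001 ssh2
Mar 14 09:05:30 server1 sshd[2302]: Accepted password for drjones from 192.168.1.20 port 40002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password" message shape used above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, source) or None for unhandled lines.

    `year` is an assumption: syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Scan log text and return a list of alert dicts.

    An alert is raised the first time a source reaches `threshold` failures
    inside `window`, and again if that source then logs in successfully while
    its recent failure count is still at or above the threshold, which is the
    trace a guessed password leaves in the log."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()                  # sources already reported for a burst
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                 # not an authentication result line
        ts, result, user, src = parsed
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "failed_logon_burst", "src": src,
                               "count": len(recent), "at": ts.isoformat()})
        elif len(recent) >= threshold:   # Accepted after a burst of failures
            alerts.append({"type": "success_after_burst", "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the script reports two alerts for 203.0.113.7 (five failures in thirteen seconds, then a successful root log-on) and nothing for 192.168.1.20, whose single failure followed by a success is ordinary user behaviour. In a practice the same logic would be fed by the server's real authentication log or by the firewall's connection log, and the alert would go to the security coordinator named in Section 2.1.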


2.6 Identify appropriate controls

Identify the appropriate controls and existing controls implemented in the practice in the table above.

2.7 Security management and reporting, including monitoring compliance and review planning

Table 23: Risk assessment review schedule

Agreed interval | Date of last review | Date of next review

2.8 Education and communication

Table 24: Risk assessment staff education record (all staff)

Education method | Date last undertaken | Next date
Induction training | |
Formal on-going training | |
Discussion at meetings | |


2.9 Breach reporting

Use the following template.

• Practice Name

Incident / Breach Report

Report Date/Time
Author
Details of the incident (date, time, what happened, impact and information system affected)
Actions taken/fix (who contacted, corrective action taken)
Outcome
Future actions required (eg. ensure malware protection up to date)


3 Staff roles and responsibilities

For a detailed explanation refer to Section 3.2 of the RACGP Computer and information security standards.

3.1 Security coordinator

Person or persons responsible
Name(s)

Table 25: Coordinator annual review dates and training

Coordinator role review dates | Coordinator training provided dates

3.2 Other staff roles and responsibilities

Table 26: Other staff roles and responsibilities

Task | Person or people responsible
Perform backups |
Update software |


3.3 Sample confidentiality agreement

This sample may be used to ensure that practice staff and other people working in a practice who may have access to confidential patient data or other business information comply with privacy and security of information as required under legislation, including the Privacy Act 1988 (amended) and the National Privacy Principles.

I (name) ______________________________________ understand that as a condition

of employment by (name and address of practice) _______________________________

_______________________________________________________________________________

I shall neither during nor after the period of employment


4 Access control and management

For a detailed explanation refer to Section 3.4 of the RACGP Computer and information security standards.

Table 27: Access control: staff access levels and health identifiers

Staff member | Healthcare provider identifier – individual (HPI-I) | Program/application (name of software) | Access level (restricted information only or full user access)
Practice nurse | | |

Practice unit (Name of the practice) | Healthcare provider identifier – organisation (HPI-O)


5 Business continuity and disaster recovery plans

For a detailed explanation refer to Section 3.5 of the RACGP Computer and information security standards.

Table 28: Business continuity: critical business functions

Columns: Critical function | System/requirements normally used | Alternative resources

Critical function: Patient consultations and treatment
- Recording clinical notes
- Prescriptions
- Referrals
- Secretarial services (eg. formatting reports)
This will include any processes that are now, or will be in future, electronic, such as e-prescriptions, lab requests and e-referrals.
System/requirements normally used: Clinical records system; Word processing application; Internet connection or electronic messaging service.
Alternative resources: Paper based forms or computer printed forms to be completed by hand. Keep all paper forms in one place for a quicker switch to manual procedures when required. Dictation system. Typewriter (if available).

Critical function: Appointments
System/requirements normally used: Appointment scheduling program
Alternative resources: Copy of current appointment schedule (today's) showing patient telephone numbers; Copy of future appointment schedule showing patient telephone numbers

Critical function: Accounts and billing
System/requirements normally used: Practice management (billing) program; Account holder and patient information.
Alternative resources: Manual invoice


    Table 29 Business continuity: additional resources required for continuity and recovery

    Resource | Potential reason | To be used for | Who to contact and contact details
    People
    Locum staff | Absence of medical staff; additional demand for services | Consulting | eg. local GP recruitment services
    Temporary administration staff | Absence of key staff | Reception duties; entering backlog of data |
    Information and documents
    Hardcopies of information | Inoperable computer systems or power outage | Look up information | Staff contact list; external contact list (healthcare providers, Medicare)
    Equipment, computer and telecommunications
    Telecommunications (landline or mobile telephone) | Loss of phone system (power outage or other) | Contact authorities, patients, healthcare providers |
    Alternative infrastructure (eg. power, lighting, water, generator) | Power outage, flooding, natural disaster events | Physical safety (lighting); resumption of operation (power) | Electricity provider
    Alternative computer resources (eg. a laptop and copy of electronic information) | Server non-operational or power failure | Look up critical information such as patient details or appointments |
    Dictaphone and batteries | | |


    Budget

    Table 30 Business continuity: contact and responsibility list in event of incident or disaster

    Person/position | Mobile number | Other contact number | Responsible for
    [Name] - doctor | 0??-???-??? | ??-????-???? |
    [Name] - practice manager | 0??-???-??? | ??-????-???? | Contact with technical service provider
    [Name] - head receptionist | 0??-???-??? | ??-????-???? | Managing manual billing process
    [Name] | 0??-???-??? | ??-????-???? | Locate last backup


    Table 31 Business continuity: workarounds for critical practice functions

    Critical function | Alternate procedure | Person responsible
    Patient consultations and treatment: recording clinical notes; prescriptions; referrals; secretarial services (eg. formatting reports). This will include any processes that are now, or will be in future, electronic, such as e-prescriptions, lab requests and e-referrals. | |
    Appointments | • Set up an alternate computer (laptop) if possible, with a copy of the appointment system on it or an electronic copy of the daily appointment schedule, to refer to only. Unless the practice has a tested method of updating and integrating appointments made on this copy, use it to refer to only. • Locate the daily printout of the appointment schedule (with patient contact numbers). Contact patients in circumstances where appointments need to be rescheduled. • Record diligently in a manual appointment book all changes to appointments and requests for appointments | Reception staff
    Accounts and billing | • Manually swipe Medicare cards • Manually issue receipts • Retain copies of all receipts in a secure location to be entered into the system later | Reception staff
    Practice financial activities (payroll, Medicare claims, banking) | • Banking • Medicare claims • Payroll | Practice manager
    Communication (eg. email) | |
    Receiving test results | |
    Recalls and reminders | |


    Agreed interval | Date of last review | Date of next review

    Table 37 Business continuity: fault log

    Date | Fault noted | Remedial action performed | By whom


    Table 39 Backup: backup rotation schedule and checking

    Mon | Tues | Wed | Thurs | Fri | Sat | Sun
    Checked | Checked | Checked | Checked | Checked | Checked | Checked

    Table 40 Backup: data restoration and testing procedure

    Restoring procedure in the event of a server failure | Person responsible
    • Locate backup media for the previous day • Insert backup media in the server • Ensure that all other computers have logged out of the server • Perform restore for the particular system |


    7 Malware, viruses and email threats

    For a detailed explanation refer to Section 3.8 of the RACGP Computer and information security standards.

    Table 41 Malware: software protection record

    Software (name and version) | Computers | Support | Upgrade procedure | Person responsible | Annual subscription renewed


    8 Network perimeter controls

    For a detailed explanation refer to Section 3.9 of the RACGP Computer and information security standards.

    Table 42 Network perimeter controls: intrusion detection system configuration

    Name and version | Hardware configuration | Software configuration | Maintenance required | Support

    Table 43 Network perimeter controls: firewall configuration

    Name and version | Hardware configuration | Software configuration | Maintenance required | Support


    9 Portable devices and wireless networks

    For a detailed explanation refer to Section 3.10 of the RACGP Computer and information security standards.

    Table 44 Portable devices and uses

    List the portable devices (eg. laptops, portable hard drives) | Briefly describe the mechanism for securing their data

    Remote access set-up

    Please document your remote access set-up here


    10 Physical, system and software protection

    For a detailed explanation refer to Section 3.11 of the RACGP Computer and information security standards.

    10.1 Physical protection

    Table 45 Physical, system and software protection: UPS

    Type | Equipment attached | Maintenance required | Battery life | Support contact

    Table 46 Physical, system and software protection: procedure for controlled shutdown of server

    When is it necessary to use this procedure | What to do | Person responsible

    Table 47 Removal of assets record

    Asset and offsite location | Date out | Name and signature | Date returned | Name and signature


    10.2 System maintenance

    Table 48 Physical, system and software protection: system maintenance

    Date | System maintenance task performed | By whom

    10.3 Software maintenance

    Table 49 Physical, system and software protection: software maintenance procedures

    Task | Person responsible | Frequency | Procedure

    Software maintenance

    Table 50 Physical, system and software protection: software maintenance

    Date | Software maintenance task performed | By whom


    11 Secure electronic communication

    For a detailed explanation refer to Section 3.12 of the RACGP Computer and information security standards.

    Table 51 Secure electronic communication: messaging system record

    Secure messaging system used by practice | Purpose