8/16/2019 3a. Computer and Information Security Standards Workbook
RACGP Computer and information security standards workbook
Contents
2 RISK ASSESSMENT
2.1 Security coordinator(s)
2.2 Articulate the operating parameters
2.3 Staff and technical support contact details
2.4 Asset register
2.5 Identify threats, vulnerabilities and controls
2.6 Identify appropriate controls
2.7 Security management and reporting, including monitoring compliance and review planning
2.8 Education and communication
2.9 Breach reporting
3 STAFF ROLES AND RESPONSIBILITIES
3.1 Security coordinator
3.2 Other staff roles and responsibilities
3.3 Sample confidentiality agreement
4 ACCESS CONTROL AND MANAGEMENT
5 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS
6 BACKUP
7 MALWARE, VIRUSES AND EMAIL THREATS
8 NETWORK PERIMETER CONTROLS
9 PORTABLE DEVICES AND WIRELESS NETWORKS
10 PHYSICAL, SYSTEM AND SOFTWARE PROTECTION
10.1 Physical protection
10.2 System maintenance
10.3 Software maintenance
11 SECURE ELECTRONIC COMMUNICATION
TABLES
How to use this document
1 Computer and information security checklist

This checklist provides a record of the 12 basic computer and information security categories that should be undertaken. The checklist is a guide only and does not describe the complete list of security activities that should be undertaken. Details of these are provided in the RACGP Computer and information security standards.

Computer and information security checklist    Date of assessment: ___ / ___ / _____
Category | Tasks | Completed (tick and add date)
1. Risk Assessment | Conduct risk assessment activities and put procedures in place | ____
2 Risk assessment

For a detailed explanation refer to Section 3.1 of the RACGP Computer and information security standards.

2.1 Security coordinator(s)
Name(s): ______________________________________________________________

2.2 Articulate the operating parameters
What are the legal and professional requirements for the protection of the information for which the practice is custodian?
For example, Commonwealth Privacy Act (1988), State and Territory Privacy Acts, National Privacy Principles.
What capabilities does the practice have in terms of security knowledge and expertise?
For example, the practice manager has IT expertise; Dr Jones has the ability to configure and update anti-malware software.
Who makes the decisions about the security protections to be put in place?
For example, the practice partners, the practice manager.
What processes are in place to assist in decision making regarding the use of the information the practice holds? For example, in the instances of secondary use of data or freedom of information requests.
For example, a structured decision making framework in the practice; decisions made as a committee in practice meetings.
2.3 Staff and technical support contact details
Table 1 User and technical contact details
Full name | Role in practice | Contact details: Mobile number | Other contact numbers | Other contact details (home address & email)
<Full name> | | 0xx-xxx-xxx | 0xx-xxxx-xxxx | <address> <email>

Technical support contact details
Name and company | Support provided for | Contact details
<Contact person> <Company> | eg. server | Tel: / Email: / Address:
2.4 Asset register

Physical assets – computer and communications equipment, backup media, power supplies, furniture (network diagrams should also be included)

Table 2 Asset register computer server 1
Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Supplier
System name
Used for (e.g. server, billing, clinical records)
Internet protocol (IP) address
Central processing unit (CPU) speed
Random access memory (RAM) size
Hard disk drive (HDD) size/make
CD/DVD
External devices attached (e.g. printer, scanner)
Operating system (OS) and version
OS serial number/licence key
Table 3 Asset register computers (copy as required)
Computer 2 | Computer 3
Make/Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support/Supplier
System name
Used for
IP address
CPU speed
Memory (RAM) size
HDD size/make
CD/DVD
Table 4 Asset register portable computers (e.g. laptops)
Portable computer 1 | Portable computer 2
Make/Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support/Supplier
System name
Used for
IP address
CPU speed
Memory (RAM) size
HDD size/make
CD/DVD
Table 5 Asset register printers
Printer 1 | Printer 2 | Printer 3
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
IP address
Network patch panel number
Network wall socket number

Table 6 Asset register other peripherals
Scanner | Modem | Uninterruptible power supply (UPS)
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Network patch panel number
Network wall socket number
Table 8 Asset register network equipment
Router/hub | Firewall (if hardware based) | Intrusion detection system (IDS) (if hardware based)
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support/Configuration
System name
Used for
IP address
Network patch panel number
Network wall socket number

Table 9 Asset register network configuration
Type (e.g. client server, peer to peer)
IP address range
Subnet mask
Domain/workgroup
Windows internet name service (WINS) server IP
Domain name system (DNS) server IP
Dynamic host configuration protocol (DHCP) server IP
Gateway
Number of nodes
Locations of nodes (and identification) – could be cross-referenced to network diagram
1.
2.
3.
Maintenance details
Electronic information assets – databases, electronic files and documents, image and voice files, system and user documentation, business continuity and disaster recovery plans

Table 10 Asset register shared databases
Used by (which program) | Located on (which computer) | Path and database name (eg. \\Server\C\program ....)

Table 11 Asset register other databases, document and file locations
Used by (which program) | Located on (which computer) | Path and database name (eg. \\Reception1\C\programname ....)

Software assets – application programs, operating system, communications software

Table 12 Asset register operating system
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details
Table 13 Asset register practice management software program
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details
Table 14 Asset register clinical software program
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 15 Asset register financial management software program
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details
Table 16 Asset register antivirus/antimalware software program
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 17 Asset register secure messaging/communications software and PKI certificates
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details
Encryption keys
PKI certificates – practitioner details (dongle/smart card, expiry, location)
Table 18 Asset register other named software programs (e.g. …, downloads)
Name/version
Description
Serial numbers/licence codes
Which computers
Location of media
Location of manuals
Location of licence codes and agreements
Date purchased/upgraded
Supplier
Support details

Table 19 Asset register email configuration
Practice email address
Incoming mail server (eg. POP3)
Outgoing mail server (eg. simple mail transfer protocol [SMTP])
Other details

Table 20 Asset register internet service and configuration
Provider (ISP)
Dial up number (if still used)
Access plan
Proxy server transmission control protocol (TCP)/IP address
DNS
Secondary DNS
Modem type
Support details

Personnel assets – staff and contractors

Contact details of all staff are contained in Table 1 in this CISS Workbook document.
Network diagrams
2.5 Identify threats, vulnerabilities and controls
Table 22 Risk assessment threat, vulnerability and controls
Columns: Threat/risk source | Disruption/impact | Vulnerability | Suggested appropriate controls | Controls: Existing / Required (to action) | Person responsible

Human – Unintentional – Internal (insider threats/staff/authorised third parties)

Threat/risk source: Error
Suggested appropriate controls: … employment (see Section 3.4) • Location of equipment to minimise unnecessary access (see Section 3.11.1) • Network connections and cabling protected, including segregation of power and communications cables, electromagnetic shielding and documented set-up of patching (seek technical advice for confirmation of these) • Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat/risk source: Leaking or theft of information
Disruption/impact: – Violation of legislation or regulation – Adversely affect reputation – Breach of confidentiality (potential information disclosure)
Vulnerability: – Legitimate access to systems
Suggested appropriate controls: • Confidentiality and nondisclosure agreements signed (see Section 3.3.2) • Agreements with third parties, including compliance with practice policies (see Section 3.3.3) • Removal of access rights on termination of employment (see Section 3.4) • Secure deletion of information when equipment and assets disposed of (see Section 3.11.1) • Control or prohibit use of external and personal devices such as USB (see Section 3.10)

Threat/risk source: Employee sabotage
Disruption/impact: – Disrupt operational activities – Breach of integrity (potential information modification or destruction)
Vulnerability: – Legitimate access to systems – Lack of policy and procedure monitoring
Suggested appropriate controls: • Implemented and monitored access control policy and procedure (see Section 3.4) • Breach reporting in place (see Section 3.1.9) • Removal of access rights on termination of employment (see Section 3.4) • Limit access to system utilities (see Section 3.11.2)

Threat/risk source: Fraud
Disruption/impact: – Financial loss
Vulnerability: – Access to systems – No monitoring of access or business functions
Suggested appropriate controls: • Implemented and monitored access control policy and procedure (see Section 3.4) • Breach reporting in place (see Section 3.1.9) • Agreements with third parties (see Section 3.3.3) • Removal of access rights on termination of employment (see Section 3.4) • Secure deletion of information when equipment and assets disposed of (see Section 3.11.1)

Threat/risk source: Email based social engineering (eg. Phishing)
Disruption/impact: – Breach of confidentiality and unauthorised access
Vulnerability: – Lack of staff awareness
Suggested appropriate controls: • Staff awareness training (see Section 3.1.8)

Threat/risk source: Misuse of information systems
Disruption/impact: – Financial loss – Breach of confidentiality
Vulnerability: – Lack of usage monitoring
Suggested appropriate controls: • Monitoring of internet and email policy (see Section 3.6) • Suitable consequences for breaches of policy (see Section 3.1.9) • Agreements with third parties (see Section 3.3.3)

Human – Deliberate – External

Threat/risk source: Theft or damage of equipment
Disruption/impact: – Financial loss – Disrupt operational activities
Vulnerability: – Inadequate physical controls of system and network
Suggested appropriate controls: • Up to date asset register (see Section 3.1) • Effective physical protections, including limited access to critical resources such as server (see Section 3.10.1) • Removal of all equipment and assets is formally recorded (see Section 3.11.1) • Return of assets (keys and equipment) on termination of employment (see Section 3.4) • Location of equipment to minimise unnecessary access (see Section 3.11.1) • Network connections and cabling protected, including segregation of power and communications cables, electromagnetic shielding and documented set up of patching (seek technical advice for confirmation of these) • Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat/risk source: Theft of information
Disruption/impact: – Violation of legislation or regulation – Adversely affect reputation – Breach of confidentiality
Vulnerability: – Lack of appropriate access control – Limited network controls
Suggested appropriate controls: • Access control policy and procedures (see Section 3.4) • Control or prohibit use of external and personal devices such as USB • Breach reporting to authorities (see Section 3.1.9) • Effective perimeter controls, including firewalls and IDS security (see Section 3.9) • Secure messaging and transfer of information using encryption and authentication (see Section 3.12) • Removal of all equipment and assets is formally recorded (see Section 3.11.1) • Secure disposal or re-use of equipment (see Section 3.11.1) • Logical segregation of networks into clinical, administrative and external access, and install a secure gateway between them to filter traffic (needs advice from technical service provider) • Segregate wireless networks as perimeters are ill-defined (needs advice from technical service provider) • Other network routing control mechanisms based on source and destination addresses (see technical service provider for advice) • Portable devices policy and procedures enforced and monitored (see Section 3.10)

Threat/risk source: Fraud
Disruption/impact: – Financial loss
Vulnerability: – Lack of appropriate access control
Suggested appropriate controls: • Access control policy and procedures (see Section 3.4) • Breach reporting to authorities (see Section 3.1.9) • Effective perimeter controls, including firewalls and IDS security (see Section 3.9) • Configure network to identify unauthorised access attempts and alert (see Section 3.9) • Separate clinical and business information systems (needs advice from technical service provider)

Threat/risk source: Malicious hacking and unauthorised access
Disruption/impact: – Disrupt operational activities – Breach of integrity (potential information disclosure, modification or destruction)
Vulnerability: – Inadequate network and internet protection
Suggested appropriate controls: • Configure network to identify and record unauthorised access attempts and provide alerts on this (see Section 3.9) • Configure network services to deny all incoming traffic not expressly permitted (see Section 3.9) • Secure remote access methods, such as modems, and use VPNs (see Section 3.10) • Restrict connection time of users and limit log-on attempts (seek advice from technical service provider) • Use private IP addresses on internal networks and disable unused services on servers accessible to the internet (seek advice from technical service provider) • Have a good password policy (see Section 3.4) • Restrict physical access to critical equipment (see Section 3.11.1) • Require users to change passwords regularly (see Section 3.4) • Put all publicly accessible services on secured demilitarised zone (DMZ) network segments (see Section 3.12) • Use of equipment and information off-site should include education and suitable home-office or teleworking security measures (see Section 3.10.2) • Limit access to system utilities (see Section 3.11)

Threat/risk source: Unauthorised access
Disruption/impact: – Financial loss – Breach of confidentiality and integrity
Suggested appropriate controls: • Configure network-based IDS and firewalls, email content filtering software and … • Care when using wireless networks and using portable devices in public places (see Section 3.10)

Technical – Unintentional

Threat/risk source: Equipment or hardware failure (eg. hard disk crashes and telecommunications failures)
Disruption/impact: – Disrupt operational activities
Vulnerability: – Poor or no backup procedures – Lack of system maintenance
Suggested appropriate controls: • Control of environmental conditions, including temperature and humidity (see Section 3.11.1) • Two methods of telecommunications routes available for emergency situations (eg. landline and mobile service available)

Threat/risk source: Software failure (eg. bugs, patches)
Disruption/impact: – Disrupt operational activities
Vulnerability: – Not doing regular software updates or patching
Suggested appropriate controls: • Segregation of system utilities from application software (seek advice from technical service provider) • Security features, and the limitations of these, in application software are known (see Section 3.11.3) • Load software updates as soon as they become available (see Section 3.11.3)

Threat/risk source: Information loss
Disruption/impact: – Disrupt operational activities – Adversely affect reputation – Breach of confidentiality – Financial loss (eg. loss of billing data)
Vulnerability: – Poor or no backup procedures – Encryption not used appropriately
Suggested appropriate controls: • Control or prohibit use of external and personal devices such as USB (see Section 3.10) • Backup policy and procedures in place and monitored for compliance (see Section 3.7) • Portable devices policy and procedures enforced and monitored, including backup of portable devices (see Section 3.10) • Encryption used for backups, portable and mobile devices and message transfer (see Sections 3.7, 3.10 and 3.12)

Threat/risk source: Power outage or spikes
Disruption/impact: – Disrupt operational activities
Vulnerability: – Lack of power backup and conditioners – Aging infrastructure
Suggested appropriate controls: • Install a UPS and power line conditioners (see Section 3.11.1) • If power supply unreliable, install alternative power source • Periodic test that UPS batteries are working (see Section 3.11.1) • Maintain serviceable infrastructure (electricity and telecommunications)

Technical – Deliberate

Threat/risk source: Malicious code (eg. virus)
Disruption/impact: – Disrupt operational activities – Denial or degradation of service – Data loss – Breach of integrity
Vulnerability: – Inadequate network and internet protection – Lack of staff training – Not keeping anti-virus updates current – Spam filtering
Suggested appropriate controls: • Anti-malware software automatically and regularly updated (see Section 3.8) • Regular precautionary scans of information systems (see Section 3.8) • Spam filtering (see Section 3.6) • Staff education on email attachments (see Section 3.6) • Prohibit use of unauthorised software (see Section 3.6) • Block use of mobile code, e.g. use web browser security to limit program add-ons (unknown ActiveX) (see Section 3.11) • Limit use of file transfer peer-to-peer applications unless essential to normal operations (see Section 3.11) • Control or prohibit use of external and personal devices such as USB (see Section 3.10)

Threat/risk source: Information loss
Disruption/impact: – Violation of legislation or regulation – Adversely affect reputation – Breach of confidentiality
Vulnerability: – Poor or no backup procedures – Lack of appropriate access control
Suggested appropriate controls: • Effective monitored backup procedures (see Section 3.7) • Breach reporting to authorities (see Section 3.1.9) • Segregation of system utilities from application software (seek advice from technical service provider) • Limit access to system utilities (see Section 3.11)

Threat/risk source: Denial of Service (DoS – attempt to make computer resources unavailable)
Disruption/impact: – Loss or degradation of network capacity – Loss of Internet connectivity
Suggested appropriate controls: • Configure intrusion detection system to detect DoS (see Section 3.9) • Firewall configuration to block specified network traffic (see Section 3.9) • Block outgoing connections to Internet relay chat (IRC), instant messaging and peer-to-peer services (seek advice from technical service provider)

Environmental

Threat/risk source: Flood
Disruption/impact: – Disrupt operational activities – Endanger personal safety
Vulnerability: – Incomplete business continuity and disaster recovery plans
Suggested appropriate controls: • Complete and tested business continuity and disaster recovery plans and alternative site identified (see Section 3.5) • Effective monitored backup procedures (see Section 3.7) • Location of critical equipment away (and protected) from accidental damage (see Section 3.11.1) • Consider raising equipment off the floor to minimise impact of flood (eg. burst water pipes) • Do not position immediately beneath air-conditioning units • Staff trained in emergency procedures relating to flood and electrical issues • Apply other occupational health and safety provisions

Threat/risk source: Earthquake
Disruption/impact: – Disrupt operational activities – Endanger personal safety
Vulnerability: – Incomplete business continuity and disaster recovery plans
Suggested appropriate controls: • Completed and tested business continuity and disaster recovery plans and alternative site identified (see Section 3.5) • Effective monitored backup procedures (see Section 3.7)

Threat/risk source: Fire (including bushfire)
Disruption/impact: – Disrupt operational activities – Endanger personal safety
Vulnerability: – Incomplete business continuity and disaster recovery plans
Suggested appropriate controls: • Completed and tested business continuity and disaster recovery plans and alternative site identified (see Section 3.5) • Effective monitored backup procedures (see Section 3.7) • Ensure electrical-based fire-fighting equipment available in close proximity to critical equipment • Staff trained in emergency (electrical fire) procedures • Apply other occupational health and safety provisions

Threat/risk source: Storm – Cyclone
Disruption/impact: – Disrupt operational activities – Endanger personal safety
Vulnerability: – Incomplete business continuity and disaster recovery plans
Suggested appropriate controls: • Completed and tested business continuity and disaster recovery plans and alternative site identified (see Section 3.5) • Effective monitored backup procedures (see Section 3.7) • Apply other occupational health and safety provisions
2.6 Identify appropriate controls

Identify the appropriate controls and existing controls implemented in the practice in the table above.

2.7 Security management and reporting, including monitoring compliance and review planning

Table 23 Risk assessment review schedule
Agreed interval | Date of last review | Date of next review

2.8 Education and communication

Table 24 Risk assessment staff education record (all staff)
Education method | Date last undertaken | Next date
Induction training
Formal on-going training
Discussion at meetings
2.9 Breach reporting

Use the following template.

<Practice Name>
Incident / Breach Report
Report Date/Time
Author
Details of the incident (date, time, what happened, impact and information system affected)
Actions taken/fix (who contacted, corrective action taken)
Outcome
Future actions required (eg. ensure malware protection up to date)
3 Staff roles and responsibilities

For a detailed explanation refer to Section 3.2 of the RACGP Computer and information security standards.

3.1 Security coordinator
Person or persons responsible
Name(s)

Table 25 Coordinator annual review dates and training
Coordinator role review dates | Coordinator training provided dates

3.2 Other staff roles and responsibilities

Table 26 Other staff roles and responsibilities
Task | Person or people responsible
Perform backups
Update software
3.3 Sample confidentiality agreement

This sample may be used to ensure that practice staff and other people working in a practice who may have access to confidential patient data or other business information comply with privacy and security of information as required under legislation, including the Privacy Act 1988 (amended) and the National Privacy Principles.

I (name) ____________________________________ understand that as a condition
of employment by (name and address of practice) _______________________________
_______________________________________________________________________
I shall neither during nor after the period of employment
4 Access control and management

For a detailed explanation refer to Section 3.4 of the RACGP Computer and information security standards.

Table 27 Access control staff access levels and health identifiers
Staff member | Healthcare provider identifier individual (HPI-I) | Program/application (name of software) | Access level (restricted information only or full user access)
Practice nurse | | |
Practice unit (Name of the practice) | Healthcare provider identifier organisation (HPI-O) | |
5 Business continuity and disaster recovery plans

For a detailed explanation refer to Section 3.5 of the RACGP Computer and information security standards.

Table 28 Business continuity critical business functions
Critical function | System/requirements normally used | Alternative resources
Patient consultations and treatment: – Recording clinical notes – Prescriptions – Referrals | Clinical records system | Paper based forms or computer printed forms to be completed by hand. Keep all paper forms in one place for a quicker switch to manual procedures when required.
Secretarial services (eg. formatting reports) | Word processing application | Dictation system; Typewriter (if available)
This will include any processes that are now or will be in future electronic, such as e-prescriptions, lab requests and e-referrals. | Internet connection or electronic messaging service. |
Appointments | Appointment scheduling program | Copy of current appointment schedule (today's) showing patient telephone numbers; Copy of future appointment schedule showing patient telephone numbers
Accounts and billing | Practice management (billing) program; Account holder and patient information. | Manual invoice
Table 29 Business continuity additional resources required for continuity and recovery
Resource | Potential reason | To be used for | Who to contact and contact details

People
Locum staff | Absence of medical staff; Additional demand for services | Consulting | eg. local GP recruitment services
Temporary administration staff | Absence of key staff | Reception duties; Entering backlog of data |

Information and documents
Hardcopies of information | Inoperable computer systems or power outage | Look up information |
Staff contact list | | |
External contact list (healthcare providers, Medicare) | | |

Equipment, computer and telecommunications
Telecommunications (landline or mobile telephone) | Loss of phone system (power outage or other) | Contact authorities, patients, healthcare providers |
Alternative infrastructure (eg. power, lighting, water, generator) | Power outage, flooding, natural disaster events | Physical safety (lighting); Resumption of operation (power) | Electricity provider
Alternative computer resources (eg. a laptop and copy of electronic information) | Server non-operational or power failure | Look up critical information such as patient details or appointments |
Dictaphone and batteries | | |
Budget

Table 30 Business continuity contact and responsibility list in event of incident or disaster
Person/position | Mobile number | Other contact number | Responsible for
<Name – doctor> | 0xx-xxx-xxx | 0xx-xxxx-xxxx |
<Name – practice manager> | 0xx-xxx-xxx | 0xx-xxxx-xxxx | Contact with technical service provider
<Name – head receptionist> | 0xx-xxx-xxx | 0xx-xxxx-xxxx | Managing manual billing process
<Name> | 0xx-xxx-xxx | 0xx-xxxx-xxxx | Locate last backup
Table 31 Business continuity workarounds for critical practice functions
Columns: Critical function | Alternate procedure | Person responsible

Critical function: Patient consultations and treatment: – recording clinical notes – prescriptions – referrals

Critical function: Secretarial services (eg. formatting reports). This will include any processes that are now or will be in future electronic, such as e-prescriptions, lab requests and e-referrals.

Critical function: Appointments
Alternate procedure: • Set up alternate computer (laptop) if possible with copy of appointment system on it, or a daily appointment schedule electronic copy to refer to only. Unless the practice has a tested method of updating and integrating appointments made on this copy, use it to refer to only. • Locate daily printout of appointment schedule (with patient contact numbers). Contact patients in circumstances where appointments need to be rescheduled. • Record diligently in a manual appointment book all changes to appointments and requests for appointments
Person responsible: Reception staff

Critical function: Accounts and billing
Alternate procedure: • Manually swipe Medicare cards • Manually issue receipts • Retain copies of all receipts in a secure location to be entered into the system later
Person responsible: Reception staff

Critical function: Practice financial activities (payroll, Medicare claims, banking)
Alternate procedure: • Banking • Medicare claims • Payroll
Person responsible: Practice manager

Critical function: Communication (eg. email)

Critical function: Receiving test results

Critical function: Recalls and reminders
Agreed interval | Date of last review | Date of next review
Table 37 Business continuity: fault log
Date | Fault noted | Remedial action performed | By whom
Table 39 Backup: backup rotation schedule and checking
Mon | Tue | Wed | Thurs | Fri | Sat | Sun
Checked | Checked | Checked | Checked | Checked | Checked | Checked
Table 40 Backup: data restoration and testing procedure
Restoring procedure in the event of a server failure | Person responsible
• Locate backup media for the previous day
• Insert backup media in the server
• Ensure that all other computers have logged out of the server
• Perform restore for the particular system
7 Malware, viruses and email threats
For a detailed explanation refer to Section 3.8 of the RACGP Computer and information security standards.
Table 41 Malware: software protection record
Software (name and version) | Computers | Support | Upgrade procedure | Person responsible | Annual subscription renewed
8 Network perimeter controls
For a detailed explanation refer to Section 3.9 of the RACGP Computer and information security standards.
Table 42 Network perimeter controls: intrusion detection system configuration
Name and version | Hardware configuration | Software configuration | Maintenance required | Support
Table 43 Network perimeter controls: firewall configuration
Name and version | Hardware configuration | Software configuration | Maintenance required | Support
9 Portable devices and wireless networks
For a detailed explanation refer to Section 3.10 of the RACGP Computer and information security standards.
Table 44 Portable devices and uses
List the portable devices (eg. laptops, portable hard drives) | Briefly describe the mechanism for securing their data
Remote access set-up
Please document your remote access set-up here
10 Physical, system and software protection
For a detailed explanation refer to Section 3.11 of the RACGP Computer and information security standards.
10.1 Physical protection
Table 45 Physical, system and software protection: UPS
Type | Equipment attached | Maintenance required | Battery life | Support contact
Table 46 Physical, system and software protection: procedure for controlled shutdown of server
When is it necessary to use this procedure
What to do | Person responsible
Table 47 Removal of assets record
Asset and offsite location
Date out | Name and signature
Date returned | Name and signature
10.2 System maintenance
Table 48 Physical, system and software protection: system maintenance
Date | System maintenance task performed | By whom
10.3 Software maintenance
Table 49 Physical, system and software protection: software maintenance procedures
Task | Frequency | Procedure | Person responsible
Software maintenance
Table 50 Physical, system and software protection: software maintenance
Date | Software maintenance task performed | By whom
11 Secure electronic communication
For a detailed explanation refer to Section 3.12 of the RACGP Computer and information security standards.
Table 51 Secure electronic communication: messaging system record
Secure messaging system used by practice | Purpose