DATA SECURITY AND HANDLING FOR CONTRACTED SERVICES

Policy: 

Information/computer technology is a vital factor in the performance of the day-to-day services and business at Mains’l Services, Inc.  Maintaining the integrity and security of the information, and protecting the hardware and software systems, assures the continuity and stability of the technology and the information. 

All computer hardware, software, and peripherals are owned by Mains’l Services, Inc.  The systems administrator/data security officer (SA/DSO) is responsible for the purchase and installation of the computer software and hardware, and for maintaining the equipment.  Mains’l Services, Inc. complies with all software copyrights and adheres to the terms of all software licenses to which the organization is a party.

Information is an important asset of Mains’l Services, Inc. and the control, access, and dissemination of it must be in accordance with this policy and procedure.  All information developed on an agency system or introduced to an agency system is the property of Mains’l Services, Inc., and may be viewed by the SA/DSO, as needed.  

Mains’l meets or exceeds all state, federal, HIPAA, and tax standards, regulations, laws, and practices pertaining to data security and privacy in all activities involving handling and maintaining participant and consultant data, including the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and International Electrotechnical Commission (IEC) security standards.
 

Procedure: 

Network and Data Security

Information is considered an important asset of Mains’l Services, Inc., and restrictions are imposed for controlled data access.  Mains’l Services, Inc. considers it important to provide access to information to authorized users only. This operating procedure defines the processes to be used to protect the confidentiality, integrity, availability, and reliability of all information technology resources used to support the needs of our internal and external stakeholders, and to implement and enforce that level of security which will provide for the protection of data and information technology resources from accidental or intentional unauthorized disclosure, modification, or destruction by persons within or outside of Mains’l Services, Inc.

All Mains’l Services, Inc. technology equipment has up-to-date antivirus software installed, which automatically scans for viruses in real time.

1.    Access to the Network – Local and Remote Access
Access to the Mains’l Services, Inc. intranet (agency network) is restricted.  Each user has a confidential personal identifier (user name and password).  Personal identifiers are not to be shared with anyone for any reason.  Upon gaining access to the network, the user’s access and ability to view, add, or modify information is governed by permissions.  These permissions allow access to information which is appropriate to his or her job responsibilities.  Access rights are authorized by the executive assistant and chief financial officer and configured by the ITS/DSO.  The Mains’l Services, Inc. Technology and Systems Use Policy and Procedure must be reviewed by all authorized users before intranet access will be given.

Mains’l Services, Inc. complies with all HIPAA data privacy requirements (see Notice of Privacy Practices for Employees and Notice of Privacy Practices for Consumers).

Supervisors of authorized users are responsible for immediately notifying the ITS/DSO upon termination, transfer, or resignation for the purpose of system access adjustment or termination.

2.    Access to the FTP site    

A.    Security of Mains’l Services, Inc.’s file transfer protocol (FTP) site is the sole responsibility of the ITS/DSO.  

  • Access to the Mains’l Services, Inc. FTP site is restricted and governed by the ITS/DSO, under the requirements of the contracted services contract.  Upon approval by the chief financial officer, each user receives a confidential personal identifier (user name and password), assigned by the ITS/DSO.  The chief financial officer communicates the personal identifier information to the appropriate agency personnel.  Personal identifiers are not to be shared with anyone for any reason.  
  • Upon gaining access to the site, the user’s access and ability to view, add, or modify information is governed by permissions.  These permissions allow access to information which is appropriate to his or her role.  Access rights are authorized by the chief financial officer and configured by the ITS/DSO.
  • The Mains’l Services, Inc. Technology and Systems Use Policy and Procedure must be reviewed by all employees who require access to the FTP site before access will be given; in addition, employees will be required to review and sign any policies, procedures, and security agreement forms required by contracted entities.  
  • Supervisors of authorized users are responsible for immediately notifying the chief financial officer upon termination, transfer, or resignation for the purpose of system access adjustment or termination.

B.    Data Handling

  • All data transferred from contracted entities to Mains’l Services, Inc. is downloaded from the secure FTP site to the secure local area network.  Files are decrypted and converted to the appropriate financial management system format.  Data is processed as outlined by the contracted entity.  Once data is processed, it is uploaded to the secure FTP site.
  • Again, only authorized users have access to files on the FTP site.

3.    Equipment 

  • The information technology specialist/data security officer (ITS/DSO) and executive assistant are responsible for the purchase and installation of the computer software and hardware, and for maintaining the equipment.  In the event computer equipment must leave the facility for repair, hard drives are removed to ensure profile and, thereby, data security.  Prior to computer equipment being exchanged to another user within the agency, the authorized user’s profile is deleted from the computer to enforce data privacy.  Storage of company data on local hard drives is prohibited.  In the event computer equipment leaves the facility to a non-authorized user/entity, hard drives are formatted to wipe out any traces of sensitive information.  The ITS/DSO is the only personnel authorized to complete the formatting and removal/disposal process.
  • Confidential data may not be stored on any unencrypted mobile device, with the exception of the ITS/DSO.   Backup tapes are the only removable media allowed to store data, for the sole purpose of backup.

4.    Physical/Site Security

  • The Mains’l Services, Inc. main headquarters is geographically located in a non-disaster-related plain. The facility has strict security levels, governed by the vice president of administration and the ITS/DSO. The data center is climate controlled (with its own cooling system), has strict security access, and is monitored for fire and security.  All network server equipment is housed in racks and cages to further limit access.  All equipment is raised off the floor, at least ten (10) inches, to prevent water damage.  In addition, the headquarters is monitored for fire and security 24/7. 
  • The ITS/DSO is responsible for site security and uses the preventive measures necessary to minimize the risk of destruction, theft, and other losses of equipment, software, and data. The ITS/DSO evaluates the physical location and conditions surrounding the site and takes the necessary precautions to protect it.  The ITS/DSO annually evaluates the effectiveness of the site’s security and will report any new findings to contracted entities.  In addition, Mains’l Services, Inc. has an IT Disaster Recovery Plan, which is reviewed and revised, as necessary, minimally on an annual basis.
  • It is the responsibility of the individual using the data to maintain appropriate confidentiality and the responsibility of the individual’s supervisor to ensure that the employee has adequate training on protection of information.

5.    Training and Agreement

  • Supervisors are responsible for ensuring authorized users receive rules, policies, procedures, and guidelines on departmental information security.  All authorized users will sign a Training and Security Agreement.

Reference: 

Technology and Systems Use Policy
Technology and Systems Use Procedure 
IT Disaster Recovery Plan
Training and Security Agreement
Notice of Privacy Practices for Employees
Notice of Privacy Practices for Consumers