Information Systems Security


F/EA maintains a System Security Plan Template outlining the security measures enacted to protect and secure F/EA computer systems and data. The System Security Plan is updated with each change to F/EA systems or systems security. Following a change to the Plan, the Plan is reviewed and signed and dated by F/EA executive staff and F/EA officers. All changes to the Plan are tracked under the “Revisions History” section of the plan.

A suggested Plan is published below and should be revised and expanded according to F/EA operations and state regulations.

The purpose of this written information security policy is to define the safeguards that F/EA has in place for protecting confidential information (“CI”) including:

  1. Personal Health Information (“PHI”) -- Any demographic information, medical history, test and laboratory results, insurance information and other health data which may be identified as relating to a specific individual, including any data covered by HIPAA.
  2. Personal Information (“PI”) – A person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.

CI shall not include information that is lawfully obtained from publicly available information or from federal, state or local government records lawfully made available to the general public; nor shall it include any information that is excluded from protection by an agreement that F/EA has in place with another entity.

Staff Requirements

F/EA requires all staff members to adhere to the following rules regarding information security:

  1. Computers require a login password, and are set to trigger a password-protected screensaver mode after 5 minutes of inactivity
  2. All computer programs and systems used by F/EA that may contain participant or workers CI must be password-protected
  3. Passwords to web-based software that may contain CI are not cached in any browser
  4. Passwords to specific web-based systems that are likely to contain CI (including email) are required to be changed monthly
  5. Computers with the Windows operating system are required to have anti-virus software installed, and configured to update their virus definitions automatically
  6. Smartphones used to access F/EA web-based systems that are likely to contain CI (including email) must be password protected and require the password to be entered upon powering on or returning from idle 

Physical Security

Paper records (e.g., participant files) are kept in locked file cabinets and are accessible only to authorized F/EA personnel.  CI stored in this manner is accessed only to fulfill F/EA-related tasks and/or duties.

Security Checklist and Staff Requirements

Violations of this policy shall be handled on a case-by-case basis.  Discipline shall also be handled on a case-by-case basis, with potential discipline ranging from retraining to suspension and termination depending on the context of the violation.

Security Incidents

In the event F/EA discovers that unencrypted CI has been accessed by an unauthorized third party, F/EA shall notify all personnel that are impacted by the breach.

Ongoing Responsibility

<<F/EA Director>> shall have ultimate responsibility for the ongoing maintenance of and compliance with this Information Security Policy.