SECURITY POLICY DOCUMENT
Pursuant to art. 34 of Legislative Decree (d. lgs.) no. 196 of 30 June 2003
Chapter I: Organizational structure and information system of the company/institution
• (seat) The dental laboratory: (head office) location (town, street, street number)
• (branch office): location (town, street, street number)
• Information system:
  • number of stand-alone computers
    • operating system
    • internet connection (dial-up, ...)
  • number of portable computers
    • operating system
    • internet connection
Chapter II: List of processing operations concerning personal data
• (To whom do the data refer?) Patient data
  • (What kind of data are stored?)
  • personal data (any data that can be used to identify a person)
  • identification data (personal data that permit the direct identification of the data subject)
  • sensitive data (any data that disclose information about health, disease, especially contagious disease, or pregnancy)
• Employee data
  • personal data
  • identification data
  • sensitive data (health)
• Supplier data
  • personal data
  • identification data
Chapter III: Distribution of tasks and responsibilities among the departments/divisions in charge of processing data
• The person in charge of data processing is the doctor, with regard to patient, employee and supplier data
• A single employee may be designated as the person in charge of data processing
Chapter IV: Analysis of the risks applying to the data
• Physical risks
  • Risk of entry by unauthorized persons - Level: low
  • Risk of fire - Level: medium
  • Risk of flooding - Level: low
Chapter IV: Analysis of the risks applying to the data (2)
• Data processing risks
  • Risk of damage, loss or modification of data caused by unauthorized access to the information system - Level: low
  • Risk of damage, loss or modification of data caused by malicious software (e.g. virus, trojan horse, worm) - Level: low
  • Risk of damage, loss or modification of data caused by malfunctioning of the information system - Level: low
  • Risk of damage, loss or modification of data caused by incorrect use of the computer technology - Level: low
  • Risk of damage, loss or modification of data caused by power failure - Level: low
Chapter V: Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data
• Physical risks
  1. Risk of entry by unauthorized persons:
    • Surveillance system
    • Alarm system
    • Night watchman
    • Security guard
  2. Risk of fire:
    • Fire escape
    • Fire prevention system
    • Fireproof wall
  3. Risk of flooding:
    • The office is on the 2nd floor
Chapter V: Measures to be taken in order to ensure data integrity as well as protection of areas and premises insofar as they are relevant for the purpose of keeping and accessing such data (2)
• Data processing risks
  1. Risk of damage, loss or modification of data caused by unauthorized access to the information system:
    • Firewall
    • Password (changed every six months)
  2. Risk of damage, loss or modification of data caused by malicious software (e.g. virus, trojan horse, worm):
    • Anti-virus software (e.g. Avast Professional), automatically updated through the internet connection
  3. Risk of damage, loss or modification of data caused by malfunctioning of the information system:
    • Periodic software updating
    • Periodic technical assistance
  4. Risk of damage, loss or modification of data caused by incorrect use of the computer technology:
    • Password
    • Periodic computer and data processing training of employees
  5. Risk of damage, loss or modification of data caused by power failure:
    • Power generator
    • Uninterruptible Power Supply
Chapter VI: Description of criteria and mechanisms to restore data availability following destruction and/or damage
• Backup copy
  • Frequency (e.g. monthly backup)
  • Backup diskettes are replaced every year
  • There are two backup diskettes
  • Backup diskettes are kept locked away
Chapter VII: Schedule of training activities concerning the persons in charge of the processing
• Periodic training of employees with regard to:
  • legal aspects of privacy protection;
  • tort, criminal and administrative liability for unlawful processing of data;
  • lawful conduct with regard to data processing;
  • technical aspects of electronic data storage
Chapter VIII: Criteria to be implemented in order to ensure adoption of the minimum security measures whenever the processing operations concerning personal data are outsourced
• Personal data will be disclosed to third parties:
  • for book-keeping purposes, to the business consultant Mr. X
  • for dental supplies, to the dental technician Mr. X
  • for other medical products, to the suppliers Mr. X, Y, Z
• Only the personal data strictly necessary for the collaborator's activity are disclosed
• The above-mentioned persons are required to comply with the same rules implemented by the dental laboratory
• The dental laboratory will verify compliance with the privacy rules