Policies and Procedures - tw-Security, LLC - Data Security - Information Security

“If it’s not documented, it’s not done.”

The importance of having well-written policies and procedures cannot be overstated. Policies define expectations, responsibilities, and procedures to follow. Governance, the assignment of oversight, and management responsibilities are contained in the privacy, breach notification, and information security policies and procedures.

Proof of compliance is evidence-based which implies that policies, procedures, plans, forms, standards, etc., need to be in place to demonstrate compliance. During an audit, the auditor will assess the alignment of the three “P’s” – Perceptions, Policies, and Practices!

tw-Security recommends conducting a high-level review of existing privacy, security, and breach notification policies which results in a short report of general findings and recommendations. Frequently, we find that current policies and standards may exist; however, some may be outdated or do not accurately reflect current practices. Consequently, the review helps us know where to focus efforts: remediate or create new.

We write policies and procedures for targeted groups of readers and cross-referenced to applicable frameworks, standards, and regulations.

The most efficient way to amend the policies and procedures is to have knowledge of the information security and privacy program. Two critical areas inform the policies – the risk analysis that identifies safeguards and controls, and the results of an evaluation of compliance with HIPAA or other regulations. We utilize our collection of customizable templates to create new, framework-based privacy, breach notification, and information security policies. Our policies and procedures are “right-sized” and uniquely tailored for an organization.

We organize policies in three groups for the targeted reader.

1. Workforce Policies

Organizational-wide policies written for employees and workforce members containing the pertinent policy statements and procedures for information security, privacy, and breach notification.

2. IT Security Policies and Procedures

The IT Security Manual is a collection of policies and procedures for the information services staff and application and system administrators. The manual establishes policies and procedures for appropriately protecting information resources from accidental or intentional unauthorized use, modification, disclosure, or destruction. Adherence to the information security policies safeguards the confidentiality, integrity, and availability of your information. We can cross-reference the policies to relevant frameworks, standards, and regulations for your organization. Examples include:

HIPAA Security Rule
Payment Card Industry Data Security Standard (PCI DSS)
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d)
Joint Commission
NIST Cybersecurity Framework
The General Data Protection Regulation (GDPR)
ISO 27001
HITRUST Common Security Framework (CSF)

3. Privacy and Breach Notification Policies and Procedures

The Privacy and Breach Notification Manual provides a comprehensive risk-based and compliance approach to protecting the various types of confidential information. The Manual is a collection of policies and procedures written for the Privacy Officer, Compliance Officer, and HIM Department. We can cross-reference the policies to relevant frameworks, standards, and regulations, such as:

HIPAA Privacy Rule
Breach Notification and Sanction Requirements
The General Data Protection Regulation (GDPR)
FERPA (Title 34, Subtitle A, Chapter I, Part 99)
HITRUST Common Security Framework (CSF)
Alignment with state requirements, e.g. California Consumer Privacy Act of 2018 (CCPA), Security, Privacy, and Breach Notification Washington State’s Office of the CIO and Data Share Agreements