- Going to need a System Arch document at some point, detailing how we implment AWS infrastructure, how the software manages access and authorization, and how client apps communicate with the API.
- policy-management-policy: TODO - make a JIRA issue type for new/change policy requests
- policy-management-policy: TODO - create a folder in box where we store our policy review documentation. Update section 6 after this is complete to indicate the box location
- Create 3rd party back system for github. Then update the existing Policies in policy-managemet-policy.md (under section 5)
- Create Roles and Responsibilties document for Security and Compliance Officers. This goes in Box/HR/Job Descriptions folder
- Create issue to update HIPAA and Privacy training materials. Locate them in box where existing docs exist. Get schedule set up for giving the training. Add training to first day assignment of all employees. See “roles-policy.md, workforce training, section 3”
- Create issue for creating review documentation / perhaps a Jira Ticket, that trackes when and how an access review is conducted. the purpose is to track who can and has access to PHI.(system-access-policy.md)
- Create issue for creating a form or issue type that capture the review of accounts in VHC that have access to PHI (system-access-policy.md section Access Establishiment and Modification)
- Add the following to every server shell log in: “This computer is owned by Visible Health, Inc. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://www.visiblehealth.com/compliance/) and have completed training as instructed by HR. Please contact us if you have problems with this - firstname.lastname@example.org.”
- Create jira issue for specing out a denial of service monitoring solution, then implement it. after this is done, add note to System Access Policy that captures the fact this is happening.
- TODO for Cory - check on auto log out shell access to various systems
- TODO For Rae - makesure we have bit in Employee Handbook that talks about what you can and can’t do with your computer - ie no illegal activity.
- Need to figure out a way to provision apple products so that password rules be set up, wifi keys distributed, lock screens with messages, etc
- Need to make sure that the Password Management section marries up with actual VH rules
- Make sure that “Fail2Ban” bans after 7 attempts (Cory) - make sure consistent with the Password Manageent section
- Machines doing the back ups should not have the access to delete back ups (Cory)
- Ensure that any process whereby someone requests temporary auth to PHI has a built in mechanism for revoking auth when the task is completed
Employee handbook should be incorporated as a Policy in the over all P&P doc set
- WE need to make sure that the output of the Risk Assessment is entered into a JIRA ticket for it to be reviewed
- TODO - publishing of the overall policy should be done using MD to HTML conversion and the managment of all of the docs should be gitflowed with a release process to HTML.