The PKI must go through a formal certification and accreditation (C&A) process before it can be deployed in the Quality Medical Company (QMC) operational environment. An independent third party must certify all HIPAA PKI systems. We will use system certification as a formal procedure for testing the security safeguards in the computer system or major application to determine whether they meet the applicable requirements and specifications outlined.
System accreditation is the formal authorization by a management official for system operation and an explicit acceptance of the associated risk. The management official ensures that all equipment residing on the network under their authority is operated using approved security standards. All C&A evaluations and annual reviews must be conducted by a third party who must not have developed the present PKI solution or have any other business relationship with QMC.
QMC Associate Chief Information Technology Security Officer:
– Ensure compliance with the requirements of this policy concerning data at rest and role-holder access to managed networks, systems and servers;
– Ensure public-company regulations are implemented and complied with;
– Provide security standards for the implementation of PKI in HIPAA information technology environments to ensure that they can handle sensitive data and require non-repudiation;
– Review company plans to implement this policy;
– Review requests for exceptions to this policy;
– Conduct reviews of U.S. Securities and Exchange Commission (SEC) and HIPAA compliance to ensure compliance with this policy;
– Receive, review and coordinate a response with the QMC Chief Information Technology Officer for any requests for exceptions to this policy; and
– Periodically review and update this policy as required.
QMC Chief Information Technology Officer will:
– Ensure the provisions of this policy are implemented and enforced;
– Ensure that the requirements of the PKI policy are satisfied prior to deployment of this technology on any QMC system;
– Ensure that a backup of the encryption private key(s) is obtained and securely stored so that encrypted documents may be historically retrieved. The signing private key will exist only on the key token or profile issued to the individual. The solution must provide a means for archival of private decryption keys, and support the recovery of a private decryption key on request;
– Ensure that agency server administrators, staff offices responsible for server administration, ISSPMs and security staff are acquainted and comply with the provisions of OCIO Cyber Security Guidance Regarding C2 Controlled Access Protection (CS-013 dated 3/6/02); and
– Ensure that agency server administrators, staff offices responsible for server administration, information system security program managers and security staff are trained to implement and maintain PKI at a functional C2 level and fully understand the ongoing responsibilities to preserve that level of server security.
QMC Information Systems Security Program Manager will:
– Monitor all agency PKI installations to ensure that the provisions of this policy are followed;
– Coordinate with agency server administrators to ensure that precautions are taken to properly preserve the required level of server security;
– Coordinate with agency personnel to ensure proper certification and accreditation occur on all PKI systems prior to deployment; and
– Coordinate with agency system owners to ensure that PKI private key pairs are properly stored.
QMC System Administrators/Security Administrators responsible for server administration will:
– Monitor vendor release notes for new security patches, service packs, software upgrades and updates;
– Follow internal configuration management practices in installing security patches and updates; and
– Maintain a configuration control manual that documents all changes to the servers holding sensitive information.