The purpose for this policy is to
give direction to workstation security for the mentioned company workstations
with a specific end goal to guarantee the security of data on the workstation
and data that workstation access. Moreover, the strategy gives direction to
guarantee the prerequisites of the HIPAA Security Rule “Workstation
Security” Standard 164.310(c) are met.
This policy applies to all
full-time employees, contractors, other members, business providers and agents
with a domain name operated or personal-workstation connected to the company
network. Additional requirements about HIPAA can accessed from
Access Tools Policy
Remote desktop software otherwise
called remote access tools, give an approach to PC clients and support staff
alike to share screens, get to work PC systems from home, and the other way
around. There are a bunch of tools available in the market which are leading for
remote policy. A few examples of them can be logmein, Gotomypc, and virtual
network computing. These tools are definitely time saving and noteworthy,
however they also create a chance of being misused and bringing the intentions
of being theft, unauthorized access. That is the reason to use better tools and
keep is approved, monitored and only under the access of authorized users on
the computer systems.
The remote access tools policy can be applied to all remote
The main use for this policy is to
figure out the need for the requirements and installation of the software on
the computer devices within the organization.
To reduce and keep the risk of losing the program functionality, this
policy is better used and also to it lowers the exposure of the delicate
information which is in the company network. It also reduces the risk of
exposure to introducing to malware and legal exposure of having an unlicensed software
which is considered illegal.
All the targeted employees in the organization
should be allowed or granted permission to install this software which reduces
the unnecessary exposure. Illegal file versions or DLLs which help in software
from running smoothly, the risk of introduction of bugs from effected
installation software, unlicensed or illegal software which could be found out
during an exam or checking of the software, and programs which can introduce to
a new hazard like hacking of the internal data of the company software will be
introduced by installing the software.
This policy applies to all
everybody in organization not limited to Company employees, contractors,
vendors and agents with company-owned mobile devices. This should be able to
cover all the devices like computers, servers, smartphones, tablets that are
active in the organization.
Application Security Policy
The main reason behind the web
application security policy is to provide security assessments for the company
web applications. When you perform a web application assessment it identifies
the potential harmful errors that may cause to the system. It avoids weak
authentication, insufficient error handling, sensitive information leakage,
etc. Knowing these issues and documenting the pattern and origin of it will
help the risk of attack to be limited to the company software in turn providing
a good compliance agreement to keep the attacks very minimum.
Web application attacks are the
most frequent occurring and also the largest scale attacks to threat the
company system.. It is crucial that any
web application be assessed for vulnerabilities and any vulnerabilities be
remediated prior to production deployment.
This policy covers all web
application security assessments requested by any individual, group or
department for the purposes of maintaining the security posture, compliance,
risk management, and change control of technologies in use at Company.
All web application security
evaluations will be performed by appointed security faculty either utilized or
shrunk by organization. All discoveries are viewed as secret and are to be
dispersed to people on a “need to know” premise. Circulation of any
discoveries outside of organization is entirely restricted unless affirmed by
the Chief Information Officer.
Any connections inside
multi-layered applications found amid the checking stage will be incorporated
into the evaluation unless unequivocally restricted. Impediments and ensuing
support will be archived before the begin of the evaluation.