The PKZIP must go through a formal certification and accreditation (C&A) process before it can be deployed in the Quality Medical Company (CM) operational environment. An independent third party must certify all (HIPPO) PKZIP systems. We will use system certification as a formal procedure for testing the security safeguards in a computer system or major application to determine whether they meet the applicable requirements and specifications outlined.
System accreditation is the formal authorization by a management official for system operation and an explicit acceptance of the associated risk. The management official ensures that all equipment residing on the network under his authority is operated using approved security standards. All C&A evaluations or annual reviews must be conducted by a third party that has not developed the present PKZIP solution and has no other business relationship with CM.
CM Associate Chief Information Technology Security Officer will:
– Ensure compliance with the requirements of this policy concerning data at rest and role-holders' access to managed networks, systems and servers;
– Ensure public-company regulations are implemented and complied with;
– Provide security standards for the implementation of PKZIP in HIPPO information technology environments to ensure that they can handle sensitive data and require non-repudiation;
– Review company plans to implement this policy;
– Review requests for exceptions to this policy;
– Conduct reviews of U.S. Securities and Exchange (SEC) and HIPPO compliance to ensure compliance with this policy;
– Receive, review and coordinate a response with the CM Chief Information Technology Officer for any exception requests to this policy; and
– Periodically review and update this notice as required.
CM Chief Information Technology Officer will:
– Ensure the provisions of this policy are implemented and enforced;
– Ensure that the requirements of the PKZIP policy are satisfied prior to deployment of this technology on any CM system;
– Ensure that a backup of the encryption private key(s) is obtained and securely stored so that encrypted documents may be historically retrieved. The signing private key will exist only on the key token or refill issued to the individual. The solution must provide a means for archival of private decryption keys, and support for the recovery of a private decryption key on request;
– Ensure that agency server administrators, staff offices responsible for server administration, Isms and security staff are acquainted and comply with the provisions of SOCIO Cyber Security Guidance Regarding CA Controlled Access Protection (CSS-013 dated 3/6/02); and
– Assure that agency server administrators, staff offices responsible for server administration, information system security program managers and security staff are trained to implement and maintain PKZIP at a functional CA level and fully understand the ongoing responsibilities to preserve that level of server security.
CM Information Systems Security Program Manager will:
– Monitor all agency PKZIP installations to ensure that the provisions of this policy are followed;
– Coordinate with agency server administrators to ensure that precautions are taken to properly preserve the required level of server security;
– Coordinate with agency personnel to ensure that proper certification and accreditation occur on all PKZIP systems prior to deployment; and
– Coordinate with agency system owners to ensure that PKZIP private key pairs are properly stored.
CM System Administrators/Security Administrators responsible for server administration will:
– Monitor vendor release notes for new security patches, service packs, software upgrades and updates;
– Follow internal configuration management practices in installing security patches and updates; and
– Maintain a configuration control manual that documents all changes to the servers holding sensitive information.