1. All policies are stored and updated to maintain LifeWIRE compliance with HIPAA, HITRUST, NIST, and other relevant standards. Updates and version control are done similarly to source code control.
2. Policy update requests can be made by any workforce member at any time. Furthermore, all policies are reviewed annually by both the Security and Privacy Officer to assure they are accurate and up-to-date.
- LifeWIRE employees may request changes to policies using the following process:
- The LifeWIRE employee initiates a policy change request by creating an Issue in the LifeWIRE Quality Management System.
- The Security Officer or the Privacy Officer is assigned to review the policy change request.
- Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
- If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
- If the policy change requires technical modifications to production systems, those changes are carried out by authorized personnel using LifeWIRE’s change management process.
3. All policies are made accessible to all LifeWIRE workforce members. The current master policies are published here.
- Changes are automatically communicated to all LifeWIRE team members through integrations with Microsoft Teams.
- The Security Officer also communicates policy changes to all employees via email. These emails include a high-level description of the policy change using terminology appropriate for the target audience.
4. All policies, and associated documentation, are retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later
- Version history of all LifeWIRE policies is done via OneDrive.
- Backup storage of all policies is done with OneDrive.
5. The policies and information security policies are reviewed and audited annually, or after significant changes occur to LifeWIRE’s organizational environment. Issues that come up as part of this process are reviewed by LifeWIRE management to assure all risks and potential gaps are mitigated and/or fully addressed. The process for reviewing polices is outlined below:
- The Security Officer initiates the policy review by creating an Issue in the LifeWIRE Quality Management System.
- The Security Officer or the Privacy Officer is assigned to review the current LifeWIRE policies.
- If changes are made, the above process is used. All changes are documented in the Issue.
- Once the review is completed, the Security Officer or Privacy Officer approves or rejects the Issue. If the Issue is rejected, it goes back for further review and documentation.
- If the review is approved, the Security Officer or Privacy Officer then marks the Issue as Done, adding any pertinent notes required.
6. Policy review is monitored on a quarterly basis using the Quality Management System reporting to assess compliance with above policy.
7. LifeWIRE utilizes the HITRUST MyCSF framework to track compliance with the HITRUST CSF on an annual basis. LifeWIRE also tracks compliance with HIPAA and publishes results. In order to track and measure adherence on an annual basis, LifeWIRE uses the following process to track HITRUST audits, both full and interim:
- The Security Officer initiates the HITRUST audit activity by creating an Issue in the LifeWIRE Quality Management System.
- The Security Officer or the Privacy Officer is assigned to own and manage the HITRUST activity.
- Once the HITRUST activity is completed, the Security Officer approves or rejects the Issue.
- If the review is approved, the Security Officer then marks the Issue as Done, adding any pertinent notes required.
8. Compliance with annual compliance assessments, utilizing the HITRUST CSF as a framework, is monitored on a quarterly basis using the Quality Management System reporting to assess compliance with above policy.
Additional documentation related to maintenance of policies is outlined in 5.3.1