Information security policies

Article I. Introduction.

1.1 Purpose.

1.1.1 Information Security Policies. The purpose of this document (“these Policies”) is to delineate the policies Sourcewell has adopted to:

A. Comply with its statutory and regulatory obligations with respect to privacy and data security; and 

B. Support its efforts to protect the security, confidentiality, integrity, and availability of the data it collects, stores, uses, or disseminates and the systems Sourcewell uses to perform these functions. 

1.1.2 Supporting Documentation. These Policies are supplemented by applicable standard operating procedures and information technology and information security standards and practices, which describe the specific administrative, physical, and technical safeguards and controls used to fulfill the obligations described in these Policies.

1.2 Scope. 

1.2.1 Technology Resources. These Policies apply to all data, systems, activities, and assets owned, controlled, or used by Sourcewell (“Technology Resources”), including, but not limited to, infrastructure; communication systems and devices; information systems and services; computer hardware, software, and devices; and any new technologies implemented by Sourcewell.

1.2.2 Users. These Policies apply to any individual (“User”) who accesses or uses Sourcewell’s Technology Resources. This includes Sourcewell employees as well as any consultant, independent contractor, service provider, or vendor (“Third Party”) engaged by Sourcewell. Employee-specific privacy and data security processes and expectations are outlined in more detail in Sourcewell’s Employee Handbook.

1.3 Sanctions. Any Sourcewell employee found to be in violation of these policies may be subject to disciplinary action up to and including termination of employment. Employees who violate local, state, or Federal law may also be subject to civil or criminal prosecution. Any Third Party that violates this Policy may be found in breach of contract or face civil and criminal prosecution. 

1.4 No Expectation of Privacy and Monitoring. Users shall have no expectation of privacy while using Sourcewell’s Technology Resources. Sourcewell reserves the right to review, search, monitor, and control use of its Technology Resources and to retrieve, alter, or delete any data created, received, transmitted, or stored by any User on or through Sourcewell’s Technology Resources to the extent permitted by applicable law. The use of Technology Resources constitutes the User’s authorization for Sourcewell to take these actions.

1.5 Training. Sourcewell will provide resources and training opportunities where necessary to help Users understand their obligations under these Policies. Employees must complete information security training within the timeframes required by Sourcewell. Failure to participate in required training may constitute a violation of this Policy.

1.6 Information Security Coordinator.

The Sourcewell Board of Directors has appointed the Manager of IT Operations to serve as Sourcewell’s Information Security Coordinator. References to the Information Security Coordinator or Sourcewell IT in these Policies mean the Information Security Coordinator or any IT staff authorized by and under the supervision of the Information Security Coordinator.

1.6.2 Authority. The Information Security Coordinator is authorized to develop, implement, maintain, and enforce these Policies and any related policies, standards, and processes they deem necessary and appropriate, including, but not limited to, the Information Security Program.

1.6.3 Policy Review. On or before May 1st each year, the Information Security Coordinator must initiate review of this Policy and engage other departments and stakeholders, including Human Resources and Legal, as appropriate.

Article II. MGDPA, HIPAA, and Other Applicable Laws

Various information security laws, regulations, and industry standards apply to Sourcewell and the data Sourcewell Users collect, store, use, and disseminate. Sourcewell is committed to complying with applicable laws, regulations, and standards, which include, but are not limited to, the following:

2.1 Minnesota Government Data Practices Act (“MGDPA”).

The MGDPA, at Minnesota Statutes, Chapter 13, governs the collection, creation, storage, maintenance, and dissemination of data held by Minnesota governmental entities (“Government Data”), including Sourcewell. Sourcewell’s Data Practices Policy, Data Inventory, and Records Retention Schedule outline its policies with respect to the classification, disclosure, and disposition of Government Data. The Data Practices Policy, Data Inventory, and Records Retention Schedule can be found under “Legal Policies” in the Board Policy Book.

2.2 Health Insurance Portability and Accountability Act (“HIPAA”).

Sourcewell serves as the Sponsoring Association and provides administrative services for the Better Health Collective, a government joint risk pool for employee benefits. In that capacity, certain Users have access to and use Protected Health Information (“PHI”) governed by HIPAA. An entity, like Sourcewell, that conducts functions governed by HIPAA and other functions that are not may designate itself as a hybrid entity for HIPAA compliance purposes. Sourcewell has designated itself as a hybrid entity. The following documents Sourcewell’s intent to comply with HIPAA and the HITECH Act as applicable to this designation.

2.2.1 Designated Health Care Component. Sourcewell’s Department of Insurance and Risk Management (“IRM”) is solely responsible for conducting the functions governed by HIPAA and is the only department that employs Users with access to PHI. Therefore, Sourcewell has designated IRM as its sole healthcare component.

2.2.2 Safeguards. IRM Users do not disclose PHI to other departments in a manner that would be prohibited if IRM and other departments were separate legal entities. IRM Users also protect electronic PHI from other Sourcewell departments in the same manner as it would be required if IRM and other departments were separate legal entities. Finally, if a User performs duties for IRM and a non-healthcare component, the User does not use or disclose PHI created or received in the course of or incident to their IRM work in a manner that would be prohibited under HIPAA. 

2.2.3 Privacy and Security Officer. Sourcewell has appointed its IRM Manager as the Privacy and Security Officer for its healthcare components. 

2.3 Family Educational Rights and Privacy Act (“FERPA”).

Sourcewell serves as a third-party service provider to educational entities throughout the United States. In that capacity, certain Users have access to and use Personally Identifiable Information governed by FERPA. FERPA requires Sourcewell to implement safeguards to protect this data. This Policy is intended to demonstrate Sourcewell’s compliance with these obligations.

2.4 Other State Laws.

Statutes in some states outside Minnesota provide for additional statutory protections for student data beyond those provided for in FERPA. Sourcewell developed these Policies to include data protections required by FERPA and those common to most customers, including those in other states. As a result, when a customer asks Sourcewell to agree to additional customer-specific requirements:

2.4.1 Review and Approval. Legal and the Information Security Coordinator must review all related documentation, including the customer’s information security policies or standards and any related agreements requiring Sourcewell to comply.

2.4.2 Compliance. If Sourcewell Legal and the Information Security Coordinator agree that Sourcewell is willing and able to comply with customer-specific information security policies or standards, the Information Security Coordinator is responsible for notifying affected Users and ensuring they have the resources needed to comply with the additional requirements.

Article III. Access Controls and Acceptable Use

Sourcewell has implemented the following safeguards and controls to protect Sourcewell’s Technology Resources.

3.1 Requests for Access.

Authorized staff may request to add, change, or terminate access for internal Users under their supervision and external Users with a demonstrated need that cannot be reasonably met through other means. Staff requesting access are responsible for ensuring Users under their supervision comply with these Policies and for notifying Sourcewell IT when a User leaves the organization or their engagement is terminated.

3.2 Identity and Access Management.

Sourcewell uses identity and access management controls to provide User accounts with appropriate access privileges.

3.2.1 In general. Sourcewell IT will only grant access to Sourcewell’s Technology Resources to authorized Users. Users will only receive access to the Technology Resources required to perform their responsibilities.

3.2.2 Unique User Accounts. Sourcewell IT will assign each User a unique account, password, passphrase, or other credentials to provide for individual accountability. Users are prohibited from sharing their credentials with others. Where necessary, Sourcewell IT will use systems logs or other technical controls to identify and/or mitigate unauthorized access.

3.2.3 Entity Authentication. Any User accessing Sourcewell’s Technology Resources must be authenticated. The level of authentication must be appropriate to the data being accessed and the User’s role.

3.2.4 Unauthorized Access. Users are prohibited from gaining unauthorized access to Sourcewell’s Technology Resources or in any way damaging, altering, or disrupting these Resources. 

3.3 Acceptable Use Policy.

Sourcewell provides Users with Technology Resources to support its business requirements and functions. This section describes Sourcewell’s policy with respect to the use of these Technology Resources and explains the steps Users must take to protect them.

3.3.1 General Use of Information Technology Resources. Access to and use of Technology Resources is a privilege and not a right. Unacceptable use of Technology Resources may result in disciplinary action up to and including termination of employment. Users who violate local, state, or Federal law may also be subject to civil or criminal prosecution.

A. Acceptable use includes all authorized access to and use of Sourcewell’s Technology Resources as needed to fulfill a User’s assigned duties and functions. Minimal personal use is acceptable to the extent it does not interfere with the User’s performance of their responsibilities or impair another User’s ability to perform theirs.

B. Unacceptable use includes all unauthorized access to and use of Sourcewell’s Technology Resources for purposes including, but not limited to:

  1. Transmitting, receiving, or storing Government Data in violation of Sourcewell’s Data Practices Policy or other applicable state and federal privacy laws.

  2. Achieving personal gains or other activities that may create a real or perceived conflict of interest with Sourcewell. 

  3. Creating undue security risks or negatively impacting the performance of Sourcewell’s Technology Resources.

  4. Causing embarrassment, loss of reputation, or other harm to Sourcewell.

  5. Hacking, spoofing, or launching denial of service attacks.

  6. Gaining or attempting to gain unauthorized access to others' networks or systems.

  7. Sending fraudulent email messages.

  8. Distributing or attempting to distribute malicious software.

  9. Spying or attempting to install spyware or other unauthorized monitoring or surveillance tools.

  10. Committing acts such as terrorism, fraud, or identity theft.

  11. Downloading, storing, or distributing child pornography or other obscene or illegal materials.

  12. Violating another’s intellectual property rights.

  13. Uploading, downloading, or disseminating defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene, or otherwise inappropriate or offensive messages or media.

  14. Distributing joke, chain-letter, commercial-solicitation, or hoax emails, or engaging in other mass messaging or spamming.

  15. Disrupting the workplace environment, creating a hostile workplace, or invading the privacy of others.

  16. Using encryption or other technologies in an attempt to hide illegal, unethical, or otherwise inappropriate activities.

  17. Installing or distributing unlicensed or pirated software.

3.3.2 Desktop, Laptop, and End-User Controls. Users may only access Sourcewell’s Technology Resources using Sourcewell-provided user accounts on approved devices that support Sourcewell’s current minimum information security standards.

3.3.3 Social Media. Users must comply with Sourcewell’s Social Media Guidelines, found in Sourcewell’s Employee Handbook, when using their personal Social Media accounts to interact with Sourcewell’s official Social Media sites or to engage in other activities related to Sourcewell and its programs or services.

3.3.4 Mobile Devices and Bring Your Own Device to Work. Any use of personal mobile devices, including laptops, smartphones, and tablet computers, to connect to Sourcewell’s Technology Resources must be approved in advance by Sourcewell IT. If Sourcewell IT permits any User to use their own device for this purpose, the User must agree to use such devices subject to this Policy and any additional policies, procedures, standards, and processes Sourcewell implements. Further:

A. Sourcewell may require the User to install specific security controls on the device, including device management software, access controls, encryption, and remote wiping capabilities. 

B. The User must allow Sourcewell IT to review the device and remove any Government Data if their relationship with Sourcewell terminates, if the User changes devices or services, and in other similar situations. The User must also promptly provide Sourcewell IT with access to the device when requested for Sourcewell’s legitimate business purposes.

C. Devices with access to Sourcewell email or other Technology Resources must be protected by password/passphrase or another approved authentication method. Such devices must be physically secured by the user at all times.

D. The User is prohibited from connecting a mobile device containing Government Data to any unsecured network without technology security controls in place. Unsecured networks include home networks, hotel networks, open or for-pay wireless hotspots, convention networks, or any other network that Sourcewell has not approved or does not control.

3.3.5 Remote Access. Sourcewell IT has implemented technology solutions and controls which provide users with remote access capabilities to approved Technology Resources. Users with remote access privileges may only use Sourcewell-provided means and multifactor authentication to access Sourcewell’s Technology Resources. Users are prohibited from installing or setting up any other remote connections, including remote desktop software. Remote access connections to Sourcewell Technology Resources must be configured to time out or be disconnected as prescribed in existing information technology and information security standards and related standard operating procedures.

3.3.7 External Network Connections. Sourcewell IT and the Information Security Coordinator must review and approve all extranet and other connections to Sourcewell’s Technology Resources before implementation. A signed business agreement between Sourcewell and any organization seeking access must accompany any request for extranet connection. Connectivity will be limited to only those assets required to perform the specified functions. Extranet connections will be monitored and may be deactivated if unusual or inappropriate traffic is detected.

3.3.8 Wireless Network Connections. Users are prohibited from connecting any wireless access points, routers, or other similar devices to Sourcewell Technology Resources without prior approval from Sourcewell IT and the Information Security Coordinator. Users are prohibited from connecting wireless access points (WAPs) directly to Sourcewell’s trusted network.

Article IV. Protecting and Managing Sourcewell’s Information Technology Environment

4.1 Protecting Information Assets.

Sourcewell IT installs and configures its computers according to current technical standards and procedures, including anti-virus software, standard security controls, and approved operating system version and software patches. Only Sourcewell-supplied or approved software, hardware, and information systems may be installed in Sourcewell’s IT environment or connected to its network. 

4.1.1 End-User Computers and Access.

A. End-user computers are configured to request authentication from Sourcewell’s domain at startup and user login. Sourcewell may deny network access to end-user computers that do not meet current standards. 

B. User accounts are configured to require strong passwords/passphrases and multifactor authentication. To protect against password/passphrase guessing and other brute force attacks, Sourcewell will deactivate a user’s account after five (5) failed login attempts. Reactivation may be based on a timeout or manual reset. Authentication credentials must be encrypted during transmission across any internal or external network.

4.1.2 Passwords and User Credentials. Sourcewell has implemented automated password/passphrase rules to ensure that users are required to use strong passwords/passphrases. IT procedures and technical standards define these password rules and other authentication means. Users are required to protect all user credentials, including passwords, passphrases, tokens, badges, smart cards, or other means of identification and authentication. Specifically, Users are prohibited from:

A. Disclosing passwords, passphrases, one-time use codes, or another authentication means to anyone, including anyone who claims to be from Sourcewell IT;

B. Writing down passwords/passphrases or otherwise recording them in an unsecure manner;

C. Using “save password” features for applications;

D. Using the same password/passphrase for different systems or accounts, except where single sign-on features are automated; and

E. Reusing passwords/passphrases.

4.1.3 Perimeter Controls. Sourcewell IT uses perimeter controls to secure its network against external attacks. Firewalls are also used and configured according to current technical standards and procedures to separate Sourcewell’s trusted network from the internet or internet-facing environments. Sourcewell may, at its discretion, implement additional perimeter controls, including intrusion detection and prevention services, data loss prevention software, specific router or other network configurations, or network monitoring. Users are prohibited from creating internet connections outside perimeter controls.

4.1.4 Data and Network Segmentation. Sourcewell IT uses technical controls, such as firewalls, access control lists, or other mechanisms, to segment some data or areas of its network. Users are prohibited from altering segmentation plans without approval from Sourcewell IT.

4.1.5 Encryption.

A. Sourcewell may encrypt stored data (data-at-rest) and transmitted data (data-in-transit) using generally accepted encryption algorithms and products approved by the Information Security Coordinator. Sourcewell IT will periodically review encryption products and algorithms for any known risks.

B. Encryption algorithms use keys to transform and secure data. Because keys allow decryption of the protected data, Users must use proper key management, which includes selecting encryption keys to maximize protection levels; ensuring keys are available when needed to support data decryption by using secure storage methods and creating and maintaining secure backups; tracking access to keys; and changing keys on a periodic basis according to risks.

4.1.6 Data and Media Disposal. When Sourcewell IT retires or otherwise removes Technology Resources, it will scrub or otherwise render data contained thereon unreadable and unrecoverable. This process may include destroying data media according to applicable waste disposal regulations or using data wiping software that meets generally accepted data destruction standards. 

4.1.7 Log Management and Retention. Sourcewell IT logs systems and user activities on all Technology Resources. Security controls or other network elements may also produce logs, which are secured, retained, and disposed according to Sourcewell’s Data Practices Policy, Data Inventory, and Records Retention Schedule. Logs are periodically reviewed to identify any activities that may indicate a security incident.

4.1.8 Physical Security. Sourcewell IT uses physical safeguards to avoid theft, intrusions, unauthorized use, or other abuses of its Information Assets. Users must comply with Sourcewell’s current physical security standards, which are outlined in more detail in Sourcewell’s Employee Handbook.

4.1.9 Disaster Preparedness (Business Continuity and Disaster Recovery). Sourcewell IT has implemented and periodically tests its disaster preparedness plans, which support continuity of operations and systems availability if a disaster or other unplanned business-impacting event occurs. System administrators perform regular data backups for the information assets they maintain. Backup strategies balance the business criticality of the data, the resources required, and any impact to Users and Technology Resources. Sourcewell IT also documents and periodically tests data and systems restoration procedures.

4.2 Managing Information Assets.

Sourcewell IT must approve and manage all additions and changes to Sourcewell’s production IT environment to avoid unexpected business impacts. Sourcewell IT also ensures that its development environments comply with this Policy and current IT standards to minimize information security risks. 

4.2.1 Procurement. Only Sourcewell IT or those authorized by the Information Security Coordinator may procure Technology Resources for use in or connection to Sourcewell’s network. Any such procurement must comply with Sourcewell’s Procurement Policy. These requirements apply regardless of whether the Resource is purchased, open source, or made available to Sourcewell at no cost. Sourcewell IT and Legal must be consulted early in the procurement process to ensure that legal and information security risks are identified and managed prior to implementation. This is particularly true with respect to any cloud computing service providers that are intended to access, store, or manage Government Information; document sharing services; and other internet-based service providers that will collect, create, store, or otherwise manage Government Data on behalf of Sourcewell.

4.2.2 Asset Management. Sourcewell IT is responsible for tracking and documenting all Technology Resources. Inventory tracking must include operating system levels and all installed software and software versions to support vulnerability identification and mitigation. All Government Data is assigned a data owner who is responsible for tracking the location, use, and disposal of the data under their control.

4.2.3 Authorized Environments and Authorities. Only authorized IT personnel may install and connect hardware or software in Sourcewell’s IT environment. Users are prohibited from converting end-user computers to servers or other shared resources without assistance from IT. Sourcewell IT will limit administrative or privileged systems access to those individuals with a business need to know. Administrative access and related information must be distributed to more than one individual to minimize risks. The Information Security Coordinator must review and approve any new or modified internet connections or internet-facing environments prior to deployment.

4.2.4 Change Management. Sourcewell IT maintains a change management process to minimize business impact and disruption to its production IT environment. Users must submit change requests to Sourcewell IT and include an action plan with assigned roles and responsibilities, implementation milestones, testing procedures, and a rollback plan if the change fails. Sourcewell IT will track identified problems, fixes, and releases during software development and will include code archiving or versioning tools to ensure earlier versions can be recovered and rebuilt, if needed.

4.2.5 Application and Software Development 

A. To avoid any undue or unexpected impact to Sourcewell’s production IT environment, applications and other software development and testing must take place in reasonably segmented environments with segregation of duties between development and operations. Developers may be granted limited access to production environments where personnel and expertise availability is limited, but only for specific troubleshooting or support purposes. 

B. Security by design principles must be used to identify potential information security risks and resolve them early in the development process. Project team members must seek guidance from the Sourcewell IT team, Information Security Coordinator, critical vendors, industry experts, and industry best practices to identify and avoid application-level security risks. Defensive coding techniques, regular code reviews, and application-level scanning may also be used to identify and remediate any information security issues before release.

Article V. Incident Reporting and Response

5.1 Definitions.

"Breach of the security of the data" means the unauthorized acquisition, access, use, or disclosure of Government Data maintained by Sourcewell.

"Contact information" means name and mailing address or e-mail address for the data subject.

"Unauthorized acquisition" means that a person has obtained, accessed, or viewed Government Data without the informed consent of the data subject or statutory authority with the intent to use the data for nongovernmental purposes.

"Unauthorized person" means any person who accesses Government Data without a work assignment that reasonably requires access or, regardless of the person's work assignment, for a purpose not otherwise permitted under the MGDPA.

5.2 Notice to Individuals and Investigation Report. 

5.2.1 Notice of Breach. 

A. Government Data. As quickly as possible upon discovery of a breach of Government Data, Sourcewell must provide written notice to any individual who is the subject of the data or whose data was, or is reasonably believed to have been, acquired by an unauthorized person. The notice may not be unreasonably delayed consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the security of the data. Notice of breach must inform the individual that an investigation report will be prepared; how the individual may obtain the report; and that the individual may request delivery of the report by mail or e-mail. 

B. Protected Health Information. If the breach involves Protected Health Information, notice of breach must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the incident. Notice regarding breach of PHI must include:

  1. The date of the breach and the date it was discovered, if known;

  2. The types of PHI that were involved in the breach;

  3. Any steps individuals should take to protect themselves from potential harm resulting from the breach;

  4. A brief description of what Sourcewell is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and 

  5. Contact procedures for individuals to ask questions or obtain additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

5.2.2 Investigative Report. Upon completion of an investigation into any breach in the security of data and final disposition of any disciplinary action, including exhaustion of all rights of appeal under any applicable collective bargaining agreement, Sourcewell must prepare a report on the facts and results of the investigation. If the breach involves unauthorized access to or acquisition of data by an employee, contractor, or agent of Sourcewell, the report must at a minimum include:

A. A description of the type of data that were accessed or acquired;

B. The number of individuals whose data was accessed or acquired; and

C. If there has been final disposition of disciplinary action, the name of each employee determined to be responsible for the unauthorized access or acquisition.

5.2.3 Security Assessments. At least annually, Sourcewell IT will conduct a comprehensive security assessment of any personal information maintained by Sourcewell.

Article VI. Third Party Service Providers

The Information Security Coordinator is responsible for tracking, evaluating, and overseeing third-party service providers that interact with Sourcewell’s Technology Resources. 

6.1 Service Provider Approval Required.

Users must obtain approval from Legal and the Information Security Coordinator before engaging a service provider to perform functions that involve access to Sourcewell’s Technology Resources.

6.2 Contract Obligations.

Service providers that access Sourcewell’s Technology Resources must agree by contract to comply with applicable laws and these Policies. Sourcewell may require service providers to demonstrate their compliance by submitting to independent audits or other forms of review or certification based on risks.

Article VII. Risk and Compliance Management

Sourcewell supports a risk management cycle to enforce these Policies and to identify information security risks; to develop standards, procedures, safeguards, and controls; and to verify that safeguards and controls are working properly. This includes, but is not limited to, the following:

7.1 Risk Assessment and Analysis.

The Information Security Coordinator conducts periodic assessments to identify information security risks across Sourcewell’s IT environment, including application software, databases, operating systems, servers, other network components, and other connected devices. Assessment activities may include analyses, audits, reviews, scans, and penetration testing. Users are prohibited from taking any actions to avoid, impact, or otherwise impede risk assessments. 

7.2 Remediation and Mitigation Plans.

The Information Security Coordinator maintains and oversees remediation and mitigation plans to address any findings resulting from a risk assessment. 

7.3 Vulnerability Management and Disclosure. 

7.3.1 External Discovery and Management. Manufacturers, security researchers, and other external sources may identify security vulnerabilities in hardware, software, and other equipment, and notify impacted organizations and individuals. In most cases, the manufacturer or developer will provide a patch or fix to remediate the vulnerability. 

7.3.2 Internal Management. The Information Security Coordinator also maintains a process to identify and track applicable vulnerabilities, scan devices for current patch status, and notify system administrators and other impacted parties. Users must cooperate with necessary updates and make all Sourcewell-owned devices available to IT for timely patching and related activities, as requested. 

7.4 Compliance Management.

The Information Security Coordinator maintains responsibility for enforcing these Policies. If the Information Security Coordinator suspects a User may have acted in violation of these Policies, the Information Security Coordinator may contact the User to resolve the issue.