Workstation
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2019-10-12
  - reviewed: 2018-06-20
- Applicability: standard
Automatically manage workstations using Mobile Device Management (MDM) software
- Require and enforce device protections
  - full-disk encryption of data on all devices (such as phones and laptops)
  - strong authentication
  - automatic screen lock for unattended devices
  - software and firmware updates from the vendor
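The four device protections above are the kind of settings an MDM can report on but that still need to be checked against the policy. The following is an added example, not MedStack's own tooling or any MDM vendor's API: it reads a constructed CSV export (the column names, the sample devices, the 600-second lock limit, the minimum OS versions and the set of "strong" authentication methods are all assumptions for this example) and lists, per device, which of the required protections is not in place.

```python
"""Audit an MDM device inventory against the workstation policy's required protections.

Added example; the inventory format and thresholds below are assumptions, not MedStack's
or any MDM product's real schema.
"""
import csv
import io

# Thresholds are assumptions for this example; the policy itself sets no numbers.
MAX_SCREEN_LOCK_SECONDS = 600
MIN_OS_VERSION = {"macos": (13, 0), "windows": (10, 19045)}
STRONG_AUTH_METHODS = {"password+mfa", "passkey", "smartcard"}

# Constructed sample export; column names are assumed, not a real vendor's schema.
SAMPLE_INVENTORY = """\
device_id,platform,fde_enabled,auth_method,screen_lock_seconds,os_version
WS-001,macos,true,password+mfa,300,14.2
WS-002,macos,false,password,0,13.6
WS-003,windows,true,password+mfa,1800,10.19045
WS-004,windows,true,smartcard,600,10.19041
WS-005,linux,true,passkey,300,6.5
"""


def parse_version(text):
    """Turn a 'major.minor' string such as '10.19045' into (10, 19045) for comparison."""
    major, _, minor = text.partition(".")
    return (int(major), int(minor or 0))


def evaluate(row):
    """Return the list of policy violations for one inventory row (empty list = compliant)."""
    findings = []
    # 1. full-disk encryption
    if row["fde_enabled"].strip().lower() != "true":
        findings.append("full-disk encryption disabled")
    # 2. strong authentication
    if row["auth_method"] not in STRONG_AUTH_METHODS:
        findings.append(f"weak authentication: {row['auth_method']}")
    # 3. automatic screen lock (0 or blank means the lock is off)
    lock = int(row["screen_lock_seconds"] or 0)
    if lock <= 0 or lock > MAX_SCREEN_LOCK_SECONDS:
        findings.append("automatic screen lock disabled or interval too long")
    # 4. vendor updates, approximated by a minimum OS version per platform
    minimum = MIN_OS_VERSION.get(row["platform"])
    if minimum is None:
        findings.append(f"unmanaged platform: {row['platform']}")
    elif parse_version(row["os_version"]) < minimum:
        findings.append(f"OS {row['os_version']} below minimum {minimum[0]}.{minimum[1]}")
    return findings


def audit(inventory_csv):
    """Map device_id -> findings for every device in the export."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: evaluate(row) for row in reader}


if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {'OK' if not findings else '; '.join(findings)}")
```

A device with an empty findings list satisfies all four requirements; any other device is one the MDM should be remediating or the responsible manager should be following up on. Version comparison is done on parsed integer tuples rather than strings so that "10.19045" sorts after "10.19041".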
Protect information from unauthorized view
- Papers and removable media
  - store out of sight when they are unattended
- When working in a public environment such as a coffee shop
  - shield the screen and keyboard from view when entering or viewing secrets
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.11.2 | Equipment | Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations. |
| ISO | A.11.2.1 | Equipment siting and protection | Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
| ISO | A.11.2.2 | Supporting utilities | Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
| ISO | A.11.2.3 | Cabling security | Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. |
| ISO | A.11.2.4 | Equipment maintenance | Equipment shall be correctly maintained to ensure its continued availability and integrity. |
| ISO | A.11.2.5 | Removal of assets | Equipment, information or software shall not be taken off-site without prior authorization. |
| ISO | A.11.2.6 | Security of equipment and assets off-premises | Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. |
| ISO | A.11.2.8 | Unattended user equipment | Users shall ensure that unattended equipment has appropriate protection. |
| ISO | A.11.2.9 | Clear desk and clear screen policy | A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. |
| HIPAA | 164.310(b) | Workstation use | Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. |
| HIPAA | 164.310(c) | Workstation security | Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. |