
Running head: ASSET PROTECTION POLICY 1

ASSET Protection Policy

Raul Mendoza

University of San Diego

Cyber Security Ops Policy

CSOL-540

Clay Wilson

April 9, 2018

ASSET Protection Policy

I. Scope

This policy establishes HIC standards for the protection of company assets. It is
important that all employees, contractors, part-time and temporary workers, and
those employed by others to perform work on HIC systems, networks, data
integrity, and organizational assets understand and enforce this policy.

All HIC assets connected to HIC networks must have supported anti-virus
software installed, updated, and running at all times. Any asset found with
malware or infected by malicious software will be removed from the network
until it can be verified that the asset is virus free.

As cyber adversaries continue to intensify their efforts on impacting businesses, it
is paramount that we stay vigilant in our efforts to protect our assets from
malware and compromise. Although we must prepare for the worst, it is important
to understand which adversaries present the greatest threats to us.

II. Objectives

a. To establish a clear, organized, and accountable method for enforcing HIC
protection controls.

b. To protect HIC from accidentally disposing of company assets with
sensitive Personal Health Information prior to proper sanitization (U.S.
Department of Health & Human Services [HHS], 2015, p. 1).

c. To protect HIC assets from software that can be used to compromise
computer functions, steal data, bypass access controls, or otherwise cause
harm to HIC computers and networks. Several of the most common
types of malware are (Abraham, 2017, p. 1):

i. Adware
ii. Bot
iii. Bug
iv. Ransom
v. Rootkit
vi. Virus

d. To prevent infection of HIC computers, networks, and technology systems
by computer viruses and other malicious code.

III. Responsibilities

a. Chief Executive Officer (CEO)



i. Executive sponsor of the Information Security policy, standards,
and procedures throughout the organization.

b. Chief Information Officer (CIO)

i. Demonstrates commitment to the global information security
program throughout the organization.
ii. Allocates sufficient resources for operational security process
development and standard compliance.

iii. Provides constructive feedback and communication with the CISO
and security teams.

c. Chief Information Security Officer

i. Responsible to the CIO for enforcing all policies and standards
throughout HIC.

ii. Establishes all security controls and protections to ensure HIC’s
implementation meets all laws, regulations, and compliance
requirements.

IV. Policy Enforcement and Exception Handling

Any HIC member who violates this Policy may be subject to disciplinary action
up to, and including, termination of employment. Additionally, individuals may
be subject to loss of HIC’s Information Resources access privileges and, if
warranted, civil or criminal prosecution under California or federal law.

An exception may be granted only if the infected system performs a critical
function necessary to support a critical business need. Only in those instances
will the system be allowed to continue to operate, and it will require a plan for
the device to be taken offline and purged of the malicious software.

V. Review and Revision

Version number   Revised Date    Effective Date   Approved By   Brief Change Summary
1.1              April 2, 2018   April 9, 2018    R. Mendoza    Asset protection

References

Abraham, S. (2017). List of Types of Malware. Retrieved from https://www.malwarefox.com/malware-types/

U.S. Department of Health & Human Services. (2015). What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information? Retrieved from https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html
