Confidentiality Statement and Information Security Controls
File Keepers adheres to stringent industry standards. As a member of PRISM, File Keepers consistently upgrades its Document Security Process to ensure privacy and physical security and our compliance with federal regulations (i.e., Gramm-Leach-Bliley Act, Title V, Sarbanes-Oxley, HIPAA Act of 1996 and HITECH Act of 2008).
These policies are in effect, and are reviewed and edited often to accommodate our changing technologies. Operational procedures are available and are adhered to on a daily basis. Furthermore, cross-training between assigned personnel is always in effect. There is a pre-employment screening process for potential employees, which includes background and drug testing. Lists of authorized personnel are maintained. Device restrictions and access lists exist where they are appropriate.
Our facilities are secure, state-of-the-art record centers with industry- and regulatory-mandated fire suppression systems, seismically designed shelving, and intrusion alarms. Strict ID badge/security access procedures are in place. Our secure fleet of vehicles is equipped with GPS tracking for remote monitoring, and all drivers use load validation scanners and printers and participate with management in frequent audits of security procedures.
In today's business climate, a large responsibility rests on FILE KEEPERS' shoulders. 'Privacy', 'Security' and 'Confidentiality' have become key issues within our industry and are vital to FILE KEEPERS' business operation. With the strict regulations brought forward through the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 (Enron Act), and the Federal Financial Institutions Examination Council (FFIEC), many businesses are turning to FILE KEEPERS to ensure the safety, security, privacy and confidentiality of their records.
All access to data is restricted, controlled and monitored by the MIS Department and, as stated above, no access is granted without written approval. All employees must attend orientation sessions regarding security awareness and read and sign a copy of our company security and usage policies and practices. We require all employees to re-read our company security and usage policies and sign them periodically. User account additions, modifications, and terminations are conducted immediately by MIS staff upon notification by HR and Operation managers. No authorization to technologies or systems is ever established without written authorization from Operations management.
Explicit multi-management approvals are in place. Explicit authentication procedures are in effect, as is encryption where applicable. Devices applied to our tasks are seldom required to be labeled on a per-user basis. Much of the desktop automation is in a multi-user environment. However, mobile devices are assigned and these assignments are recorded. The acceptable use of technologies is defined and enforced. Locations for network technologies are closely defined and guarded for proper security and environmental conditions.
We do not maintain a list of company-approved products. All automation purchases are vetted through our MIS Department, which in turn selects the most appropriate technologies for each specific need at that time. The vetting process is dominated by standardization yet flexible enough to adopt new technologies as they become available and reliable. Automatic disconnection of sessions is always on and applies to both internal and external access. Our policy is to allow access to supporting vendors only during required need, and all access is monitored during the entire session. Few service providers are allowed access to our systems, and even fewer have access to actual data. There is no need to generate a list of them. As stated above, contractors are required to read and sign off on our security and access usage policies, and their access is monitored live by an MIS representative at all times. Furthermore, contractors are required to sign further documentation pursuant to non-disclosure rules as well.
For both employees and contractors, our security policies are defined, documented, signed, updated, and revised often. All security management tasks are assigned, implemented, and monitored by our MIS Department. Although not documented as a formal “Incident Response Plan”, we have in place procedures of notification that are followed religiously. These procedures are also modified with changing conditions and the changes disseminated in writing.
Our MIS Department prepares and documents all policies and procedures relative to technology usage and security. The responsibility to disseminate this documentation is in the hands of our Human Resources Department. Our MIS Department is responsible for monitoring all security conditions, and this is conducted 24/7/365. All security issues are documented and disseminated within the management of our MIS Department. Further dissemination to Operation managers occurs where needed, and issues are further addressed via changes in our security policies and procedures when appropriate.