Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Contents
2
RISK ASSESSMENT
10
11
34
34
36
AGREEMENT
37
BACKUP 46
50
10
51
10.1 PHYSICAL
11
PROTECTION
51
52
52
49
48
53
TABLES
Tables (cont)
Tasks
Completed
(Tick and add date)
__/__/__
1. Risk
Assessment
2. Staff roles
and
responsibilities
__/__/__
3. Practice
security policies
and procedures
__/__/__
Staff policy about levels of access to data and information systems developed
Staff are assigned appropriate access level
Staff have individual passwords which are changed on a regular basis
Confidentiality agreements for third party providers in place
__/__/__
5. Business
continuity and
disaster
recovery plans
__/__/__
6. Staff internet
and email usage
7. Backup
__/__/__
Backup of data done daily, with weekly, monthly and yearly copies retained
Backups encrypted
Backup of data stored securely on and offsite
Backup procedure tested by performing a restoration of data
Backup procedure included in a documented business continuity and disaster
recovery plan
Antivirus and anti-malware software installed on all computers
Automatic updating of virus definitions is enabled on all computers/server
Staff trained in anti-malware procedures
Automatic weekly scans are enabled
__/__/__
9. Network
perimeter
controls
__/__/__
10. Portable
devices and
wireless
networks
__/__/__
__/__/__
4. Access
control and
management
8. Malware,
viruses and
email threats
11. Physical,
system and
software
protection
12. Secure
electronic
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
__/__/__
Tasks
Safe and secure use of email, internet and the practice website policy
developed and reviewed periodically
Completed
(Tick and add date)
__/__/__
2 Risk assessment
For a detailed explanation refer to Section 3.1 of the RACGP Computer and information
security standards.
10
Role in
practice
<Full name>
Contact details
Mobile
number
Other
contact
numbers
04xx-xxx-xxx
xx-xxxx-xxxx
<address>
<email>
<practice to
complete>
Support provided
for
Contact details
<Contact
person><Company>
eg. server
Tel:
Email:
Address:
11
12
Computer 3
Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Supplier
System name
Used for
IP address
CPU speed
Memory RAM
size
HDD size/make
CD/DVD
Internal
devices
External
devices
attached
Operating
system (OS)
and version
Operating
system serial
number/licence
key
Network patch
panel number
Network wall
socket number
13
Portable computer 2
Make
Model
Serial number
Location
Supplier
Cost
Purchase date
Warranty
Support
Supplier
System name
Used for
IP address
CPU Speed
Memory RAM
size
HDD size/make
CD/DVD
Internal
devices
External
devices
attached
Operating
system and
version
Operating
system serial
number/licence
key
14
Printer 2
Printer 3
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
IP address
Network patch
panel number
Network wall
socket number
Modem
Uninterruptible power
supply (UPS)
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
N/A
Used for
N/A
IP address
N/A
Network patch
N/A
15
panel number
Network wall
socket number
N/A
Monitors
Keyboard/mouse
IP address
N/A
N/A
N/A
Network patch
panel number
N/A
N/A
N/A
Network wall
socket number
N/A
N/A
N/A
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
16
Firewall (if
hardware based)
Intrusion detection
system (IDS) (if
hardware based)
Location
Make
Model
Serial number
Supplier
Cost
Purchase date
Warranty
Support
Configuration
System name
Used for
IP address
Network patch
panel no
Network wall
socket no
1.
2.
3.
Maintenance details
17
Electronic information assets databases, electronic files and documents, image and
voice files, system and user documentation, business continuity and disaster recovery plans
Located on (which
computer)
Table 11: Asset register other databases, document and file locations
Used by (which
program)
Located on (which
computer)
18
19
20
PKI certificates
Practitioner
21
Table 18: Asset register other <name> software programs (eg. lab, x-ray download)
Name/version
Description
Serial numbers/licence
codes
Which computers
Location of media
Location of manuals
Location of licence codes
and agreements
Date purchased/upgraded
Supplier
Support details
22
Location
<practice to complete>
23
Network diagrams
<Insert network diagrams here>
24
Disruption/impac
t
Vulnerabilit
y
Controls
Existing
Required
(to action)
<practice to
complete>
<practice to
complete>
Person
responsible
Financial loss
Disrupt operational
activities
Breach of integrity
(inadvertent information
modification or
destruction)
Legitimate
access to systems
Lack of training
Inadvertent access
by staff
Violation of legislation or
regulation
Breach of confidentiality
(potential
information disclosure)
Legitimate
access to systems
by staff
Lack of formal
implemented
policy and
procedures,
particularly
password controls
Inadvertent viewing
of information by
nonstaff
Violation of legislation or
regulation
Breach of confidentiality
Lack of
appropriate
access control
Staff not
following policy
<practice to
complete>
Financial loss
Disrupt operational
activities
Legitimate
access to
premises and
equipment
25
Disruption/impac
t
Vulnerabilit
y
Controls
Existing
Required
(to action)
Person
responsible
Violation of legislation or
regulation
Adversely affect
reputation
Breach of confidentiality
(potential
information disclosure)
Legitimate
access to systems
Employee
sabotage
Disrupt operational
activities
Breach of integrity
(potential information
modification or
destruction)
Legitimate
access to systems
Fraud
Financial loss
Access to
systems
No monitoring of
access or
business functions
Breach of confidentiality
Lack of staff
Lack of policy
and procedure
monitoring
26
Disruption/impac
t
Vulnerabilit
y
engineering
(eg. Phishing)
awareness
Misuse of
information
systems
Financial loss
Breach of confidentiality
Lack of usage
monitoring
Controls
Existing
Required
(to action)
Person
responsible
<Additional items>
Financial loss
Disrupt operational
activities
Inadequate
physical controls
of system and
network
27
Disruption/impac
t
Vulnerabilit
y
Controls
Existing
Required
(to action)
Person
responsible
Theft of information
Violation of legislation
or regulation
Adversely affect
reputation
Breach of confidentiality
Lack of
appropriate
access control
Limited network
controls
Fraud
Financial loss
Lack of
appropriate
access control
28
Disruption/impac
t
Vulnerabilit
y
Malicious hacking
and unauthorised
access
Disrupt operational
activities
Breach of integrity
(potential information
disclosure, modification or
destruction)
Inadequate
network and
internet protection
Controls
Existing
Required
(to action)
Person
responsible
Unauthorised
access
Financial loss
Breach of confidentiality
and integrity
29
Disruption/impac
t
Vulnerabilit
y
Controls
Existing
Required
(to action)
Person
responsible
Technical Unintentional
Equipment or
hardware failure
(eg. hard disk
crashes and
telecommunication
s failures)
Disrupt operational
activities
Poor or no
backup
procedures
Lack of system
maintenance
Software failure
(eg. bugs, patches)
Disrupt operational
activities
Not doing
regular software
updates or
patching
Information loss
Disrupt operational
activities
Adversely affect
reputation
Breach of confidentiality
Financial loss (eg. loss
of billing data)
Poor or no
backup
procedures
Encryption not
used appropriately
Power outage or
spikes
Disrupt operational
activities
Lack of power
backup and
conditioners
Aging
infrastructure
30
Disruption/impac
t
Vulnerabilit
y
Controls
Existing
Required
(to action)
Person
responsible
telecommunications)
Technical Deliberate
Malicious code (eg.
virus)
Disrupt operational
activities
Denial or degradation of
service
Data loss
Breach of integrity
Inadequate
network and
internet protection
Lack of staff
training
Not keeping
anti-virus updates
current
Spam filtering
Information loss
Violation of legislation or
regulation
Adversely affect
reputation
Breach of confidentiality
Poor or no
backup
procedures
Lack of
appropriate
access control
Denial of Service
(DoS - attempt to
make computer
resources
unavailable)
Loss or degradation of
network capacity
Loss of Internet
connectivity
Environmental
Flood
Disrupt operational
activities
Incomplete
business
31
Disruption/impac
t
Vulnerabilit
y
Endanger personal
safety
continuity and
disaster recovery
plans
Earthquake
Disrupt operational
activities
Endanger personal
safety
Incomplete
business
continuity and
disaster recovery
plans
Fire (including
bushfire)
Disrupt operational
activities
Endanger personal
safety
Incomplete
business
continuity and
disaster recovery
plans
Storm / Cyclone
Disrupt operational
activities
Endanger personal
safety
Incomplete
business
continuity and
disaster recovery
plans
Controls
Existing
Required
(to action)
Person
responsible
32
<practice to complete>
Induction training
<practice to complete>
Next date
33
<Practice Name>
Outcome:
34
<practice to complete>
<practice to complete>
Perform backups
<practice to complete>
Update software
35
Signed:
in the presence of
(Name)
(Signature)
(Position)
Date:
36
Table 27: Access control staff access levels and health identifiers
Staff member
Healthcare
provider
identifier
individual (HPI-I)
Program/application
(name of software)
Access level
(restricted
information only or
full user access)
Practice nurse
<practice to complete>
<practice to complete>
37
System/requirements
normally used
Alternative
resources
Word processing
application
Appointments
Internet connection or
electronic messaging
service.
Appointment scheduling
program
Dictation system
Typewriter (if available)
Copy of current
appointment schedule
(todays) showing patient
telephone numbers
Copy of future
appointment schedule
showing patient
telephone numbers
Practice management
(billing) program
Financial software
Internet connection
Post or fax
Internet connection or
electronic messaging
service
38
<practice to complete>
Table 29: Business continuity additional resources required for continuity and
recovery
Resource
Potential reason
To be used for
Locum staff
Absence of medical
staff
Additional demand for
services
Consulting
eg. local GP
recruitment services
Temporary
administration staff
Reception duties
Entering backlog of
data
People
<practice to complete>
Information and documents
Hardcopies of
information
Inoperable computer
systems or power
outage
Look up information
Contact authorities,
patients, healthcare
providers
Alternative
infrastructure (eg.
power, lighting, water,
generator)
Power outage,
flooding, natural
disaster events
Physical safety
(lighting)
Resumption of
operation (power)
Alternative computer
resources (eg. a laptop
and copy of electronic
information)
Server nonoperational
or power failure
Look up critical
information such as
patient details or
appointments
Electricity provider
Dictaphone and
batteries
<practice to complete>
39
Budget
<practice to complete>
Table 30: Business continuity contact and responsibility list in event of incident or
disaster
Person/position
Mobile
number
Other
contact
number
<Name> / doctor
<Name> / practice manager
04xx-xxx-xxx
04xx-xxx-xxx
xx-xxxx-xxxx
xx-xxxx-xxxx
04xx-xxx-xxx
xx-xxxx-xxxx
<Name>
04xx-xxx-xxx
xx-xxxx-xxxx
Responsible for
<practice to complete>
40
Alternate procedure
Person
responsible
<practice to complete>
<practice to
complete>
Reception staff
Secretarial services
(eg. formatting
reports)
This will include any
processes that are
now or will be in future
electronic such as eprescriptions, lab
requests and ereferrals.
Appointments
Reception staff
Practice financial
activities (payroll,
Medicare claims,
banking)
Banking
Medicare claims
Practice
manager
Payroll
Communication (eg.
email)
Receiving test results
Recalls and reminders
<practice to
complete>
41
Recovery procedure
Person responsible
Server failure
<practice to complete>
Power failure
Network problem
Unauthorised access
Inappropriate usage
<practice to complete>
Person responsible
42
Re-enter appointments
<practice to complete>
Next date
43
Agreed interval
<practice to complete>
Fault noted
By whom
<practice to complete>
44
6 Backup
For a detailed explanation refer to Section 3.7 of the RACGP Computer and information
security standards.
Table 38: Backup example procedure
Backup
procedur
e
Activity
When
Person
responsible
Media
cycling
Offsite storage
procedure
For an
automated
backup
Daily
Receptionist
Daily
backup
media
<practice to
complete>
Weekly
Monthly
Annual
(end of
financial
year)
Week 2
Week 3
Week 4
Week 5
Mon
Tues
Wed
Thurs
Fri
Sat
Sun
Mon
Done
Tue
Done
Wed
Done
Thu
Done
Week#1
Done
Sat
Done
Sun
Done
Checked
Checked
Checked
Checked
Checked
Checked
Checked
Mon
Done
Tue
Done
Wed
Done
Thu
Done
Week#2
Done
Sat
Done
Sun
Done
Checked
Checked
Checked
Checked
Checked
Checked
Checked
Mon
Done
Tue
Done
Wed
Done
Thu
Done
Week#3
Done
Sat
Done
Sun
Done
Checked
Checked
Checked
Checked
Checked
Checked
Checked
Mon
Done
Tue
Done
Wed
Done
Thu
Done
Week#4
Done
Sat
Done
Sun
Done
Checked
Checked
Checked
Checked
Checked
Checked
Checked
Mon
Done
Tue
Done
Wed
Done
Thu
Done
Week#5
Done
Sat
Done
Sun
Done
45
Tues
Wed
Thurs
Fri
Sat
Sun
Checked
Checked
Checked
Checked
Checked
Checked
Checked
Person responsible
Practice computer
security coordinator or
technical service provider
When
Person responsible
46
Computers
Support
Upgrade
procedure
Person
responsible
Annual
subscription
renewed
<practice to
complete>
47
Hardware
configuration
Software
configuration
Maintenance
required
Support
<practice to
complete>
Hardware
configuration
Software
configuration
Maintenance
required
Support
<practice to
complete>
48
<practice to complete>
<practice to complete>
49
10
For a detailed explanation refer to Section 3.11 of the RACGP Computer and information
security standards.
Equipment
attached
Maintenance
required
Battery life
Support contact
<practice to
complete>
Table 46: Physical, system and software protection procedure for controlled
shutdown of server
When is it necessary to use this
procedure?
What to do?
Person
responsible
<practice to complete>
Date out
Name and
signature
Date returned
Name and
signature
<practice to
complete>
50
By whom
<practice to complete>
Person
responsible
Frequency
Procedure
<practice to
complete>
By whom
<practice to complete>
51
Purpose
<practice to complete>
52