To ensure compliance with the provisions of this policy, the following responsibilities are assigned to the data security officials listed below:

DMH Departmental Information Security Officer (DISO)

The DMH CIO must designate a DISO who is responsible for the development, implementation, and maintenance of DMH data security policies, procedures, and guidelines.

The DMH DISO will assist DMH managers in the risk analysis and management process.

The duties of the DMH DISO include, but are not limited to, the following:

- Provide technical, regulatory, and policy leadership related to information security;
- Facilitate the development and implementation of the DMH information security policies and procedures;
- Coordinate information security efforts across the facilities within DMH in alignment with Countywide security policies;
- Direct continuing information security training and education efforts;
- Represent DMH at the County Information Security Steering Committee (ISSC);
- Report to the DMH Chief Information Officer;
- Ensure DMH is in compliance with all laws, rules, and regulations as they relate to the proper handling of data and electronic media;
- Recommend new security standards as technology changes;
- Coordinate Department-wide security software and hardware purchasing and licensing; and
- Review and approve data security implementation and risk management efforts.

The DMH DISO or his/her designee must review and approve the Risk Analysis Report.

The DMH DISO or his/her designee must review and approve the DMH Facility Master Security Management Report (see DMH Policy 550.01, Security Management Process).

The DMH DISO or his/her designee must assist System Managers/Owners in implementing access authorization procedures and determining the appropriate technical access controls.

The DMH DISO or his/her designee will coordinate the Departmental Computer Emergency Response Team (DCERT).

The DMH DISO or his/her designee and DCERT are responsible for determining the appropriate level of response to a security incident.

The DMH DISO or his/her designee must represent the Department at the County Computer Emergency Response Team (CCERT) as the primary DCERT member.

The DMH DISO or his/her designee must create and periodically update the Facility Master Security Management Report.

The DMH DISO or his/her designee must work with System Managers/Owners, DMH managers and supervisors, and the DMH Human Resources Bureau to develop workforce security procedures and coordinate the activities necessary to implement them.
DMH Chief Information Officer (CIO)

The duties of the DMH CIO or his/her designee include, but are not limited to, the following:

- Management responsibility over all systems within the Department;
- Ensuring that System Managers/Owners conduct risk assessments for their data resources and information systems in accordance with DMH procedures;
- Ensuring System Managers/Owners develop plans to implement the safeguards and actions recommended in the Facility Master Security Management Report;
- Ensuring System Managers/Owners establish, document, and implement procedures for reviewing information systems activity, including, but not limited to, audit logs, problem logs, system access reports, change control logs, and security incident reports;
- Ensuring System Managers/Owners implement safeguards and defense mechanisms under the direction of the DISO or his/her designee, keep each system's security controls current and up to date, and apply vendor-released updates and patches to close gaps and remediate vulnerabilities that may introduce risk to the County's network, systems, computing equipment, and data, or that may violate federal, State, or Departmental policies, procedures, or standards;
- Ensuring System Managers/Owners authorize access to information resources under their control on a "need-to-know" basis for carrying out the essential job functions of Workforce Members;
- Ensuring System Managers/Owners implement procedures for establishing DMH Workforce Member access to electronic information (for example, access to a workstation, transaction, program, process, or other mechanism) that is both necessary and appropriate for the job functions of the Workforce Member;
- Ensuring System Managers/Owners implement procedures that modify a Workforce Member's access to a workstation, transaction, program, process, or other mechanism when necessary to align that access with the Member's essential job functions, and that terminate access that is no longer justified or authorized, or that belongs to a Workforce Member whose change in employment status has ended their relationship with the Department; and
- Ensuring System Managers/Owners respond to security incidents and emergency situations in a manner authorized and directed by the DISO or his/her designee and DCERT.
System Managers/Owners

The security responsibilities of System Managers/Owners include, but are not limited to, the following:

- Establishing rules for system use and protection of PHI and other confidential information as required by DMH Policy 553.02, DMH Privacy and Security Compliance Program;
- Working with the DMH DISO or his/her designee to implement DMH Policy 550.01, Security Management Process: DMH Risk Management;
- Establishing, documenting, and implementing procedures for reviewing information systems activity, including, but not limited to, audit logs, problem logs, system access reports, change control logs, and security incident reports;
- Working with the DMH DISO or his/her designee, DMH managers and supervisors, and DMH Human Resources to develop workforce security procedures, and coordinating the activities necessary to implement them;
- Implementing procedures for establishing DMH Workforce Member access to electronic information (for example, access to a workstation, transaction, program, process, or other mechanism) that is both necessary and appropriate for the job functions of the Workforce Member;
- Ensuring each Workforce Member with access has signed an acknowledgment of DMH Policy 556.01, DMH Acceptable Use for County Information Technology Resources, which (1) defines their responsibility for protecting the confidentiality, integrity, and availability of all DMH information resources and (2) identifies restrictions on utilizing those resources;
- Determining the sensitivity and criticality of the resources for which they are responsible, and developing, implementing, and maintaining a Contingency Plan commensurate with that criticality;
- Ensuring appropriate physical safeguards and technical security policies are implemented, maintained, and sustained at all times;
- Reporting all system failures, equipment malfunctions, and suspicious activities to the DMH Help Desk or its designee immediately upon discovery;
- Defining the system's security requirements in its System Security Documentation; and
- Training and communicating to Workforce Members the proper procedures for protecting PHI and other confidential information.
DMH Human Resources Bureau (HRB)

The security responsibilities of the DMH HRB include, but are not limited to, the following:

- Working with System Managers/Owners to ensure proper workforce clearance procedures are implemented;
- Ensuring each new Workforce Member receives and signs an acknowledgment of DMH Policy 556.01, Acceptable Use for County Information Technology Resources, during new hire orientation, and that each Workforce Member completes the acknowledgment again during the annual Performance Evaluation process. Signed acknowledgments will be filed in the Workforce Member's official personnel folder; and
- Ensuring all DMH personnel terminations, new hires, and internal transfers are communicated in a timely manner to the DMH DISO or his/her designee.
Workforce Managers and Supervisors

The security responsibilities of workforce managers and supervisors include, but are not limited to, the following:

- Determining Workforce Members' access rights and levels based on their job responsibilities, and authorizing Workforce Members to have access to electronic data systems, the Internet, and Intranet systems;
- Supervising the activities of DMH Workforce Members in relation to the use and disclosure of electronic data, and preventing any misuse of networks, systems, equipment, and information;
- Ensuring Workforce Members do not access PHI or perform clinical duties that may put them in contact with a client or client data before they have successfully completed both privacy and security awareness training and comprehensive HIPAA training;
- Providing authorization and supervision to DMH Workforce Members and others who need to be in areas where confidential and/or sensitive information may be accessed, and observing appropriate safeguards to ensure those who may be exposed to confidential or sensitive information are made aware of the policies protecting that information;
- Identifying and supervising DMH Workforce Members who work with confidential and/or sensitive information or who work in locations where confidential and/or sensitive information might be accessed; and
- Reporting any and all suspected and actual breaches of information security to the DMH DISO or the DMH Help Desk.
Workforce Member

The security responsibilities of all DMH Workforce Members include, but are not limited to, the following:

- Complying with the provisions of all relevant data security policies and procedures, including, but not limited to, DMH Policy 553.02, DMH Privacy and Security Compliance Program; DMH Policy 556.01, DMH Acceptable Use for County Information Technology Resources; and DMH Policy 551.03, Workstation Use and Security; and
- Reporting any and all suspected and actual breaches of information security to the DMH DISO or the DMH Help Desk.