LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 555.03 Security Compliance Evaluation
 
  PROCEDURES
  1. Periodic Evaluation by the DISO

    The Departmental Information Security Officer (DISO) is responsible for evaluating the security safeguards of all DMH information systems to ensure compliance with DMH Policy 553.02, Privacy and Security Compliance Program.
     
    1. The DISO or designee must prepare a written DMH security safeguards evaluation, including a review of the viability of the DMH Privacy and Security Compliance Program Policy.
       
    2. The DISO's approval is required before any change is developed and a recommendation is made to any security policy or security procedure.
       
  2. Evaluation Upon Occurrence of Pertinent Events

    If one or more of the following events occur, the security safeguards evaluation process described in Section A must be immediately implemented:
     
    1. Changes in any of the regulatory, compliance, and/or accreditation security regulations or privacy regulations;
       
    2. New federal, State, or local laws or regulations affecting the privacy or security of confidential and/or sensitive information;
       
    3. Changes in technology, environmental processes, or business processes that may affect DMH Privacy and Security Compliance Program Policy;
       
    4. The occurrence of a serious security violation, breach, or other security incident after which the analysis conducted under DMH Policy 552.01, Security Incident Report and Response, indicates that policies and/or procedures need to be added or modified; and/or
       
    5. Changes in any County or DMH policies and/or procedures that may affect the DMH Privacy and Security Compliance Program Policy.
       
  3. Evaluation of Facility Procedures by DMH Facilities

    Periodically, the DMH Chief Information Officer or his/her designee must evaluate the security aspects of the DMH Privacy and Security Compliance Program Policy, as applicable to the Department, the Department's own security policies and procedures, and the implementation, operation, and maintenance of such policies and procedures. The purpose of such internal evaluation is to determine DMH's compliance status and make any changes necessary in order to become compliant, and/or to demonstrate and document compliance with the DMH Privacy and Security Compliance Program Policy and DMH’s own security policies and procedures.
     
  4. Internal Audit of Security Policies and Procedures

    All security-based policies and procedures, including the implementation, operation, and maintenance of such policies and procedures, are subject to periodic audits by the DMH Internal Audit Department and/or the DISO or his/her designee.