Safeguarding Information and Information Systems
CIBMTR, together with its affiliates, the NMDP and MCW, safeguards their information systems and information through comprehensive information security programs, which they have in place and will continue to maintain as documented by System Security Plans (SSP) that comply with Office of Management and Budget (OMB) Circular A-130 and the Computer Security Act of 1987 and are aligned with National Institute of Standards and Technology (NIST) SP 800-53 baseline controls. The CIBMTR SSP incorporates applicable elements of the US Department of Health & Human Services (HHS) Information Security Program as well as the Health Resources & Services Administration (HRSA) Office of Information Technology (OIT) security policies, procedures, controls, and standards in the creation of its own information security/privacy policies and to ensure the confidentiality, integrity, and availability of its information systems and data. Core elements of the CIBMTR SSP are as follows:
Annual Security Control Assessment & Authorization
CIBMTR will engage a qualified, independent third party to perform an annual security control assessment of its system security and privacy controls selected from NIST 800-53 and consistent with the Federal Information Processing Standards (FIPS) 199 risk categorization of CIBMTR. Any findings identified from this assessment will be documented in a plan of action, assigned a risk ranking, and remediated within an acceptable corresponding timeframe.
Continuous Monitoring
CIBMTR, MCW, and NMDP have collectively developed plans and implemented continuous monitoring activities in numerous areas to monitor, prevent, and mitigate risk to sensitive data. They have also developed plans and implemented activities to support rapid discovery of unanticipated threats or hazards as well as checks and balances for detecting whether these are operating as expected.
Vulnerability Management
CIBMTR conducts continuous information security vulnerability monitoring on devices across the enterprise using Security Content Automation Protocol (SCAP)-compliant tools. Mitigation control and remediation processes for discovered vulnerabilities are in place and will be maintained to detect and remediate applicable vulnerabilities. Vendor security patches are reviewed upon release from third parties; evaluated for applicability, risk, and criticality; and deployed to information systems using a risk-based approach and a repeatable, measured cycle that ensures all patches are deployed through the test, pre-production, and production environments at a pace commensurate with the security and operational risk levels.
Incident Response
NMDP, MCW, and CIBMTR have incident response policies and implementation plans consistent with NIST 800-53, NIST 800-61, and OMB M-17-12, which undergo regular testing and updating, as appropriate.
Protection of Sensitive Information
CIBMTR is committed to maintaining a secure environment that protects the confidentiality, integrity, and availability of information that is or may be sensitive.
Standard for Encryption
MCW currently encrypts laptops and mobile devices with verified encryption technology validated under the Cryptographic Module Validation Program to comply with FIPS 140-2. MCW has also extended verified encryption technologies to desktop replacements. CIBMTR stores keys to decrypt/recover encrypted information in a secure manner accessible only to authorized system administrators. Additional protections exist for mobile devices, such as remote wipe features. Data transferred between organizational locations or with authorized parties are protected using a secure managed file transfer protocol.
Security Awareness & Training
All CIBMTR permanent, part-time, and temporary personnel receive annual security awareness training and new staff receive security training as part of their orientation. Training material is reviewed and updated annually and is then utilized to conduct refresher training on an annual basis through a learning management system and/or in-person venue. All personnel are also required to complete the more comprehensive training tool, Collaborative IRB Training Initiative Program (CITI), upon hire and every 2 years thereafter. Additionally, regular technical, job-specific, and role-based training is required on an annual basis for all employees and contractors who have significant security responsibilities.
Rules of Behavior
CIBMTR requires all workers (permanent, temporary, or contractual) to read and sign an acknowledgment that the worker understands the organization’s policies and code of conduct, as stated in the organization’s Information Technology Rules of Behavior. Users are held responsible and accountable for their actions by this signed agreement. Review and acknowledgment of the Rules of Behavior is conducted during orientation of new staff and refreshed annually for all other staff.
Personnel Security / Position Sensitivity Designations
CIBMTR ensures that individuals occupying positions of responsibility within CIBMTR (including third-party service providers) meet established information security criteria for those positions. CIBMTR maintains position sensitivity designations for its personnel on an ongoing basis. Criteria for assigning a high, medium, or low risk designation to a position are based on that position's potential to affect the integrity of the data or to disrupt operations. The organization reviews position sensitivity designations every 5 years or if an employee changes title or functional group or has a substantial increase in responsibility/access to sensitive records. MCW also administers a background check both as a condition of hire and every four years thereafter.
Access Control
Access to CIBMTR’s information assets is controlled and maintained using procedures to authorize, change, and remove access as well as using systems to enforce access. Access is granted only to authorized employees, contingent workers, and third parties as required by job role, information security, privacy, legal, and regulatory requirements.
Physical and Environmental Protection
Physical access to CIBMTR information systems, equipment, and their respective operating environments is limited to authorized individuals in order to protect data centers and supporting infrastructure. CIBMTR also protects information systems against environmental hazards and provides appropriate environmental controls in its facilities.
System Development Life Cycle
CIBMTR has implemented a system development life cycle and borrows from the Agile product development framework where appropriate. These frameworks incorporate information security review and validation at predefined intervals as well as testing and validation of system and product requirements. They are designed to be consistent with the organization's information security policies, standards, and procedures, and with industry best practices.
Asset Management
CIBMTR will continue to maintain, using a SCAP-compliant tool, an active inventory of its IT assets, including relevant IT assets operated in conjunction with this contract.
Configuration Management
CIBMTR has implemented, and will continue to operate, programs to remain compliant with the base requirements established in the Minimum Security Configuration Standards Requirements. Monitoring software is implemented to ensure that software updates and patching are performed on a regular basis to maintain compliance with the Minimum Security Configuration Standards Requirements and to align with the Information Security and Privacy Policies. MCW has also implemented automated configuration compliance assessments of all IT assets. Current compliance tests are performed using the Federal Desktop Core Configuration, US Government Configuration Baseline, and Center for Internet Security guidelines.
Risk Assessment
CIBMTR conducts regular information security risk assessments of the risk to operations, information assets, and individuals resulting from the operation of information systems and the associated processing, storage, or transmission of information, as required to meet information security, privacy, legal, and regulatory requirements.
Contingency Plan
CIBMTR and NMDP maintain and annually test a contingency plan that conforms to information security, privacy, legal, and regulatory requirements. This includes the establishment, maintenance, and effective implementation of plans for emergency response, backup and restoration operations, and post-disaster recovery. These plans support the information systems that ensure the availability of critical information resources and continuity of operations in emergency situations.
In addition to these, CIBMTR will continue to stay current with and adopt relevant best practices in maintaining a proactive information security posture.