Roles and Responsibilities

Chief Security Officer

Ryan Rich ryan.rich@datica.com

The Chief Security Officer (CSO) is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Datica. In HIPAA terms, the CSO is considered the "Security Officer" for Datica. Specific responsibilities include:

  • Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
  • Providing basic security support for all systems and users.
  • Advising owners in the identification and classification of computer resources. See Information Classification Section, below.
  • Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design and development, through testing and production implementation.
  • Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
  • Providing on-going employee security education.
  • Performing security audits.
  • Reporting regularly to the Information Security and Risk Management Committee on Datica’s status with regard to risk and information security.

Data/Application Owner

The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another employee. It should be noted that Datica takes every effort to ensure that customer data is stored only in customer-owned and maintained environments. At no time does Datica have intentional access to customer production data. The owner of information has the responsibility for:

  • Knowing the information for which she/he is responsible.
  • Reviewing and approving all requests for their application access authorizations.
  • Determining a data retention period for the information, relying on advice from the Legal Department - or ensuring that guidance already exists in the Data Retention and Media Destruction Standard.
  • Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the organizational unit.
  • Authorizing access and assigning custodianship.
  • Specifying controls and communicating the control requirements to the custodian and users of the information.
  • Reporting promptly to the CSO or delegate the loss or misuse of Datica (or customer) information.
  • Initiating corrective actions when problems are identified.
  • Promoting employee education and awareness by utilizing programs approved by the CSO or delegate, where appropriate.
  • Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

Data/Application Custodian

The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:

  • Providing and/or recommending physical safeguards.
  • Providing and/or recommending procedural safeguards.
  • Administering access to information.
  • Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure, using procedures that protect the privacy of the information.
  • Evaluating the cost effectiveness of controls.
  • Maintaining information security policies, procedures and standards as appropriate and in consultation with the CSO or delegate.
  • Promoting employee education and awareness by utilizing programs approved by the Privacy Officer, where appropriate.
  • Reporting promptly to the CSO or delegate the loss or misuse of Datica information.
  • Identifying and responding to security incidents and initiating appropriate actions when problems are identified.

Manager

Managers are Datica employees who supervise other employees in the capacities described below. User management is responsible for overseeing their employees' use of information, including:

  • Initiating security change requests to keep employees' security record current with their positions and job functions.
  • Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
  • Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.
  • Providing employees with the opportunity for training needed to properly use the computer systems.
  • Reporting promptly to the CSO or delegate the loss or misuse of Datica information.
  • Initiating corrective actions when problems are identified.
  • Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.

User

The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:

  • Understand, abide by, and acknowledge, by way of signature, the Acceptable Use Policy.
  • Access information only in support of their authorized job responsibilities.
  • Comply with Information Security Policies and Standards and with all controls established by the organization.
  • Follow proper procedure for all disclosures of PHI outside of Datica and within Datica, other than for treatment, payment, or health care operations.
  • Keep personal authentication devices (e.g. passwords, Smartphones, PINs, etc.) confidential.
  • Attend HIPAA and Information Security training upon initial hire and complete annual refresher HIPAA and Information Security training.
  • Report promptly to the CSO or delegate the loss or misuse of Datica information.
  • Initiate corrective actions when problems are identified.

Privacy Officer/Data Privacy Officer

Jeremy Pierotti jeremy.pierotti@datica.com

The Privacy Officer, in collaboration with the CSO or delegate, the Information Security/Risk Management/Compliance Team, and senior leadership, is responsible for overseeing the development, implementation, and oversight of all activities pertaining to Datica’s efforts to be compliant with, among other compliance mandates, the HIPAA Privacy Rule (Privacy Rule) and the Breach of Unsecured PHI Rule, as applicable and as described in Business Associate Agreements. The intent of all oversight activities includes those necessary to maintain the confidentiality, integrity, and availability of protected information as described in the Information and System Classification section of this policy. These responsibilities include, but are not limited to, the following:

  • Oversee all organizational initiatives related to the identification, development, implementation, auditing, enforcement, improvement, and adherence to the organization’s privacy policies and procedures and the Privacy Rule and Breach of Unsecured PHI Rule.
  • Monitor developments relating to privacy and Breach of Unsecured PHI, including changes in applicable laws and regulations and when significant risks are identified.
  • Verify that privacy safeguarding measures meet the requirements of the Privacy Rule, while balancing business needs and capabilities to maintain the confidentiality, integrity, and availability of protected and confidential information.
  • Serve as a resource for Datica staff and customers regarding the privacy of protected and confidential information and data.
  • Work with staff members, vendors, outside consultants, customers, and other third parties to continuously improve privacy within the organization.
  • Provide privacy policy and procedure oversight:

    1. Ensure written policies and procedures comply with the Privacy and Breach of Unsecured PHI Rules.
    2. Ensure written policies and procedures establish appropriate administrative, technical, and physical safeguards for protected and confidential information.
  • Make all reasonable efforts to limit incidental uses and disclosures and protect the privacy of PHI from intentional or unintentional uses and disclosures that are in violation of the law or Datica’s policies and procedures.
  • In conjunction with the Chief Security Officer, ensure privacy training is provided to workforce members and other confidential information users as necessary and appropriate to carry out their job functions. Verify that the privacy training program reflects current privacy safeguarding requirements. Work with the Human Resources Director to maintain documentation of the training provided.
  • Maintain a program promoting the reporting of non-compliance with established privacy policies and procedures.
  • Promote an open communication system encouraging staff members, customers, and vendors/business associates to express and report concerns or problems related to privacy policies and procedures.
  • Ensure prompt, proper, and consistent investigations, as well as consistent and appropriate sanctions, are applied to workforce members who fail to comply with Datica’s privacy policies and procedures; take appropriate steps to prevent recurrence.
  • Mitigate, to the extent practicable, any harmful effect known to the organization of a use or disclosure of protected information in violation of the organization’s or business associate’s policies and procedures.
  • Monitor, audit, and reinforce compliance with the law and Datica’s privacy policies and procedures.
  • Report privacy efforts and incidents to the CSO or delegate in a timely manner.
  • Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected information or in locations where it may be accessed.

With regard to data concerning EU citizens, the DPO will have the following responsibilities:

  • to inform and advise the controller or the processor and the employees who carry out the processing of their obligations pursuant to the EU GDPR and to other Union or Member State data protection provisions;
  • to monitor compliance with the EU GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including prior consultation with a supervisory authority, and to consult, where appropriate, with regard to any other matter.

Support Engineer

  • Field customer support tickets in Customer Ticketing Tool
  • Responsible for notifying customers of change plans, maintenance, or other issues that may affect the production cloud environment. This may be delegated to another Datica Customer Support role depending on the scenario.
  • Provide updates to Customer Support Manager regarding customer environment status
  • Coach and provide guidance for customers migrating to the Datica hosted environment

Engineer

  • Add or remove containers and virtual machines in production and non-production cloud environments
  • Add or remove computing resources located in production and non-production cloud environments
  • Control access to data flow
  • Evaluate network performance issues
  • Configure and maintain virtual infrastructure
  • Manage membership and maintain documentation regarding Datica security groups
  • Create, modify, delete, and disable system accounts
  • Investigate and respond to support tickets in Project Management Tool
  • Maintain updated network diagrams, inventory, and port/protocol/service documentation
  • Support remote access to Datica cloud environments
  • Manage and maintain network infrastructure, system interconnections, and build standards
  • Manage, support, and maintain IDS
  • Develop and implement change plans
  • Develop, document, and disseminate access control procedures
  • Install, configure, document and maintain Datica Platforms and Technologies

Developer

  • Investigate and respond to tickets in Project Management Tool
  • Develop and maintain application repository
  • Maintain updated documentation and diagrams regarding key management system
  • Document and maintain network diagrams and the flow of data
  • Develop and complete code migration and change plans

Customer

Responsible for installing and administering servers (where needed), databases, and applications hosted in the Datica production hosting environment.

  • Responsible for notifying Datica of any performance or availability issues affecting their environment
  • Send support tickets and requests to Datica through Customer Ticketing Tool
  • Authorize, establish, and manage access, accounts, and permissions to their cloud environment