
Running Header: Assignment: Implementation, Enforcement, and Compliance Plan 1

Micah Geertson
CSOL 540
10/25/2019

Assignment:
Implementation, Enforcement, and Compliance Plan

Table of Contents
HIC, Inc. Implementation, Enforcement and Compliance Plan .... 3
Introduction .... 3
Monitoring and Logging .... 3
Communication .... 4
Training .... 4

HIC, Inc. Implementation, Enforcement and Compliance Plan


Introduction
The purpose of this document is to outline the plan of action for HIC, Inc. as the
company continues to provide quality services in the health insurance industry. This document
highlights the HIC, Inc. security policies and how they will be used to ensure that our customers'
personally identifiable information and protected health information remain safe in accordance with both
federal and state laws. By ensuring that HIC, Inc. employees, contractors, and business
associates adhere to our security policies, we will be able to reduce security risks to both the
business and our customers. Questions regarding this document or any of the HIC, Inc.
security policies should be brought to the attention of direct leadership to ensure adequate
understanding of each document's or policy's goals. Compliance with all subsequent sections of this
document will be enforced by the HIC, Inc. Chief Information Security Officer (CISO), who shall
be referred to throughout the remainder of this document as the Compliance Officer.

Monitoring and Reporting


As directed by the Compliance Officer, to ensure the safety of both HIC, Inc. employees and
our customers, there will be active monitoring of electronic company assets (e.g. workstations,
laptops, tablets, and mobile devices) and their access to email and web services, as outlined by
the signed Acceptable Use Policy document included during employee onboarding at HIC, Inc.
Additionally, active automated security scanning and monitoring will take place to ensure that
security vulnerabilities are discovered and security risks and events are properly mitigated. Should
any security vulnerabilities or risks be discovered, they will be handled by the HIC, Inc.
Information Security Team (IST). HIC, Inc. utilizes logging and reporting technology to
collect security events, system logs, and network access records in order to determine usage and to feed
security tools that identify unauthorized activity. No HIC, Inc. employee,
contractor, or business associate is authorized to interfere with any scanning, monitoring, logging,
or reporting tools. Any attempt to influence, bypass, or disrupt these services will result in
immediate disciplinary action up to and including termination of employment. There will be
quarterly audits of these services to ensure that they remain functional and that proper use of
HIC, Inc. assets is being enforced.

Communication
Current policies and changes to these policies will be made available to all HIC, Inc.
employees, contractors, and business associates. It is up to leadership in each business unit to
ensure that direct reports are aware of, and understand the implications of, each
security policy in effect at HIC, Inc. Guidance for the dissemination of these policies will be
provided by the Compliance Officer. By ensuring adequate understanding at every level of
operations, the company will be able to reduce the risks posed to both HIC, Inc. employees and
customers.

Training
Each HIC, Inc. employee will be required to attend security awareness and policy
training upon onboarding to ensure both a general understanding of all HIC, Inc. policy and the security
implications associated with user actions. Training will be conducted in a
modular fashion and will include (but not be limited to) training on data handling, security threat
knowledge, information security, and applicable laws. Mandatory annual refresher courses will
be conducted through Computer-Based Training (CBT) and credited upon successful
completion of each CBT. Failure to complete initial or refresher training will result in loss of
access to company assets and networks. Continued lapses in training will result in notification of
the Compliance Officer and disciplinary action up to and including termination of employment
from HIC, Inc.
