Roles, Responsibilities and Training
2020.1
Security and compliance is everyone’s responsibility. Changineers is committed to ensuring all workforce members actively address security and compliance in their roles. Statistically, cybersecurity breaches typically start with compromise of end-user computing devices, social engineering, human error or insider threat. Therefore, users are the first line of defense and yet usually the weakest link. As such, training is imperative to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
In this and all related policy documents, the term “employees” and “workforce members” may be used interchangeably to include all full-time and part-time employees in all job roles, contractors and subcontractors, volunteers, interns, managers and executives at Changineers.
The Security Officer, in collaboration with the Privacy Officer, is responsible for facilitating the development, testing, implementation, training, and oversight of all activities pertaining to Changineers’s efforts to be compliant with the applicable security and compliance regulations and industry best practices. The intent of the Security Officer Responsibilities is to maintain the confidentiality, integrity, and availability of critical and sensitive data such as PII/ePHI. The Security and Privacy Officer is appointed by and reports to the Board of Directors and/or the CEO.
Changineers has appointed James Gregory as the Security Officer and Sonya Corcoran as the Privacy Officer. The security committee is chaired by the Security Officer and is composed of select members of the senior leadership team (Security Officer, Privacy Officer).
Policy Statements
Changineers policy requires that:
(a) A Security and Privacy Officer must be appointed to assist in maintaining and enforcing safeguards for security and compliance.
(b) Security and compliance is the responsibility of all workforce members (including employees, contractors, interns, and managers/executives). All workforce members are required to:
- Complete all required security trainings, including annual regulatory compliance training such as HIPAA awareness and additional training as part of the ongoing security awareness program and as required by job role.
- Follow all security requirements set forth in Changineers security policy and procedures, including but not limited to access control policies and procedures and the acceptable use policy for end-user computing.
- See something, say something: follow the incident reporting procedure to report all suspicious activities to the security team.
(c) All workforce members are required to report non-compliance with Changineers’s policies and procedures to the Security Officer or designee. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.
(d) All workforce members are required to cooperate with federal, state and local law enforcement activities and legal investigations. It is strictly prohibited to interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
(e) Workforce members found to be in violation of this policy will be subject to sanctions.
(f) Segregation of Duties shall be maintained when applicable to ensure proper checks and balances and minimize conflicts of interest. This considerably reduces the possibility of fraud and insider threat, and eliminates single points of compromise to critical systems.
Controls and Procedures
Assignment of Roles and the Security Committee
Changineers has appointed James Gregory as the Security Officer and Sonya Corcoran as the Privacy Officer.
The security committee is chaired by the Security Officer and is composed of select members of the senior leadership team, namely the Security Officer and the Privacy Officer.
General Responsibilities of the Security and Privacy Officer
The authority and accountability for Changineers’s information security program and privacy program is delegated to the Security and Privacy Officer. The Security Officer and the security team are required to perform or delegate the following responsibilities:
- Build and maintain security and privacy program to satisfy regulatory and contractual requirements.
- Establish, document, distribute and update security policies, standards and procedures.
- Oversee, enforce and document all activities necessary to maintain compliance, and verify that the activities are in alignment with the requirements.
- Monitor, analyze, distribute and escalate security alerts and information.
- Develop and maintain security incident response and escalation procedures to ensure timely and effective handling of all situations.
- Administer user accounts, including additions, deletions, and modifications.
- Monitor and control all access to critical systems and data, including but not limited to PHI/ePHI.
- Perform risk assessment, remediation, and ongoing risk management.
- Provide regular security awareness and compliance training, as well as periodic security updates and reminder communications for all workforce members.
- Maintain a program that incentivizes right behaviors, supports timely and proper reporting and investigation of violations, implements effective and practical mitigation, and applies fair sanctions when necessary.
- Assist in the administration and oversight of business associate agreements.
- Facilitate audits to validate compliance efforts throughout the organization.
- Work with the COO/CFO to ensure that any security objectives have appropriate consideration during the budgeting process.
Workforce Supervision Responsibilities
Although the Security Officer is responsible for implementing and overseeing all activities related to maintaining compliance, it is everyone’s responsibility (team leaders, supervisors, managers, co-workers, etc.) to supervise all workforce members and any other user of Changineers’s systems, applications, servers, workstations, etc. that contain sensitive data.
- Monitor workstations and applications for unauthorized use, tampering, and theft and report non-compliance according to the Security Incident Response policy.
- Assist the Security and Privacy Officers to ensure appropriate role-based access is provided to all users.
- Take all reasonable steps to hire, retain, and promote workforce members and provide access to users who comply with the Security regulation and Changineers’s security policies and procedures.
Segregation of Duties
Changineers has a dedicated team/personnel assigned the job function of security and compliance. Segregation of duties is achieved via a combination of assignment of roles and responsibilities to different personnel, and automated enforcement for software-defined processes.
Checks and balances are ensured via such segregation of duties and related review/approval processes. When applicable, reviews and approvals must be obtained from designated personnel separate from the individual performing the work.