Contact Us |
Safeguarding Information and Information Systems: The CIBMTR, together with its affiliates, the NMDP and the MCW, safeguards its information systems and information they hold through comprehensive information security programs, which they have in place, and will continue to maintain in documented by System Security Plans (SSP) that comply with Office of Management and Budget (OMB) Circular A-130 and the Computer Security Act of 1987 and aligns with National Institute of Standards and Technology (NIST) SP 800-53 baseline controls. The CIBMTR SSP incorporates applicable elements of the U.S. Department of Health & Human Services (HHS) Information Security Program, the Health Resources & Services Administration (HRSA) Office of Information Technology (OIT) security policies, procedures, controls, and standards in the creation of its own information security/privacy policies and to ensure the confidentiality, integrity, and availability of its information systems and data. Core elements of the CIBMTR SSP are as follows:
Annual Security Control Assessment & Authorization: CIBMTR will engage a qualified, independent third party to perform an annual security control assessment of its system security and privacy controls selected from NIST 800-53 and consistent with the [Federal Information Processing Standards (FIPS)] 199 risk categorization of CIBMTR. Any findings identified from this assessment will be documented in a plan of action, assigned a risk ranking and remediated within an acceptable corresponding timeframe.
Continuous Monitoring: CIBMTR, MCW and NMDP have collectively developed plans and implemented continuous monitoring activities in numerous areas to monitor, prevent and mitigate risk to sensitive data as well as support rapid discovery of unanticipated threats or hazards as well as checks and balances for detecting whether these are operating as expected.
Vulnerability Management: CIBMTR conducts continuous information security vulnerability monitoring on devices across the enterprise using Security Content Automation Protocol (SCAP) compliant tools. Mitigation control and remediation processes for discovered vulnerabilities are in place and will be maintained to detect and remediate applicable vulnerabilities. Vendor security patches are reviewed upon release from third parties, evaluated for applicability, risk, and criticality, and deployed to information systems based on a risk-based approach and a repeatable, measured cycle that ensures that all patches are deployed through all test, pre-production and production environments at a pace commensurate with the security and operational risk levels.
Incident Response: NMDP, MCW and CIBMTR have incident response policies and implementation plans consistent with NIST 800-53, NIST 800-61, and OMB M-17-12, which undergo regular testing and updating, as appropriate.
Protection of Sensitive Information: CIBMTR is committed to maintaining a secure environment that protects the confidentiality, integrity, and availability of information that is or may be sensitive.
Standard for Encryption: MCW currently encrypts laptops and mobile devices with verified encryption technology validated under the Cryptographic Module Validation Program to comply with FIPS 140-2. MCW has also extended verified encryption technologies to desktop replacements. CIBMTR stores keys to decrypt/recover encrypted information in a secure manner accessible only to authorized system administrators. Additional protections exist for mobile devices, such as remote wipe features. Data transferred between organizational locations or with authorized parties is protected using secure managed file transfer protocol.
Security Awareness & Training: All CIBMTR permanent, part-time and temporary personnel receive annual security awareness training and new staff receive security training as part of their orientation. Training material is reviewed and updated annually and is then utilized to conduct refresher training on an annual basis through a learning management system and/or in-person venue. All personnel are also required to complete the more comprehensive training tool, Collaborative IRB Training Initiative Program (CITI), upon hire and every 2 years thereafter. Additionally, regular technical, job-specific and role-based training is required on an annual basis for all employees and contractors who have significant security responsibilities.
Rules of Behavior: The CIBMTR requires all workers (permanent, temporary or contractual) to read and sign an acknowledgment that the worker understands the organization’s policies and code of conduct, as stated in the organization’s Information Technology Rules of Behavior. Users are held responsible and accountable for their actions by this signed agreement. Review and acknowledgment of the Rules of Behavior is conducted during orientation of new staff and refreshed annually for all other staff.
Personnel Security /Position Sensitivity Designations: The CIBMTR ensures that individuals occupying positions of responsibility within CIBMTR (including third-party service providers) meet established information security criteria for those positions. CIBMTR maintains position sensitivity designation for its personnel on an ongoing basis. Criteria for assigning high, medium or low risk to positions is based on the risk to affect integrity of the data or disrupt operations. The organization reviews position sensitivity designations every 5 years or if an employee changes title or functional group or has a substantial increase in responsibility/access to sensitive records. MCW also administers a background check both as a condition of hire and every four years thereafter.
Access Control: Access to CIBMTR’s information assets is controlled and maintained using procedures to authorize, change and remove access, and using systems to enforce access. Access is granted only to authorized employees, contingent workers and third parties as required by job role, information security, privacy, legal, and regulatory requirements.
Physical and Environmental Protection: Physical access to CIBMTR information systems, equipment, and respective operating environments is limited to individuals authorized to protect data centers and supporting infrastructure. The CIBMTR also protects information systems against environmental hazards and the provision of appropriate environmental controls in its facilities.
System Development Life Cycle: The CIBMTR has implemented a system development life cycle and borrows from the AGILE product development framework where appropriate. These frameworks incorporate information security review and validation at predefined intervals, as well as testing and validation of system and product requirements. They are designed to be consistent with the organization’s information security policies, standards and procedures and industry best practices.
Asset Management: The CIBMTR will continue to maintain an active inventory of its IT assets, including relevant IT assets operated in conjunction with this contract using a Security Content Automation Protocol (SCAP) compliant tool.
Configuration Management: The CIBMTR has implemented and will continue programs to remain compliant with the base requirements established in the Minimum-Security Configuration Standards Requirements. Monitoring software is implemented to ensure that software updates and patching are performed on a regular basis to maintain compliance with Minimum Security Configuration Standards Requirements and aligns to Information Security and Privacy Policies. MCW has also implemented automated configuration compliance assessment of all IT assets. Current compliance tests are performed using the Federal Desktop Core Configuration, US Government Configuration Baseline and Center for Internet Security guidelines.
Risk Assessment: The CIBMTR conducts regular information security risk assessments of operations, information assets, and individuals, resulting from the operation of information systems and the associated processing, storage, or transmission of information as required to meet information security, privacy, legal, and regulatory requirements.
Contingency Plan: The CIBMTR and the NMDP maintain and annually test a contingency plan that conforms to information security, privacy, legal, and regulatory requirements. This includes the establishment, maintenance, and effective implementation of plans for emergency response, backup and restoration operations, and post-disaster recovery. These plans support the information systems which ensure the availability of critical information resources and continuity of operations in emergency situations.
In addition to these, CIBMTR will continue to stay current with and adopt as relevant best practices in maintaining a proactive information security posture.