Statutes, codes, and regulations
Maryland Administrative code
Title 10 - MARYLAND DEPARTMENT OF HEALTHPart 3Subtitle 10 - LABORATORIES
Chapter 10.10.11 - Biological Agents Registry Program
Section 10.10.11.20 - BAR Information Security Standards - Administrative Procedures

Md. Code Regs. 10.10.11.20

Download
PDF
Current through Register Vol. 51, No. 25, December 13, 2024
Section 10.10.11.20 - BAR Information Security Standards - Administrative Procedures

A trusted partner shall establish and maintain administrative procedures to protect BAR information integrity, confidentiality, and availability, which include:

A. Entering and maintaining with the Department a trusted partner agreement that certifies that the trusted partner shall:
(1) Establish and implement the policies and procedures to carry out the requirements of this chapter; and
(2) Designate a BAR information custodian;
B. Establishing and implementing a contingency plan for protecting confidentiality of and access to BAR information when responding to a disaster or computer information system emergency, which includes:
(1) Preparing critical facilities that can be used to facilitate continuing protection of BAR information in the event of an emergency;
(2) Disaster recovery procedures to follow in the event of:
(a) Fire;
(b) Vandalism;
(c) Natural disaster; or
(d) Computer information system failure;
(3) An emergency mode operation plan that includes procedures for assuring continuing protection of BAR information when the trusted partner continues to operate in the event of:
(a) Fire;
(b) Vandalism;
(c) Natural disaster; or
(d) Computer information system failure; and
(4) Testing and revising procedures that document the process of periodically testing the written contingency plan procedures to determine:
(a) Weaknesses; and
(b) The subsequent process of revising the procedures, if necessary;
C. A mechanism for the receipt, viewing, manipulation, storage, release, dissemination, and disposal of BAR information;
D. Information-use policies that ensure that BAR information is used only as specified in this chapter;
E. Internal audit procedures for:
(1) Maintaining records of computer information system activity including:
(a) Logons;
(b) File accesses; and
(c) Security incidents; and
(2) Reviewing the records of computer information system activity for:
(a) Breaches in security; and
(b) Unauthorized access;
F. Personnel security procedures that ensure that only personnel who have the required authorizations and agency clearances have access to BAR information by:
(1) Providing oversight of unauthorized personnel when the personnel are performing their duties near BAR information, which includes:
(a) Supervision of maintenance personnel by an authorized and knowledgeable individual; and
(b) Assuring that unauthorized or unsupervised operating and maintenance personnel do not have and cannot acquire access to BAR information;
(2) Maintaining and reviewing a record of access authorizations that documents the levels of access granted to an individual accessing BAR information;
(3) Establishing personnel clearance procedures as a protective measure applied to determine that an individual's access to BAR information is permissible; and
(4) Ensuring that BAR information computer information system users, including maintenance personnel, receive security awareness training;
G. Employee termination procedures for ending an employee's employment or a user's access to BAR information, which includes:
(1) Changing locks, lock combinations, or keypad codes when personnel knowledgeable of locks, lock combinations, or keypad codes no longer need to:
(a) Know the information; or
(b) Access BAR information;
(2) Removal from access lists, including physical eradication of an individual's access privileges;
(3) Termination or deletion of an individual's access privileges to BAR information for which the individual currently has authorization and need-to-know access when the authorization and need-to-know access no longer exists; and
(4) Returning to the trusted partner any access devices, such as:
(a) Keys;
(b) Tokens;
(c) Badges; or
(d) Cards; and
H. Training for all personnel concerning the vulnerabilities of the BAR information and ways to ensure the protection of BAR information, which include:
(1) Awareness training including:
(a) Password maintenance;
(b) Security incident reporting; and
(c) Viruses and other forms of malicious software;
(2) Periodic security reminders of security concerns; and
(3) User education in:
(a) What to do if a virus is detected;
(b) Monitoring logon success or failure;
(c) How to report discrepancies; and
(d) Password management, including the:
(i) Rules to be followed in creating and changing passwords; and
(ii) Need to keep passwords confidential.

Md. Code Regs. 10.10.11.20