Infrastructure Security Baseline
Purpose
The purpose of the LightForce Minimum Security Standards is to provide the information security standards necessary to comply with LightForce Policies. These standards are mandatory requirements and establish an effective baseline of appropriate system, administrative, and physical controls to apply to data based upon its classification.
Scope
This standard applies to all LightForce data, including but not limited to: HIPAA/PHI, patient record data, personnel data, financial data (budget and payroll), departmental administrative data and legal files, and all other data that pertains to, or supports the operation and/or administration of LightForce or any of its functions.
Classification levels
The Information Security Policy identifies three categories of data: Restricted and Confidential, Internal, and Public. More information regarding the classifications can be found here: https://it-security.lightforceortho.com/security_policies/Information_Security_Policy.html
Standards
The following security standards outline the minimum level of protection and controls that must be adhered to based on the information classification of the data:
Network
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| A network-based firewall (or functional equivalent) shall be implemented that denies traffic from networks and hosts that are not secured at this level | Required | Recommended | Not Applicable |
| Network traffic shall be limited to only those services and ports considered essential for departmental business practice | Required | Recommended | Not Applicable |
| Networks shall be scanned for vulnerabilities on a regular schedule. Vulnerabilities detected shall be remediated in a timely manner | Required | Recommended | Suggested |
| Security detection tools (Intrusion Detection (IDS) and Intrusion Prevention (IPS)) shall be implemented | Required | Recommended | Suggested |
| Devices processing or storing data shall log all significant security event information. Logs should be reviewed on a regular basis | Required | Recommended | Suggested |
Servers
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Devices shall be housed in a physically secure location, accessible only to those with a business purpose | Required | Required | Not Applicable |
| Security updates and patches shall be applied in a timely manner, or automatically when possible | Required | Required | Required |
| IT and systems support staff must monitor for announced vulnerabilities in their hardware and software | Required | Required | Required |
| Where possible, computer anti-virus shall be implemented and updated in a timely manner, or automatically when possible | Required | Required | Required |
| Where available, a host-based firewall shall be implemented | Required | Recommended | Recommended |
| Services and applications should be the minimum necessary to accomplish the required business functions | Required | Recommended | Recommended |
| Passwords shall be changed from the vendor defaults | Required | Recommended | Recommended |
| Systems shall be hardened to a recognized standard, where available (e.g. CIS) | Required | Recommended | Recommended |
| Individual access to data shall be limited to only those needing access for legitimate purposes | Required | Recommended | Not Applicable |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions | Required | Recommended | Not Applicable |
| Only secure (encrypted) transmission shall be allowed. Only secure (encrypted) storage of Restricted information shall be allowed, in the absence of mitigating controls (e.g. a physically secured area) | Required | Recommended | Not Applicable |
| Files shall be backed up and tested on a regular schedule, and stored in a secured location both on- and off-site | Required | Recommended | Not Required |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the LightForce Media Handling Policy | Required | Required | Required |
User Accounts
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| A process shall be established to create and assign, maintain, and verify a unique system identifier (e.g. NetID, UserID) for each user | Required | Recommended | Recommended |
| Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data | Required | Recommended | Recommended |
Desktop
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Services and applications should be the minimum necessary to accomplish the required business functions | Required | Recommended | Recommended |
| Passwords shall be changed from the vendor defaults | Required | Recommended | Recommended |
| Systems shall be hardened to a recognized standard, where available | Required | Recommended | Recommended |
| Security updates and patches shall be applied in a timely manner, or automatically when possible | Required | Required | Required |
| Computer system support staff must monitor for announced vulnerabilities in their hardware and software | Required | Required | Required |
| Where possible, computer anti-virus shall be installed and updated automatically or in a timely manner | Required | Required | Required |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions | Required | Not Applicable | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the LightForce Media Handling Policy | Required | Recommended | Not Required |
| Only secure (encrypted) storage of restricted information shall be allowed, in the absence of mitigating controls (i.e. a physically secured area) | Required | Recommended | Not Applicable |
| A screen saver password must be used when workstations are unattended | Required | Required | Recommended |
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Security standards for desktops are followed | Required | Required | Required |
| Systems shall have a "strong password" and lock (or wipe) after successive failed login attempts | Required | Recommended | Not Applicable |
| Systems shall be remotely traceable, lockable and wipeable | Required | Recommended | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the LightForce Media Handling Policy | Required | Recommended | Not Required |
| Only secure storage (full disk/device encryption) shall be allowed | Required | Recommended | Not Applicable |
| Use of non-LightForce-owned equipment | Not Allowed | Allowed | Allowed |
| Screen saver passwords must be used when unattended | Required | Recommended | Recommended |
Software Development
| Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities | Required | Recommended | Recommended |