Mass General Brigham follows an Enterprise Information Security Program (EISP) that gives both management and users a detailed understanding of the goals, approach and implemented controls for securing Mass General Brigham’s information assets, including but not limited to sensitive and regulated information, and of the EISP lifecycle, including risk assessment, risk treatment, selection and implementation of security controls, and ongoing evaluation and maintenance.
The EISP helps provide assurance that Mass General Brigham information and information systems are protected from unauthorized access, use, disclosure, duplication, modification, or destruction in order to maintain their confidentiality, integrity, and availability. To that end, the EISP policies, standards and procedures create an information security framework that is aligned with the recommendations of the International Organization for Standardization’s (ISO) publication 27001, the National Institute of Standards and Technology’s (NIST) publication 800-53 family of controls, and Mass General Brigham’s regulatory and legal requirements (as a HIPAA covered entity), including contractual agreements and intellectual property laws.
All Mass General Brigham workforce members and Mass General Brigham Information Systems must comply with enterprise information security policies, standards and procedures unless a variance has been granted. In compliance with applicable regulatory requirements, Mass General Brigham conducts an operational review of system activity on a periodic basis, or more frequently as necessary and appropriate.
All enterprise policies, standards and procedures developed and maintained as part of this program must meet the following requirements:
- They are developed in compliance with the Enterprise Information Security Policy Development Procedures.
- Policies are reviewed annually, at a minimum, or as applicable regulatory requirements or contractual agreements dictate. Standards and procedures are reviewed when the overarching policy review results in a substantive change or update.
- Annual reviews must meet the standards contained in the Information Security Program Standards.
- The results of all evaluations must be formally documented and presented to the Chief Information Security and Privacy Officer (CISPO) as part of an Annual Report.