2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.

Employees Policy

Fox and Geese is committed to ensuring all workforce members actively address security and compliance in their roles at Fox and Geese. As such, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 02.e - Information Security Awareness, Education, and Training
  • 06.e - Prevention of Misuse of Information Assets
  • 07.c - Acceptable Use of Assets
  • 09.j - Controls Against Malicious Code
  • 01.y - Teleworking

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(5)(i) - Security Awareness and Training

Employment Policies

  1. All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
    • Records of training are kept for all workforce members.
    • Upon completion of training, workforce members complete this form.
    • Employees must complete this training before accessing production systems containing PHI or PII.
  2. All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
  3. The Fox and Geese Employee Handbook clearly states the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile devices, and social media usage.
    • Workforce members are required to sign an agreement stating that they have read and will abide by all terms outlined in the Fox and Geese Employee Handbook, along with all policies and processes described in this document.
    • A Human Resources representative will provide the agreement to new employees during their onboarding process.
  4. Fox and Geese does not allow mobile devices to connect to any of its production networks.
  5. All workforce members are educated about the approved set of tools to be installed on workstations.
  6. All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and sanctions associated with violation of policies. Additionally, remote security is maintained through the use of VPN tunnels for all access to production systems with access to PHI or PII data.
  7. All Fox and Geese-purchased and -owned computers are to display this message at login and when the computer is unlocked: This computer is owned by Fox and Geese. By logging in, unlocking, and/or using this computer you acknowledge you have seen, and follow, these policies (https://github.com/foxandgeese/policies). Please contact us if you have problems with this - legal@versionista.com.
  8. Employees may only use Fox and Geese-purchased and -owned workstations for accessing production systems with access to PHI or PII data.
    • Any workstations used to access production systems must be configured as prescribed in Systems Access Policy.
    • Any workstations used to access production systems must have virus protection software installed, configured, and enabled.
    • Fox and Geese may monitor access and activities of all users on workstations and production systems in order to meet (Auditing Policy) requirements.
  9. Access to internal Fox and Geese systems can be requested using the procedures outlined in Systems Access Policy. All requests for access must be granted by the Fox and Geese Security Officer.
  10. Request for modifications of access for any Fox and Geese employee can be made using the procedures outlined in Systems Access Policy.
  11. Fox and Geese employees are strictly forbidden from downloading any PHI or PII to their workstations.
    • Restricting transfers of PHI or PII is enforced through technical controls as described in Systems Access Policy.
    • Employees found to be in violation of this policy will be subject to sanctions as described in Roles Policy.
  12. Employees are required to cooperate with federal and state investigations.
    • Employees must not interfere with investigations through willful misrepresentation, omission of facts, or by the use of threats against any person.
    • Employees found to be in violation of this policy will be subject to sanctions as described in Roles Policy.

Issue Escalation

Fox and Geese workforce members are to escalate issues using the procedures outlined in the Employee Handbook. Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer.

Security incidents, particularly those involving PHI or PII, are handled using the process described in Incident Response Policy. If the incident involves a breach of PHI or PII, the Security Officer will manage the incident using the process described in Breach Policy. Refer to Incident Response Policy for a list of sample items that can trigger Fox and Geese's incident response procedures; if you are unsure whether the issue is a security incident, contact the Security Officer immediately.

It is the duty of that owner to follow the process outlined below:

  1. Create an Issue in the Fox and Geese Quality Management System.
  2. The Issue is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
  3. The Issue is reviewed by another member of the Escalation Team. If the Issue is rejected, it goes back for further evaluation and review.
  4. If the Issue is approved, it is marked as Done, adding any pertinent notes required.
  5. The workforce member that initiated the process is notified of the outcome via email.