Purpose and definitions
The purpose of security information management is to provide and protect information and property from all types of threats, internal or external, accidental or deliberate, by establishing, implementing, executing, monitoring, reviewing, maintaining and improving information security management system - ISMS (Information Security Management System). The implementation of these policies and rules is important for maintaining the integrity of information systems for ensuring provision of services to insured persons, employees of the National Health Insurance Fund (NHIF) and other stakeholders.
The Policy ensures and guarantees that:
- information is protected from unauthorized access
- confidentiality of information shall be kept
- information shall not be disclosed to unauthorized persons any accidental or deliberate actions
- integrity of information shall be maintained by ensuring protecting against unauthorized changes
- access to authorized persons shall be enabled when needed for modifying the information
- compliance is ensured with all regulatory and legal requirements
- policy is supported through continuous business plan which will be defined, maintained and tested in continuous practical work
- training is delivered in all NHIF organizational units
- any violation of safe handling of information shall be reviewed and investigated
- all security violations will be documented and investigated
Scope of application
All employees are responsible for implementing security policies and information security and must provide support to the management bodies that have prescribed the policies and rules.
- Protection of NHIF information
- Protection of information assets
- Providing reliable information
- Ensuring the availability of information to authorized persons
- Confidentiality in all cases of access to existing information.
Privacy Information Security Management should identify risks to property, property value and identify possible vulnerabilities and potential causes of unwanted incidents, which may result in damage to the system or NHIF.
Managing risks to an acceptable level through design, implementation and maintenance of the ISMS.
The policy is in compliance with other standards and NHIF documents including:
- Standard ISO 9001:2001
- Documents on establishment, operation and organization
- Compliance with NHIF contractual obligations
- Compliance with NHIF instructions
- Ensuring operation in accordance with ISO 27001:2005
- Ensuring the accomplishment of objectives under ISO 27001:2005 and maintaining the certified status.
Policy Specifics – Operations
Specific rules are set up to support these documents, including:
- Physical security;
- System Access Control and Data;
- Education regarding safety and specific training in relation thereto;
- Internet and e-mail communication;
- Data Protection through copies;
- Use of mobile devices;
- Storage and Availability of Confidential Information;
- Prevention and detection of activity of software viruses or other malicious codes.
The Director General creates and reviews the rules. The ISMS manager implements the rules through appropriate standards and procedures.
All employees are required to abide by the procedures and maintain safety rules.
All employees are required to report on observed weaknesses and report incidents.
This policy is regularly consulted for the purpose of exercising the right of compulsory health insurance of all NHIF insured persons and business opportunities in terms of services and business support to NHIF staff, insured persons and other stakeholders.
Privacy Information Security Management is regularly and consistently reviewed to ensure its effectiveness and relevance.