This template is to be used as a guide in developing individual security assessments for new and changing medical devices, applications and/or infrastructure systems. This document is intended to document controls for reasonably anticipated threats and vulnerabilities. The evaluation of responses will be made throughout the process. HSC Management will make a final review and risk decision.

Note: Approval of a security assessment does not provide any assurances that HSC Systems, DBA, interface or other IT groups can immediately start your project. Purchases, Contracts and Implementation of new IT assets will not move forward without the completion of an IT Security Assessment. Submission of a Security Assessment does not necessarily guarantee acceptance of the product. Approval by UH IT management is still required.

Important: Please start this effort by creating a Visio or other graphical workflow of the system. Include all points where information is created or accessed, mapping through appropriate network areas. Include the server/database/application and then diagram return paths if applicable. Finally, map the backup and recovery processes and include your diagram(s) either in the field specified in the assessment or as an appendix item at the end of the assessment. Please do not send diagrams as additional attachments.

Note: For confidential or Restricted Data outsourcing HSC requires all available third party security certifications/attestations (preferably based on standards such as ISO 27002, HITRUST, NIST 800-53, SSAE-16 SOC 2, OWASP, or equivalent) from the vendor that are applicable to the service / application under consideration. For payment card hosting, PCI DSS attestation and reports will be required. If necessary, the vendor can submit a redacted copy of certifications to safeguard sensitive information.
HSC reserves the right to request and review the vendor's third party certifications/attestations annually. Any vendor who also partners with third parties that create, use, transmit, receive or store HSC data is required to provide independent third party security certifications/attestations.

Please complete all sections of the assessment. Contact the IT Security Office with questions at 272-8275.

Questions in RED are questions for the Vendor and/or requester to answer for ITSEC.
These are ITSEC follow-up questions for the vendor.
All answers are in Black for all right-hand column blocks.

Security Requirement (Controls) / Detailed Information

Requester Name:
Business Owner: Name, Title, Department, Contact information, Help.HSC Ticket #

Vendor Name, System Name, Application name; System version:
Technical pre/post sales engineer contact (if known):
What does this system DO?

Identification of Roles:
System Administrator:
Application Administrator:
Backup System Administrator:

Summary of Hardware/Software:
Operating system? (e.g. Windows 7 or 10, Windows Server 2008 or 2012)
Any vendor or third party software on the system (e.g. Java, Adobe, etc.)

Overview of Data Flow Diagram and Processes:
More than one data flow chart or diagram may be used to properly describe the flow of information where necessary.
Vendor/Trusted Partner, please place data flow diagram in this section: (Please delete this example and put in your own data flow diagram.)

Data Classification & Confidentiality Confirmation: (Verify from cover sheet)
Data Sharing? Research Data? Pre-approved data in/out?
What type of data is handled/processed by your system?
Confidential Level I (ePHI, PII, etc.). Please specify patient identifiers (e.g. Name, MRN, DOB, etc.) here:
UH Restricted Level II (information that is to remain inside UH systems)
or Unrestricted Level III (de-identified or public)

Interfaces, Interconnections and Dependencies:
Connections to any existing HSC systems?
(Cerner, Active Directory accounts)

Access Requirements and Restrictions: (Append information to data flow)
Does the system require External access through VPN?

Account creation, modification, deletion, and review:
Please provide details of your procedure/policy.

Password Controls:
Please provide details of password complexity rules, failed-login lockouts, password history and other security measures available in the system:

How do you ensure Data Integrity:
How do you ensure the confidentiality, integrity and availability of information collected and utilized by this system?

Data Encryption:
Can the system be encrypted with McAfee Encryption software?
Note: To ensure HIPAA compliance, endpoint devices and confidential data in motion and at rest must be encrypted to a recommended standard (AES 256, TLS 1.1). See NIST Standards.

Security Logging and Monitoring:
What type of logs does the system create/transmit (Syslog and specialized logs)?
What is the frequency of log review, and who reviews these logs?

System Backups:
Who performs system backups?
What type of backup software/hardware is utilized?

Antiviral and Malware Protection:
Is McAfee AV compatible with your systems? If not, what products do you support?

OS and Vendor Applications Patching:
What is your patching policy/procedure?
Please specify the Department or IT unit responsible for patching.

Third-party Applications & Patching:
What about other software patches (Adobe, browser plugins, etc.)?

Incident Response Components:
Which organization is the primary interface for security incidents, or other incidents to the system?

Disaster Recovery Process/Options:
What are the Disaster Recovery plans/processes, failover and backup services for this system?

Physical Security:
Are there any special physical security requirements (cameras, key-card access to system, etc.)?

Outsourcing Requirements. (Answer required)
Do you outsource any part of this system to a Cloud or other organization?
Do you keep all data in your organization or is it outsourced to a cloud or other company (US or outside of US)?

Do ICD-10 or 5010 Transaction Standards apply?

Security Training:
Which organization provides Security training for this product?

Threats/Vulnerabilities for Security Plan Controls (Threats to UNMH Network or Data)

SUMMARY OF IDENTIFIED VULNERABILITIES/THREATS

Columns: Vulnerability/Threat; Mitigation Status (Has mitigation been completed or recommended (plan needed)); Likelihood; Impact

Vulnerability/Threat 1:    Recommended Mitigation 1:
Vulnerability/Threat 2:    Recommended Mitigation 2:
Vulnerability/Threat 3:    Recommended Mitigation 3:
Vulnerability/Threat 4:    Recommended Mitigation 4:

Impact Ranks

There must be a defined threat listed above. Threats are HIGH impact by default. If NONE of the descriptors apply to a threat, it may be downgraded to a lower impact.

Low (1)
    Will have no effect on Patient / Sensitive Data.
    Will have no loss of tangible assets or resources.

Medium (2)
    May result in the loss of limited tangible assets or resources.
    May reduce organization image, or slightly reduce an organization's mission, reputation, or interest.
    Will not result in human injury.
    Will not result in loss of ePHI or PII in excess of 500 records.
    Will have no effect on core business operations.

High (3)
    May result in the highly costly loss of major tangible assets or resources.
    May significantly violate, harm, or impede an organization's mission, reputation, or interest.
    May result in human death or injury.
    May result in loss of ePHI or PII in excess of 500 records.
    System availability loss causes critical core business operations to not function or be unavailable.

Source of exploit

External (Internet Facing): Y or N. If yes, there are significantly more threats that may exploit any vulnerabilities found in plan.
Internal (e.g.
Accidental: user or privileged user makes mistakes affecting data integrity): Y or N. Are controls in place to mitigate vulnerabilities found that could come from internal network or accidental mistakes?

Likelihood Ranks

Low (1)
    This vulnerability is theoretical, but there is no known method of exploitation.
    Mitigating controls make this threat's vulnerability impossible or highly unlikely to exploit using any known technique.

Medium (2)
    Proof-of-concept reports exist, but are not publicly available.
    Requires multiple steps to exploit.
    Only available to advanced attackers.
    Mitigating controls make this threat's vulnerability hard to exploit.

High (3)
    Scattered reports are publicly available.
    Security controls are not layered or completely effective.
    Some automated tools can exploit the vulnerability for this threat.
    Mitigating controls are not completely effective.

Very High (4)
    Reports of this vulnerability are reported publicly.
    Automated tools can scan for and exploit the underlying vulnerability for this threat.
    Key security controls missing.
    No mitigating controls in place to reduce this likelihood.

Risk Score Matrix

                      Impact
Likelihood     Low    Medium    High
Low             1       2        3
Medium          2       4        6
High            3       6        9
Very high       4       8        12

Note 1: When calculating risk use the above numbers for assigning risk totals: Green 1-3 risk is Low, Yellow 4 risk is Medium and Red 6-12 risk is High.

Note 2: When the ePHI data fields are limited to only MRN, the risk is "limited risk". The impact is medium (2) and the likelihood would have to be low or medium, (1) or (2). Risk (2) * (2) = (4) Medium.

Definition: Risk is the combination of probability (likelihood) and consequences (impact). Impact is calculated first using Table 2. Then the probability (likelihood) is calculated from Table 4.

Impact(_) * Likelihood(_) = Risk for each threat or vulnerability found in the above plan.
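The scoring rule above (Impact * Likelihood, banded per Note 1, with HIGH impact as the default) applied to a small threat register. This is an added example, not part of the original template; the class and function names and the three sample threats are constructed for illustration.

```python
"""Added example: score a threat register with the template's risk matrix."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Likelihood(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: Likelihood
    # None means no downgrade has been justified, so the template's
    # "HIGH impact by default" rule applies.
    impact: Optional[Impact] = None


def risk_score(threat: Threat) -> int:
    """Impact * Likelihood, treating an unset impact as HIGH."""
    impact = Impact.HIGH if threat.impact is None else threat.impact
    return int(impact) * int(threat.likelihood)


def risk_band(score: int) -> str:
    """Note 1 bands: 1-3 Low, 4 Medium, 6-12 High."""
    if score in (1, 2, 3):
        return "Low"
    if score == 4:
        return "Medium"
    if score in (6, 8, 9, 12):
        return "High"
    # 5, 7, 10 and 11 are not products of the two scales, so a score
    # like that means the inputs were not taken from the rank tables.
    raise ValueError(f"{score} is not a value in the risk score matrix")


def matrix() -> Dict[str, List[int]]:
    """Rebuild the risk score matrix: one row per likelihood rank."""
    return {lk.name: [int(im) * int(lk) for im in Impact] for lk in Likelihood}


def score_register(threats: List[Threat]) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) rows, highest risk first."""
    rows = [(t.name, risk_score(t), risk_band(risk_score(t))) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (not taken from any real assessment).
SAMPLE_REGISTER = [
    Threat("Vendor remote support account shared by staff",
           Likelihood.MEDIUM, Impact.MEDIUM),
    Threat("Backup media stored unencrypted", Likelihood.HIGH),  # impact defaults to HIGH
    Threat("Workstation session left unlocked", Likelihood.LOW, Impact.LOW),
]

if __name__ == "__main__":
    for name, score, band in score_register(SAMPLE_REGISTER):
        print(f"{score:>2}  {band:<6}  {name}")
```
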
Risk Summary:

Security Analyst Name:
Security Analyst Summary:
Security Review Date:

Security Manager Name:
Security Manager Summary:
Security Review Date:

The following approvals must be recorded:

Director Network and Infrastructure approval Y/N comments:
Director PC Systems approval Y/N comments:
Administrator IT approval Y/N comments:
Manager IT Security approval Y/N comments:
Director Systems Development/Admin approval Y/N comments:
Director Clinical Systems approval Y/N comments:

HSC IT Project Security Requirements
Document Version: 10.1
Document Classification: HSC Restricted
Date Created: 12/9/2015
Document Owners: UH IT Security, HSLIC IT Security

Example data flow diagram (text labels only): Vendor Application & Image System on UH Server. User inputs patient name. Receives radiology image.

Information System Security Plan
David Grisham, Ph.D.
Julie Toomsen
To be used with all projects to evaluate security risks and measures