Security & Compliance Policy

Information Security Policy

HIPAA + CIS v8Dunder Mifflin

Control mapping: HIPAA §164.308(a)(1); CIS Controls v8 (governance)

Master governance policy establishing the security program and risk-management process.

Purpose

This Information Security Policy establishes Dunder Mifflin's commitment to protecting the confidentiality, integrity, and availability of its information assets, including any electronic protected health information (ePHI) it creates, receives, maintains, or transmits.

It serves as the master policy under which all subordinate security policies, standards, and procedures are organized.

Scope

This policy applies to all workforce members, contractors, and third parties who access Dunder Mifflin information systems, and to all systems, applications, networks, and data owned or operated on Dunder Mifflin's behalf.

Policy

  • Dunder Mifflin maintains a documented information security program proportionate to the sensitivity of the data it handles and the risks it faces.
  • A formal risk analysis is conducted at least annually and after any significant change to the environment; identified risks are tracked to remediation in a risk register.
  • Security responsibilities are assigned to a named Security Official with authority to develop, implement, and enforce this program.
  • All subordinate policies are reviewed at least annually and approved by management.
  • Controls are selected and prioritized using recognized frameworks, including the HIPAA Security Rule and the CIS Controls v8.

Roles & Responsibilities

  • Executive management is accountable for the security program and for providing the resources needed to sustain it.
  • The designated Security Official owns this policy, reviews it at least annually, and approves exceptions.
  • Methodology IT, as the managed services provider, implements and operates the technical controls described here on behalf of Dunder Mifflin.
  • All workforce members are responsible for complying with this policy and reporting suspected violations.

Enforcement & Exceptions

Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.

Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.