Security & Compliance Policy
Control mapping: HIPAA §164.308(a)(6); CIS Control 17 (Incident Response)
Detecting, reporting, and responding to security incidents and breaches.
This policy establishes how Dunder Mifflin detects, reports, responds to, and recovers from security incidents, including suspected breaches of ePHI.
Security incidents should be reported to the Security Official and to Methodology IT's service desk without delay. Early reporting limits harm and is never penalized.
Compliance with this policy is mandatory. Violations may result in disciplinary action up to and including termination of employment or contracts, and may carry civil or criminal liability.
Any exception must be requested in writing, justified by a documented business need, risk-assessed, and approved by the Security Official before it takes effect. Approved exceptions are reviewed at least annually.