Published: March, 2010
Revised: March, 2023

I. Introduction

This Policy describes the requirements for security controls to protect Endpoints that process, transmit and/or store Data (as each is defined in the MMG Information Security Charter (the “Charter”)) https://www.monstrousmediagroup.com/isc. Such requirements differ depending on whether such Data is Sensitive Data, Confidential Data, Internal Data or Public Data (as each is defined in the Charter).

No distinction is made in this Policy between an Endpoint owned by the MMG or personally owned. All Information Security Policies (as defined in the Charter) will apply to a personally owned Endpoint used for MMG business.

Any Endpoint that processes, transmits and/or stores Data must be registered in accordance with Section III(A) and have the minimum protection requirements set forth in Section III(B) or (C) and, if applicable, Sections III(D), (E), and/or (F), in each case for the most restricted class of Data that is processed, transmitted or stored on such Endpoint.

Capitalized terms used in this Policy without definition are defined in the Charter.

II. Policy History

• The effective date of this Policy is March 30, 2011.
• Reviewed and/or revised March 14, 2023.

III. Policy Text

A. Registration of Certain Endpoints

All Endpoints that process, transmit and/or store PHI, (2) all Endpoints that are used for MMGIT purposes (“MMGIT Endpoints”), and (3) all Endpoints which are part of the MMG Clientele Healthcare Component, must be registered with the IT Custodian or other person, Department or business unit who is responsible for maintaining an inventory of Endpoints in his/her area of responsibility. All inventories of registered Endpoints must be provided to the MMG Information Security Office. Registration will be carried out in accordance with the MMG Information Security Procedures https://www.monstrousmediagroup.com/isc

B. General Protection Requirements for Desktop and Laptop Computers

Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a desktop or laptop computer:

1. Access to the Endpoint is password protected and conforms to the MMG Information Resource Access Control and Log Management Policy https://www.monstrousmediagroup.com/isc.
2. The Endpoint is running vendor-supported operating systems that are automatically updated and has up-to-date security patches installed.
3. A firewall is activated and configured on the Endpoint.
4. Anti-virus, anti-spyware and monitoring programs are installed to perform continuous and/or scheduled scanning to detect and/or prohibit unauthorized access. The virus definition list is updated at least once daily.
5. The Endpoint is configured to lock after 15 minutes of inactivity.
6. All Data files used for MMG purposes are backed up regularly.
7. The Endpoint is physically protected and not shared with unauthorized persons.
8. Each Endpoint that stores MMG Data is disposed of in accordance with the MMG Sanitization and Disposal of Information Resources Policy https://www.monstrousmediagroup.com/isc.

C. General Protection Requirements for Mobile Devices

Each User shall ensure that the following protections, at a minimum, are implemented for each Endpoint that is a Mobile Device:

1. Access to the Endpoint is password protected in accordance with the MMG Information Resource Access Control and Log Management Policy https://www.monstrousmediagroup.com/isc.
2. The Endpoint contains a mechanism to encrypt all Data stored on the device.
3. The Endpoint is configured to lock after 5 minutes of inactivity.
4. The Endpoint has a mechanism for a secure remote wipe if it is lost or stolen.
5. The Endpoint erases data after 10 failed password or login attempts.
6. Each Endpoint that stores MMG Data is disposed of in accordance with the MMG Sanitization and Disposal of Information Resources Policy https://www.monstrousmediagroup.com/isc.
7. If the Endpoint is a mobile phone issued or financially subsidized by MMG to support its administrative or academic operations, it is the responsibility of departmental administrators (or client or department equivalents) to enter the mobile phone number into BambooHR, so that the mobile phone is enrolled in MMG’s Emergency Text Message Notification System. Please note the following additional points:
   1. If the Endpoint is a mobile phone not issued or financially subsidized by MMG, it is recommended, but not required, that the Endpoint be enrolled in MMG’s Emergency Text Message Notification System.
   2. If any staff wish to receive emergency messaging on a different device than their MMG-issued or subsidized mobile phone, they may log into MMG and change the mobile phone number via MMG Self-Service.

In addition, it is recommended, but not required, that the Endpoint contain a device recovery mechanism through the use of a GPS tracking system.

D. Protection Requirements for Endpoints in the MMG Clientele Healthcare Component

Each User of any MMG Clientele Healthcare Component Endpoint must follow the specific provisions relating to Endpoints in the MMGIT Information Security Procedures which reflect the regulatory requirements for managing ePHI.

E. Additional Protection Requirements for Endpoints Containing Sensitive Data or Confidential Data

Each User shall ensure that, in addition to the protections described in Section B or C and Section D above, a record of what Sensitive Data or Confidential Data is stored on each Endpoint is maintained separately from the Endpoint.

In addition, it is recommended but not required, that Confidential Data be protected with password while in transit and in storage.

F. Additional Protection Requirements for Endpoints Containing Sensitive Data

Each User shall ensure that, in addition to the protections described in Section B or C and Sections D and E above, the following protections are implemented for any Endpoint that processes, transmits and/or stores Sensitive Data:

1. Sensitive Data are encrypted while in transit and in storage, including such Data stored on Removable Media.
2. Only encryption technologies that are based on standard algorithms that have no inherent security flaws (e.g., AES, RSA, IDEA, etc.) are used.
3. At a minimum, a 256 bit encryption cipher key is used.
4. If the Endpoint is a desktop or laptop computer, it is encrypted leveraging full disk encryption.
5. The Endpoint does not use Peer-to-Peer Programs unless such use and the configuration of the Program are approved by the applicable Information Security Office.

Any Endpoint that exists on the Effective Date of this Policy and contains PHI, but cannot use encryption because of technology limitations, may be granted a special waiver by the applicable Information Security Office if such Office determines that there are compensating controls in place to address all major information security risks.

H. Supplemental Requirements

The requirements list set forth in this Policy are not comprehensive and supplemental controls may be required by MMG to enhance security as necessary.

IV. Cross References to Related Policies

The Information Security Policies referred to in this Policy are listed in Appendix A hereto.

Appendix A

Related Policies

• Information Resource Access Control and Log Management Policy
• Information Security Charter
• Sanitization and Disposal of Information Resources Policy   

Policies: https://www.monstrousmediagroup.com/isc