1. Introduction

Orapuh is committed to ensuring the confidentiality, integrity, and availability of its digital assets and information. This policy outlines the guidelines and procedures for safeguarding Orapuh’s digital infrastructure, data, and public health information.

2. Scope

This policy applies to all Orapuh employees, volunteers, contractors, and third-party vendors who access, manage, or handle Orapuh’s digital assets and information.

3. Information Classification

  • Public: Information intended for public release.
  • Internal: Information restricted to Orapuh employees, volunteers, and approved partners.
  • Confidential: Sensitive information, including patient health records and personal data.

4. Access Control

  • Role-based access: Access to information systems and data will be based on job roles and responsibilities.
  • Multi-factor authentication (MFA) for remote access.
  • Regular review and update of user access permissions.

5. Data Protection

  • Encryption of sensitive data both in transit and at rest.
  • Regular data backups with off-site storage.
  • Data retention and disposal policies in compliance with regulatory requirements.

6. Network Security

  • Firewalls and intrusion detection/prevention systems.
  • Regular network vulnerability assessments and penetration testing.
  • Secure Wi-Fi with strong encryption and guest network isolation.

7. Endpoint Security

  • Antivirus and anti-malware software on all devices.
  • Patch management to ensure all software and systems are up to date.
  • Mobile device management (MDM) for company-owned and BYOD devices.

8. Incident Response

  • Incident reporting and escalation procedures.
  • Regular security awareness training for employees.
  • Forensic analysis and investigation in case of security breaches.

9. Physical Security

  • Secure data centers with controlled access.
  • CCTV surveillance and alarm systems.
  • Secure disposal of physical media and devices.

10. Third-Party Management

  • Vendor risk assessments before engagement.
  • Security requirements in contracts and service level agreements (SLAs).
  • Regular audits and reviews of third-party security practices.

11. Compliance

  • Adherence to relevant laws, regulations, and standards.
  • Regular compliance audits and assessments.
  • Training and awareness programmes on compliance requirements.

12. Training and Awareness

  • Regular security awareness training for all employees.
  • Phishing and social engineering awareness programmes.
  • Updates on emerging threats and best practices.

13. Policy Review and Updates

  • Regular review and update of the security policy.
  • Stakeholder input and feedback in policy development and updates.
  • Communication of policy changes to all relevant parties.

14. Enforcement

  • Violations of this security policy may result in disciplinary action, up to and including termination.
  • Reporting mechanisms for policy violations and concerns.
  • Whistleblower protection for employees reporting security incidents in good faith.

15. Conclusion

Orapuh’s security policy aims to create a secure and trusted environment for its digital operations, protecting both its assets and the sensitive public health information it manages. All employees and stakeholders are expected to comply with this policy to maintain the highest standards of security and confidentiality.

By adhering to this comprehensive security policy, Orapuh demonstrates its commitment to maintaining the trust of its patients, partners, and the public.