Technology
POLICY:
It is the policy of Sunshine Farm to inform and train all users regarding the acceptable use of technology equipment, information, responsibilities, and security. Initial and ongoing related training and competencies will be documented. The main objectives for acceptable use are:
A. The confidentiality and security of data and information are protected against unauthorized misuse or disclosure.
B. The integrity of data and information is protected from unauthorized or accidental modification.
C. The availability and accessibility of technology balanced against the need for use.
PROCEDURES:
The following information is to be used as an outline of what is expected regarding information technology (IT). It defines terms, identifies standards, and supports IT implementation. The procedures for IT use will address the following topics:
A. Acceptable Use of Technology and/or Equipment, which may include business computers, tablets, cell phones, USB drives, email, internet, Wi-Fi, network access, Information and Communication Technology (ICT) for service delivery, or use of other applications.
1.) The acceptable use of all technology is implemented to support business
processes, service delivery, and information systems including how information
is collected, processed, stored, and communicated.
2.) Guidelines for using the internet, Wi-Fi, and/or the network as well as other
resources are specified regarding business computers, laptops, phones, tablets,
and/or personal devices.
3.) The control and use of technology including bringing or using personal devices
on the business network or for business purposes will also be addressed.
B. Orientation. All new staff and other stakeholders, as appropriate, will be provided with an Orientation or Onboarding Session regarding the various IT systems and practices.
1.) New staff must read and acknowledge the “Acceptable Use of Information Technology” located within their staff handbook or policy and procedure manual.
2.) Staff must confirm they have read and agree by signing and dating the appropriate document.
3.) All training and competencies must be documented and filed in their personnel file.
C. Information Collection. Maintaining the security and integrity of collected information is crucial to our business viability. Administrative and personal information is collected in a legal, ethical, and uniform manner per the guidelines and timeframes identified in relevant policies and procedures. Information is reviewed and analyzed for use in our strategic planning, various decision-making events, and quality improvement. Information is collected in accordance with our mission, vision, values, and program goals. Overall, the data collected is meant to:
1.) Enhance quality of services and identify unmet needs.
2.) Improve efficient business functions (health and safety, workforce management,
strategic planning, risk management, performance improvement, etc.).
3.) Increase productivity and foster effective communication among all stakeholders.
D. Technology demonstration. The use of information technology services will be demonstrated in the following ways:
1.) The Website: Stakeholders can become familiar with services, scheduling, job openings, surveys to determine quality of services or corporate compliance, appointment requests, and online assessments with resources for accessing special accommodation requests, if needed.
2.) Hardware and Software: The telephone systems, training software, intrapersonal file sharing, email, business accounting software, file management, billing software, electronic health record, payroll services, ICT delivery of services, online assessments, insurance, fee collection systems, and other technology services required by contracts or based on need.
E. Information dissemination. Technology information will be disseminated to staff, persons served, and other stakeholders as appropriate and in accordance with individual policies. The above types of demonstration will be performed based on the type of input, outcome, and audience.
F. Responsibility. Administration is responsible for coordinating the security and privacy of private information, the assessment and planning of technology needs, as well as ensuring appropriate training.
G. General Use and ownership. Proprietary information stored on electronic and computing devices, whether owned or leased, remains the sole property of Sunshine Farm.
Use of Hardware
POLICY:
Staff are responsible for the technology resources entrusted to them. Due diligence and care should be exercised to ensure the security and integrity of these business resources including, but not limited to computers, monitors, modems, hard drives, keyboards, cell phones, mobile devices, tablets, mice, printers, and scanners.
PROCEDURE: Reasonable and prudent steps must be taken to protect Sunshine Farm technology equipment or resources. At no time should safety toward hardware be compromised or circumvented.
A. Sunshine Farm hardware and other information systems should only be used as authorized
by the administrator.
1.) Requesting, purchasing, or obtaining hardware must be approved by the administration.
2.) Use of Sunshine Farm technology should conform to an individual’s job function
and/or specific job description.
3.) Any action which breaches, evades, or circumvents reasonable and prudent methods
of hardware use should be immediately reported to the appropriate management.
B. Company-owned computers are for business use only. The use of personal electronic devices, i.e., smart phone, tablet, desktop computers, or laptops is prohibited for business use, unless authorized by the Administration.
1.) All computers must be password protected and only those persons who are authorized
can use or have access to approved devices.
2.) Each person authorized is assigned a security code or password and must sign
a confidentiality statement. Security codes or passwords shall be changed periodically,
and information must be backed up monthly.
C. Portable devices. The purchase of portable devices such as cell phones, tablets, and laptop computers must meet the guidelines for purchasing equipment under the financial policy.
1.) Portable systems must run a compatible software system and integrate with existing hardware.
2.) The portable system must be able to run the following applications/software:
a. Internet Browser: Google Chrome, Firefox, Safari/iOS.
b. Most current version of Microsoft and Office 365.
c. Cloud Storage such as Professional Dropbox.
d. Security: Anti-Malware such as McAfee or Malwarebytes.
e. Adobe Acrobat, JAVA, Brother Printing/Scanning or other equipment.
C. External devices. This may include modems, routers, monitors, keyboards, mice, printers, scanners, fax machines, phones, shredder, mailing equipment, and other security devices.
1.) Purchase and use of all other computer peripherals can only be authorized by appropriate
staff.
2.) External devices must be compatible with the company’s current hardware and software
systems.
3.) The request for accessories (hands free kit, additional scanner, label maker/printer, etc.)
must be included with the initial request for purchase.
4.) All purchases of devices must be supported by a 1–2-year manufacturer warranty or other
guarantee.
D. Bring your own device. All staff who use or access our business technology equipment and/or services are bound by these conditions.
1.) Staff must register their device for business use and report which applications are
being used for business purposes on personal devices.
2.) Staff will register their devices when completing their onboarding and/or orientation to
the Technology Standards. The following can be used for business purposes:
a. Approved device for the use of email access using appropriate security measures.
b. Approved device for the use of business internet access using appropriate
security measures.
c. Approved device for the use of business telephone calls using appropriate security
measures.
3.) Each staff member that utilizes personal devices agrees:
a. Not to download or transfer business or sensitive information to the device.
Sensitive information includes business or personal information sensitive to the
business such as intellectual property, personnel details, client information, etc.
b. To maintain the device with current operative and security software.
c. Not to share the device with other individuals to protect the business data access
through the device.
d. To abide by the internet policy for appropriate use and access of the internet.
e. To notify the business immediately in the event of loss or theft of the device.
f. Not to connect USB memory sticks from an untrusted or unknown source to
equipment.
4.) To keep devices secure, the following must be observed:
a. Devices must never be left unattended in a public place, or in an unlocked home or vehicle, or even if it is locked. Wherever possible, staff should keep the device on their person or securely locked away.
b. Devices should be carried on as hand luggage when traveling.
c. Passwords and encryption should always be utilized for device access.
Use of Software
POLICY: Staff may be required to use a company owned computer to complete the responsibilities of their position. The Administrator is the only person authorized to approve software use, changes, or purchases.
There are typically three classifications of software. This includes Systems Software which aids the user and the hardware to function and interact with each other, Programming Software, as well as Application Software. Unauthorized software applications may be removed as all software needs to be approved and evaluated on an individual basis and implemented using the appropriate configuration procedure.
PROCEDURE: Reasonable and prudent steps should be taken to protect Sunshine Farm provided technology, equipment and resources. At no time should safety toward software be compromised or circumvented. Software procedures are outlined below:
A. Sunshine Farm software and other information systems should only be used as authorized
by the administrator.
1.) Requesting, purchasing, or obtaining software must be approved by the Administrator
and follow the purchasing policy prior to the use or download of such software.
2.) All software that is purchased must be sold by reputable software sellers and meet relevant
security rules so that configuration can be implemented smoothly.
3.) Use of Sunshine Farm provided technology should conform to an individual’s job function and/or description.
4.) Any action which breaches, evades, or circumvents reasonable and prudent methods of software use should be immediately reported to the administrator.
B. Software Use. All personnel must receive training relevant to their job description and use prior to the use of any software. This will be the responsibility of the administrator. Staff is prohibited from bringing software from home and loading it onto company hardware.
1.) Unless express approval is obtained from the Administrator, software cannot be taken home
and loaded on personal devices.
2.) When a staff member is authorized to take home a company device, the use of all software
or hardware must be business related unless previously approved.
3.) Illegal use, reproduction, or duplication is strictly forbidden and may be subject to civil
and criminal penalties including fines and imprisonment.
C. Software Audit. There will be periodic audits of all company-owned PCs, including laptops, to ensure we follow software licenses.
1.) Software for which there is no supporting registration, license, and/or original installation
will be removed from the user’s computer.
2.) A search for viruses and any other unknown software will also be implemented.
3.) Full cooperation of all users is required.
4.) The company reserves the right to audit networks and systems on a periodic basis to ensure
compliance with acceptable use policy.
D. Browser and Operating system best practices. To guarantee the best experience, get the most out of our electronic systems, and ensure security and performance, the following best practices are to be applied:
1.) Keep your OS and browser updated.
2.) Enable JavaScript and cookies.
3.) Utilize AdBlock and other security protections.
4.) Remove browser extensions.
E. Email. The use of email must be consistent with Sunshine Farm policies and procedures for ethical conduct, safety, and in compliance with applicable laws and proper business practices. The Sunshine Farm email account should be used primarily for business-related purposes. Personal communication is permitted on a limited basis, but nonrelated commercial uses are prohibited.
1.) All data contained within an email message or attachment must follow
the secure data transfer protection standards.
2.) Personnel must use extreme caution when opening e-mail attachments
received from unknown senders, which may contain malware.
3.) Email messages should be retained if they qualify as a business record.
Email messages are considered a business record if there is a legitimate and
ongoing reason to preserve the information contained in the message.
4.) The email system shall not be used for the creation or distribution of any unacceptable usage including disruptive messages, offensive comments about
race, gender, hair color, disabilities, age, sexual orientation, pornography,
religious beliefs and practices, political beliefs, or national origin. Personnel who receive
any emails with this content from other staff members should report the matter
to their supervisor immediately and utilize the grievance reporting system,
if warranted.
5.) Users are prohibited from automatically forwarding business email to
personal accounts or 3rd party email systems. Individual messages which are forwarded by the user must not contain any confidential or
private information.
6.) Personnel are prohibited from using 3rd party email systems and storage servers
such as Google, Yahoo, and MSN Hotmail, etc. to conduct business, to create transactions, or to store/retain information.
7.) Personnel shall have no expectation of privacy in anything they store, send, or receive on the company’s email system.
8.) Email accounts and messages may be monitored without prior notice or
warning.
F. Backup and security. All business-critical data will be backed up monthly to protect and ensure data integrity.
1.) Ensure continuity of services through monthly backup of all technology and data.
This provides the assurance that the use of systems will be available and ensures the
safe and effective storage of critical information.
2.) Backups of data must be handled with the same security precautions as the data itself.
When systems are disposed of, or re-purposed, data must be certified or deleted, or disks
destroyed consistent with industry best practices for the security level of the data.
3.) To validate that the backup can be created and completed on a timely basis, a test database
is verified using the daily backups.
4.) Ongoing assessment of Technology will be performed, and planning will occur
annually. It will be updated as needed.
Technology Business Continuity and Disaster Recovery
POLICY
Sunshine Farm is committed to ensuring that regular business services can be maintained in the event of a disaster (ranging from weather-related to catastrophic) using key technologies and disaster preparedness measures.
Ensure we are better prepared in the event of a disaster by having basic technology services available or by utilizing a plan to support resuming business.
PROCEDURE
A. Since Sunshine Farm utilizes virtual services in a variety of ways, disaster preparedness
methods will be maintained using key IT services employed through the following methods:
1.) Phone Systems: In the event of a disaster rendering the phone systems unusable, cell phones
will become the primary method of contact for key office personnel. A list of cell phone
numbers and home phone numbers is maintained and updated regularly. Office calls will
be forwarded to the appropriate person’s phone to manage business calls.
2.) Internet Servers/Networks: Alternative secure internet access could be established if the
office server or network is down. A secure “Hotspot” will be implemented in the event
of an office disaster. This will be used for essential services only, until the network is
restored.
3.) Data Storage: All data is backed up daily utilizing our secure cloud-based system and will
be virtually restored when necessary.
4.) Remote Connectivity: If a disaster has prevented work from the administrative office,
another device located at the residence at Sunshine Farm will serve as a backup for
connectivity.
5.) All policies and procedures for security and privacy management are to be followed.
If it is a security breach that has caused the disaster, appropriate risk measures
(for reporting) will be taken according to the breach.
Security
POLICY
Reasonable and prudent steps will be taken to protect business data and information systems. At no time should these steps be breached, evaded, bypassed, or circumvented. Any action which breaches, evades, or circumvents these reasonable and prudent steps should be immediately reported to management. Due diligence and care must be exercised to ensure the security and integrity of all resources including safeguarding and protection of data and other IT systems.
PROCEDURE
Data and information systems will only be accessed according to one’s respective job function and description. Approval and use must be authorized by Administrative Staff and/or designated person. Threat prevention must be utilized to protect against negligent and/or intentional damage. Business continuity and recovery from this damage is imperative if the business is to operate without interruption.
A. Access Management: Access to the network, servers, and other systems will require individual unique logins for authorization to the system. Authentication includes the use of passwords to gain access to the system.
1.) Passwords: System level and user level passwords must comply with the password
policy outlined below. Providing access to another individual, either deliberately or
through failure to secure access, is prohibited. All computing devices must be secured
with a password protected screensaver with the automatic activation feature set to 10
minutes or less. Personnel must lock the screen or log off when the device is unattended.
a. Passwords must consist of a minimum of eight (8) characters and must contain
three of the four following attributes – upper-case letter, lower-case letter,
number or symbol.
b. New passwords must be significantly different than the previous five used
passwords.
c. When a staff member forgets their password or is locked out after 3 unsuccessful
attempts, then the administrator will reissue a new initial password that will be
required to be changed upon successful log in.
B. Physical Access: For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access. All devices must be securely locked in offices with appropriate password protection.
1.) Technology Access: Authorization of technology use will be performed upon new
hire orientation/onboarding and completion of technology training relevant to one’s
job role. Deactivation or de-authorization will be implemented upon termination,
security issue, or other policy breach.
2.) Data Export and Transfer Capabilities: Sunshine Farm will protect restricted,
confidential, or sensitive data from loss to avoid reputation damage and to avoid
adversely impacting our stakeholders.
3.) Data may be exported or transferred in the following cases:
a. Email exchange
b. Video Conferencing
c. Billing, Payroll, or other financial transactions
d. Fax, Phone Call, or other communication methods
e. Record sharing
4.) Data is defined as:
a. Credit card details, bank account numbers, and other financial identifiers
b. Email addresses, names, addresses, and other combinations of personally identifiable information
c. Documents that have been explicitly marked with “Confidential” information
d. HIPAA information including all elements of the medical record.
C. Decommissioning of Physical Hardware and Data Destruction: To protect our stakeholders’ data, all storage mediums must be properly erased before being disposed of. Special tools shall be used to securely erase data prior to equipment decommissioning or destruction. Best practices for data destruction include:
1.) Utilize Appropriate Processes: Sunshine Farm will establish the destruction
process to address physical and electronic records that complies with relevant
information management policies.
2.) Monitor, Adjust, and Analyze: Sunshine Farm will implement quality performance measures to ensure the destruction process meets the current needs
of the business.
3.) Malicious Activity Protection: Norton is the tool used for Virus Protection, Endpoint Security, Cloud Security, and as a Common DLP Engine. This is employed to ensure the integrity of all operating systems including Windows, Android, and iOS so that we can defend ourselves against viruses, malware, spyware, and ransomware attacks while staying on top of privacy and security.
4.) Security Protection: Norton protects against security threats by utilizing
anti-virus protection, protecting and shredding sensitive files, deleting cookies,
safe web browsing, performance optimization, multi-device compatibility,
encrypted storage, and more.
1. Remote Access: These policies are meant to provide guidelines for appropriate use of remote access capabilities to the company’s network, business applications, and technology systems. This policy applies to all staff, contractors, vendors, and other agents with a company owned or personally owned device used to connect to the company network. Activities include reading or sending email, viewing intranet web resources, utilizing the electronic medical record, or any other applications used for business. The same type of security measures must be implemented for remote access.
2. Training: Data security and client confidentiality procedures are an indispensable and integral part of the system policies and procedures; therefore, training will occur for new staff, upon the use of new technology, and as needed or warranted. This will be performed by appropriate staff.
PRIVACY AND CONFIDENTIALITY:
POLICY: The business information systems, data, and technology assets, which include but are not limited to computers, computer networks, printers, and other related pieces of equipment and/or systems, are the property of the agency and are valuable company assets.
INTENT: Individuals using and having access to this technology must take reasonable and prudent steps to preserve the integrity of the systems, the data, and to protect the information. These assets are to be used for appropriate business-related functions only.
GENERAL INFORMATION: All communications made and transmitted within Sunshine Farm will be professional in nature as they represent the agency, our culture, and the individuals we serve. Prior to the use of the agency data and telecommunication systems, the staff member or company/individual hired by Sunshine Farm is required to read the information policies and sign an acknowledgment statement.
Information and technology assets include but are not limited to the hardware, software, equipment that makes up workstations, local area networks, wide area networks, telephone, and other communication systems. All changes, modifications, and alterations to computing assets must be made and/or approved by the Administration.
PROCEDURE: Confidentiality of all treatment information and records shall be kept, recorded, released, maintained, and provided to requesting parties, in accordance with all applicable laws.
1. The “Minimum Necessary” rule is required of all personnel to ensure only the minimum protected personal information necessary to carry out services is used. Refer to the policies concerning Confidentiality for additional information.
2. Reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected personal information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure will be maintained by the following safeguards:
a. Shredding documents containing PHI before discarding them.
b. Securing clinical records with lock and key or pass code.
c. Limiting access to keys or pass codes.
d. Passwords are established through the Management Team.
e. Sharing of passwords between staff members is forbidden.
f. New or change of current password is available upon request.
g. Personnel must set up their workstations to automatically log off after a predetermined time of inactivity, i.e., a screensaver with a password.
h. Individually identifiable information shall not be transmitted via email.
ASSISTIVE TECHNOLOGY
POLICY: Sunshine Farm will attempt to provide appropriate assistive technology to staff and persons served with disabilities. We are committed to training staff on how to most effectively use assistive technology to improve quality services. Training is accomplished via in-person, one-on-one, group presentations, or on your own through work or home study.
INTENT: Multiple methods of assistance for staff, clients, and other stakeholders will be available upon reasonable request, ability to meet request, and options available. Cost will be a factor upon ability to meet need.
GENERAL INFORMATION: Assistive technology is defined as any item, piece of equipment, or product, whether acquired commercially, off the shelf, modified, or customized, that is used to increase, maintain, or improve the functional capabilities of individuals with disabilities.
PROCEDURE: The need for assistive technology must be determined on a case-by-case basis. Reasonable Accommodation Requests are to be made to the administration. If it is determined that an assistive technology item is required for personnel to be provided a reasonable opportunity to perform the responsibilities of the job or to meet the needs of persons served, the technology will be provided.
Examples of assistive technology include:
• Customized office furniture or supplies.
• Specialized keyboard (ergonomic or large key).
• Voice recognition software.
• Large monitors.
• Video phones.
• Screen magnifiers.
• Optical character recognition (OCR) scanning software.
Rights reserved by Sunshine Farm: Violation of policy or misuse of business assets is subject to disciplinary action up to and including termination. Failure to report violations constitutes a violation of policy and is therefore subject to disciplinary action. These policies are intended to augment existing laws. Sunshine Farm reserves the right to monitor, audit, screen, and preserve data as the agency deems necessary in maintaining compliance with company policy.
Sunshine Farm Current physical inventory of hardware and providers.
Technology
Internet Provider – Shaw Cable
Cell Phone Provider – Rogers and Virgin Mobile
E-Mail Provider – Mail.com and Gmail.com
Virus Protection – Norton
Back-up routine – Monthly back-ups to external hard drive and ‘The Cloud’
Hardware
Acer All in one computer.
Model number AZ238wS
Serial Number DQB86AA010803023643000
Purchased – Best Buy, 2018
ASUS Tower
Model Number M11BB
Serial Number ASM11881AA8650
Purchased – Best Buy 2009
Computer Monitor (Hewlett Packard)
Model Number LA2205WG
Serial Number 3CQ048NiGW
Purchased – Best Buy 2009
Brother Printer
Model Number MFC-48900CDW
Serial number U64646C1F653205
Purchased – Best Buy May 26, 2020
Brother Printer
Model Number MFC-48900CDW
Serial number U64646C1F697124
Purchased – Best Buy May 26, 2021
Pitney Bowes Postage Meter
Model – Mail Station 2
Serial Number – 5236949
Leased from Pitney Bowes February 2024.
Cell Phones
Model – iPhone 14
Serial Number – M3Q6331YFT
Service Provider – Rogers
Model – iPhone 12
Serial Number – H4YJ88NK0F00
Service Provider – Virgin Mobile
Personnel Acknowledgement Form:
1. You need to complete the security awareness training and agree to uphold the acceptable use policy.
2. If you identify an unknown, un-escorted or otherwise unauthorized individual, you need to immediately notify .
3. Visitors to must be escorted by an authorized employee at all times. If you are responsible for escorting visitors you must restrict them to appropriate areas.
4. You are required not to reference the subject or content of sensitive or confidential data publicly, or via systems or communication channels not controlled by. For example, the use of external e-mail systems not hosted by to distribute data is not allowed.
5. Please keep a clean desk. To maintain information security you need to ensure that all printed in scope data is not left unattended at your workstation.
6. You need to use a secure password on all systems as per the password policy. These credentials must be unique and must not be used on other external systems or services.
7. Terminated employees will be required to return all records, in any format, containing personal information. This requirement should be part of the employee onboarding process with employees signing documentation to confirm they will do this.
8. You must immediately notify in the event that a device containing in scope data is lost (e.g. mobiles, laptops, etc.).
9. In the event that you find a system or process which you suspect is not compliant with this policy or the objective of information security you have a duty to inform so that they can take appropriate action.
10. If you have been assigned the ability to work remotely you must take extra precaution to ensure that data is appropriately handled. Seek guidance from if you are unsure as to your responsibilities.
11. Please ensure that assets holding data in scope are not left unduly exposed, for example visible in the back seat of your car.
12. Data that must be moved within is to be transferred only via business provided secure transfer mechanisms (e.g. encrypted USB keys, file shares, email etc.). will provide you with systems or devices that fit this purpose. You must not use other mechanisms to handle in scope data. If you have a query regarding use of a transfer mechanism, or it does not meet your business purpose you must raise this with.
13. Any information being transferred on a portable device (e.g. USB stick, laptop) must be encrypted in line with industry best practices and applicable law and regulations. If there is doubt regarding the requirements, seek guidance from .
Name___________________________ Date______________________________
Witness_______________________________
Staff Training Day Agenda: Technology and Data Management
(Annually as scheduled in Sunshine Farm Perpetual Calendar)
Introduction:
– Welcome and objectives of the training day
– Importance of technology in enhancing services at Sunshine Farm
Session 1: Confidentiality and Security of Data
– Overview of data confidentiality and its importance
– Policies and procedures for maintaining data confidentiality
– Best practices for secure data handling and storage
– Case studies on data breaches and prevention strategies
– Interactive Q&A session
Session 2: Integrity of Data
– Understanding data integrity and its impact on service quality
– Methods to ensure data accuracy and reliability
– Regular data audits and checks
– Role of staff in maintaining data integrity
– Hands-on activities to practice data integrity techniques
Session 3: Availability and Accessibility of Data
– Ensuring data is available when needed
– Tools and technologies for data accessibility
– Balancing data accessibility with security measures
– Strategies for disaster recovery and data backup
– Group discussions on improving data availability at Sunshine Farm
Session 4: Enhancing Services through Technology
– Overview of current technology used at Sunshine Farm
– Demonstrations of new tools and software
– Practical applications of technology in daily operations
– Benefits of technology for persons served, staff, and stakeholders
– Collaborative brainstorming session for technology improvements
Discussion and ideas of areas we can improve:
– Strengths
– Weaknesses
– Opportunities
– Threats
Conclusion:
– Recap of key points covered in the training
– Open forum for feedback and additional questions
– Next steps and action plans for implementing learned practices
– Thank you and closing remarks
Additional Resources:
– Handouts with key takeaways and best practices
– Contact information for IT support and further training opportunities.