HR and Personnel Security

2021.2

LifeOmic is committed to ensuring all workforce members actively address security and compliance in their roles at LifeOmic. We encourage self management and reward the right behaviors. This policy specifies acceptable use of end-user computing devices and technology. Additionally, training is imperative to assuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.

Policy Statements

In addition to the roles and responsibilities stated earlier, LifeOmic policy requires all workforce members to comply with the Acceptable Use Policy for End-use Computing and HR Security Policy.

LifeOmic policy requires that:

(a) Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

(b) Employees, contractors and third party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

(c) Employees and contractors must disclose outside activities and/or conflicts of interest in accordance with the Conflicts of Interest Policy.

(d) Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures LifeOmic has in place. Employees will also have ongoing security awareness training that is audited.

(e) Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any LifeOmic systems has been removed, as well as ensuring that all company owned assets are returned.

(f) LifeOmic and its employees will take reasonable measures to ensure no PHI or corporate data is transmitted via digital communications such as email or posted on social media outlets.

(g) LifeOmic will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

(h) A fair disciplinary process will be utilized for employees are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc. LifeOmic reserves the right to terminate employees in the case of serious cases of misconduct.

Controls and Procedures

HR Management and Reporting

LifeOmic uses EaseCentral to manage its workforce personnel records.

Organization Structure

A reporting structure has been established that aligns with the organization’s business lines and/or individual’s functional roles. The organizational chart is available to all employees via the EaseCentral and/or posted on the internal web portal.

Job Functions and Descriptions

Position / Job descriptions are documented and updated as needed that define the skills, responsibilities, and knowledge levels required for certain jobs.

Performance Reviews and Feedback

Employees receive regular feedback and acknowledgment from their manager and peers. Formal performance reviews are conducted annually using EaseCentral. Performance measures, incentives, and other rewards are established by management according to responsibilities at all levels, reflecting appropriate dimensions of performance and expected standards of conduct.

Acceptable Use of End-user Computing

LifeOmic requires all workforce members to comply with the following acceptable use requirements and procedures, such that:

(a) Per LifeOmic security architecture, all workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

(b) Use of LifeOmic computing systems is subject to monitoring by LifeOmic IT and/or Security team.

(c) Employees may not leave computing devices (including laptops and smart devices) used for business purpose, including company-provided and BYOD devices, unattended in public.

(d) Employees may must take computing devices (including laptops and smart devices) used for business purpose, including company-provided and BYOD devices, with them when they leave the office for the day.

(e) Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

(f) Use only legal, approved software with a valid license. Do not use personal software for business purposes and vice versa.

(g) Encrypt all email messages containing sensitive or confidential data.

(h) Employees may not post any sensitive or confidential data in public forums or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

(i) Anti-malware or equivalent protection and monitoring must be installed and enabled on all endpoint systems that may be affected by malware, including workstations, laptops and servers.

(j) All data storage devices and media must be managed according to the LifeOmic Data Classification specifications and Data Handling procedures.

(k) It is strictly forbidden to download or store any ePHI on end-user computing devices, including laptops, workstations and mobile devices.

(l) Mobile devices are not allowed to connect directly to LifeOmic production environments.

Employee Screening Procedures

LifeOmic publishes job descriptions for available positions and conducts interviews to assess a candidates technical skills as well as culture fit prior to hiring.

Background checks of an employee or contractor is performed by HR/operations and/or the hiring team prior to the start date of employment.

Employee Onboarding Procedures

A master checklist for employee onboarding is maintained by HR/Facilities.
It is published in the HR system or the HR folder on Google Drive.

The HR Representative / Facility Manager is responsible to create an Issue in the Jira HR & Facilities project to initiate and track the onboarding process. The onboarding process should include the following IT/Security items:

  1. Training and Policy Acceptance.

    • New workforce member is provided training on LifeOmic security policy, acceptable use policy, HIPAA awareness, conflicts of interests, and given access to the Employee Handbook.
    • Records of training, outside activities and conflict of interest disclosures, and policy acceptance is kept in the HR system (currently EaseCentral).
    • The training and acceptance must be completed within 30 days of employment.
  2. Access.

    • Standard access is provisioned according to the job role and approval as specified in the HR onboarding Jira ticket.
    • Non-standard access requires additional approval following the access request procedures.
    • Request for modifications of access for any LifeOmic employee can be made using the procedures outlined in the Access Establishment and Modification policy and procedures.
  3. System configuration.

    • The end-user computing device (e.g. workstation or laptop) may be provisioned by IT to install necessary software, malware protection, security agents, and setting system configurations.
    • Users in a technical role, such as Development, may choose to self configure their system. In this case, the user is given configuration guidelines defined by IT and Security. The system must have the required security configuration and endpoint agents installed for monitoring and to ensure compliance.

Employee Exiting/Termination Procedures

A master checklist for employee existing/termination is maintained by HR/Facilities. It is published in the HR system or the HR folder on Google Drive.

  1. The Human Resources Department (or other designated department), users, and their supervisors (HR) are required to notify Security upon completion and/or termination of access needs and facilitating completion of the “Termination Checklist”.

  2. HR are required to notify Security to terminate a user’s access rights if there is evidence or reason to believe the following (these incidents are also reported on an incident report and is filed with the Privacy Officer):

    • The user has been using their access rights inappropriately;
    • A user’s password has been compromised (a new password may be provided to the user if the user is not identified as the individual compromising the original password);
    • An unauthorized individual is utilizing a user’s User Login ID and password (a new password may be provided to the user if the user is not identified as providing the unauthorized individual with the User Login ID and password).
  3. Security will terminate users' access rights immediately upon notification, and will coordinate with the appropriate LifeOmic employees to terminate access to any non-production systems managed by those employees.

  4. Security audits and may terminate access of users that have not logged into organization’s information systems/applications for an extended period of time.

Employee Issue Escalation

LifeOmic workforce members are to escalate issues using the procedures outlined in the Employee Quick Reference. Issues that are brought to the Escalation Team are assigned an owner. The membership of the Escalation Team is maintained by the Chief Executive Officer or his delegate.

Security incidents, particularly those involving ePHI, are handled using the process described in Incident Response. If the incident involves a breach of ePHI, the Security Officer will manage the incident using the process described in Breach Notification. Refer to Incident Response for a list of sample items that can trigger LifeOmic’s incident response procedures; if you are unsure whether the issue is a security incident, contact the Security team immediately.

It is the duty of the incident owner to follow the process outlined below:

  1. Create an Issue in the Github Security Issues tracker.
  2. The Issue is investigated, documented, and, when a conclusion or remediation is reached, it is moved to Review.
  3. The Issue is reviewed by another member of the Escalation Team. If the Issue is rejected, it goes back for further evaluation and review.
  4. If the Issue is approved, it is marked as Done, adding any pertinent notes required.
  5. The workforce member that initiated the process is notified of the outcome via email.

Whistleblower Policy and Process

The LifeOmic requires all workforce members to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. All workforce members must practice honesty and integrity in fulfilling their responsibilities and comply with all applicable laws and regulations.

(a) Reporting Responsibility. Each workforce member is required and encouraged to report serious concerns so that LifeOmic can address and correct inappropriate internal conduct and actions. This includes

  • questionable or improper accounting or auditing matters,
  • violations and suspected violations of company policies or ethics, or
  • suspected violations of law or regulations that govern LifeOmic’s operations

(b) Acting in Good Faith. Anyone filing a written complaint concerning a violation or suspected violation must be acting in good faith and have reasonable grounds for believing the information disclosed indicates a violation. Any allegations that prove not to be substantiated and which prove to have been made maliciously or knowingly to be false will be viewed as a serious disciplinary offense.

(c) Confidentiality. Insofar as possible, the confidentiality of the whistleblower will be maintained. However, identity may have to be disclosed to conduct a thorough investigation, to comply with the law, and to provide accused individuals their legal rights of defense.

(d) No Retaliation. Workforce members, in good faith, reporting a concern under the Whistleblower Policy shall NOT be subject to retaliation or adverse employment consequences. Moreover, any workforce member who retaliates against someone who has reported a concern in good faith is subject to disciplinary actions up to and including termination of employment.

(e) Reporting. Reports of concerns may be filed directly with the company CEO, COO, and/or the Compliance Officer. Additional reporting procedure details can be found in the employee handbook.

Conflict of Interest Policy and Process

We make decisions on behalf of the company every day, and part of our responsibility is to make those decisions in LifeOmic’s best interests and independent of any outside influences. We must be able to perform our duties and exercise our judgment on behalf of LifeOmic without being impacted by conflicts of interest or the appearance of conflicts of interest. Sometimes, the appearance of a conflict can create as much harm as the actual existence of a conflict. If you are ever in doubt about whether a conflict exists, err on the side of disclosure. This company conflict of interest policy applies to everyone working at LifeOmic, whether you are an employee or contractor.

(a) What is a conflict of interest? A conflict of interest is just what the name implies—it occurs when you have a personal or outside (non-company) interest that conflicts with the best interests of the company, or, in other words, when your personal interests conflict with a company interest. A conflict of interest may affect your ability to make objective decisions for the company. For example, judgment or decision making could be inappropriately influenced when the outside interest:

  • Impacts your ability to make decisions based on what is best for the company
  • Affects your impartiality (for example, in choosing between two suppliers or two potential employees)
  • Introduces personal or non-business issues into what should be a business decision

There are many different ways in which conflicts of interest can occur. Here is a non-exhaustive list that is meant to illustrate activities that may be considered actual conflicts of interest and activities that may create the appearance of a conflict of interest:

  • Outside jobs and affiliations with competitors (including advisory work), customers or suppliers, including consulting arrangements and board seats.
  • Engaging in any other employment or personal activity during work hours, or using our property in any other employment or activity.
  • Investments which might influence or appear to influence your judgment.
  • Working with close relatives or having a relationship with another employee who can influence decisions such as salary, performance rating or promotion.
  • Using our name, logo, equipment, or other property for personal purposes.
  • Any activity that might lead to the disclosure of our confidential information.

(b) Policy Requirements. We understand that while working for the company, you may wish or need to engage in an outside activity. If you intend to do so, it is your responsibility to ensure that such activities do not violate this or other LifeOmic policies. Any outside activity must not interfere with your ability to properly perform your job duties at LifeOmic, must not compete with the company’s products and services, must not violate LifeOmic’s compliance obligations (including contracts), and must not lead to the disclosure of company Confidential Information. If you are in doubt as to whether a particular activity is permissible, you must advise your line manager and HR of any proposed outside activity in advance.

LifeOmic will review the outside activity and advise you regarding next steps, e.g. submitting a disclosure form. In the event the activity is approved, it remains your responsibility to advise the company and take appropriate steps, in the event a conflict arises from a change in the outside activity. The responsibility of resolving a conflict of interest starts with you reporting it to your line manager, and may reach senior management. All conflicts of interest will be resolved as fairly as possible. Senior management has the responsibility of the final decision when a solution can not be found.

(c) Disclosure Responsibility and Process. You must complete the Outside Activities / Conflict of Interest Disclosure Form upon hire and when your situation changes. Contact HR for a copy of the Form. Given the evolving nature of LifeOmic’s business, conflicts of interest and the appearance of a conflict can change over time. If you have a preexisting outside activity, relationship or other potential situation that creates a new potential conflict situation, for example, due to company changes or product innovation, you must make the disclosure as soon as you learn of the existence of an actual or apparent conflict of interest.

Employee Performance Review Process

Formal performance reviews are conducted annually using Small Improvements.

  • 360 feedback is collected from team members working directly with the employee
  • Employee provides their own self assessment for both performance outcome and behavior
  • Manager reviews employee self-assessment and peer feedback, and documents the final review and rating
  • The final review and rating is reviewed and signed by both the employee and their manager

Employee Incentives and Rewards

LifeOmic encourages employees to go above and beyond to contribute to the business objectives and help their peers and customers. Employees are recognized and rewarded for positive behavior on a regular basis via peer recognition, appreciation, feedback, and rewards using Motivosity.

Continuous Education and Skills Development

LifeOmic provides employees the opportunity to attend conferences, trade shows, and/or ongoing training/studies relevant to their job function and business objectives.

Non-Compliance Investigation and Sanctions

Workforce members shall report non-compliance of LifeOmic’s policies and procedures to the Security Officer or other individual as assigned by the Security Officer. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence.

  1. The Security Officer promptly facilitates a thorough investigation of all reported violations of LifeOmic’s security policies and procedures. The Security Officer may request the assistance from others.

    • Complete an audit trail/log to identify and verify the violation and sequence of events.
    • Interview any individual that may be aware of or involved in the incident.
    • All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
    • Provide individuals suspected of non-compliance of the Security rule and/or LifeOmic’s policies and procedures the opportunity to explain their actions.
    • The investigator thoroughly documents the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.
  2. Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.

    • A fair disciplinary process will be utilized for employees are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc.
    • LifeOmic reserves the right to terminate employees in the case of serious cases of misconduct.
    • A violation resulting in a breach of confidentiality (i.e. release of PHI to an unauthorized individual), change of the integrity of any ePHI, or inability to access any ePHI by other users, requires immediate termination of the workforce member from LifeOmic.
  3. The Security Officer facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).

  4. In the case of an insider threat, the Security Officer and Privacy Officer are to set up a team to investigate and mitigate the risk of insider malicious activity. LifeOmic workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.

  5. The Security Officer maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of seven years after the conclusion of the investigation.

  6. When the Security Officer identifies a violation and begins a formal sanction process, they will notify the appropriate management or supervisors within 24 hours. That notification will include 1) identifying the individual sanctioned, 2) the reason for the sanction, and 3) specific procedures for service or account restriction / revocation or other disciplinary actions as required.

Warning Notice Template

Clean Desk Policy and Procedures

Employees must secure all sensitive/confidential information in their workspace at the conclusion of the work day and when away from their workspace. This includes both electronic and physical information such as:

  • computer workstations, laptops, and tablets
  • removable storage devices including CDs, DVDs, USB drives, and external hard drives
  • printed materials

Computer workstations/laptops must be locked (password protected) when physically unattended. Portable devices such as laptops and tablets should be taken home at the conclusion of the work day.

Removable storage devices and printed documents must be treated as sensitive material and locked in a drawer or similar when not in use. Printed materials must be immediately removed from printers or fax machines. Passwords must not be written down or stored physically.

Keys and access cards used for access to sensitive or restricted information/areas must not be left unattended anywhere in the office.