INFORMATION SECURITY GUIDELINES
- Wendy Roberts
TABLE OF CONTENTS:

Scope of Document
Data Definition Guidelines (Appendix 1)
Data Protection Guidelines (Appendix 2)
    Protection of Electronic or Machine-Readable Data
    Protection of Printed Data
Data Retention and Disposal Guidelines (Appendix 3)
    Data vs. Records
    Records Retention
    Record-Related Data
    Access Lifetime
    Data Deletion
Security Baseline (Appendix 4)
CONSISTENT, EFFECTIVE INFORMATION SECURITY

To respond to societal expectations and legislative requirements, the University must create and apply up-to-date information security standards. Should we fail to do so, in the event of a significant release of personal information or compromise of the University's information systems, the result would be a highly visible impact on the University's reputation and stature as a world-class education and research institution.

The need for data classification

Legislative requirements mandate that certain controls be applied to select sensitive and personal information. For information with no legislated control requirement, there is still a practical need, informed by public expectations and current practices, to protect data in proportion to the information's sensitivity.

The requirement to protect information

To ensure that information is effectively protected, information must be:
1. Reliably identified by sensitivity, as per the current Data Definition guidelines (Appendix 1);
2. Verifiably protected in accordance with location and sensitivity, as per the current Data Protection guidelines (Appendix 2);
3. Retained for a duration as defined in the current Data Retention and Disposal guidelines (Appendix 3); and
4. Disposed of as defined in the current Data Retention and Disposal guidelines (Appendix 3).
APPENDIX 1: DATA DEFINITION GUIDELINES

In discussing access controls for information, information is considered to be either confidential or non-confidential.

Confidential information includes:
1. Any personally identifiable information (PII): name, address, health data, or any other information uniquely associated with an individual.
2. Any data of a financial or legal nature, where disclosure or sharing has not been explicitly authorized.
3. Data associated with access control, such as passwords or door-lock combinations.
4. Information that does not fall into the preceding three categories, but where there is an expectation that the information not be modified, deleted or shared without conscious authorization by the data owner to allow such activity.

All other information is considered non-confidential.

When confidential and non-confidential data are aggregated, the collection as a whole must be considered confidential. Unless designated otherwise, information is considered confidential by default.
APPENDIX 2: DATA PROTECTION GUIDELINES

Data must be protected from unauthorized access or alteration while the data are in use, in physical or electronic storage, in physical transport or electronic communication, or under administrative access. Access to confidential information must be on a need-to-know basis only; need-to-know requirements must be documented as a requirement of job duties or contractual obligations.

Access and alteration controls must manage the disclosure, deletion, modification or duplication of data. Access and alteration controls must be proportionate to the risk to the University due to unauthorized disclosure, deletion, modification or duplication of data, whether confidential or non-confidential.

Protection of Electronic or Machine-Readable Data

Unless stored on secure, University of Toronto-owned equipment, confidential information (as defined in the Data Definition guidelines) must have one or more of the following protections applied: be encrypted; have all personally identifiable information removed or obfuscated (anonymized); or be sanitized (have all verifiable information removed or obfuscated). Access to confidential information stored on secure, University of Toronto-owned equipment must be controlled in proportion to the information's sensitivity, and provided on a need-to-know basis.

For a system to be considered secure, it must be managed to a standard equivalent to, or better than, Appendix 4: Security Baseline.

Access controls to change, read or delete non-confidential data are not required beyond those necessary to implement functional or operational requirements.

Protection of Printed Data

The only option to protect confidential data in printed format is to store it under lock and key. The strength of the lock, and the characteristics of the storage facility (passive fire resistance, fire alarms, fire suppression systems, break-and-enter alarms, humidity sensors/controls, etc.), must accommodate the physical characteristics of the print medium and the required retention period.

Non-confidential printed data do not require access or protective controls beyond the physical characteristics of the print medium and the required retention period associated with the data.
APPENDIX 3: DATA RETENTION AND DISPOSAL GUIDELINES

Data vs. Records

Data, in the context of this guideline, is regarded as information in its broadest sense: symbols or patterns that represent meaning; the terms "data" and "information" are used interchangeably in this document. For purposes of risk management, "data" is considered to have distinct needs which may differ from those of a record, defined as "any document containing information, however recorded, whether in manuscript, printed, on film or in electronic form or otherwise" (U. of T. Policy on Access to Information and Protection of Privacy, 1995).

While records are comprised of data, data may not (indeed often does not) represent a record in its entirety, or in its most current or officially recognized form. Data can be created through the process of record creation, modification, transport and storage; these data are often invisible, but not irretrievable, and represent risk if they exist without appropriate access controls. For example, computer systems may create temporary files to assist the process of document creation: a record so created may be deleted at the end of its life, but the temporary data associated with its creation may remain retrievable on the system used to create the record.

Note that storage of data is not restricted to workstations, servers and laptop computers, but includes mobile devices (such as, but not limited to, phones and music players) and office appliances (such as multi-function photocopier / fax / printers). These devices must be considered when developing data retention and disposal practices.

Records Retention

The University's recommendations for how long certain records series should be kept are set out in more than 700 records retention schedules developed by the University of Toronto Archives and Records Management Services. The retention periods outlined in these schedules should be followed and applied both to departmental files and to any convenience copies. For more information, please see the University Archives online Retention and Disposition Schedules database [ ].

Record-Related Data

Data associated with records may be created depending on how a record is stored, used or transported. For reference, such data may occur in, but is not limited to, the following contexts:
1. Metadata: information that characterizes scheduled records, such as, but not limited to: document name(s), storage location, author(s), reviewers, etc.
2. Temporary Data: working copies or printed 'draft' documents; application-created copies of files, in whole or in part (i.e. 'temp files'); copies of electronic documents in 'trash' folders on computers, but not yet 'emptied' (i.e. deleted).
3. Residual Data: data created in the process of using scheduled records, such as carbon copies, mimeograph originals, film negatives, or 'deleted' files in electronic storage.
4. Cached Data: data retained for reference, either as in a catalogue of documents, or by an application in order to speed up performance. Cached data may include some or all of the content of a scheduled record, or only metadata, and includes search indexes of both scheduled records and associated metadata.

Access Lifetime

Where data are stored in machine-readable format, equipment and software that can interpret and communicate the data in usable format must be kept in working order for the retention duration of the data. Alternatively, the data must be migrated to new storage media in advance of the end of lifetime for its storage media, or the failure of, or lack of manufacturer support for, the interpreting technology.

Data Deletion

All data associated with a record must be rendered irrecoverable after its retention duration expires. Data associated with the creation, use and transport of a record should be rendered irrecoverable after the data are no longer operationally useful.

Where data are stored in printed format, all documents ideally should be shredded as part of the disposal process. Confidential data must always be shredded as part of the data disposal process.

Where data are stored in electronic / machine-readable format, all storage media should be physically destroyed or 'wiped' (overwritten with random data a minimum of 3 times) as part of the disposal process. Devices used to store confidential data must always either be destroyed or 'wiped' (as above) as part of the data disposal process. Technology users should be aware of all locations where data are stored in their environment.
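The 'wipe' step above (overwrite with random data at least three times, then dispose) as an added example in Python; this is not code from the guidelines or from the University. It assumes a single file on a filesystem that writes back to the same blocks, builds its own scratch file standing in for a confidential record (the content is constructed), and the names SAMPLE_RECORD, overwrite_file, secure_delete and demo are the example's own.

```python
import os
import tempfile

CHUNK_SIZE = 1 << 20  # overwrite in 1 MiB chunks so large files never sit in memory

# Constructed sample content standing in for a confidential record (not real data).
SAMPLE_RECORD = b"CONFIDENTIAL: student health record 1234\n" * 100


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place with random bytes `passes` times (default 3,
    the guideline's minimum) and return the number of bytes covered per pass.

    The file is left in place at its original size so the caller can read it
    back and confirm the original content is gone before unlinking it.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK_SIZE, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            # Push each pass out of the OS page cache to the device before the next one;
            # without fsync the three passes could collapse into a single write-back.
            fh.flush()
            os.fsync(fh.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite `path`, truncate it to zero length, then unlink it.
    Returns the number of bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo(passes: int = 3) -> dict:
    """Write the constructed sample to a scratch file, wipe it, and report what
    was observed at each step (this is what the stand-alone run prints)."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    size = overwrite_file(path, passes)
    with open(path, "rb") as fh:
        after_overwrite = fh.read()
    secure_delete(path, 1)
    return {
        "size": size,
        "length_unchanged": len(after_overwrite) == len(SAMPLE_RECORD),
        "secret_remaining": b"CONFIDENTIAL" in after_overwrite,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should attach to this step. First, an in-place overwrite only reaches the blocks the filesystem chooses to rewrite: SSDs and other flash media remap writes through wear levelling, and journaling or copy-on-write filesystems, snapshots and backups all keep earlier copies, so for whole devices the guideline's other option (physical destruction) or the drive's own sanitize command is the reliable choice. Second, wiping the record itself does nothing for the temporary, residual and cached copies listed under Record-Related Data; those locations have to be found and handled separately.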
APPENDIX 4: SECURITY BASELINE

Certain practices have become de facto requirements for the protection of data. These practices constitute what is considered to be a managed security baseline:
1. Prompt installation of vendors' software updates to correct known vulnerabilities.
2. Installation and regular update of anti-virus software.
3. Encryption of confidential information on devices that are physically insecure, or not under the University of Toronto's control [see the I+TS full disk encryption website at: ].
4. Encryption of network communications, such that user credentials and other confidential information are not visible in transit over insecure networks.
5. Protection of networked devices via firewalls.
6. Education of administrators and users as to best practices for protecting data while in storage, use and communication.
7. Physical protection of resources that restricts removal by unauthorized persons.
8. Backup of critical data, with backups tested for readability and protected to the same level as data that is in use.
9. Effective and practiced incident response procedures, including (but not limited to): monitoring of, and response to, unauthorized access to systems and data.
10. Disabling un-needed network services.
11. Deletion of 'guest' or non-password-protected accounts.
12. Choosing security settings that are more strict than typically insecure default values, and changing default passwords.

For a system to be considered secure, it must have applied the above security practices with a timeliness and effectiveness that reflects the sensitivity of information stored / communicated by the system.

This list of specific practices will be updated as technologies and risk management practices mature; these updates will be communicated to the University of Toronto Information Technology support community.

For guidance on what uses of information and communication technology are considered appropriate, please refer to the policy: Appropriate Use of Information and Communication Technology (
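A check for baseline item 11 (deletion of 'guest' or non-password-protected accounts), as an added example in Python that is not part of the guidelines or of any University tool. It assumes Linux-style /etc/passwd and /etc/shadow formats, works on constructed excerpts embedded in the block rather than the live files, and the names SAMPLE_PASSWD, SAMPLE_SHADOW, find_weak_accounts and the set of guest-style account names are the example's own assumptions.

```python
import re

# Constructed /etc/passwd and /etc/shadow excerpts for illustration (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest account:/home/guest:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
kiosk::1003:1003:Kiosk:/home/kiosk:/bin/sh
bob:x:1004:1004:Bob:/home/bob:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedroot:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest:$6$saltsalt$hashedguest:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!$6$saltsalt$hashedbob:19000:0:99999:7:::
"""

# Shells that cannot start an interactive session; an empty shell field behaves the same.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}
# Assumed naming convention for guest-style accounts; extend to local practice.
GUEST_NAMES = re.compile(r"^(guest|anonymous|visitor)\d*$", re.IGNORECASE)


def parse_colon_file(text: str) -> dict:
    """Map the first field (user name) of each non-empty, non-comment line to its fields."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def password_field(user: str, passwd_fields: list, shadow: dict):
    """Return the effective password hash field for `user`: the passwd field itself
    unless it is 'x', in which case the shadow entry. None means the password is
    delegated to shadow but no shadow entry exists."""
    pw = passwd_fields[1] if len(passwd_fields) > 1 else ""
    if pw != "x":
        return pw
    entry = shadow.get(user)
    return entry[1] if entry and len(entry) > 1 else None


def find_weak_accounts(passwd_text: str, shadow_text: str) -> list:
    """Return sorted (user, reason) pairs for accounts failing baseline item 11:
    accounts usable without a password, and guest-style accounts still enabled
    with an interactive shell. A hash starting with '!' or '*' is treated as locked."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        shell = fields[6] if len(fields) > 6 else ""
        interactive = shell not in NOLOGIN_SHELLS
        pw = password_field(user, fields, shadow)
        if pw is None:
            findings.append((user, "password delegated to shadow but no shadow entry"))
        elif pw == "" and interactive:
            findings.append((user, "empty password field: login possible without a password"))
        elif GUEST_NAMES.match(user) and interactive and not pw.startswith(("!", "*")):
            findings.append((user, "guest-style account enabled with an interactive shell"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_weak_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```

To run it against a host, read the real /etc/passwd and /etc/shadow as root and pass their contents in. Note that a locked guest account (hash beginning with '!' or '*') is not reported, while item 11 asks for such accounts to be deleted rather than merely locked, so a clean report is necessary but not sufficient.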
More informationBring Your Own Device Policy
Title: Status: Effective : Last Revised: Policy Point of Contact: Synopsis: Bring Your Own Device Policy Final 2017-Jan-01 2016-Nov-16 Chief Information Officer, Information and Instructional Technology
More informationPolicy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4
Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationGuidelines for Data Protection
Guidelines for Data Protection Doug Markiewicz Policy and Compliance Coordinator Information Security Office www.cmu.edu/iso Background Information Security Policy Published in December 2008 Motivations
More informationKeeping It Under Wraps: Personally Identifiable Information (PII)
Keeping It Under Wraps: Personally Identifiable Information (PII) Will Robinson Assistant Vice President Information Security Officer & Data Privacy Officer Federal Reserve Bank of Richmond March 14, 2018
More informationCloud Security Standards and Guidelines
Cloud Security Standards and Guidelines V1 Document History and Reviews Version Date Revision Author Summary of Changes 0.1 May 2018 Ali Mitchell New document 1 May 2018 Ali Mitchell Approved version Review
More informationFirst aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018
First aid toolkit for the management of data breaches Mary Deligianni Senior Associate 15 February 2018 What is a personal data breach? Breach of security which leads to the accidental or unlawful destruction,
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationCyberspace : Privacy and Security Issues
Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy
More informationBuilding a Privacy Management Program
Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy Commissioner of Alberta Session Overview Reasons for having a PMP Strategies to deal with current and future
More informationDETAILED POLICY STATEMENT
Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico
More informationOracle Database Auditing
By Craig Moir craig@mydba.co.za http://www.mydba.co.za August 2012 Version 1 WHY AUDIT? Allows organizations to enforce the trust-but-verify security principle. Satisfying compliance regulations. Enables
More informationElectronic Signature Policy
Electronic Signature Policy Definitions The following terms are used in this policy. Term Definition Electronic Signature An electronic signature is a paperless method used to authorize or approve documents
More informationProtecting Your Gear, Your Work & Cal Poly
9/20/2016 1 Protecting Your Gear, Your Work & Cal Poly Information Security Office Shar i f Shar i f i, CI SSP, CRISC Kyle Gustafson, Information Security Analyst Jon Vasquez, Information Security Analyst
More informationA practical guide to IT security
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
More informationData Protection Policy
Data Protection Policy Status: Released Page 2 of 7 Introduction Our Data Protection policy indicates that we are dedicated to and responsible of processing the information of our employees, customers,
More informationElectronic Communication of Personal Health Information
Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More information