Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)
Comprehensive Information Security Program (Policy )
Purpose

Temple University, as mandated by federal law, requires each academic or administrative unit ("organization") that gathers, stores, maintains, transmits or otherwise handles personally identifiable information ("PII") to have written guidelines and procedures for safeguarding such information. PII is any personally identifiable information that is collected about an individual in connection with providing a product or service, unless that information is otherwise publicly available. Examples of PII include Social Security number, date and location of birth, financial records, driver's license information, or any other information on an application for a student loan or in connection with establishment of a gift annuity.

Pursuant to the University's Comprehensive Information Security Program ("CISP") policy, each organization covered under the CISP is required to perform an assessment, at least annually, that evaluates the following:
- Risk of loss of PII
- Risk of unauthorized access to PII
- Safeguards in place to mitigate the risks of loss and unauthorized access

This review serves as your organization's compliance and risk assessment, and documents your present practices to protect PII. The University Privacy Officer will evaluate your submission and will schedule a meeting to discuss your assessment. If you have questions related to the completion of this assessment, please contact the University Privacy Officer.

While the guidelines and procedures listed in the CISP are considered a good baseline for compliance, they are not intended to be all-inclusive, because the nature of each organization's use of and access to PII differs. As such, each organization is required to critically evaluate business processes, identify risks, and establish reasonable safeguards to protect data under its care. Carefully planned and successfully implemented safeguards generally reduce the risk of loss or unauthorized access.
The guidelines listed in the CISP for safeguarding PII are divided into three sections:
1. Administrative
2. Physical
3. Technical

This assessment evaluates all three types of safeguards.
Updates and notes for Fiscal Year 2013/2014

1. Temple University's Classification and Handling of Protected Data policy assigns a level of sensitivity to data and determines the extent to which it needs to be controlled and secured. Please review this policy.
2. If you submitted a risk assessment last year, you may refer to it, but please complete and submit this year's version of the assessment, as some questions have changed.

Submission Instructions

The deadline for submitting this assessment to the University Privacy Officer is June 30th. The University Privacy Officer is working under the guidance of the Management Audit Committee and is required to provide a status of all submissions. Submissions received after the deadline may be indicated as late. All assessments are subject to review by the Management Audit Committee. Incomplete submissions will not be accepted; if you do not have an answer to a specific question, please respond appropriately (e.g., "No response", "Not considered", etc.), or contact the University Privacy Officer for clarification as needed.

Upon completion of this assessment, please do the following:
1. Review it with your organization head and supervisor, as well as the cognizant vice president or provost.
2. Send the completed assessment via email or TUsafesend to the University Privacy Officer on or before the deadline.
3. Print your assessment, sign it, obtain the necessary signatures, then forward it to the University Privacy Officer:

Leonard Nelson
The TECH Center, Room
W. Montgomery Avenue
Philadelphia PA
leonard.nelson@temple.edu
Direct Phone:
Department Phone:
Contact and Signature Sheet

Covered Unit Contact Information
Organization Name:
Organization Mailing Address:
Organization Phone Number:
Organization Fax Number:

Privacy and Security Liaison (the person completing this assessment)
Name:
Title:
TUid:
Position Control Number (PCN)*:
Direct Phone Number:
Email address:

* The Position Control Number (PCN) can be obtained from the University's Organizational Chart.

Required Signatures
Privacy and Security Liaison (signature and date)
Cognizant Vice President/Provost or designee (signature and date)
I. General Regulatory and Policy Compliance Survey

The following survey is designed to determine whether your organization is covered by more than one regulation. At minimum, please answer Yes or No. If you answer Yes, please summarize the business need in one or two sentences.

1. FERPA Compliance [1]: Does your organization collect, store, process, transmit or otherwise handle student records?
2. GLBA Compliance [2]: Does your organization collect, store, process, transmit or otherwise handle nonpublic information in connection with an application for a student loan or in connection with establishment of a gift annuity?
3. HIPAA Compliance [3]: Does your organization collect, store, process, transmit or otherwise handle patient health information? (Indicate No if your organization does not collect anything beyond routine student or employee sick notes.) If yes, please indicate the name of your HIPAA Compliance Officer.
4. Social Security Number Usage Policy [4]: Do individuals in your organization collect, store, process, transmit or otherwise handle Social Security Numbers? Please list any federal, state, local or other business requirements for using SSNs.
5. PCI-DSS Compliance [5]: Does your organization store, process, transmit or otherwise handle credit card information?

[1] FERPA, also referred to as the Buckley Amendment, was enacted in 1974 and subsequently amended. The text of FERPA appears at 20 U.S.C. 1232g. Among other things, FERPA governs the privacy of student academic records. For more information see Temple University's Guidelines Pertaining to Confidentiality of Student Records (Policy Number ) on the Temple University Policies and Procedures website.
[2] The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act ("GLBA"), is a federal law that, among other things, regulates the security and confidentiality of customer nonpublic personal information possessed by financial institutions. For more information see Comprehensive Information Security Program (Policy Number ).
[3] The U.S. Department of Health and Human Services issued Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 and 164 ("Privacy Rule"), to establish a set of national standards for the protection of certain health information. For more information, see 45 CFR Parts 160 and 164. The TUHS Personal Health Information Privacy Practices Notice is also available.
[4] Pennsylvania State Senate Bill No. 712 was enacted in 2005 to establish notification requirements for entities that experience a data breach that results in the exposure of private information. The bill includes definitions of personal information and has stipulations for when and how notifications are to be made. Of significance is the protection of Social Security Numbers. For information on Temple's SSN policy, see Social Security Number Usage Policy (Policy Number ) and the Social Security Number Usage Procedures (Policy Number ).
[5] The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
6. Identity Theft Program (Red Flags Rule) Compliance [6]
   (a) Does your organization receive consumer reports (i.e., credit reports) from any consumer reporting agency (such as Experian, TransUnion or Equifax) regarding the student or employee population that it serves?
   (b) Does your organization maintain/update any type of account for the student/employee population that it serves? (Banner student records can be considered covered accounts; see the footnote below for definitions relating to the Red Flags Rule.)
   (c) Does your organization update the contact information of students or employees on centrally managed systems (like Banner)?
   (d) Does your organization provide replacement OwlCards (Temple ID cards) to students or employees?
   (e) During the course of normal business, does your organization verify the identity of an individual before providing a service? If yes, please indicate how identity is verified for in-person visits, phone calls or other contact with individuals to whom services are provided.
   (f) Does your organization collect, store, process, transmit or otherwise handle student or employee photographs?

[6] The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. For more information please see Identity Theft Prevention Program (Policy Number ). Red Flags definitions (extracted from the policy) are as follows:

DEFINITIONS
Defined terms in this Policy are intended to have the meaning ascribed to them by the FTC in the Red Flag Rules, as such Red Flag Rules may be amended from time to time, and shall be read consistently with the FTC's definitions. The following definitions have been modified according to the specific activities of the University covered by the Red Flag Rules.
1. "Account" means a continuing relationship established by a person with the University to obtain a product or service for personal, family, household or business purposes. Account includes: (a) an extension of credit, such as the right to make periodic payments to repay a student loan, or the purchase of property or services from the University involving a deferred payment; and (b) a deposit account.
2. "Covered account" means: (a) an account that the University offers or maintains that involves or is designed to permit multiple payments or transactions, such as a student account or Diamond Dollars account; and (b) any other account that the University offers or maintains for which there is a reasonably foreseeable risk to the account holder or to the safety and soundness of the University from identity theft, including financial, operational, compliance, reputation, or litigation risks.
3. "Credit" means rights granted by the University to defer payment of a debt; to incur debts and defer payment; or to purchase property or services from the University and defer payment therefor.
4. "Identity theft" means a fraud committed or attempted using the identifying information of another person without authority.
5. "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
II. Access List of Personally Identifiable Information [7]

In the table below, mark with an X in the column labeled "PII" each type of PII that your organization collects, maintains, accesses, transmits, or otherwise handles. Under "Source Key or Report Name", indicate the source of your organization's access to PII (see the Source Key below; add to it as needed). If PII is provided in a report, please indicate the report name. Briefly indicate your organization's business need for the PII. If individuals in your organization obtain a particular type of PII from multiple sources, please add as many rows as necessary below the PII type.

SOURCE KEY: BANNER; COGNOS; eprint; DDB = Department Database; SS = Spread Sheet; PF = Source is a paper-based form; O = Other

Type of PII | PII | Source Key or Report Name | Business Reason/Justification
Social Security Number
Date and Location of Birth
Payment History
Credit Card Numbers
Driver's License/Passport Number
ACH/Direct Deposit Numbers
Financial Records/Information (please list; add rows as necessary)
   a.
   b.
   c.
   d.
Other (please list; add rows as necessary)
   a.
   b.
   c.
   d.

[7] PII excludes any information that you have a reasonable basis to believe is lawfully made available to the general public from:
   a) Federal, State, or local government public records
   b) Widely distributed media, e.g., telephone book, radio, television, or a web site that is available to the general public
   c) Disclosures to the general public that are required by Federal, State, or local law
III. List of Service Providers [8] that Handle PII

Complete the following table to catalog the name of each service provider under contract with your organization that receives, maintains, processes, or otherwise is permitted access to PII under Temple University's stewardship. Please indicate the general nature of the service provided; the contract start date; the contract end date (if available or applicable); whether a Service Provider Requirements statement was included in the contract (indicate with Yes or No); and the last date the service provider conducted a risk review (Service Provider Safeguards) of Temple University customer information under their care.

Name of Service Provider | General Nature of Service Provided | Contract Start | Contract End | Service Provider Requirements Contract Included? | Date of Last Service Provider Safeguards Report Received

[8] "Service Provider" is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to Gramm-Leach-Bliley or the Red Flags Rule (please refer to other related policies for additional definitions).
IV. Individual Access to Sensitive and Confidential Information [9]

Complete the following table to list the individuals with access to your organization's PII. Please include their full name, TUid, and Position Control Number ("PCN"). The TUid and PCN numbers will be used to compile a list of positions that have access to PII. Indicate the type of PII the employee has access to: if an employee has access to a listed type of PII, simply mark the box with the letter X.

Type of PII Key: SSN = Social Security Number; DOB = Date of Birth; FR = Financial Records; PH = Payment History; CCN = Credit Card Number; ACH = Automated Clearing House Number; DL = Driver's License/State ID

Employees with access to PII | Type of PII Access and Purpose
TUid | PCN [10] | Name | SSN | DOB | FR | PH | CCN | DL | ACH | Purpose

[9] Temple University's Classification and Handling of Protected Data assigns a level of sensitivity to data and determines the extent to which it needs to be controlled and secured. For more information, see the Classification and Handling of Protected Data policy, the Data Classification Grid, and the Storage and Cloud Computing Approved Usage guidelines.
[10] The Position Control Number (PCN) can be obtained from the University's Organizational Chart.
V. Administrative Safeguards

1. Describe the process followed to ensure the background of new employees with access to PII has been thoroughly checked.
   a. Reference check procedures
   b. Background checks
2. Describe the process for determining whether employees have a need-to-know for access to PII.
   a. How often is this audit conducted?
3. Have you denied access to PII as a result of this audit? If so, and the individual is presently employed in your organization, please list the Name, TUid, PCN, Denial Date and reason for denying access.
   DENIAL REASONS: Reevaluated Position; Disciplinary Action; Internal Audit finding; Business Process Redesign
   TUid | PCN | Name | Denial Date | Reason
4. Describe the process for instructing and regularly reminding all organization employees of Temple University's legal requirement and obligation to safeguard PII.
   a. Frequency of notification
   b. Method of notification
   c. Posting of reminders about employee responsibility in areas with PII
5. Describe any other administrative safeguards in place to safeguard PII.
   a. Handling of organization requests for PII
6. Do you have a records retention policy? If so, please indicate:
   a. Whether this is a result of federal, state or local regulation (please list them), University policy, or business best practices
   b. How long records are kept
   c. How archives are stored
7. Describe the process for handling breaches, both internal and external, to the security and confidentiality of PII.
   a. Documentation guidelines for recording the incident
   b. Who is notified
   c. How and when the Privacy Officer is notified
   d. How discipline is imposed for breaches due to employee misconduct or negligence
8. Have you experienced a data breach within the past 2 fiscal years? If so, please indicate when and who you contacted.
VI. Physical Safeguards

1. If your organization has computers (workstations, laptops or servers) that contain PII, describe how they are physically protected from theft.
   a. Are the hard drives of workstations and laptops that contain PII encrypted?
   b. Are computers that contain PII physically protected with an anti-theft cable?
   c. Are servers containing PII placed in a secure location with approved physical protection?
2. Describe how paper records containing PII are stored and kept secure in the organization.
   a. If in a locked cabinet, indicate how access to the cabinet is controlled and monitored
   b. If in a locked room, indicate how access to the room is controlled and monitored
   c. Indicate the type of file cabinet, e.g., fireproof, lockable with a unique key
   d. Indicate if you have any video surveillance covering the stored paper records
   e. Include protection from physical hazards, such as fire and flood
3. Describe the procedures for maintaining and testing secure areas.
   a. Alarm tests
   b. Video tests
   c. Other
4. Describe how access to PII is restricted to only those with a need-to-know.
   a. Locks: are all keys accounted for?
   b. Alarm codes: does each employee have his/her own identifiable code?
5. Describe how PII contained on paper is disposed of.
   a. Document preparation for disposal
   b. Storage prior to disposal
   c. Security of storage area(s)
   d. Who oversees the secure disposal of records
6. Describe how PII contained on electronic media, including computer hardware, is disposed of.
   a. Document preparation for disposal
   b. Storage prior to disposal
   c. Security of storage area(s)
   d. Indicate who oversees the secure disposal of records
7. Describe how information in use (e.g., on one's desk) is safeguarded.
   a. Indicate how internal and external mail is properly marked when it contains PII
   b. Indicate how documents on the printer and on the fax machine are safeguarded
   c. Other
VII. Technical Safeguards

1. List any organizational computer (server or desktop/laptop) that stores PII, irrespective of how long the PII is stored on it and in what format. Please list the name, TUid and PCN of the primary person in charge of or using the computer, as well as the location (building, room number) of the computer(s) that hold PII. Indicate the last time the system was evaluated for vulnerabilities by the Office of Information Security. Indicate the system type (Desktop, Laptop, Server, Other). Add additional rows as necessary.
   Employee in charge of the computer: TUid | PCN | Name | System Type | Location of Computer | Date of Last Assessment
2. If you have desktop computers, servers and other systems that store or transmit PII that do NOT participate in Temple's TUsecure program (that is, systems that do not use AccessNet for logon authentication), please describe whether:
   a. Auto logout and/or screen locks (such as password-enabled screensavers) are enforced.
   b. A minimum password length is enforced.
   c. A schedule for changing passwords at least twice a year is maintained.
3. Describe how PII under the care of your organization is transported from one system to another electronically.
   a. Indicate how electronically transmitted information is safeguarded.
   b. Does the PII rest in a temporary location (file system, database, proxy cache, etc.) during the course of its transportation? How are those points of rest safeguarded? (Your application owner or system administrator should be able to answer these questions.)
4. Indicate organization procedures for backing up files containing PII.
   a. Indicate the back-up schedule
   b. Indicate the back-up storage type, e.g., TUcloud, file server, CD, etc.
   c. Back-up security
   d. Describe how backup media are stored, and what safeguards are in place to secure them.
5. Describe your procedure for:
   a. Software patches
      - Indicate how the need for updates is monitored
      - Indicate who is responsible for obtaining and installing patches
   b. Anti-virus software
      - Indicate who is responsible for obtaining and installing anti-virus software
      - Indicate whether automatic updates are used to update the anti-virus software
INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using
More informationRED FLAGS IDENTITY THEFT PREVENTION PROGRAM
RED FLAGS IDENTITY THEFT PREVENTION PROGRAM Due to being identified as a service provider, MED-1 Solutions, LLC, and its Affiliate Complete Billing Services ( MED-1 ) has adopted this Identity Theft Prevention
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationUniversity Policies and Procedures ELECTRONIC MAIL POLICY
University Policies and Procedures 10-03.00 ELECTRONIC MAIL POLICY I. Policy Statement: All students, faculty and staff members are issued a Towson University (the University ) e-mail address and must
More information7.16 INFORMATION TECHNOLOGY SECURITY
7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for
More informationINFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security
INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security The Office of Illinois Attorney General Lisa Madigan has created
More informationSouthern Adventist University Information Security Policy. Version 1 Revised Apr
Southern Adventist University Information Security Policy Version 1 Revised Apr 27 2015 Summary The purpose of this policy statement is to establish the requirements necessary to prevent or minimize accidental
More informationHow To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation
How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create
More informationThe Honest Advantage
The Honest Advantage READY TO CHALLENGE THE STATUS QUO GSA Security Policy and PCI Guidelines The GreenStar Alliance 2017 2017 GreenStar Alliance All Rights Reserved Table of Contents Table of Contents
More informationIAM Security & Privacy Policies Scott Bradner
IAM Security & Privacy Policies Scott Bradner November 24, 2015 December 2, 2015 Tuesday Wednesday 9:30-10:30 a.m. 10:00-11:00 a.m. 6 Story St. CR Today s Agenda How IAM Security and Privacy Policies Complement
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationInformation Classification & Protection Policy
University of Scranton Information Technology Policy Information Classification & Protection Policy Executive Sponsor: AVP Information Resources Responsible Office: Information Security Originally Issued:
More informationInformation Technology Standards
Information Technology Standards IT Standard Issued: 9/16/2009 Supersedes: New Standard Mobile Device Security Responsible Executive: HSC CIO Responsible Office: HSC IT Contact: For questions about this
More informationPolicy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4
Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationPrivacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information
Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.
More informationLCU Privacy Breach Response Plan
LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard
More informationFTC SAFEGUARDS RULE. Gramm-Leach-Bliley Act Effective 5/23/2003
FTC SAFEGUARDS RULE Gramm-Leach-Bliley Act Effective 5/23/2003 1 Introduction The purpose of the FTC Safeguards Rule is to: Ensure the security and confidentiality of customer information. Customer information
More informationOuachita Baptist University. Identity Theft Policy and Program
Ouachita Baptist University Identity Theft Policy and Program Under the Federal Trade Commission s Red Flags Rule, Ouachita Baptist University is required to establish an Identity Theft Prevention Program
More informationMobile Device policy Frequently Asked Questions April 2016
Mobile Device policy Frequently Asked Questions April 2016 In an attempt to help the St. Lawrence University community understand this policy, the following FAQ document was developed by IT in collaboration
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationOverview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card
More informationProtecting Your Gear, Your Work & Cal Poly
9/20/2016 1 Protecting Your Gear, Your Work & Cal Poly Information Security Office Shar i f Shar i f i, CI SSP, CRISC Kyle Gustafson, Information Security Analyst Jon Vasquez, Information Security Analyst
More informationHIPAA-HITECH: Privacy & Security Updates for 2015
South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Removable Storage Media Security Standard This standard is applicable to all VCU School of Medicine personnel.
More informationAn Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule
An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule Legal Disclaimer: This overview is not intended as legal advice and should not be taken as such. We recommend that you consult legal
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationData Security: Public Contracts and the Cloud
Data Security: Public Contracts and the Cloud July 27, 2012 ABA Public Contract Law Section, State and Local Division Ieuan Mahony Holland & Knight ieuan.mahony@hklaw.com Roadmap Why is security a concern?
More informationNebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015
Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015 Definitions Cellular Telephone Service For the purposes of this policy, cellular telephone
More informationUCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification
University of California UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification UCOP Implementation Plan for Compliance with Business and Finance Bulletin
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationFrequently Asked Question Regarding 201 CMR 17.00
Frequently Asked Question Regarding 201 CMR 17.00 What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationCriteria to Participate as an ACE Authorized Test Provider
Criteria to Participate as an ACE Authorized Test Provider Overview of the Authorized Test Provider Program Organizations with ACE credit-recommendation sometimes distribute or sell their courseware to
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationPutting It All Together:
Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,
More informationThe University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems
The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security
More informationNew Data Protection Laws
Richard E. Mackey Jr. Vice President, Consulting Boston New York San Francisco Sacramento Charlotte Washington DC The deadline has been a moving target but come March 1, Massachusetts new data protection
More informationData Processing Agreement
In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal
More informationU.S. Private-sector Privacy Certification
1 Page 1 of 5 U.S. Private-sector Privacy Certification Outline of the Body of Knowledge for the Certified Information Privacy Professional/United States (CIPP/US ) I. Introduction to the U.S. Privacy
More informationPresented by: Jason C. Gavejian Morristown Office
Presented by: Jason C. Gavejian Morristown Office jason.gavejian@jacksonlewis.com 973.538.6890 } Unauthorized use of, or access to, records or data containing personal information Personal Information
More informationSecurity Standards for Information Systems
Security Standards for Information Systems Area: Information Technology Services Number: IT-3610-00 Subject: Information Systems Management Issued: 8/1/2012 Applies To: University Revised: 4/1/2015 Sources:
More informationUniversity of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017
University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017 Related Policies, Procedures, and Resources UAB Acceptable Use Policy, UAB Protection and Security Policy, UAB
More informationDATA STEWARDSHIP STANDARDS
DATA STEWARDSHIP STANDARDS Policy: Enterprise Data Stewardship Policy Document: Data Stewardship Standards Campus: MSU-Billings (MSUB) Revision: 01-08-18 Contact: Michael Barber, Chief Information Officer
More informationHF Markets SA (Pty) Ltd Protection of Personal Information Policy
Protection of Personal Information Policy Protection of Personal Information Policy This privacy statement covers the website www.hotforex.co.za, and all its related subdomains that are registered and
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationCARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION. I. Purpose
CARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION I. Purpose To provide guidance to schools and administrative offices regarding the maintenance, retention,
More informationHIPAA & Privacy Compliance Update
HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationSUBJECT: Effective Date: Policy Number: Florida Public Records Act: Scope and
SUBJECT: Effective Date: Policy Number: Florida Public Records Act: Scope and 2-100.4 1/14/2014 Compliance Supersedes: Page Of 2-100.3 1 6 Responsible Authority: Vice President and General Counsel DATE
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationTop Five Privacy and Data Security Issues for Nonprofit Organizations
Top Five Privacy and Data Security Issues for Nonprofit Organizations Julia K. Tama, Esq. Jeffrey S. Tenenbaum, Esq. Association of Corporate Counsel Nonprofit Organizations Committee Legal Quick Hit MAY
More informationSecurity and Privacy Breach Notification
Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More information