Department of Public Health O F S A N F R A N C I S C O

Size: px
Start display at page:

Download "Department of Public Health O F S A N F R A N C I S C O"

Transcription

1 PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: CISSPCISSP/C Distribution: DPH-wide Other: n/a phil.mcdown@sfdph.org 1. POLICY INTENT DEFINITION: For the purpose of this policy, the term Portable Computer(s) includes Personal Digital Assistants (PDAs), Laptops, Notebooks, Palmtops, Cellular Phones, Combination devices, Cameras, detachable memory media and any future technology capable of storing, manipulating, transferring and transmitting digital data. This document establishes the security policy for deployment and use of Portable Devices capable of downloading, copying, storing or transporting SFDPH data. It intends to protect all Restricted SFDPH information accessed through, displayed on, output from and stored on such devices from being revealed to unauthorized persons, and to provide accountability for device use. This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security and Privacy. The sections that relate to Portable Computer Devices (as a subset of Workstations) are CFR (b) and (c), the 2010 HITECH act specifies the Federal enforcement and penalty aspects of this policy. This Policy incorporates the intent and provisions of the External Personal Computer and USB Drive Technical Security Parameters Previously Issued in 2010 as a separate document and explicitly includes the use of any privately-owned devices which may access the CCSF Electronic Mail and Network systems, including interfacing with the , wireless voice and data communications systems and the use of Universal Serial Bus (USB) devices for document, file and attachment transfer to and from the Department s secure Wide Area Network (WAN) and physical facilities. INCLUSION BY REFERENCE: This policy is an annex to the SFDPH Workstation, Portable Device and Storage Media, Malware and Data Transmission Policies. All of the principles, standards, guidelines and responsibilities described in the aforementioned Policies are included as part of this document by reference. The purpose of this document is to further extend, refine and define how workstation security, use and control principles apply in the mobile data processing and storage device context.

2 PAGE 2 of 9 2. POLICY STATEMENTS: 2.1 General Access Control Device Access. Data accessed via Portable Devices is for authorized work purposes only. Access to SFDPH data is permitted only after a valid User ID and Password has been entered regardless of the nature of the device Only authorized SFDPH workforce members, vendors, contractors and third-party providers, who have been issued a Network logon ID and established a valid password, are permitted to use portable computers to access SFDPH data Patients and the general public are only allowed to see SFDPH data or patient information with the data owner s or patient s explicit, written, or spoken permission and under specific and controlled circumstances. Refer to SFDPH HIPAA Privacy and Confidentiality Procedures for details regarding such access Refer to the Access Control Policy and the Password Policy Security Policy documents for more details Role-Based Access to Restricted data. Only data authorized for access by the user who is signed-on to access the network may be displayed, copied, uploaded or download by that individual. Do not try to access data that you are not authorized to use or to allow others to use a portable computer that you are signed-onto. Refer to the Need-To- Know portion of the Access Control Policy for specifics Auditing of Access. All attempts to sign-on and/or access data from a portable computer may be logged by Enterprise Systems, and reported to Management, Information Audit and the Incident Response Team, as appropriate. 2.2 Access to CCSF Electronic Mail and Attachments. A) Privately owned personal computers may be utilized to access the CCSF Electronic Mail system via Department Remote Access systems (Virtual Private Network/Juniper etc.). Attachments to external electronic mail messages are also allowed, but will be screened for Computer Virus/Malware contamination upon introduction to the SFDPH Wide Area Network

3 PAGE 3 of 9 (WAN). If the external personal computers have approved Anti-Virus / Anti Malware software installed and is capable of scanning attachments for the presence of viruses, the capability will be in operation when the device attempts to communicate with SDFPH systems. Attachments are to be scanned for current status and remediated BEFORE connection to or data exchange with the SFDPH WAN is attempted. C) Attachment scanning capabilities of firewalls and appliances at SFDPH will be enabled at all times, unless directed otherwise by IT management. In upon introduction to the SFDPH WAN, malware is detected in an external message and/or attachment, that document will be isolated, remediated and, if necessary, deleted by the Department WAN security infrastructure 2.3. Use of Universal Serial Bus data storage devices ( USB Drive, Memory Stick, Flash Drive, Thumb Drive etc.) General guideline: Employees and other SFDPH system and network users are expected to take all reasonable care that they do not permit any USB device to become contaminated with malware (due to prior connection to a device, network or website that may be contaminated, e.g. a home computer with inadequate anti-malware applications operating on it). Additional care must be taken to avoid connecting any such contaminated device to any SFDPH network, system or device. A) Universal Serial Bus (USB) devices may be authorized to be utilized to store and transfer documents to the SFDPH WAN via Department Remote Access methodologies or direct connection. Devices which communicate with SFDPH systems and to which USB devices are allowed to connect must have the Auto-Run function disabled at the USB port level before any data exchange is attempted. Removal of PHI or other Restricted from SFDPH facilities in any kind of portable device requires prior written permission by the user s supervisor. B) In order to augment SFDPH Network Malware screening, it is required that appropriate Anti-Virus/Malware software be installed on the personal computer device. (A listing of approved Anti-Malware packages for remote access is included in this document as Appendix A) and will periodically be updated by DPH-IT. If the external personal computer s device has appropriate Anti-Virus/Malware software installed, the USB device and document scanning and remediation functionality of the software is to be enabled before connection to the SFDPH WAN.

4 PAGE 4 of 9 C) In the event Malware is detected, by any means, on any USB device or document connecting to the SFDPH WAN, that device will be disconnected from the WAN and the drive, document or file isolated, remediated and deleted - if necessary, it is to be erased and reformatted, by the Departmental WAN security infrastructure Accountability for Portable Devices: For all portable devices permitted or assigned to workforce members, the device s installed security systems, changes of possession, modifications, losses and thefts will be documented in such a way that preserves an audit trail of the responsibility for and use of the device and of the responsibility for performing and/or approving relocations, modifications and removal. 3. STANDARDS & GUIDELINES General Guideline: - Especially when away from your SFDPH office environment, treat your portable electronic devices and work area as you are expected to treat your office workspace: Put away Restricted data when you are done with it, lock it up when you go away and don t leave it around or use it where others can read it. When using portable devices to display data, be especially aware of the people in your vicinity. Also be aware of the increased risk of loss or theft of portable devices (and the data stored on them) Portable Computer Usage: Prevent unauthorized device access. Portable computers which store, display or transmit SFDPH Restricted data must: Not be left unattended by the user. If the nature of the job assignment is such that the user must leave the device unattended, the user must log-out or otherwise disable the device. For detachable devices such as PDA s and USB drives, the device will be ejected and either securely stored or maintained in the user s possession Be set to enable all system and application capabilities to time-out (terminate the logged-in session after a prescribed period of inactivity has occurred) Only be used in locations and positions such that their displays cannot be easily viewed or read by unauthorized persons.

5 PAGE 5 of Be stored in secure locations from which they cannot be easily or quickly removed or stolen Prevent unauthorized Data Network access. Portable devices may not attempt access to the SFDPH Data Network without authorization: Without authorization; do not attempt to connect any interface (cable, plug etc.) from a portable device to a device or outlet that may connect to the SFDPH Data Network Do not attempt to wirelessly (RF or Wi-Fi) interface a portable device with any SFDPH data network or access point without authorization All wireless devices to be used to connect to any SFDPH data network must be registered and used according to the RF Security Policy and the Wi-Fi Security Policy Data Storage Limitations. In general, storage of Restricted data (PHI and/or any information covered by confidentiality or privacy regulation, legislation or law) on portable computers should be disallowed by local managers and only explicitly permitted when there are compelling business/clinical reasons and no viable alternative In cases where critical data must be stored on a portable computer, access control and security policies must be strictly followed and enforced (Access Control Policy and Workstation Policy) If critical data is to be saved on a portable computer, it will be stored in encrypted form In cases where critical data has previously been stored on a portable computer, it shall be removed and securely disposed-of (See Disposal Policy) as soon as the need for it ends Backup or any form of copying and/or removal of critical data from a portable computer will be supervised by local management and limited to specific authorized workforce members.

6 Data Output Limitations: PAGE 6 of In general, physical (e.g., hard-copy) output of critical data from portable computers should be disallowed by local management and only permitted when there are compelling reasons and no viable alternative In cases where Restricted data must to be physically output in print or other physical medium from a portable computer, the output must be removed, destroyed or stored securely when no longer being actively used Accountability for Portable Computers. In addition to the standards and guidelines specified in the Workstation Policy, the following portable-specific requirements must also be accounted for: Portable Equipment and Software: The portable device s storage site(s) when not in use The name and specifications of all installed and/or enabled security measures such as password controlled activation, encrypted data storage or encrypted transmission of data Actions: Assignment to workforce member(s) Relocation, removal, loss, theft or disposal or the device Loss or theft of the device - when away from SFDPH facilities, any loss or theft of portable computers must be immediately reported to the user s management and, as appropriate, to the facity s security staff and/or local Law Enforcement authorities. Because these events often happen out of SFDPH jurisdiction, this is distinct from and in addition to the ordinary reporting of property thefts when on site as required in the relevant SFDPH administrative policies. 4. RESPONSIBILITIES 4.1. SFDPH Executive Management is responsible for: Authorizing the establishment of Enterprise-wide standards for portable computer use and providing direction to the implementation of the standards: Establishing Standards and Guidelines for the Enterprise-wide application of this policy.

7 PAGE 7 of Directing the development and deployment of training in the appropriate and secure use of portable computers Defining the roles of the various, Departments, business units and trusted entities in the implementation of this policy: Establishing contractual obligations for all third parties to comply with this policy The SFDPH CIO/CISO is responsible for: Advocating and supporting DPH-IT security needs, concerns and projects to Chief Officer and Division Director level Senior management Implementing SFDPH-wide policy for portable computer devices and is ultimately responsible for the safety and security of the SFDPH Enterprise Network. The SFDPH CIO or designee must approve all exceptions to this policy Development, deployment and maintenance of policies for appropriate and secure use of portable computing devices Directing the development and promulgation of training and orientation materials to encourage and encourage employee awareness of the security problems and issues involved in the use of portable memory devices and media devices Directing the monitoring, and analysis of the state of compliance and risk-management of existing programs and procedures SFDPH Information Technology (DPH-It) is responsible for: Developing guidelines for the distribution, registration and network connection of portable computers Maintaining access control systems and role-related access tables for portable computers used to access SFDPH systems Developing standards for installation and visibility control equipment for portable computers Local Management is responsible for: Interpreting Enterprise-wide policy and adapting it to local physical and work-related conditions.

8 PAGE 8 of Establishing procedures for issuing portable computers to workforce members and for accounting for the information required in the Workstation Policy and in 3.2 above. These procedures will be available and maintained in writing, either on paper, web pages accessible to workforce members or both Establishing procedures for controlling physical and visual access to and use of portable computers. These procedures will be produced and maintained in writing, either on paper, web pages accessible to workforce members or both Ensuring that each workforce member is receives training on the requirements for appropriate use of portable computers and the capabilities and limitations of the user s particular profile and of the consequences of attempts to exceed them Facility Management is responsible for: Providing physical facilities for secure storage, inventory and disposal of portable computers. 5. PENALTIES FOR VIOLATIONS (for details refer to the Sanctions Policy): 5.1. General Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH Individual Non-Employee and Third Party Workforce Violations: Violation of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided Trusted Workforce member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations 5.4. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required for by the written contract and criminal penalties provided for in the applicable laws and regulations.

9 PAGE 9 of 9 APPENDIX A: Listing of Approved Anti-Virus /Malware Software Packages for remote access to the SFDPH Network via WebConnect. 1) Retail Products: MacAfee: Virus Scan Plus, Internet Security, Total Protection Symantec: Norton 360, Norton Internet Security, Norton Anti-Virus Trend Micro Systems: Anti -Virus/ Anti -Spyware, Internet Security Pro. Avast!: Home Edition 2) Internet Service Provider Bundled Products. Comcast: Mc Afee Security Suite AT & T: Mc Afee Virus scan Plus / Mc Afee Security Suite AOL: Mc Afee Virus Plus. 3) Enterprise Products. SFDPH Standard: Trend Office Scan. UCSF Standard: Sophos Anti-Virus. APPENDIX B: Listing of approved security software for other forms of Remote Access and Data Transfer (e.g., USB devices) TO BE DEVELOPED as future technology and acquisition allows.

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

Department of Public Health O F S A N F R A N C I S C O

Department of Public Health O F S A N F R A N C I S C O PAGE 1 of 9 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION ASSET MANAGEMENT POLICY INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives

More information

Department of Public Health

Department of Public Health PAGE 1 of 13 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

Information Technology Standards

Information Technology Standards Information Technology Standards IT Standard Issued: 9/16/2009 Supersedes: New Standard Mobile Device Security Responsible Executive: HSC CIO Responsible Office: HSC IT Contact: For questions about this

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring

More information

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy Policy Title: Effective Date: Revision Date: Approval(s): LASO: CSO: Agency Head: Allowed Personally Owned Device Policy Every 2 years or as needed Purpose: A personally owned information system or device

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Removable Storage Media Security Standard This standard is applicable to all VCU School of Medicine personnel.

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15 Risk Analysis with EHR Questions Example Answers/Help: Status What new electronic health information has been introduced into my practice

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

Security and Privacy Breach Notification

Security and Privacy Breach Notification Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the

More information

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule. Medical Privacy Version 2018.03.26 Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a Covered Entity

More information

Responsible Officer Approved by

Responsible Officer Approved by Responsible Officer Approved by Chief Information Officer Council Approved and commenced August, 2014 Review by August, 2017 Relevant Legislation, Ordinance, Rule and/or Governance Level Principle ICT

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information

More information

BHIG - Mobile Devices Policy Version 1.0

BHIG - Mobile Devices Policy Version 1.0 Version 1.0 Authorised by: CEO Endorsed By: Chief Operations Officer 1 Document Control Version Date Amended by Changes Made 0.1 20/01/2017 Lars Cortsen Initial document 0.2 29/03/2017 Simon Hahnel Incorporate

More information

PS 176 Removable Media Policy

PS 176 Removable Media Policy PS 176 Removable Media Policy December 2013 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union) ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

A practical guide to IT security

A practical guide to IT security Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

COMMENTARY. Information JONES DAY

COMMENTARY. Information JONES DAY February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

7.16 INFORMATION TECHNOLOGY SECURITY

7.16 INFORMATION TECHNOLOGY SECURITY 7.16 INFORMATION TECHNOLOGY SECURITY The superintendent shall be responsible for ensuring the district has the necessary components in place to meet the district s needs and the state s requirements for

More information

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches

More information

ISSP Network Security Plan

ISSP Network Security Plan ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Texas Health Resources

Texas Health Resources Texas Health Resources POLICY NAME: Remote Access Page 1 of 7 1.0 Purpose: To establish security standards for remote electronic Access to Texas Health Information Assets. 2.0 Policy: Remote Access to

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018 DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information

More information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information

Clear Desk, Clear Screen Policy

Clear Desk, Clear Screen Policy Clear Desk, Clear Screen Policy 1 P a g e Table of Contents 1 Introduction... 3 2 Purpose... 3 3 Non Operations Policy... 3 4 Operations Policy.4 5 Review and Approvals... 5 2 P a g e 1 Introduction Synchronoss

More information

1 Privacy Statement INDEX

1 Privacy Statement INDEX INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related

More information

The simplified guide to. HIPAA compliance

The simplified guide to. HIPAA compliance The simplified guide to HIPAA compliance Introduction HIPAA, the Health Insurance Portability and Accountability Act, sets the legal requirements for protecting sensitive patient data. It s also an act

More information

TABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII.

TABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII. Page 1 of 1 TABLE OF CONTENTS SECTION PAGE I. Policy 2 II. Authority 2 III. Supportive Data 2 IV. Signature Block with Effective Date 3 V. Definitions 3 VI. Protocol 4 VII. Procedure 4 VIII. Distribution

More information

Enterprise Income Verification (EIV) System User Access Authorization Form

Enterprise Income Verification (EIV) System User Access Authorization Form Enterprise Income Verification (EIV) System User Access Authorization Form Date of Request: (Please Print or Type) PART I. ACCESS AUTHORIZATION * All required information must be provided in order to be

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy COMPUTER & INFORMATION TECHNOLOGY CENTER Information Transfer Policy Document Controls This document is reviewed every six months Document Reference Document Title Document Owner ISO 27001:2013 reference

More information

Healthcare Privacy and Security:

Healthcare Privacy and Security: Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected.

Controls Electronic messaging Information involved in electronic messaging shall be appropriately protected. I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To

More information

Altius IT Policy Collection

Altius IT Policy Collection Altius IT Policy Collection Complete set of cyber and network security policies Over 100 Policies, Plans, and Forms Fully customizable - fully customizable IT security policies in Microsoft Word No software

More information

EA-ISP-009 Use of Computers Policy

EA-ISP-009 Use of Computers Policy Technology & Information Services EA-ISP-009 Use of Computers Policy Owner: Nick Sharratt Author: Paul Ferrier Date: 28/03/2018 Document Security Level: PUBLIC Document Version: 1.05 Document Ref: EA-ISP-009

More information

Name of Policy: Computer Use Policy

Name of Policy: Computer Use Policy Page: Page 1 of 5 Director Approved By: Approval Date: Reason(s) for Change Responsible: Corporate Services Leadership April 22, Reflect current technology and practice Corporate Services Leadership Leadership

More information

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore

More information

Data Backup and Contingency Planning Procedure

Data Backup and Contingency Planning Procedure HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage

More information

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Internet,  , Social Networking, Mobile Device, and Electronic Communication Policy TABLE OF CONTENTS Internet, Email, Social Networking, Mobile Device, and... 2 Risks and Costs Associated with Email, Social Networking, Electronic Communication, and Mobile Devices... 2 Appropriate use

More information

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements

More information

Personal Communication Devices and Voic Procedure

Personal Communication Devices and Voic Procedure Personal Communication Devices and Voicemail Procedure Reference No. xx Revision No. 1 Relevant ISO Control No. 11.7.1 Issue Date: January 23, 2012 Revision Date: January 23, 2012 Approved by: Title: Ted

More information

Identity Theft Prevention Policy

Identity Theft Prevention Policy Identity Theft Prevention Policy Purpose of the Policy To establish an Identity Theft Prevention Program (Program) designed to detect, prevent and mitigate identity theft in connection with the opening

More information

Physical Safeguards Policy July 19, 2016

Physical Safeguards Policy July 19, 2016 Physical Safeguards Policy July 19, 2016 SCOPE This policy applies to Florida Atlantic University s Covered Components and those working on behalf of the Covered Components (collectively FAU ) for purposes

More information

Introduction to SURE

Introduction to SURE Introduction to SURE Contents 1. Introduction... 3 2. What is SURE?... 4 3. Aim and objectives of SURE... 4 4. Overview of the facility... 4 5. SURE operations and design... 5 5.1 Logging on and authentication...

More information

Data Security and Privacy Principles IBM Cloud Services

Data Security and Privacy Principles IBM Cloud Services Data Security and Privacy Principles IBM Cloud Services 2 Data Security and Privacy Principles: IBM Cloud Services Contents 2 Overview 2 Governance 3 Security Policies 3 Access, Intervention, Transfer

More information

SPRING-FORD AREA SCHOOL DISTRICT

SPRING-FORD AREA SCHOOL DISTRICT No. 801.1 SPRING-FORD AREA SCHOOL DISTRICT SECTION: TITLE: OPERATIONS ELECTRONIC RECORDS RETENTION ADOPTED: January 25, 2010 REVISED: October 24, 2011 801.1. ELECTRONIC RECORDS RETENTION 1. Purpose In

More information

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule white paper Support for the HIPAA Security Rule PowerScribe 360 Reporting v1.1 healthcare 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017 University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017 Related Policies, Procedures, and Resources UAB Acceptable Use Policy, UAB Protection and Security Policy, UAB

More information

Integrating HIPAA into Your Managed Care Compliance Program

Integrating HIPAA into Your Managed Care Compliance Program Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington,

More information

Cyber Security Program

Cyber Security Program Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by

More information

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110 Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including

More information

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

3 rd Party Certification of Compliance with MA: 201 CMR 17.00 3 rd Party Certification of Compliance with MA: 201 CMR 17.00 The purpose of this document is to certify the compliance of Strategic Information Resources with 201 CMR 17.00. This law protects the sensitive

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost

More information

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE 164.502 Develop "minimum necessary" policies for: HIPAA PRIVACY RULE 164.514 - Uses 15 Exempts disclosure for the purpose of treatment from the minimum necessary standard. Page references for - Routine

More information

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems. SECURITY POLICY FOR USER 1.Purpose: The policy aims at providing secure and acceptable use of client systems. 2.Scope: This policy is applicable to the employees in the Ministry / Department / Subordinate

More information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

Data Security Policy for Research Projects

Data Security Policy for Research Projects Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data... 2 6.0 Classification of Research

More information

Information Technology Update

Information Technology Update Information Technology Update HIPAA SECURITY RULE Faculty and Staff Training University of South Carolina USC Specialty Clinics HIPAA Security Rule Agenda What is the HIPAA Security Rule Authority Definition

More information