Privacy and Cyber Risk Management. Preparing Your Organization for Current and Emerging Risks
- Dwayne Wilcox
1 Privacy and Cyber Risk Management: Preparing Your Organization for Current and Emerging Risks

2 Privacy and Cyber Risk Management
Agenda:
- Recognize security risks
- Discover the top techniques used by hackers against public institutions
- Recognize the legal exposures related to cyber risk
- Privacy and records classification
- Social media risks
- Privacy and Cyber Risk insurance coverage

3 What's at Risk?
- Breach: Network Security
- Unauthorized Access: Sensitive Information
- Cyber Theft: Finances
(1st- and 3rd-party exposures as marked on the slide: "1st & 3rd", "1st", "1st")
Each represents a potential loss to the organization.

4 Common Exposures: Internet
- Laptops, tablets, or smartphones: sensitive information storage, Wi-Fi, app spying
- Conducting online banking (ACH payments)
- Allowing BYOD

5 Common Exposures
- Thumb drives or portable external hard drives: lost or stolen; malware
- Giving write access to computer hard drives
- Digital communication (including video) via web page or Facebook

6 Common Exposures
- No comprehensive Cyber Risk Management Program: written policies, training, supervision
- Believing that privacy and cyber risks are only an IT issue and limiting your scope to computer and network security!
- Employees!!!

7 What are hackers doing?
- Sensitive information: Social Security numbers, credit/debit card numbers, vendor portals/networks, healthcare information
- Remote access of computers: access to servers & websites, access to outside networks
- Theft of finances: unauthorized financial transactions
- Breach of network security from: vendors or employees, phishing/spying, social engineering
How easy is it?

8 Targeted Attacks
- Social engineering: common themes are conferences, internal communications, employee reviews, surveys, meeting invitations and security updates.
- Context: the message makes sense to an employee of that organization.
- Homework: attackers do their research, collect employee addresses, and the From field is changed so it appears to come from someone known to the organization.
- Attachments/links: there is typically a malicious attachment (.doc, .xls, .pdf) that contains exploit code. Executable file attachments and links are also used.
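The indicators on this slide (a From field dressed up as a known colleague, a lure theme, a document attachment) can be turned into a mail-triage check. The following Python script is an added example, not part of the presentation: the internal domain, the staff directory and the two messages are constructed for illustration, and the heuristics are a starting point for a mail-gateway or help-desk triage rule, not a complete filter.

```python
"""Triage checks for the targeted-attack pattern on the slide: a From field
made to look like a known colleague, a lure theme, and a document attachment.
Added example (not the presenter's material). The domain, directory and
messages below are constructed for illustration."""
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

INTERNAL_DOMAIN = "example-city.gov"               # assumption: the organization's own domain
KNOWN_STAFF = {"jane doe", "city manager", "hr department"}   # constructed directory entries
LURE_THEMES = ("conference", "employee review", "survey",
               "meeting invitation", "security update")       # themes named on the slide
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pdf",
                    ".exe", ".scr", ".js", ".vbs", ".zip"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(msg: EmailMessage) -> list[str]:
    """Return the indicators present in the message (empty list = nothing flagged)."""
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name matches a known colleague, but the address is not on our domain.
    if display_name.strip().lower() in KNOWN_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append("known-name-external-address")

    # 2. Sender domain is a near miss of our own domain (look-alike / typo-squat).
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies are routed somewhere other than the apparent sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 4. A lure theme in the subject combined with a risky attachment type.
    subject = msg.get("Subject", "").lower()
    themed = any(theme in subject for theme in LURE_THEMES)
    for part in msg.iter_attachments():
        ext = PurePosixPath(part.get_filename() or "").suffix.lower()
        if ext in RISKY_EXTENSIONS:
            findings.append("risky-attachment:" + ext)
            if themed:
                findings.append("lure-theme-with-attachment")
            break
    return findings


def build_sample(from_hdr, subject, attachment_name=None, reply_to=None) -> EmailMessage:
    """Construct a sample message in memory (no real mail involved)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "staff@" + INTERNAL_DOMAIN
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please review the attached document.")
    if attachment_name:
        msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


# Constructed samples: one lure shaped like the slide's description, one ordinary internal mail.
SUSPICIOUS = build_sample('"Jane Doe" <jane.doe@example-c1ty.gov>',
                         "Employee review - action required",
                         attachment_name="review_form.doc",
                         reply_to="collector@mailbox.example")
LEGITIMATE = build_sample('"Jane Doe" <jane.doe@example-city.gov>', "Agenda for Tuesday")

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, triage(message))
```

Each indicator on its own is weak (a vendor may legitimately set a different Reply-To), so the value is in the combination: a known name on an outside look-alike domain plus a themed subject and an Office attachment is exactly the "homework" pattern the slide describes, and is worth routing to a human before delivery.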
9 Often missed risks: Social Media
- First Amendment: control over citizen speech on Facebook; control over employee Facebook and other posts; from too vague or too strict social media policies
- Title VI & VII
- Accessibility (ADA)
- Discrimination: hiring
- Defamation: government communication on social media
- Open Meetings Act: board deliberations on social media
- Tennessee Public Records Act: digital requests, data retention
Social media is a part of your cyber network, whether your website is hosted on your servers, you have a link to your Facebook site on your website, you allow people to post or send e-mails, or you use Twitter or text messaging to send alerts.

10 Why the concern?
- Malicious threats are not going anywhere: stealth hackers, extortionists, rogue contractors, malware, disgruntled employees
- Mistakes, budgets and shifting priorities: you will always have employees
- No comprehensive privacy and risk management program: IT-only solution, poor communication and lack of training; failure to make this an organizational priority

11 Why the concern? Network operation & data sharing
Increased points of failure due to outsourcing of needs:
- To whom do we outsource (business partners)?
- Do they have access to our network or data?
- What privacy and cyber security safeguards do they have in place?
- What safeguards do you have in place to prevent unauthorized access to your network by business partners with login privileges?
- Do they have the proper privacy and cyber security coverages, and are their levels of coverage adequate?
- Are we named as an additional insured?

12 Why the concern? Network operation & data sharing
Dependencies and data sharing between business partners and employees: do they need access?

13 YOUR CITY IS VULNERABLE!

14 Local Government Targets
Why local government and public agencies?
- Often ill-prepared to defend against intruders or to detect advanced persistent threat (APT) groups
- May have limited IT resources and no comprehensive privacy and cyber risk management program
- May have limited or infrequent employee cyber training
- Don't think it will happen to them

15 Breaches per Threat Action
1. Hacking
2. Malware
3. Social Engineering
Source: Verizon report

16 Public Incidents (share of incidents by pattern)
- Miscellaneous errors (human error): 37%
- Cyber-espionage: 16%
- Insider misuse: 13%
- Crimeware: 12%
- Physical theft/loss: 9%
- Everything else: 4%
What does this information tell us?

17 Vulnerabilities
- Uninformed or negligent employees
- Rogue or dissatisfied employees
- Negligent entities
We somewhat know what's out there, but what are we doing about it?
- Software patches / security updates
- Applications

18 Hacker Economics
- From worms with backdoors to stealthy command-and-control botnets, credential theft, and fraud
- Hackers use what works! They are looking for financial gains
- Top 10 vulnerabilities = 85% success
- Operational vulnerability constraints impact risk
19 Legal Exposures
Disclaimer: The following is only a summary (for illustrative purposes) of some of the prevailing laws that may be applicable to your organization. Please consult your city attorney, MTAS, and/or your insurer for additional resources.

20 Privacy and Cyber Risk Management: T.C.A. Consumer Protection and Identity Theft Deterrence
- Applies to any political subdivision that owns or licenses computerized data that includes personal information.
- Old law: "Security Breach" means unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality or integrity of personal information.
- Effective 07/01/2016: the definition of "Security Breach" will no longer include the word "unencrypted." There are various legal interpretations of this, so seek guidance from legal or the Pool Claims department. In other parts of this statute (and other statutes), encryption is still used to determine whether the breach materially compromises the security, confidentiality, or integrity of personal information, and if it does, notification is required. This will require a legislative cleanup of the language or a test case.

21 Privacy and Cyber Risk Management: T.C.A. Consumer Protection and Identity Theft Deterrence
- Effective 07/01/2016: a definition for "Unauthorized Person" was added to the statute and includes an employee of a covered entity who is discovered to have obtained personal information and intentionally used it for an unlawful purpose.
- Written or electronic notice must be provided to victims of a security breach "within the most expedient time possible and without unreasonable delay..."
- Effective 07/01/2016: notice to affected residents must be made immediately, but no later than forty-five (45) days following the discovery of, or notification to the covered entity of, a security breach (unless a longer time is required due to legitimate law enforcement needs).

22 Privacy and Cyber Risk Management: T.C.A. Consumer Protection and Identity Theft Deterrence
Third parties (business partners who hold or have access to data):
- Effective 07/01/2016: notice to the covered entity must be made immediately, but no later than forty-five (45) days from when the breach became known to the third-party recipient. (Should be added to or referenced in your agreement!)
- Effective 07/01/2016: a covered entity subject to HIPAA is exempt.

23 Privacy and Cyber Risk Management: T.C.A. Safeguards and procedures for ensuring that confidential information is protected on laptop computers and other removable storage
(b) All municipalities and counties shall create safeguards and procedures for ensuring that confidential information regarding citizens is securely protected on all laptop computers and other removable storage devices used by the municipality or county.
What is meant by "other removable storage devices"?
- External hard drives
- Portable hard drives
- Thumb drives
- Tablets
- Smart phones
- CD/DVDs

24 Privacy and Cyber Risk Management: T.C.A. Safeguards and procedures for ensuring that confidential information is protected on laptop computers and other removable storage
(c) Failure to comply with this section shall create a cause of action or claim for damages against the state, municipality, or county if a citizen of this state proves by clear and convincing evidence that the citizen was a victim of identity theft due to a failure to provide safeguards and procedures regarding that citizen's confidential information.

25 Privacy and Cyber Risk Management: Internal Control Manual for Local Governmental Entities and Other Audited Entities in Tennessee, Component 3 - Control Activities
- Management should design the entity's computerized information system and related control activities to achieve objectives and respond to risks.
- The external and internal security risks, and the controls necessary to limit exposure to unauthorized access, corruption of data, or other misappropriation of information (e.g. personally identifiable information).
The Comptroller wants municipal governments to identify and mitigate cyber risks!

26 Privacy and Cyber Risk Management: HIPAA/HITECH
The Health Insurance Portability and Privacy Act of 1996 / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) provides federal privacy protections for personal health information held by covered entities, regardless of its format (print or digital).
The revised Security Breach Notification Standard increases the risk of HIPAA enforcement:
- Prior standard: required notification only if an unauthorized use or disclosure of unencrypted PHI "posed a significant risk of financial, reputational or other harm" to the individual.
- Revised standard: any unauthorized use or disclosure of unencrypted PHI triggers a security breach notification obligation unless the employer can prove "a low probability that the [PHI] has been compromised based on a risk assessment."

27 Privacy and Cyber Risk Management
- Fair and Accurate Credit Transactions Act (FACTA) of 2003, which contains provisions designed to help reduce identity theft.
- Family Educational Rights and Privacy Act (FERPA), which requires schools receiving funds from the U.S. Department of Education to protect certain private records of students.
- Driver's Privacy Protection Act (DPPA), which prohibits the release and use of certain personal information from state motor vehicle records.
28 Safeguards

29 Privacy and Cyber Risk Management: T.C.A. (a)(2)(A) Tennessee Public Records Act
"All municipal records shall at all times, during business hours, be open for personal inspection by any citizen of Tennessee, and those in charge shall not refuse such right of inspection to any citizen, unless provided by law."
Tennessee Code Annotated Section (d): The General Assembly directs the courts to interpret the provisions of the TPRA broadly so as to give the fullest possible access to public records.
Do your employees know what isn't a public record?

30 Types of Data
- Protected: Social Security #, credit card #, health information, etc.
- Restricted: open police or personnel investigations, bid information, etc.; restricted until completed
- Open: all other documents, papers, letters, photos, video, sound recordings, etc. not restricted by other state and/or federal law

31 Safeguard Sensitive Information
- Definition: define the sensitive information that is subject to protective measures.
- Location: identify the sensitive information collected, how it is collected (print or digital), and its location (department).
- Protection: implement administrative, physical, and digital safeguards to protect this information.
- Disposal: if stored sensitive information is no longer needed and is eligible for disposal as outlined by your Documents Retention Policy, then appropriate disposal methods should be employed.
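The Definition and Location steps above, together with the three data classes on the previous slide, amount to a discovery task: find where Social Security and card numbers actually sit. The following Python scanner is an added example, not from the presentation. It tags any record containing a plausible SSN or a Luhn-valid card number with the deck's "Protected" class, leaves "Restricted" to a department-supplied tag (open investigations and bids have no pattern to match), and treats everything else as "Open". The records and file locations are constructed.

```python
"""Sensitive-information discovery for the slide's Definition/Location steps.
Added example (not the presenter's material); records are constructed.
'Restricted' material is assumed to be tagged by the owning department,
because investigations and bid files have no regular pattern to match."""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits with optional separators


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: areas 000, 666 and 900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, which weeds out phone numbers and account ids that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # last four digits only, so the inventory itself is not sensitive


def scan(text: str) -> list[Finding]:
    """Locate SSNs and card numbers in one record's text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def classify(record: dict) -> dict:
    """Assign one of the slide's classes: Protected if PII is found, else the
    department's own tag (e.g. Restricted), else Open."""
    findings = scan(record["text"])
    data_class = "Protected" if findings else record.get("department_tag", "Open")
    return {"location": record["location"], "class": data_class,
            "findings": [f.kind for f in findings]}


def inventory(records: list[dict]) -> dict[str, str]:
    """Location -> class map: the 'Location' step of the slide as a table."""
    return {r["location"]: classify(r)["class"] for r in records}


# Constructed records standing in for files found on departmental shares.
RECORDS = [
    {"location": "HR/personnel_files/app_0417.txt",
     "text": "Applicant SSN 219-09-9999; emergency contact 615-555-0100."},
    {"location": "Finance/utility_payments/march.csv",
     "text": "Cardholder paid with 4111 1111 1111 1111 on 03/02."},
    {"location": "Police/cases/2019-044.txt",
     "text": "Interview notes, case pending.", "department_tag": "Restricted"},
    {"location": "Clerk/minutes/2019-03-05.txt",
     "text": "Council approved the paving contract, vote 5-0."},
]

if __name__ == "__main__":
    for location, data_class in inventory(RECORDS).items():
        print(f"{data_class:10} {location}")
```

The phone number in the first record and the vote count in the last are deliberately present: without the SSA range rules and the Luhn check they would show up as false positives, and a discovery run that cries wolf on every dashed number gets ignored. The output table is what the Disposal step then works from: Protected records that are past their retention period are the ones to shred or wipe.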
32 Safeguard Digital and Physical Assets
- Digital assets: what and where are they? Computers, portable hard drives, servers, printers, copiers, tablets, smartphones, thumb drives, etc.
- Protections: physical barriers, secured cabinets, paper shredder, anti-virus software, firewalls, egress filters, blocked communication ports, network monitoring, hard drive access, password cache, network intrusion detection system, etc.

33 Safeguard Staff: Policies and Procedures
- Computer use
- Social media retention: should be a part of your larger data retention policy
- Protection of electronic mobile devices: what's your policy?
- Data classification and sensitive information
- Training: have employees and elected officials been trained on these policies?

34 Safeguard Business Partners
For any business partner who has access to your computers, network and/or sensitive data:
- Have a contract of expectations for network security
- Evaluate their network access (least privilege)
- Require a non-disclosure agreement
- Request certificates of insurance
- Request to be added as an additional insured on their policy

35 Social Media Risks

36 Social Media in Local Government
Pros:
- Increased public participation and encouraging social activism
- Timely and cost-effective communication
- Creating a real-time public record of project information
- Garnering support for municipal projects
- Publicizing meetings and hearings
- Public safety information
- Networking and marketing

37 Social Media in Local Government
Cons (legal pitfalls):
- First Amendment violations: external (Facebook and other forum comments); internal (a) contacting elected officials via Facebook, e-mails, text messaging, (b) personal Facebook, forum usage, or likes
- Title VI & VII
- Accessibility (ADA)
- Discrimination: hiring
- Defamation: government communications on website or social media
- Open Meetings Act: board deliberations on social media
- Tennessee Public Records Act: digital requests, data retention

38 Cost Containment Efforts
If an actual loss occurs, other areas to address.

39 Coverage Issues
- Privacy and Network Liability: covers liability arising from the failure to properly handle, manage, store, destroy, or otherwise control information; an unintentional violation of your privacy policy that results in the violation of any privacy regulation; or a failure of network security.
- Data Breach Coverage (1st party): covers expenses that result from an information breach, including computer forensics services, notification of affected parties, credit monitoring services, and expenses associated with coming into compliance with privacy regulations.
- Property & Crime: cyber theft of funds

40 Business Partner Coverage
- Professional Liability (E&O): provides coverage for losses caused by professional negligence or failure to perform professional duties. This often includes errors and omissions coverage for the loss of client data, software or system failure, or claims of non-performance.
- Cyber Liability: coverage for when the firm is responsible for the security and privacy of a client's data stored on the IT firm's servers; introduction of malicious code or viruses; disclosure of confidential data; loss of data or digital assets (malicious or accidental); etc.
- Employee Dishonesty coverage: provides coverage when an employee steals money, equipment or other assets from the client.

41 Plan for the Attack
- Create a cross-functional team including IT, Risk Management, Human Resources, Finance, Legal, and Law Enforcement
- Develop and implement a Cyber Risk Management Program that:
  - confirms everyone knows his/her roles and responsibilities and that all employees are trained pre/post event
  - reviews 3rd-party contracts with Legal, IT, and RM
  - ensures adequate 3rd-party insurance coverage (see previous slide) and that the entity is named as an additional insured on the business partner's policy

42 Plan for the Attack
- Review and assess the city's computer network; add safeguards as needed
- Keep a spreadsheet of digital assets, updates and patches
- Monitor the city's egress
- Back up daily and store offsite
- Develop a Recovery & Continuity Plan
- Work with banks on acceptable financial safeguards (token system)
- Ensure sound financial controls: verification of transactions; confirmation via phone, text or e-mail before a major financial transaction

43 Questions? George Dalton, The Pool
More information716 West Ave Austin, TX USA
Fundamentals of Computer and Internet Fraud GLOBAL Headquarters the gregor building 716 West Ave Austin, TX 78701-2727 USA TABLE OF CONTENTS I. INTRODUCTION What Is Computer Crime?... 2 Computer Fraud
More informationNMHC HIPAA Security Training Version
NMHC HIPAA Security Training 2017 Version HIPAA Data Security HIPAA Data Security is intended to provide the technical controls to ensure electronic Protected Health Information (PHI) is kept secure and
More informationHIPAA-HITECH: Privacy & Security Updates for 2015
South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationIAM Security & Privacy Policies Scott Bradner
IAM Security & Privacy Policies Scott Bradner November 24, 2015 December 2, 2015 Tuesday Wednesday 9:30-10:30 a.m. 10:00-11:00 a.m. 6 Story St. CR Today s Agenda How IAM Security and Privacy Policies Complement
More informationBaseline Information Security and Privacy Requirements for Suppliers
Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.
More informationSANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018
SANMINA CORPORATION PRIVACY POLICY Effective date: May 25, 2018 This Privacy Policy (the Policy ) sets forth the privacy principles that Sanmina Corporation and its subsidiaries (collectively, Sanmina
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationINFORMATION SECURITY-SECURITY INCIDENT RESPONSE
Information Technology Services Administrative Regulation ITS-AR-1506 INFORMATION SECURITY-SECURITY INCIDENT RESPONSE 1.0 Purpose and Scope The purpose of the Security Response Administrative Regulation
More informationWhy you MUST protect your customer data
Why you MUST protect your customer data If you think you re exempt from compliance with customer data security and privacy laws because you re a small business, think again. Businesses of all sizes are
More informationSTATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain
More informationCyberspace : Privacy and Security Issues
Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy
More informationTERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.
TERMS OF USE A. PLEASE READ THESE TERMS CAREFULLY. YOUR ACCESS TO AND USE OF THE SERVICES ARE SUBJECT TO THESE TERMS. IF YOU DISAGREE OR CANNOT FULLY COMPLY WITH THESE TERMS, DO NOT ATTEMPT TO ACCESS AND/OR
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationA Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016
A Privacy and Cybersecurity Primer for Nonprofits Nonprofits in the Digital Age March 9, 2016 Panelists Beverly J. Jones, Esq. Senior Vice President and Chief Legal Officer ASPCA Christin S. McMeley, CIPP-US
More informationUCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification
University of California UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification UCOP Implementation Plan for Compliance with Business and Finance Bulletin
More informationHIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance
HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should
More informationHIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED
HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within
More informationHIPAA Privacy, Security and Breach Notification
HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance
More informationCybersecurity 2016 Survey Summary Report of Survey Results
Introduction In 2016, the International City/County Management Association (ICMA), in partnership with the University of Maryland, Baltimore County (UMBC), conducted a survey to better understand local
More informationPrivacy & Information Security Protocol: Breach Notification & Mitigation
The VUMC Privacy Office coordinates compliance with the required notification steps and prepares the necessary notification and reporting documents. The business unit from which the breach occurred covers
More informationHow Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.
How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. Word Count: 2,268 Physician practices have lived with the reality of HIPAA for over twenty years. In that time, it has likely
More informationSecuring Information Systems
Chapter 7 Securing Information Systems 7.1 2007 by Prentice Hall STUDENT OBJECTIVES Analyze why information systems need special protection from destruction, error, and abuse. Assess the business value
More informationHIPAA UPDATE. Michael L. Brody, DPM
HIPAA UPDATE Michael L. Brody, DPM Objectives: How to respond to a patient s request for a copy of their records. Understand your responsibilities after you send information out to another doctor, hospital
More informationStandard for Security of Information Technology Resources
MARSHALL UNIVERSITY INFORMATION TECHNOLOGY COUNCIL Standard ITP-44 Standard for Security of Information Technology Resources 1 General Information: Marshall University expects all individuals using information
More informationProtecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014
Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented
More informationSummary Comparison of Current Data Security and Breach Notification Bills
Topic S. 117 (Nelson) S. (Carper/Blunt) H.R. (Blackburn/Welch) Comments Data Security Standards The FTC shall promulgate regulations requiring information security practices that are appropriate to the
More informationOverview Bank IT examination perspective Background information Elements of a sound plan Customer notifications
Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta Overview Bank IT examination perspective Background information
More informationWhat to do if your business is the victim of a data or security breach?
What to do if your business is the victim of a data or security breach? Introduction The following information is intended to help you decide how to start preparing for and some of the steps you will want
More informationInformation Security in Corporation
Information Security in Corporation System Vulnerability and Abuse Software Vulnerability Commercial software contains flaws that create security vulnerabilities. Hidden bugs (program code defects) Zero
More informationMobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services
Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the
More informationUniversity Policies and Procedures ELECTRONIC MAIL POLICY
University Policies and Procedures 10-03.00 ELECTRONIC MAIL POLICY I. Policy Statement: All students, faculty and staff members are issued a Towson University (the University ) e-mail address and must
More informationHIPAA Federal Security Rule H I P A A
H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created
More informationMark Your Calendars: NY Cybersecurity Regulations to Go into Effect
Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com
More information