Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Size: px
Start display at page:

Download "Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory"

Transcription

1 Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable Controls and Compliance... 3 Federal Information Processing Standard (FIPS) Publication Data Stewardship... 5 Data Inventory and Classification Spreadsheet... 6 Physical Devices and Systems Software Platforms and Applications Inventory... 9 Applicable Controls and Compliance... 9 NIST SP R PCI DSS SAQ A/B-IP NDCBF Implementation Sensitive Data Inventory Project Documents with Sensitive Data IT Asset Inventory and Tracking Risk Exposure Risk Rating/Level of Risk Risk Management Dashboard RACI Work Product and Outcomes Implementation Status Authorizations Document Location... 18

2 Overview A current and accurate inventory of information technology (IT) assets is critical to determining those assets that are sensitive and require special protections. It is a foundational input to many of the critical information technology security controls. For example, the lack of a current and accurate inventory inhibits what is considered one of the most critical IT security management functions, identity and access management; the ability to identify and control who has access to IT assets that contain or provide a path to sensitive information. Understanding the data in custody is critical to managing IT security risks. This document includes a method for data inventory and classification. ID.AM-1 is the requirement to maintain an inventory of physical devices and systems. ID.AM-2 is the requirement to maintain an inventory of software platforms and applications. Because of similarities, ID.AM-1 and ID.AM-2 were combined into one document. NDCBF IT Security Plan Confidential Page 2 of 18

3 Sensitive Data Inventory and Classification Applicable Controls and Compliance Federal Information Processing Standard (FIPS) Publication 199 The FIPS 199 model has become the standard for identifying and classifying sensitive information. Sensitive information is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or an organization. For the purposes of the NDCBF IT security plan, NDCBF is concerned about two types of sensitive information. Personally Identifiable Information (PII) Security of PII is regulated at the federal and state level and by industry associations like the PCI Standards Council through their Payment Card Industry Data Security Standard (PCI DSS). Sensitive PII is data that can be traced back to an individual and that, if disclosed, could result in harm to that person. Threats include not only crimes such as identity theft but also disclosure of personal information that the individual would prefer remained private. o Examples of PII are: Name and other names used Social security number; full and truncated Passport number Driver's license and other government identification numbers Citizenship, legal status, gender, race/ethnicity NDCBF IT Security Plan Confidential Page 3 of 18

4 Birth date, place of birth Home and personal cell telephone numbers Medical information Personally identifiable financial information o Protected Health Information (PHI) PHI is a type of PII. Security of PHI is regulated at the federal and state level. At the federal level, security of PHI is regulated through a number of acts and laws related to Health Insurance Portability and Accountability (HIPAA) and, in Texas, through Texas House Bill 300. At the federal level, PHI is individually identifiable health information that is: Transmitted by electronic media Maintained in electronic media Transmitted or maintained in any other form or medium Texas House Bill 300 basically expands it to any health related information regardless of transmission type o PHI is any information, whether oral or recorded in any form or medium, that: (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an NDCBF IT Security Plan Confidential Page 4 of 18

5 individual, or the past, present, or future payment for the provision of health care to an individual Business information: Sensitive business information includes anything that poses a risk to NDCBF. A key type of business information aggressively sought after by malware criminals is IT systems access data; the information about user credentials and privileged accounts. Compromise of user names and passwords provides access to other sensitive data. Additional type of business data sought after includes trade secrets, acquisition plans, financial data and supplier and customer information, among other possibilities. Data Stewardship Data assets are managed data stewards. For NDCBF there are two types of data stewards; data owners and data maintainers. They can be one person or multiple people. It is very important in data security to clearly define the roles. Data owners are the stewards that have the responsibility of determining: What specific sensitive data is necessary to conduct operations in NDCBF? Why does NDCBF have to have that sensitive data? Who should have access to sensitive data (internal and external)? How long that sensitive data is in maintained? What happens to the sensitive data when it is no longer needed? What is the process for sensitive data disposal? NDCBF IT Security Plan Confidential Page 5 of 18

6 Data owners and data maintainers should collaborate on sensitive data maintenance issues like: What records are kept documenting the management, accessibility, and disposal of sensitive data? Where is sensitive data located? The data steward that maintains the data may own the application in which the data resides. In NDCBF s case, Shelby v.5 (finance) and Arena are the databases that contain much of NDCBF s sensitive data. The Shelby v.5 and Arena administrator with input from the data owner is responsible for managing accessibility and ongoing maintenance. A good amount of NDCBF s data resides in other applications besides Shelby v.5 and Arena. That data also needs to be accounted for. Data Inventory and Classification Spreadsheet A data inventory and classification spreadsheet has been developed to help with data classification and inventory. It will be maintained for all data in the custody of NDCBF. Security classification categories will be used in conjunction with vulnerability and threat information when assessing the risk to NDCBF. Data assets will be managed data stewards. Data sensitivity - Sensitivity classification identifies information in terms of accessibility standard and what type of data it is. All information stored, processed or transmitted by information resources shall be identified by one of three levels of NDCBF IT Security Plan Confidential Page 6 of 18

7 sensitivity. If more than one sensitivity level could apply to the information, the highest level (most restrictive) will be selected: o Public - Information that is authorized for release to the public. The disclosure, unauthorized access, or unauthorized use of public information would not adversely impact NDCBF, the staff, congregation members, business partners, or the public. An example is the list of NDCBF staff. o Secure - Information that is available for official purposes but would not be released to the public unless requested. The disclosure, unauthorized access, or unauthorized use of secure information would have a limited adverse impact on NDCBF, the staff, congregation members, business partners, or the public. An example is financial information. o Confidential - Information of a sensitive nature that is available only to designated personnel. The disclosure, unauthorized access, or unauthorized use of confidential information would have a significant adverse impact on NDCBF, the staff, congregation members, business partners, or the public. An example is an individual s personal financial information. Potential Loss Impact Information assets shall be classified in terms of low, moderate, or high impact of loss on each of the following: confidentiality, integrity, and availability of the assets with the higher the impact the greater the security control required. A foundational concept used throughout the information security domain is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability, (CIA). NDCBF IT Security Plan Confidential Page 7 of 18

8 o Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information integrity Guarding against improper information modification or destruction and ensuring information authenticity o Data integrity The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit System integrity The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental o Availability Ensuring timely and reliable access to and use of information The loss classification should have some correlation to both data classification and sensitivity. Low impact - Loss of confidentiality, integrity, or availability could have a limited adverse effect on NDCBF operations, NDCBF assets and/or individuals. Public information is often categorized as having a low impact. Moderate impact - Loss of confidentiality, integrity, or availability could have a serious adverse effect on NDCBF operations, NDCBF assets and/or individuals. Secure data would be categorized as having a limited impact. High impact - Loss of confidentiality, integrity, or availability could have a severe and/or catastrophic adverse effect on NDCBF operations, NDCBF assets and/or NDCBF IT Security Plan Confidential Page 8 of 18

9 individuals. Confidential and/or personal information should be categorized as having a high impact. The data inventory and classification spreadsheet template and PDF version is available here: o PDF: nts/identify/ndcbf_data_inventory_classification_2018.pdf o Spreadsheet: nts/identify/ndcbf_data_inventory_classification_2018.xlt Physical Devices and Systems Software Platforms and Applications Inventory Applicable Controls and Compliance NIST SP R4 Control CM-8 Information Systems Component Inventory Supplemental Guidance: Develop and maintain a centralized IT inventory system that includes components from all NDCBF information systems. The inventories will include system-specific information required for proper component accountability (e.g., NDCBF IT Security Plan Confidential Page 9 of 18

10 information system association, information system owner). Information necessary for effective accountability of information system components includes hardware inventory specifications, software license information, software version numbers, component owners, networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. PCI DSS SAQ A/B-IP A list of all such devices and personnel with access A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) NDCBF IT Security Plan Confidential Page 10 of 18

11 NDCBF Implementation Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Sensitive Data Inventory Project April 2018 a sensitive data inventory project has been initiated. A presentation which includes document inventory form has been developed to distribute to NDCBF s leadership. The presentation: Provides an overview of the responsibility of NDCBF leadership to exercise due diligence with the custody of sensitive data Includes an organization chart illustrating an estimate of the NDCBF departments that might contain sensitive data Provides a form to be completed by department leaders. The form is designed to list the documents and reports within departments that o Contains sensitive.data o Lists the applications or uses of the forms o Lists the users of the forms This information will be used to start a sensitive data inventory. The inventory will be further developed as defined earlier in this instruction. Documents with Sensitive Data April 2018 IT Asset Inventory and Tracking NDCBF has contracted and authorized 5K Technology Services to document and maintain the inventory of NDCBF-owned information system assets. An accurate, up-to- NDCBF IT Security Plan Confidential Page 11 of 18

12 date inventory is foundational and required to implement many of the IT security policies. The IT Security Committee recommends that 5K Technical Services implement and maintain an inventory tracking system for all NDCBF IT assets. This will enable 5K Technology Services to configure and manage the network and systems so unauthorized devices, applications, and users are automatically detected and denied access. 5K Technical Services will maintain an inventory that: Accurately reflects the current information system Includes all components within the authorization boundary of the information system Is at the level of granularity deemed necessary for tracking and reporting Includes: o Network devices (firewalls, routers, switches, load balancers, etc.) o Servers (physical and or/logical, and the underlying operating systems and applications residing on such servers). o Desktops o Laptops o Tablets o Removable Storage Devices o Other Mobile Computing Devices o Output devices o Mobile phones??? Use of personal phones with NDCBF specifications and compensation or use of only NDCBF owned mobile phone NDCBF IT Security Plan Confidential Page 12 of 18

13 o Other networks or systems that interface with the NDCBF information technology network o Video surveillance system o Building access management system o Audio visual lighting (AVL) o Cloud-Based services Applications including: o TherapyNotes o Arena o Shelby v.5 o Bookstore Manager o Others to be determined Data using the NDCBF Data Inventory and Classification Report o 5K Technical Services in partnership with the data stewards will maintain the NDCBF Data Inventory and Classification Report. 5K Technical Services will update the IT inventory to maintain currency and review the inventory with the NDCBF IT Security Team annually. NDCBF IT Security Plan Confidential Page 13 of 18

14 Risk Exposure Risk Rating/Level of Risk Vulnerability - Lack of an accurate and up-to-date inventory prohibits effective personnel (internal and external), vendor, data, and systems security management. The current inventory of physical devices, systems software platforms, and applications does not adequately list and describe the NDCBF s IT assets, which includes all computing devices, information technology (IT) systems, IT network, IT circuits, software, virtual computing platforms (common in cloud and virtualized computing), and related hardware (e.g. locks, cabinets, keyboards) and data. Risk Component Impact Likelihood Risk Treatment Strategy Treatment Strategy Status Risk Exposure Level High Very Likely Risk Reduction Under Development High Risk Management Dashboard NDCBF IT Security Plan Confidential Page 14 of 18

15 A dashboard that shows the monthly status of each element is under development. It shows the vulnerability impact, likelihood, risk treatment strategy, status, and current exposure. ID.AM-1, 2, and Data Inventory and Classification belong to the NDCBF IT Security Plan Family Identify Asset Management ID.AM DAM_Monthly_Risk_Management_Dashboard.pdf RACI Accountable Responsibility Consult Inform NDCBF Executive Director 5K Technical Services Data Stewards NDCBF Department Leads Elder Board NDCBF IT Security Plan Confidential Page 15 of 18

16 Work Product and Outcomes Data Inventory and Classification, Physical Devices and Systems ID.AM-1, To be created Implementation Status Supplier Deliverables Status In IT Security Team Director of Administration 5K Technical Services Arena Administrator Department Leads Finalize and adoption of this document 5K Technical Services inventory maintenance contractual agreement Complete inventory Data Inventory and Classification Spreadsheet Systems, applications and data listing Progress or Complete Target Completion Date NDCBF IT Security Plan Confidential Page 16 of 18

17 Authorizations Signature Director IT Security Team: Print Name and Date: Signature Operations Director: Print Name and Date: Signature Elder Board Member: Print Name and Date: NDCBF IT Security Plan Confidential Page 17 of 18

18 Document Location IT Security Plan Asset Management Inventory Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2, Data Inventory and Classification o PDF: nts/identify/ndcbf_itsecplan_idam_idam1_idam2.pdf Data Inventory and Classification Spreadsheet o PDF: nts/identify/ndcbf_data_inventory_classification_2018.pdf o Spreadsheet: nts/identify/ndcbf_data_inventory_classification_2018.xlt Risk Management Dashboard: o PDF: nts/identify/idam_monthly_risk_management_dashboard.pdf NDCBF IT Security Plan Confidential Page 18 of 18

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets

More information

SYSTEMS ASSET MANAGEMENT POLICY

SYSTEMS ASSET MANAGEMENT POLICY SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security

More information

Information Security Policy

Information Security Policy April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING

More information

HIPAA Federal Security Rule H I P A A

HIPAA Federal Security Rule H I P A A H I P A A HIPAA Federal Security Rule nsurance ortability ccountability ct of 1996 HIPAA Introduction - What is HIPAA? HIPAA = The Health Insurance Portability and Accountability Act A Federal Law Created

More information

Data Compromise Notice Procedure Summary and Guide

Data Compromise Notice Procedure Summary and Guide Data Compromise Notice Procedure Summary and Guide Various federal and state laws require notification of the breach of security or compromise of personally identifiable data. No single federal law or

More information

Employee Security Awareness Training Program

Employee Security Awareness Training Program Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,

More information

DATA STEWARDSHIP STANDARDS

DATA STEWARDSHIP STANDARDS DATA STEWARDSHIP STANDARDS Policy: Enterprise Data Stewardship Policy Document: Data Stewardship Standards Campus: MSU-Billings (MSUB) Revision: 01-08-18 Contact: Michael Barber, Chief Information Officer

More information

Putting It All Together:

Putting It All Together: Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Information Classification & Protection Policy

Information Classification & Protection Policy University of Scranton Information Technology Policy Information Classification & Protection Policy Executive Sponsor: AVP Information Resources Responsible Office: Information Security Originally Issued:

More information

LCU Privacy Breach Response Plan

LCU Privacy Breach Response Plan LCU Privacy Breach Response Plan Sept 2018 Prevention Communication & Notification Evaluation of Risks Breach Containment & Preliminary Assessment Introduction The Credit Union makes every effort to safeguard

More information

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015 Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy & Security Training HIPAA The Health Insurance Portability and Accountability Act of 1996 AMTA confidentiality requirements AMTA Professional Competencies 20. Documentation 20.7 Demonstrate

More information

Access to University Data Policy

Access to University Data Policy UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public

More information

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited. SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring

More information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Is your privacy secure? HIPAA Compliance Workshop September 2008 Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner Agenda Have you secured your key operational, competitive and financial

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

IAM Security & Privacy Policies Scott Bradner

IAM Security & Privacy Policies Scott Bradner IAM Security & Privacy Policies Scott Bradner November 24, 2015 December 2, 2015 Tuesday Wednesday 9:30-10:30 a.m. 10:00-11:00 a.m. 6 Story St. CR Today s Agenda How IAM Security and Privacy Policies Complement

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System Slide 1 RMF Overview RMF Module 1 RMF takes into account the organization as a whole, including strategic goals and objectives and relationships between mission/business processes, the supporting information

More information

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions

More information

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Cybersecurity in Higher Ed

Cybersecurity in Higher Ed Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,

More information

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision

More information

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets Protecting Information Assets - Week 3 - Data Classification Processes and Models Readings In the News MIS5206 Week 3 Data Classification Processes and Models Test Taking Tip Quiz Readings Vacca Chapter

More information

Media Protection Program

Media Protection Program Media Protection Program Version 1.0 November 2017 TABLE OF CONTENTS 1.1 SCOPE 2 1.2 PRINCIPLES 2 1.3 REVISIONS 3 2.1 OBJECTIVE 4 3.1 PROGRAM DETAILS 4 3.2 MEDIA STORAGE AND ACCESS 4 3.3 MEDIA TRANSPORT

More information

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes Effective Date: 01/01/2014 Page 1 of 7 REVISION HISTORY Revision No. Revision Date Authors Description of Changes 1.0 11/04/2013 CISO Populate Into Standard Template APPROVED BY This Policy is established

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016 HIPAA Faux Pas Lauren Gluck Physician s Computer Company User s Conference 2016 Goals of this course Overview of HIPAA and Protected Health Information Define HIPAA s Minimum Necessary Rule Properly de-identifying

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1 Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security

More information

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using

More information

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS

More information

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services Augusta University Medical Center Policy Library Mobile Device Policy Policy Owner: Information Technology Support and Services POLICY STATEMENT Augusta University Medical Center (AUMC) discourages the

More information

Cyber Risks in the Boardroom Conference

Cyber Risks in the Boardroom Conference Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE Page 1 of 11 I. PURPOSE AND BACKGROUND UW-Madison is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA). This policy establishes requirements for technical security

More information

UTAH VALLEY UNIVERSITY Policies and Procedures

UTAH VALLEY UNIVERSITY Policies and Procedures Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information

More information

Information Security Data Classification Procedure

Information Security Data Classification Procedure Information Security Data Classification Procedure A. Procedure 1. Audience 1.1 All University staff, vendors, students, volunteers, and members of advisory and governing bodies, in all campuses and locations

More information

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements

More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations

More information

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:

More information

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION ASSET MANAGEMENT POLICY INFORMATION ASSET MANAGEMENT POLICY Approved by Board of Directors Date: To be reviewed by Board of Directors March 2021 CONTENT PAGE 1. Introduction 3 2. Policy Statement 3 3. Purpose 4 4. Scope 4 5 Objectives

More information

Records Management and Retention

Records Management and Retention Records Management and Retention Category: Governance Number: Audience: University employees and Board members Last Revised: January 29, 2017 Owner: Secretary to the Board Approved by: Board of Governors

More information

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018 DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL June 14, 2018 A. Overriding Objective 1.1 This Directive establishes the rules and instructions for Bank Personnel with respect to Information

More information

Cyber Security Issues

Cyber Security Issues RHC Summit 6/9/2017 Cyber Security Issues Dennis E. Leber CISO CHFS Why is it Important? Required by Law Good Business Strategy Right Thing to Do Why is it Important? According to Bitglass' 2017 Healthcare

More information

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO Section: Subject: Administration (AD) Data Governance AD.3.3.1 DATA GOVERNANCE PROCEDURE Legislation: Alberta Evidence Act (RSA 2000 ca-18); Copyright Act, R.S.C., 1985, c.c-42; Electronic Transactions

More information

Southern Adventist University Information Security Policy. Version 1 Revised Apr

Southern Adventist University Information Security Policy. Version 1 Revised Apr Southern Adventist University Information Security Policy Version 1 Revised Apr 27 2015 Summary The purpose of this policy statement is to establish the requirements necessary to prevent or minimize accidental

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

Standard: Risk Assessment Program

Standard: Risk Assessment Program Standard: Risk Assessment Program Page 1 Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members. It is the university

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4 Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of

More information

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy August 10, 2017 version WORKING DOCUMENT Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy This working

More information

Unit Compliance to the HIPAA Security Rule

Unit Compliance to the HIPAA Security Rule HIPAA Risk Analysis Unit Compliance to the HIPAA Security Rule OIT Security Risk and Compliance PURPOSE The purpose of this document is to provide guidance for units on how to perform a Risk Analysis of

More information

DEPAUW UNIVERSITY DATA CLASSIFICATION POLICY AND HANDLING RECOMMENDATIONS ( )

DEPAUW UNIVERSITY DATA CLASSIFICATION POLICY AND HANDLING RECOMMENDATIONS ( ) DEPAUW UNIVERSITY DATA CLASSIFICATION POLICY AND HANDLING RECOMMENDATIONS (05-01-2016) I. Purpose...1 II. Scope...1 III. Acknowledgements...1 IV. Institutional Data Classification Levels...2 V. Classification

More information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact? June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

10 Things Every Auditor Should Do Before Performing a Security Audit

10 Things Every Auditor Should Do Before Performing a Security Audit 10 Things Every Auditor Should Do Before Performing a Security Audit 2 Opening Remarks Moderator R. Kinney Poynter Executive Director NASACT Speaker Rick Gamache Senior Consultant BerryDunn Objectives

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union) ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain

More information

Frequently Asked Question Regarding 201 CMR 17.00

Frequently Asked Question Regarding 201 CMR 17.00 Frequently Asked Question Regarding 201 CMR 17.00 What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009? There are some important differences in the

More information

HIPAA & Privacy Compliance Update

HIPAA & Privacy Compliance Update HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com

More information

HIPAA and HIPAA Compliance with PHI/PII in Research

HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA and HIPAA Compliance with PHI/PII in Research HIPAA Compliance Federal Regulations-Enforced by Office of Civil Rights State Regulations-Texas Administrative Codes Institutional Policies-UTHSA HOPs/IRB

More information

Development Authority of the North Country Governance Policies

Development Authority of the North Country Governance Policies Development Authority of the North Country Governance Policies Subject: Electronic Signature Policy Adopted: March 28, 2018 (Annual Meeting) Resolution: 2018-03-35 Table of Contents SECTION 1.0 INTRODUCTION...

More information

UCOP ITS Systemwide CISO Office Systemwide IT Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy UCOP ITS Systemwide CISO Office Systemwide IT Policy Revision History Date: By: Contact Information: Description: 08/16/17 Robert Smith robert.smith@ucop.edu Initial version, CISO approved Classification

More information

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Elements of a Swift (and Effective) Response to a HIPAA Security Breach Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information

More information

HIPAA Privacy and Security Training Program

HIPAA Privacy and Security Training Program Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training

More information

DETAILED POLICY STATEMENT

DETAILED POLICY STATEMENT Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico

More information

GM Information Security Controls

GM Information Security Controls : Table of Contents 2... 2-1 2.1 Responsibility to Maintain... 2-2 2.2 GM s Right to Monitor... 2-2 2.3 Personal Privacy... 2-3 2.4 Comply with Applicable Laws and Site Specific Restrictions... 2-3 2.5

More information

PS Mailing Services Ltd Data Protection Policy May 2018

PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify

More information

PTLGateway Data Breach Policy

PTLGateway Data Breach Policy 1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

[Utility Name] Identity Theft Prevention Program

[Utility Name] Identity Theft Prevention Program [Utility Name] Identity Theft Prevention Program Effective beginning, 2008 Minnesota Municipal Utilities Association Sample Red Flag policy I. PROGRAM ADOPTION The [Utility Name] ("Utility") developed

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

HIPAA FOR BROKERS. revised 10/17

HIPAA FOR BROKERS. revised 10/17 HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.

More information

[DATA SYSTEM]: Privacy and Security October 2013

[DATA SYSTEM]: Privacy and Security October 2013 Data Storage, Privacy, and Security [DATA SYSTEM]: Privacy and Security October 2013 Following is a description of the technical and physical safeguards [data system operator] uses to protect the privacy

More information

The Impact of Cybersecurity, Data Privacy and Social Media

The Impact of Cybersecurity, Data Privacy and Social Media Doing Business in a Connected World The Impact of Cybersecurity, Data Privacy and Social Media Security Incident tprevention and Response: Customizing i a Formula for Results Joseph hm. Ah Asher Marcus

More information

Going Paperless & Remote File Sharing

Going Paperless & Remote File Sharing Going Paperless & Remote File Sharing Mary Twitty Family Services Director Earnest L. Hunt-Director of Sub-recipient Monitoring Tammy Smith Program Director Introduction Define the subject matter Move

More information

LifeWays Operating Procedures

LifeWays Operating Procedures 07-02.08 EMAIL GUIDELINES AND REQUIREMENTS I. PURPOSE To define the security, privacy and professional standards and considerations regarding electronic mail communication. II. SCOPE This procedure covers

More information

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:

More information

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches

More information

Internet of Things Toolkit for Small and Medium Businesses

Internet of Things Toolkit for Small and Medium Businesses Your Guide #IoTatWork to IoT Security #IoTatWork Internet of Things Toolkit for Small and Medium Businesses Table of Contents Introduction 1 The Internet of Things (IoT) 2 Presence of IoT in Business Sectors

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within

More information

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description: UCOP ITS Systemwide CISO Office Systemwide IT Policy UC Event Logging Standard Revision History Date: By: Contact Information: Description: 05/02/18 Robert Smith robert.smith@ucop.edu Approved by the CISOs

More information