Information Security Issues in Research
March 2019

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly Virchow Krause, LLP, trading as Baker Tilly, is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities.

Your Presenters
- Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly
- Meghan Senseney, Senior Consultant, Baker Tilly
Today's Objectives
1. Learn the specialized IT and cybersecurity risks associated with research activities
2. Explain the IT and cybersecurity requirements typically associated with research activities (e.g., export controls and OFAC requirements, FAR/DFARS, NIST)
3. Provide an audit template of typical research IT and cybersecurity risks with recommended controls

Information Security Risks in Research: Overview
Information Security Risks in Research
- People
- Processes
- Technology

People Risks

Human subjects
- Collection of data (does the subject provide explicit and informed consent?)
- IRB approval
- Security of data
- De-identification of data
- Destruction of data

Researchers
- Collection of data
- Storage and protection of data
- De-identifying individual-level data (if required) and storing the key or coding scheme separately from the data
- Deletion and/or destruction of data

Collaborators
- Secure data transfer to collaborators
- Protection of data (once data is shared, how do you ensure collaborators are following the requirements for secure storage and/or protection?)
Process Risks - Sponsored Projects Lifecycle
1. Finding funding
2. Proposal & budget development
3. Routing & approval process
4. Submission & review
5. Award review & acceptance
6. Award set-up
7. Post-award administration
8. Closeout & audit

Process Risks - IT
- Centralized versus decentralized management
- Logical security (authentication, passwords)
- User access (internal transfers, terminations, periodic reviews)
- Change management (changes made to applications used to store, manage, and track sponsored projects and awards)
- Physical security of workstations, laptops, tablets, servers, and other specialized equipment used by researchers
- Funding for initial IT investments, as well as long-term funding after the sponsored agreement ends
Technology Risks

Enterprise systems
- Access control (when individuals in research areas transfer or leave, central IT may not learn of it until days or weeks later)
- Can the data be accessed from a mobile device?

Research-specific systems
- Lack of centralized management
- Controls implemented by non-IT individuals (e.g., grad students)
- Controls not implemented at all (backups, user access reviews)
- Interfaces with enterprise systems

Rogue systems
- Unknowns: central IT or research administration may not even be aware these systems exist, since they are not responsible for managing them (where is the data, who has access, who is managing the system?)
- Lack of basic controls

Information Security in Higher Education
- Increased complexity and oversight challenges in a decentralized environment
- Subject to many laws and regulations due to:
  - Breadth and nature of business operations
  - Faculty, staff, students, and alumni from many states and countries
  - Numerous stakeholders with research compliance responsibilities
- A culture that values the open exchange of information for scholarship and research
- Global constituents and community members, which means expanded legal requirements
- Size and complexity of IT environments, including multiple applications and data stores holding personally identifiable information (PII)
- Focus on cross-disciplinary collaborations, innovations, and partnerships

Changing World of Research
- Increasing complexity in sponsor requirements
- Increasing expectations of accountability
- Decreasing federal funding and changing priorities of US government research sponsors

Human Subjects: Definition
A human subject is a living individual about whom a researcher (whether a professional or a student) obtains data through intervention or interaction with the individual, or from individually identifiable information.

Regulations and ethical guidelines governing the use of human subjects:
- 45 CFR 46: Protection of Human Subjects
- Guidelines for the Conduct of Research Involving Human Subjects at NIH
- The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research
- Nuremberg Code: Directives for Human Experimentation
- World Medical Association Declaration of Helsinki
Human Subjects: Oversight
- Human subject research is controlled through oversight and monitoring by the Institutional Review Board (IRB)
- The IRB is responsible for approving any research protocol involving human subjects and for monitoring the conduct of those research activities
- The IRB reviews human subject research projects against the three Belmont principles:
  - Minimize the risk to human subjects (beneficence)
  - Ensure all subjects consent and are fully informed about the research and its risks (respect for persons, i.e., autonomy)
  - Promote equity in the selection of human subjects (justice)
- All human subjects research (including but not limited to recruitment) must be approved by the IRB before it begins
- The IRB typically approves projects for one year and conducts annual continuing reviews thereafter

Human Subjects: IT/Cyber Considerations
- Research involving human subjects does not by itself trigger an IT security requirement; however, much human subjects research is medical-related
- There is a high chance that research involving human subjects falls under HIPAA, DFARS, and/or other IT security requirements
- Researchers and PIs are usually not trained to recognize IT security requirements or to understand their implications
IT and Cybersecurity Requirements in Research

Data Management Plans and Data Use Agreements

Data Covered
- Research sponsors typically reserve the right to audit data and examine records relevant to a grant
- In most cases the institution owns the rights to the data; however, in some sponsored research the sponsor retains ownership
- Certain agreements require institutions to retain data for a specified period
- Certain agreements require institutions to publish data for public access after research activities are completed

Why Higher Ed?
- The Bayh-Dole Act of 1980 allowed universities to control the intellectual property generated from federally funded research
- Sponsors, including federal agencies, include data use requirements in grants, contracts, and cooperative agreements
- NSF policy, effective January 18, 2011, requires all proposals to include a data management plan

Summary of Requirements
- Federal agencies and other research sponsors have differing data security and retention requirements
- Sponsors also have requirements for the timely sharing of data
HIPAA

Data Covered
Protected health information (PHI), including identifiers such as:
- Names; addresses; telephone numbers
- Dates (other than year)
- Any unique identifying numbers (e.g., SSN, medical record number, account number)
- Device identifiers; web URLs; IP addresses
- Biometric identifiers; full-face photographs; identifying genetic information

Why Higher Ed?
- Applies to an educational institution designated as a covered entity, a business associate, or a hybrid entity

Summary of Requirements
Three main rules:
1. Privacy Rule: notice and consent
2. Security Rule: administrative, technical, and physical safeguards
3. Breach Notification Rule: breach response plan
- Designate a HIPAA privacy officer and a HIPAA security officer
- Formalize policies and procedures
- Conduct periodic risk assessments

Potential audit/advisory activities (HIPAA):
- Determine the privacy and security officers' roles and responsibilities with respect to development of policies and practices
- Gain an understanding of the system(s) that log user access to PHI
- Perform a HIPAA security risk assessment that traces the flow of PHI inside and outside the institution, focusing on four critical areas: processes, people, technology, and governance
- Identify the controls in place that maintain the accounting-of-disclosures logs for six years
- Review HIPAA training to confirm it covers the HIPAA requirements
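The People Risks slide asks researchers to de-identify individual-level data and store the key or coding scheme separately from the data, and the HIPAA slide lists the identifiers (names, record numbers, dates other than year, and so on) that have to come out. The Python below is an added example written for this page to show what that looks like in practice; it is not code from the slides or from Baker Tilly. The field names, the two sample records, the coding key and the study reference date are all constructed for the example, and the approach (a keyed HMAC pseudonym, dates reduced to year, ages of 90 and over aggregated) is one common implementation rather than anything the deck prescribes.

```python
"""Added example, not from the Baker Tilly slides: de-identify individual-level
research records and keep the coding key apart from the released data set.

Everything below that names a field, a person, a key or a date is a
constructed assumption for the example, not something the slides state."""
import hashlib
import hmac
import re
from datetime import date

# Constructed sample records; every person and value here is fictional.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-000123", "email": "jdoe@example.edu",
     "dob": "1984-03-12", "visit": "2018-11-02", "glucose_mg_dl": 98},
    {"name": "John Roe", "mrn": "MRN-000456", "email": "jroe@example.edu",
     "dob": "1925-06-30", "visit": "2018-12-15", "glucose_mg_dl": 141},
]

# Direct identifiers that must not appear in the released data set
# (names, record/account numbers and email addresses are on the HIPAA list).
DIRECT_IDENTIFIERS = ("name", "mrn", "email")
DOB_FIELD = "dob"                  # reduced to an age, aggregated at 90 and over
OTHER_DATE_FIELDS = ("visit",)     # reduced to year only
STUDY_REFERENCE_DATE = date(2019, 3, 1)   # constructed "as of" date for ages
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def study_code(record_identity: str, coding_key: bytes) -> str:
    """Stable pseudonym for one subject: HMAC-SHA256 of the medical record
    number under a key that is stored with the crosswalk, never with the data.
    The same subject gets the same code in every batch (records still link),
    but the code cannot be recomputed or inverted from the released data."""
    digest = hmac.new(coding_key, record_identity.encode("utf-8"), hashlib.sha256)
    return "S-" + digest.hexdigest()[:12]


def age_on(dob_iso: str, as_of: date):
    """Exact age below 90, the string '90+' otherwise. HIPAA Safe Harbor
    treats ages over 89 as identifying, so they are aggregated."""
    dob = date.fromisoformat(dob_iso)
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else years


def deidentify(records, coding_key: bytes):
    """Return (released_records, crosswalk). The two belong in separate systems
    under separate access control: the crosswalk plus the key is exactly what
    re-identifies a subject."""
    released, crosswalk = [], {}
    for rec in records:
        code = study_code(rec["mrn"], coding_key)
        crosswalk[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        clean = {"study_id": code}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                continue                                  # dropped entirely
            if field == DOB_FIELD:
                clean["age"] = age_on(value, STUDY_REFERENCE_DATE)
            elif field in OTHER_DATE_FIELDS:
                clean[field + "_year"] = value[:4]        # ISO date -> year
            else:
                clean[field] = value                      # research variable, kept
        released.append(clean)
    return released, crosswalk


def leaks_identifier(released, crosswalk) -> bool:
    """Release check: does any raw identifier value from the crosswalk, or any
    full date, survive anywhere in the records about to be shared?"""
    raw_values = {str(v) for entry in crosswalk.values() for v in entry.values()}
    for rec in released:
        for value in rec.values():
            if str(value) in raw_values or ISO_DATE.fullmatch(str(value)):
                return True
    return False


if __name__ == "__main__":
    key = b"constructed-coding-key-stored-with-crosswalk-only"
    data, key_table = deidentify(SAMPLE_RECORDS, key)
    print(data)        # what the collaborator receives
    print(key_table)   # what stays behind, with the key, under separate access control
    assert not leaks_identifier(data, key_table)
```

Running the check against the original records (rather than the released ones) returns True, which is the point of keeping it in the release pipeline: it fails closed if someone ships the wrong file.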
GDPR

Data Covered
Personal data of individuals in the EU. GDPR governs the collection, processing, use, and storage of personal data relating to any individual who is in the European Union, including:
- Citizens
- Residents
- Visitors
(Scope turns on the individual being in the EU, not on citizenship; an EU citizen living outside the EU is not covered on the basis of citizenship alone.)

Personal data is broadly defined, and includes:
- Name
- IP address
- Address
- Date of birth
- Gender

Why Higher Ed?
Applies to any organization, regardless of location, that processes or holds personal data relating to individuals in the EU. It potentially applies if your institution has:
- EU campus(es)
- EU-based partner institutions
- Students studying in the EU
- Faculty teaching in the EU
- Students, applicants, athletes, staff, faculty, alumni, donors, or patients who are in the EU
- Visiting faculty or other visitors from the EU
- EU-based vendors
- Research subjects in the EU

Summary of Requirements
- Breach notification
- Right of access
- Right to be forgotten (erasure)
- Data portability
- Privacy by design, including data minimization
- Data Protection Officer

Potential audit/advisory activities (GDPR):
- What is your institution's GDPR footprint? (That is, how does it apply to us?)
- Do you know how and where your institution's GDPR-covered personal data resides and how it is used, including data about students, faculty, staff, applicants, donors, alumni, and human subjects in the EU?
- Does your institution practice data minimization?
- Does your institution practice privacy by design and privacy by default?
- Has your institution defined its risk threshold for GDPR?
- Is your institution prepared to honor right-to-be-forgotten and data portability requests?
Export Controls

Data Covered
- Dual-use items on the Commerce Control List (CCL), which covers goods, equipment, materials, software, and technology
- Items designed for commercial purposes that also have military applications (computers, pathogens, civilian aircraft, etc.)
- The regulations apply to goods, technology, and related information

Why Higher Ed?
- Institutions must be aware of deemed exports: the release of controlled technology or source code to a foreign person inside the US (for example, to a foreign national working in a lab) is treated as an export to that person's country
- Sanctions mechanisms are intended to advance US trade interests and foreign policy and to protect and promote national security

Summary of Requirements
Governed by three federal regimes:
- International Traffic in Arms Regulations (ITAR), administered by the Department of State
- Export Administration Regulations (EAR), administered by the Department of Commerce
- Office of Foreign Assets Control (OFAC) sanctions, administered by the Department of the Treasury

Potential audit/advisory activities (Export Controls):
- Applicability of exemptions
- Deemed exports
- Licensing
- Shipping and payments to foreign persons outside the US
- Faculty, staff, and grad students
- Travel: physically taking items with you on a trip, such as
  - Laptop
  - Encryption products on your laptop
  - Cell phone
  - Data/technology
  - Blueprints, drawings, schematics
  - Other tools of the trade
- Giving controlled technology/data to a foreign person outside the US
Controlled Unclassified Information (CUI)

Data Covered
- CUI: information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls, excluding information that is classified
- Each federal agency designates different categories of CUI
- The National Archives, as the Executive Agent for CUI, maintains the CUI Registry, which is the authoritative source for guidance on CUI policies and practices

Why Higher Ed?
- Applies to an educational institution that engages in research sponsored by, or under contracts/agreements with, the federal government

Summary of Requirements
- Varies by contract, but every variant requires basic cybersecurity protections to be implemented
- The DFARS cyber rule (DFARS 252.204-7012) requires NIST SP 800-171
- The FAR Basic Safeguarding Rule (FAR 52.204-21) requires 17 basic controls drawn from NIST SP 800-171
- FISMA requires NIST SP 800-53

Types of Federal Information

CUI - Controlled Unclassified Information
Information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls, excluding information that is classified (see Executive Order 13556 and the CUI Registry).

CDI - Covered Defense Information
Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract (see DFARS 252.204-7012).

FCI - Federal Contract Information
Any information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided to the public (e.g., publicly accessible website data) or simple transactional data (e.g., billing or payment processing data).
Examples of Federal Information
- CUI: critical infrastructure, financial, and proprietary business information, among the categories in the CUI Registry
- CDI: unclassified controlled technical information, or other information described in the CUI Registry as requiring safeguarding (see DFARS 252.204-7012)
- FCI: any information that is NOT provided to the public or simple transactional data (see the Basic Safeguarding rule as published in the Federal Register)

FAR Case (CUI)

Data Covered
- Implements the National Archives and Records Administration (NARA) CUI program established by E.O. 13556
- As the executive agent designated to oversee the government-wide CUI program, NARA issued regulations in 2016 (32 CFR Part 2002) addressing agency policies for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI

Why Higher Ed?
- Extends the requirements of 32 CFR Part 2002 and NIST SP 800-171 to industry generally (i.e., beyond defense contractors) through a proposed FAR clause; the rule had not been finalized at the time of this presentation

Summary of Requirements
- Safeguarding requirements of 32 CFR Part 2002
- Two types of CUI (basic and specified), each with its own handling standards
- Non-federal information systems must implement NIST SP 800-171
DFARS 252.204-7012 (CDI)

Data Covered
- Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract

Why Higher Ed?
- Where the contractor handles CDI on its own systems, it must implement the safeguarding controls in NIST SP 800-171
- For systems operated on behalf of the government, see the specific contract guidance and, where applicable, DFARS 252.239-7010 (Cloud Computing Services)
- Any other services or systems (i.e., other than cloud computing) are subject to the security requirements specified in those contracts

Summary of Requirements
- Implement adequate cybersecurity safeguarding controls on all covered contractor information systems, following NIST SP 800-171
- Rapidly report cyber incidents affecting covered contractor information systems, or CDI residing on them, to the federal government
- A cyber incident is any action taken through the use of computer networks that results in a compromise of, or an actual or potentially adverse effect on, an information system and/or the information residing on it

FAR 52.204-21 (FCI)

Data Covered
- Effective June 2016; requires contractors to implement 15 safeguarding requirements and procedures, which map to 17 control requirements in NIST SP 800-171

Why Higher Ed?
- Establishes basic, minimal information system safeguarding standards that federal agencies are already required to follow internally and that most prudent businesses already follow as well
- Applies to covered contractor information systems owned or operated by contractors that process, store, or transmit FCI

Summary of Requirements
- The 17 controls from NIST SP 800-171
- The rule does not apply to sales of commercially available off-the-shelf (COTS) items; for example, contractors who are resellers of COTS items (e.g., printers, copiers) may not be affected
Federal Information Security Management Act (FISMA)

Data Covered
- Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets
- NIST is charged with developing the guidelines and control standards

Why Higher Ed?
- Applies to federal agencies and to contractors operating systems on behalf of the government
- Certain agencies now include FISMA requirements in federal grants and contracts, which brings higher education institutions into scope

Summary of Requirements
- The NIST control standards require documented evidence of control effectiveness

Who is Impacted?
- For subcontractors and suppliers, flow-down requirements apply
- Subcontractors are ultimately responsible for implementing the cybersecurity safeguarding controls needed for compliance
- Subcontractors will be held accountable for breaches if they have not implemented the required controls
- Prime contractors may be affected by breaches involving their subcontractors
- Prime contractors may proactively engage key subcontractors to understand their current security posture and assess the risk to their contracts
- Collaborative solutions are being implemented to capture information on subcontractors' cybersecurity safeguarding practices
Federal Data Protection Audit Tips
- Work with your general counsel or legal office on all privacy-related audits, assessments, and reviews, given the complex nature and variety of privacy and security laws and regulations
- Include privacy- and security-specific questions or criteria in the scope of all types of audits (e.g., financial, operations, IT)
- Be prepared to modify the scope of audits, because privacy and security reach into every area

Federal Data Protection Audit Tips (cont.)
During a privacy/security risk assessment or audit, Internal Audit should involve:
- General counsel or legal
- Compliance
- Information technology and security
- Human resources
- Admissions
- Financial aid
- Registrar
- Development/Advancement
- Clinic and counseling center
- Finance and accounting
- Dining services
- Athletics
Federal Data Protection Audit Tips (cont.)
- Perform an early-morning or late-night inspection of departments and offices (with the cooperation of police/public safety/security) to identify:
  - Unsecured physical records containing personal information (e.g., out on desks, left on printers/copiers)
  - Computer equipment that is not physically secured or screen-locked
- Review mobile device (e.g., smartphone, tablet, laptop) security configurations by working with technical experts in IT/security
- Review information security plans/programs against the legal requirements

Audit Templates for Research IT and Cybersecurity Controls
Example Control Questions to Ask
- What are all of the types of data that your lab collects, analyzes, and/or creates (e.g., human subjects data, health data, intellectual property, government-supplied data)?
- Does your lab have to manage any data under a data use agreement for any sponsored work?
- Does your lab have documented data management plans for any sponsored work?
- Does your lab manage any network security devices (e.g., firewalls) or their configurations?
- Does your lab maintain an up-to-date inventory of all hardware devices on the lab network?
- Does your lab maintain an up-to-date inventory of all authorized software required for any research purpose on any research system?

Example Control Questions to Ask (cont.)
- Does your lab prioritize (i.e., categorize) research data based on classification, criticality, and business value?
- Does your lab review existing user accounts and administrative privileges on computers, networks, and applications quarterly?
- Does your lab review the installed versions of system security agent software and regularly apply the most current security updates to devices in the lab?
- Does your lab manage the security configurations of devices in the lab (e.g., workstations, laptops, desktops, tablets, phones)?
- Does your lab use encryption on workstations (laptops, desktops, phones, tablets) and on hard drives in the lab?
- Does your lab manage and protect physical access to data and devices within the lab?
Example Control Questions to Ask (cont.)
- Does your lab use centrally managed anti-malware software to continuously monitor and defend each of the lab's workstations and servers?
- Does your lab ensure that all system data is automatically backed up on a regular basis?
- Does your lab maintain an inventory of all accounts, organized by authentication system?
- For all functional roles in the lab (prioritizing those mission-critical to the research and its security), are the necessary knowledge, skills, and abilities identified?
- Are all employees instructed to report any suspicious or unauthorized use of personal or research data in accordance with the University's policies and procedures?

Contact Information
- Mike Cullen, CISA, CISSP, CIPP/US, Senior Manager, Baker Tilly, mike.cullen@bakertilly.com
- Meghan Senseney, Senior Consultant, Baker Tilly, meghan.senseney@bakertilly.com
Questions?
ROADMAP TO DFARS COMPLIANCE ARE YOU READY FOR THE 12/31/17 DEADLINE? In our ebook, we have answered the most common questions we receive from companies preparing for DFARS compliance. Don t risk terminated
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationDFARS Defense Industrial Base Compliance Information
DFARS 252.204-7012 Defense Industrial Base Compliance Information Protecting Controlled Unclassified Information (CUI) Executive Order 13556 "Controlled Unclassified Information, November 2010 Established
More informationData Protection Policy
Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please
More informationPrivacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information
Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.
More informationGDPR: A QUICK OVERVIEW
GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance
More informationHow To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation
How To Establish A Compliance Program Richard E. Mackey, Jr. Vice president SystemExperts Corporation Agenda High level requirements A written program A sample structure Elements of the program Create
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationNIST Special Publication
NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Ryan Bonner Brightline WHAT IS INFORMATION SECURITY? Personnel Security
More informationData Protection Policy
Data Protection Policy Status: Released Page 2 of 7 Introduction Our Data Protection policy indicates that we are dedicated to and responsible of processing the information of our employees, customers,
More informationPS Mailing Services Ltd Data Protection Policy May 2018
PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect
More informationGeneral Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant
General Data Protection Regulation April 3, 2018 Sarah Ackerman, Managing Director Ross Patz, Consultant Introductions Sarah Ackerman, CISSP, CISA Managing Director, Cincinnati Responsible for overall
More informationPTLGateway Data Breach Policy
1 PTLGateway Data Breach Policy Last Updated Date: 02 March 2018 Data Breach Policy This page informs you of our policy which is to establish the goals and the vision for the breach response process. This
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationGramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationControlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner
Controlled Unclassified Information (CUI) and FISMA: an update May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner What is FISMA? Federal Information Security Modernization Act
More informationCompliance with NIST
Compliance with NIST 800-171 1 What is NIST? 2 Do I Need to Comply? Agenda 3 What Are the Requirements? 4 How Can I Determine If I Am Compliant? 5 Corserva s NIST Assessments What is NIST? NIST (National
More informationCYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA
CYBER SECURITY BRIEF Presented By: Curt Parkinson DCMA September 20, 2017 Agenda 2 DFARS 239.71 Updates Cybersecurity Contracting DFARS Clause 252.204-7001 DFARS Clause 252.239-7012 DFARS Clause 252.239-7010
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationISOO CUI Overview for ACSAC
ISOO CUI Overview for ACSAC Briefing Outline ISOO Overview Overview of the CUI Program CUI and IT Implementation CUI and NIST Standards and Guidelines NIST SP 800-171 CUI Approach for the Contractor Environment
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationData Protection Policy
Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationDo you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?
European Union (EU) General Data Protection Regulation (GDPR) Do you handle EU residents personal data? The GDPR update is coming May 25, 2018. Are you ready? What do you need to do? Governance and Accountability
More informationGeneral Data Protection Regulation Frequently Asked Questions (FAQ) General Questions
General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into
More informationPost-Secondary Institution Data-Security Overview and Requirements
Post-Secondary Institution Data-Security Overview and Tiina K.O. Rodrigue, EdDc, CISSP, CISM, PMP, CSM, CEA, ITIL, ISC2 Compliance Mapper, A+ Senior Advisor Cybersecurity - 2017 Agenda Who needs to worry
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationOutline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security
Outline Why protect CUI? Impacts to National Security Current Practices CUI Program & Existing Agency Practices Information Security Reform CUI Registry 32CFR2002 NIST SP 800-171 (Rev 1) Federal Acquisition
More informationClient Computing Security Standard (CCSS)
Client Computing Security Standard (CCSS) 1. Background The purpose of the Client Computing Security Standard (CCSS) is to (a) help protect each user s device from harm, (b) to protect other users devices
More informationOutline. Other Considerations Q & A. Physical Electronic
June 2018 Outline What is CUI? CUI Program Implementation of the CUI Program NIST SP 800-171A (Draft) Federal Acquisition Regulation update Basic and Specified CUI Marking Destruction Controlled Environments
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationUWTSD Group Data Protection Policy
UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful
More informationEU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?
EU GDPR and Email The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of the personal data of European Union (EU) citizens across all EU markets. It replaces existing
More informationHealthcare HIPAA and Cybersecurity Update
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Healthcare HIPAA and Cybersecurity Update Agenda > Introductions > Cybersecurity
More informationSafeguarding Unclassified Controlled Technical Information
Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039): The Challenges of New DFARS Requirements and Recommendations for Compliance Version 1 Authors: Justin Gercken, TSCP E.K.
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More informationa. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard
Kiosk Security Standard 1. Purpose This standard was created to set minimum requirements for generally shared devices that need to be easily accessible for faculty, staff, students, and the general public,
More informationPolicies & Regulations
Policies & Regulations Email Policy Number Effective Revised Review Responsible Division/Department: Administration and Finance / Office of the CIO/ Information Technology Services (ITS) New Policy Major
More informationBaker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Cybersecurity and HIPAA update Agenda Introductions Cybersecurity Overview
More informationCybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017
Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017 March 23, 2017 By Keir Bancroft By Louverture Jones Partner Senior Manager, Deloitte Advisory Venable LLP Deloitte & Touche
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationUNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017
UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017 I. Introduction Institutional information, research data, and information technology (IT) resources are critical assets
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationIMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates
IMPACT OF INTERNATIONAL PRIVACY REGULATIONS Michelle Caswell, Coalfire Julia Jacobson, K&L Gates Introduction to International Privacy Law General Data Protection Regulation 2 2018 HITRUST Alliance What
More informationIslam21c.com Data Protection and Privacy Policy
Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More information