Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel
|
|
- Britton Ellis
- 6 years ago
- Views:
Transcription
1 Presenting a live 90-minute webinar with interactive Q&A Integrating Information Security Protections In Supplier Agreements: Guidance for Business and Technology Counsel Evaluating Data Security Risks During Due Diligence, Negotiating Contractual Protections, Monitoring Supplier Performance TUESDAY, FEBRUARY 7, pm Eastern 12pm Central 11am Mountain 10am Pacific Today s faculty features: Matthew A. Karlyn, Partner, Foley & Lardner, Boston The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions ed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.
2 Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial and enter your PIN when prompted. Otherwise, please send us a chat or sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
3 Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you that you will receive immediately following the program. For additional information about continuing education, call us at ext. 35.
4 Program Materials FOR LIVE EVENT ONLY If you have not printed the conference materials for this program, please complete the following steps: Click on the ^ symbol next to Conference Materials in the middle of the lefthand column on your screen. Click on the tab labeled Handouts that appears, and there you will see a PDF of the slides for today's program. Double click on the PDF and a separate page will open. Print the slides by clicking on the printer icon.
5 Integrating Information Security Into the Supplier Contracting Process Matt Karlyn Partner Foley & Lardner (617) Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL
6 Overview Information security requires a unified approach Security policies Employee education Use of technology (e.g., firewalls, encryption, intrusion protection systems) Security audits Addressing security in contracts with business partners and other suppliers 6
7 Overview Security measures can be divided into three main categories Administrative: Policies and procedures Technical: Firewalls, intrusion detection systems, encryption Physical: Secure doors and facilities, video and other monitoring, security guards Many privacy and security laws are use this language 7
8 Types of Contracts and Relationships Any agreement where a third party will have access to the company s Network Facilities Data Confidential information including information about people as well as proprietary processes, etc. Access can be remote or physical 8
9 What are we Protecting? Confidential information Intellectual property Personally identifiable information 9
10 Why Protections are Important Protect valuable assets of the company Establish a due diligence process Protect business reputation Avoid public embarrassment Minimize potential liability Comply with laws 10
11 Three Step Approach to Incorporating Information Security in IT Contracting Step 1: Internal and vendor due diligence Step 2: Contractual protections Step 3: Information handling and security procedures and requirements, generally in the form of contract exhibits Common errors Failure to involve all relevant stakeholders in the process Failure to assess the unique requirements of the particular transaction Failure to maintain flexibility 11
12 Scaling of Security in IT Contracting Information security is a not an all or nothing proposition Protections (and the company s approach) must scale to meet the risk Fees (i.e., how much the company is paying) should not be part of the analysis Most data security laws are written in terms of scaling meaning they take into account things like The size, scope and type of business The resources available The amount and type of data stored The need for confidentiality and security 12
13 Scaling of Security Massachusetts Data Security Law: safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. 13
14 Step 1: Internal and Supplier Due Diligence 14
15 Initial Internal Due Diligence What is the mix of data sensitivity and criticality of service / product provided? HIGH RISK Mission critical processes Highly sensitive data MEDIUM RISK Generally available data High service levels required Non-confidential enterprise data LOW RISK Non-mission critical service or process Generally available data Can accept outages and variable performance 15
16 Vendor Due Diligence From the outset, vendors must be on notice that the information they provide as part of the company s information security due diligence will be (1) relied upon in making a vendor selection, and (2) part of the contract Make security part of RFP process (if you have one) To ensure proper documentation and uniformity in the due diligence process, companies should develop a vendor due diligence questionnaire 16
17 Questionnaire Key Areas Financial condition Insurance coverage Actions against the vendor (e.g., criminal convictions, litigation, regulatory enforcement actions, breaches of security, etc.) Location of services Offshore transmission of data Intended use of subcontractors Personnel security standards Information security policies Business continuity/disaster recovery requirements Data destruction procedures Physical security procedures Access controls Development and maintenance procedures Privacy policies 17
18 Initial Vendor Due Diligence Provides uniform framework for due diligence Ensures key areas are addressed Provides easy way to incorporate information into contract Educates vendors with respect to compliance expectations 18
19 Step 2: Contractual Protections 19
20 U.S. Regulatory Language Should be Treated as a Floor Including the HIPAA, GLB and other statutory / regulatory minimally required security language, without more, may not adequately protect companies In many cases, cannot solely rely on compliance with applicable laws requirements Even the more robust language provided in laws and regulations (e.g., HIPAA Security Rule, GLB Safeguards Rule) may not provide sufficient protection 20
21 Some Contract Protections are Not Optional Some security protections in vendor agreements are required by law GLB HIPAA/HITECH Massachusetts, California, etc. 21
22 One Size Does Not Fit All Important to maintain flexibility in the contracting process Develop library of alternative contractual protections to address common areas of disagreement between parties 22
23 Key Contractual Protections Confidentiality Draft broadly be sure to include all potential confidential information Marking requirements are generally disfavored and unworkable Ensure ongoing protection of trade secrets (i.e., no term with respect to the confidentiality of trade secrets) 23
24 Standard of Care for Confidentiality Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, but in no event less than reasonable care. Vendor shall treat Customer Confidential Information as strictly confidential and shall use the same care to prevent disclosure of such information as it uses with respect to its own most confidential or proprietary information, which shall not be less than the standard of care imposed by state and federal laws and regulations relating to the protection of such information and, in the absence of any legally imposed standard of care, the standard shall be that of a reasonable person under the circumstances. 24
25 Key Contractual Protections Warranties Compliance with best industry standard practices Compliance with state/federal law; privacy policy, etc. Use of subcontractors Limit; require approval; primary vendor remains responsible If subcontractor is providing critical functions (hosting, outsource provider) Greater need for due diligence Control over changes to subcontractors Ample notice of change Assistance in conducting diligence Termination right Consider use of subcontractor NDA Where appropriate include specific security requirements in additional to baseline confidentiality protections 25
26 Key Contractual Protections Personnel due diligence background checks and screening Control of personnel Removal, inspection, monitor Compliance with access requirements/security No removal of data Termination for failure to comply Indemnity protection from third party claims for breach of confidentiality or failure to comply with security obligations 26
27 Key Contractual Protections General Security Obligations Take all reasonable measures to secure and defend its systems and facilities from unauthorized access or intrusion Periodically test systems and facilities for vulnerabilities Immediate reporting of breaches Joint security audits Regulatory access and compliance Firewalls, antivirus, etc. Termination for compliance issues 27
28 Key Contractual Protections Exceptions to Limitation of Liability Breach of confidentiality, indemnification obligations, use of name, misappropriation of IP Security breach notification Notice from vendor Customer controls notice Allocation of costs Annual certification of compliance 28
29 Key Contractual Protections Security breach notification for PII Associated costs Ensure prompt notice from vendor of actual and potential breaches to ensure your ability to comply with applicable laws Control of notice Allocate responsibility for costs 29
30 Step 3:Information Handling Requirements 30
31 Information Handling Requirements Where appropriate, attach specific information handling requirements in an exhibit to the contract Securing PII Encryption Secure destruction of data Securing removable media 31
32 Negotiation Tips Raise security requirements from the outset, including liability expectations Educate the vendor about legal requirements that apply to your company Flexibility is required, but usually for only a narrow range of requirements Create alternatives to your required language Think about how to address common vendor arguments We cannot change the way we secure our systems for a single engagement Baseline security requirements prevent us from evolving security standards 32
33 Flexibility in Contracting Process Ongoing re-evaluation of contracting approach to reflect: Changes in laws Feedback from vendors Developing means to address vendor feedback can speed negotiations, lower costs and contribute to a more efficient contracting and procurement process Contracting is a dynamic process hire people who know how to procure goods and services efficiently! 33
34 Case 1: Information is Generally Available and Service/Application is Low Risk Commonly working from vendor forms where negotiation is impossible or limited Difficult to impose company s privacy and security requirements on the vendor Thoroughly review vendor s privacy and security practices and determine gaps with company s practices Vendors typically maintain right to alter privacy and security practices from time-to-time attach policies to contract as of the effective date and ensure future revisions to not diminish obligations Be prepared to agree to vendor s privacy and security practices 34
35 Case 2: Highly Sensitive Data is Used/Processed as Part of Mission Critical Application Due diligence effort is critical Ensure that vendors understand that security requirements will be a critical part of the transaction and the company is unlikely to rely solely on the vendor s practices Frequently (always?) appropriate to impose the company s security practices on the vendor Frequent compliance audits mandatory Contractual protections extensive 35
36 Case 3: Data Somewhat Sensitive and Used/Processed as Part of an Important Service or Application The most difficult cases often requires flexibility and creativity Perform gap analysis between vendor security practices and company s security requirements Consider creating an addendum to the vendor practices to fill gaps Consider contractual protections, but be flexible in approach work with vendor to create correct solution 36
37 Post Execution Ensure process includes an ongoing policing of vendor performance and compliance Develop means to address vendor feedback, accommodate and adapt to changes Anticipate that contracting is a dynamic process 37
38 A Guide to IT Contracting: Checklists, Tools, and Techniques 38
39 Questions? Matt Karlyn Partner Foley & Lardner LLP (617)
Barbara J. Grahn, Partner, Fox Rothschild, Minneapolis Roberto Kunz-Hallstein, Partner, Dr. Kunz-Hallstein Rechtsanwälte, Munich, Germany
Presenting a live 90-minute webinar with interactive Q&A Madrid Protocol: Obtaining and Maintaining International Trademark Protection Filing Procedure, Deficiency Notices, Subsequent Designations, Application
More informationDistracted Driving Accident Claims Involving Mobile Devices Special Considerations and New Frontiers in Legal Liability
Presenting a live 90-minute webinar with interactive Q&A Distracted Driving Accident Claims Involving Mobile Devices Special Considerations and New Frontiers in Legal Liability WEDNESDAY, AUGUST 1, 2012
More informationConsiderations for Building Owners Best Practices for Drafting and Negotiating Lease Agreements for Telecom Equipment
Presenting a live 90 minute webinar with interactive Q&A Rooftop Leases: Legal and Business Considerations for Building Owners Best Practices for Drafting and Negotiating Lease Agreements for Telecom Equipment
More informationCloud Computing in Healthcare: HIPAA and State Law Challenges
Presenting a 90-Minute Encore Presentation of the Teleconference with Email Q&A Cloud Computing in Healthcare: HIPAA and State Law Challenges Navigating Privacy and Security Risks THURSDAY, JULY 19, 2012
More informationProtecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014
Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014 2014, Mika Meyers Beckett & Jones PLC All Rights Reserved Presented
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationNYDFS Cybersecurity Regulations
SPEAKERS NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com www.huntonprivacyblog.com March 9, 2017 The Privacy Team at Hunton & Williams Over 30 privacy
More informationUSER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.
These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection
More informationPerforming a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH
Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH 1 Speaker Bio Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas &
More informationCloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015
Cloud Computing Standard Effective Date: July 28, 2015 1.1 INTRODUCTION Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually
More informationPrivacy Policy Effective May 25 th 2018
Privacy Policy Effective May 25 th 2018 1. General Information 1.1 This policy ( Privacy Policy ) explains what information Safety Management Systems, 2. Scope Inc. and its subsidiaries ( SMS ), it s brand
More informationISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006
ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationRed Flags/Identity Theft Prevention Policy: Purpose
Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and
More informationEU GDPR & ISO Integrated Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-iso integrated-documentation-toolkit
EU GDPR & https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit Note: The documentation should preferably be implemented in the order in which it is listed here. The order
More informationKeys to a more secure data environment
Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting
More informationLearning Management System - Privacy Policy
We recognize that visitors to our Learning Management System (LMS) may be concerned about what happens to information they provide when they make use of the system. We also recognize that education and
More informationHIPAA Privacy, Security and Breach Notification
HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationNY DFS Cybersecurity Regulations August 8, 2017
NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter
More informationHPE DATA PRIVACY AND SECURITY
ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More informationTop Five Privacy and Data Security Issues for Nonprofit Organizations
Top Five Privacy and Data Security Issues for Nonprofit Organizations Julia K. Tama, Esq. Jeffrey S. Tenenbaum, Esq. Association of Corporate Counsel Nonprofit Organizations Committee Legal Quick Hit MAY
More informationOpen Data Policy City of Irving
Open Data Policy City of Irving 1. PURPOSE: The City of Irving is committed to fostering open, transparent, and accessible city government, and recognizes that by sharing data freely, the city will generate
More informationData Processing Agreement
In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationTerms of Use. Changes. General Use.
Terms of Use THESE TERMS AND CONDITIONS (THE TERMS ) ARE A LEGAL CONTRACT BETWEEN YOU AND SPIN TRANSFER TECHNOLOGIES ( SPIN TRANSFER TECHNOLOGIES, STT, WE OR US ). THE TERMS EXPLAIN HOW YOU ARE PERMITTED
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationProtecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationKey Customer Issues to Consider Before Entering into a Cloud Services Arrangement
Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement Law Seminars International December 9, 2014 Peter J. Kinsella 303/291-2328 The information provided in this presentation
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationBuilding Information Modeling and Digital Data Exhibit
Document E203 2013 Building Information Modeling and Digital Data Exhibit This Exhibit dated the day of in the year is incorporated into the agreement (the Agreement ) between the Parties for the following
More informationAuditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC
Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements
More informationencrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?
Data Privacy According to statistics provided by the Data Breach Level Index, hackers and thieves are stealing more than 227,000 personal records per hour as of 2017, generally targeting customer information
More informationData Use and Reciprocal Support Agreement (DURSA) Overview
Data Use and Reciprocal Support Agreement (DURSA) Overview 1 Steve Gravely, Troutman Sanders LLP Jennifer Rosas, ehealth Exchange Director January 12, 2017 Introduction Steve Gravely Partner and Healthcare
More informationAutomotive Privacy. A discussion of privacy and security legal compliance for the automotive industry
Automotive Privacy A discussion of privacy and security legal compliance for the automotive industry 2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationGeneral Data Protection Regulation Frequently Asked Questions (FAQ) General Questions
General Data Protection Regulation Frequently Asked Questions (FAQ) This document addresses some of the frequently asked questions regarding the General Data Protection Regulation (GDPR), which goes into
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationGDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd
GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document
More informationGuide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com
: HIPPA Compliance GoToMyPC Corporate HIPAA Compliance Privacy, productivity and remote access 2 The healthcare industry has benefited greatly from the ability to use remote access to view patient data
More informationUse of data processor (external business unit)
Published with the support of: Code of conduct for information security www.normen.no Use of data processor (external business unit) Supporting document Fact sheet no 10 Version: 4.0 Date: 12 Feb 2015
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationAccess to University Data Policy
UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public
More informationRegulation P & GLBA Training
Regulation P & GLBA Training Overview Regulation P governs the treatment of nonpublic personal information about consumers by the financial institution. (Gramm-Leach-Bliley Act of 1999) The GLBA is composed
More informationEU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS
EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS 18 May 2014 Monica Salgado Portuguese Laywer (Advogada) / Registered European Lawyer Janine Regan Solicitor Monica Salgado Monica is a Portuguese qualified
More informationSCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E
EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS 18 May 2014 Monica Salgado Portuguese Laywer (Advogada) / Registered European Lawyer Janine Regan Solicitor Monica Salgado Monica is a Portuguese qualified
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationApex Information Security Policy
Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationLakeshore Technical College Official Policy
Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director
More informationANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW
ANATOMY OF A DATA BREACH: DEVELOPMENTS IN DATA SECURITY AND CLOUD COMPUTING LAW Janis Kestenbaum (Federal Trade Commission) John O Tuel (GlaxoSmithKline) Alfred Saikali (Shook Hardy & Bacon) Christopher
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationFritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice The Stonhard Group" Notice Whose Personal Data do we collect?
Fritztile is a brand of The Stonhard Group THE STONHARD GROUP Privacy Notice For the purposes of applicable data protection and privacy laws, The Stonhard Group, a division of Stoncor Group, Inc. ( The
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014
Federal Energy Regulatory Commission Order No. 791 June 2, 2014 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently proposed
More informationBaseline Information Security and Privacy Requirements for Suppliers
Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationPRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018
Effective Date: July 2, 2018 PRIVACY COMMITMENT Protecting your privacy is very important to Prosci and this privacy policy is our way of providing you with details about the types of information we collect
More informationAnother Cook in the Kitchen: The New FAR Rule on Cybersecurity
Another Cook in the Kitchen: The New FAR Rule on Cybersecurity Breakout Session #: F13 Erin B. Sheppard, Partner, Dentons US LLP Michael J. McGuinn, Counsel, Dentons US LLP Date: Tuesday, July 26 Time:
More informationCyber Security Law --- Are you ready?
Cyber Security Law --- Are you ready? Xun Yang Of Counsel, Commercial IP and Technology 9 May 2017 1 / B_LIVE_APAC1:2207856v1 Content Overview of Cyber Security Law Legislative Development Key Issues in
More informationOverview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018
Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018 Agenda Principal Obligations Under GDPR Key U.S. Privacy & Cybersecurity Laws E.U.
More informationDeMystifying Data Breaches and Information Security Compliance
May 22-25, 2016 Los Angeles Convention Center Los Angeles, California DeMystifying Data Breaches and Information Security Compliance Presented by James Harrison OM32 5/25/2016 3:00 PM - 4:15 PM The handouts
More informationEXHIBIT A. - HIPAA Security Assessment Template -
Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,
More informationPCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1
PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman
More informationMark Your Calendars: NY Cybersecurity Regulations to Go into Effect
Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationHIPAA Audits and the New Audit Protocol
Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern
More informationIntegrating HIPAA into Your Managed Care Compliance Program
Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington,
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationConsideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015
Federal Energy Regulatory Commission Order No. 791 January 23, 2015 67 and 76 67. For the reasons discussed below, the Commission concludes that the identify, assess, and correct language, as currently
More informationGramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.
Gramm Leach Bliley Act 15 U.S.C. 6801-6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 11/30/2016 1 Objectives for GLBA Training GLBA Overview Safeguards Rule
More informationUse of data processor (external business unit)
Published with the support of: Code of conduct for information security www.normen.no Use of data processor (external business unit) Supporting document Fact sheet no 10 Version: 3.0 Date: 15 Dec 2010
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationGDPR compliance: some basics & practical to do list
GDPR compliance: some basics & practical to do list Philippe LAURENT independent full service business law firm located in Brussels May 2017 Personal data processing = any operation or set of operations
More informationPRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology
PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology 24 October 2017 Content Overview of Cyber Security Law Observations on Implementation of Cyber
More informationDFARS Cyber Rule Considerations For Contractors In 2018
Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com DFARS Cyber Rule Considerations For Contractors
More informationThroughout this Data Use Notice, we use plain English summaries which are intended to give you guidance about what each section is about.
By visiting and using The Training Hub and associated companies and affiliate s websites, mobile sites, and/or applications (together, the Site ), registering to use our services offered through the Site,
More informationMotorola Mobility Binding Corporate Rules (BCRs)
Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationLegal notice and Privacy policy
Legal notice and Privacy policy We appreciate your interest in us. Below you will find information of legal relevance when visiting this website. In addition, you will find our Privacy Policy, which explains
More informationSecurity Policies and Procedures Principles and Practices
Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability
More informationCyber Security in M&A. Joshua Stone, CIA, CFE, CISA
Cyber Security in M&A Joshua Stone, CIA, CFE, CISA Agenda About Whitley Penn, LLP The Threat Landscape Changed Cybersecurity Due Diligence Privacy Practices Cybersecurity Practices Costs of a Data Breach
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationEXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices
Multifamily and Cybersecurity: The Threat Landscape and Best Practices By CHRISTOPHER G. CWALINA, ESQ., KAYLEE A. COX, ESQ. and THOMAS H. BENTZ, JR., ESQ. HOLLAND & KNIGHT Overview Cyber policy is critical
More informationFerrous Metal Transfer Privacy Policy
Updated: March 13, 2018 Ferrous Metal Transfer Privacy Policy Ferrous Metal Transfer s Commitment to Privacy Ferrous Metal Transfer Co. ( FMT, we, our, and us ) respects your concerns about privacy, and
More informationChecklist According to ISO IEC 17065:2012 for bodies certifying products, process and services
Name of Certifying Body Address of Certifying Body Case number Date of assessment With several locations Yes No Assessed locations: (Name)/Address: (Name)/Address: (Name)/Address: Assessed area (technical
More informationHow to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016
How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are
More informationMade In Hackney Data Protection Policy Last Updated:
Made In Hackney Data Protection Policy Last Updated: 16.05.2018 Definitions Charity GDPR Responsible Person Register of Systems Made In Hackney (MIH), a registered charity. means the General Data Protection
More information