Plan Development Getting from Principles to Paper
|
|
- Natalie Marsh
- 8 years ago
- Views:
Transcription
1 Plan Development Getting from Principles to Paper March 22, 2015 Table of Contents / Agenda Goals of the workshop Overview of relevant standards Industry standards Government regulations Company standards Mapping standards to plan outline Document Control Document control principles Template development Development of different plan types Incident Management Business Continuity Disaster Recovery (data center) Application Recovery Technology Recovery Disaster Recovery Exercise Small Groups plan review and critique Conclusion 2
2 Goals of the Workshop Present an overview of the factors and requirements that shape plan development Give examples of plan development based on these requirements Allow participants to review and critique these examples based on their needs and experience 3 Two Types of Plan Factors External Requirements Factors outside of the plan that determine what will guide, direct, limit its content Regulatory requirements Audit Corporate policy Internal Usability Factors that shape the usefulness of the plan for those reading it Order of content Length Verbiage (or lack of it) Optional content 4
3 Regulations, Policies, and Standards: International Organization for Standardization (ISO) ISO/IEC 2011 All rights reserved 5 Regulations, Policies, and Standards: International Organization for Standardization (ISO) ISO Societal security Business Continuity Management Systems Requirements Supersedes BS 25999, which was withdrawn in 2012 A generic business continuity management standard that can be used by any organization, or any part of an organization, no matter what size it is or what it does However, exactly how you apply ISO is up to you and will depend on your organization's unique business continuity needs and obligations and the particular expectations and requirements of interested parties Plan-Do-Check-Act (PDCA) is an iterative four-step management method outlined in ISO and organized as follows: 1. PLAN - Parts 4, 5, 6, and 7 expect you to plan the establishment of your organization's BCMS. 2. DO - Part 8 expects you to establish your BCMS 3. CHECK - Part 9 expects you to evaluate your BCMS 4. ACT - Part 10 expects you to improve your BCMS. 6
4 Regulations, Policies, and Standards: International Organization for Standardization (ISO) ISO Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity ISO/IEC provides guidance on the concepts and principles behind the role of information and communications technology in ensuring business continuity. The Standard: Suggests a structure or framework (actually a set of methods and processes) for any organization private, governmental, and non-governmental; Identifies and specifies all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization s ISMS, helping to ensure business continuity; Enables an organization to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner. 7 Regulations, Policies, and Standards: International Organization for Standardization (ISO) ISO Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity Plan-Do-Check-Act (PDCA) is an iterative four-step management method outlined in ISO PLAN. Establish a Disaster Recovery Business Continuity policy with objectives, metrics, and processes relevant to managing risk and improving the enterprise's Information and Communication Technology ability and readiness to operate at the level defined within the parameters of the enterprise's overall disaster recovery and business continuity objectives. 2. DO. Implement and operate the Disaster Recovery and Business Continuity policies, procedures, controls, and processes. 3. CHECK. Assess and monitor the performance metrics as defined within the Disaster Recovery and Business Continuity policy metrics and communicate the results to the management of the enterprise. This process can be done via an audit, a test of the plan, or an actual execution of the plan via a post event analysis session. 4. ACT. Modify the Disaster Recovery and Business Continuity policies, procedures, and metrics based on the "Check" (audit, test, or execution of the plan) in order to improve the Disaster Recovery and Business Continuity Policy 8
5 Regulations, Policies, and Standards: Federal Financial Institutions Examination Council (FFIEC) In summary, the following factors represent critical aspects of an effective business continuity planning process: The effectiveness of business continuity planning depends upon the involvement of the board and senior management; Business continuity planning involves a continuous, process-oriented approach that includes a BIA, a risk assessment, risk management, and risk monitoring and testing; A thorough BIA and risk assessment should form the foundation of a comprehensive BCP; The BCP and testing program should be developed on an enterprise-wide basis; The effectiveness of the BCP should be validated through annual, or more frequent, testing; The BCP and test program should be thoroughly documented, evaluated by institution management, independently reviewed by an internal and/or external audit function, and reported to the board; The BCP and test program should be updated to reflect and respond to changes in the institution and gaps identified during continuity testing; and In addition to the BCP, other financial institution policies, standards, and processes should be integrated into the business continuity planning process. 9 Regulations, Policies, and Standards: National Fire Protection Association (NFPA) NFPA National Fire Protection Association (NFPA) Standard on Disaster/Emergency Management and Business Continuity Programs (NFPA 1600). The NFPA 1600 standard is a description of the basic criteria for a comprehensive program that addresses disaster recovery, emergency management, and business continuity. NFPA 1600 is considered by many to be an excellent benchmark for continuity and emergency planners in both the public and private sectors. The standard addresses methodologies for defining and identifying risks and vulnerabilities and provides planning guidelines that address stabilizing the restoration of the physical infrastructure, protecting the health and safety of personnel, and crisis communications procedures. This standard shall establish a common set of criteria for all hazards disaster/emergency management and business continuity programs, hereinafter referred to as the program. This standard provides the fundamental criteria to develop, implement, assess, and maintain the program for prevention, mitigation, preparedness, response, continuity, and recovery. 10
6 Regulations, Policies, and Standards: Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy Rule - is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. Compliance with the standards was required as of April 14, 2003 for most entities covered by HIPAA. On that date, Office for Civil Rights (OCR) began accepting complaints involving the privacy of personal health information in the health care system. HIPAA Security Rule - establishes national standards for the security of electronic protected health information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, This final rule specifies a series of administrative, technical, and physical security safeguards for covered entities to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. Compliance with the standards was required as of April 20, 2005, for most entities covered by HIPAA. The authority to administer and enforce the Security Rule was transferred to OCR on July 27, HIPAA Breach Notification Rule - requires covered entities and their business associates to notify the Secretary, individuals, and in some cases, the media, regarding breaches of unsecured protected health information. Compliance with the standards was required as of September 23, Regulations, Policies, and Standards: Health Insurance Portability and Accountability Act (HIPAA) HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know that he/she violated HIPAA and by exercising reasonable diligence, would not have known. $100 per violation, with an annual maximum of $25,000 for repeat violations. Note: This is the maximum penalty that can be imposed by the State Attorney General regardless of the violation. $50,000 per violation, with an annual maximum of $1.5 million. HIPAA violation due to reasonable cause and not due to willful neglect. $1,000 per violation, with an annual maximum of $100,000 for repeat violations. $50,000 per violation, with an annual maximum of $1.5 million. HIPAA violation due to willfull neglect but violation is corrected within the required time period. $10,000 per violation, with an annual maximum of $250,000 for repeat violations. $50,000 per violation, with an annual maximum of $1.5 million. HIPAA violation due to willful neglect and is not corrected. $50,000 per violation, with an annual maximum of $1.5 million. $50,000 per violation, with an annual maximum of $1.5 million 12
7 Regulations, Policies, and Standards: National Institute of Standards and Technology (NIST) NIST Contingency Planning Guide for Federal Information Systems NIST s Information Technology Laboratory has published a recommended guidance document on contingency planning for federal departments and agencies. (Industry will find the recommendations valuable as well.) NIST Special Publication (SP) , Contingency Planning Guide for Information Technology Systems provides instructions, recommendations, and considerations for government IT contingency planning NIST SP provides guidance to individuals responsible for preparing and maintaining contingency plans. The guide discusses essential contingency plan elements and processes, highlights specific considerations and concerns associated with contingency planning for various types of IT systems, and provides examples to assist readers in developing their own IT contingency plans. 13 Regulations, Policies, and Standards: Company Policy What is your industry? What external standards are referenced? Business Continuity Disaster Recovery Incident Management 14
8 Regulations, Policies, and Standards: Standards Comparison 15 Regulations, Policies, and Standards: Internal Company Policy (cont d) What is required? Business Continuity Plan Application Disaster Recovery Plan Technology Disaster Recovery Plan Incident Management Plan Data Center Disaster Recovery Plan 3 rd Party Vendor (Off-site) Exercise Plan Exercise Report What is measurable? Exercises (types) Applications and Systems Communications Plans Number of; last reviewed or updated What is reportable? Management requirements from Policy 16
9 Regulations, Policies, and Standards: Internal Company Policy (cont d) What is a Policy? A statement of the philosophy, rules, and expectations of the organization Long-term in nature Relatively static Supported and interpreted by more detailed standards, guidelines, and procedures What is a Standard? A mandatory requirement that supports the policy and defines an acceptable level of control along with measurable compliance criteria For Example AIG s policy and standard for a Business Impact Analysis Policy: AIG Business Units are responsible for completing and maintaining a Business Impact Analysis Standard: AIG Business Units are responsible for developing a BIA for all functions/processes which at a minimum identifies: An overview of the overall business purpose A listing of business functions/processes Function/Process location (use multiple line, using the same function/process number) if the function/process is conducted in multiple locations. A summary of potential operational and financial impacts over time 17 Regulations, Policies, and Standards: Internal Company Policy (cont d) For Example - AIG policy and standard for a Business Continuity Plan Policy: AIG Business Units are responsible for completing and maintaining a Business Continuity Plan The BCP identifies the recovery strategy, actions, and activities required to recover business operations during any given operational disruption. Standard: AIG Business Units are responsible to document a BCP aligned to the RA and BIA which must include: Executive Summary Overview of BCP Recovery assumptions RTO for each function/process Staff recovery requirements Key recovery strategy 18
10 Mapping Standards: A Sample Mapping of Standards Requirements to Plan Content 19 Documentation Development and Control: Part 1: Documentation Control Methodology 1. Separate template section (preferably at the beginning of the document) Template information and history Template approval Instructions for completing the template 2. Only approved versions are published/implemented 3. Version numbers 4. Revision history detailed list of changes in each revision 5. Signoff 6. Header, footer, page numbers (content and location of fields should be defined) Good to have! 7. Document title = (Document purpose or subject) + (Applicable entity) or (Applicable entity) + (Document purpose or subject) Order of title may be determined by how documents are to be sorted or stored E.g., AIG Order Processing Application Recovery Plan 8. Filename = (Document title) + (Version number) 9. Version numbering: whole numbers (e.g., 2.00) for approved, published versions; decimals (e.g., 2.03) for intermediate revisions, drafts, etc. 10. Consistent use of effective date : always mm/dd/yyyy format, always linked to current official document version. 20
11 Documentation Development and Control: Part 2: Document Development Methodology Begin by using the agreed-upon document control methodology Identify the drivers of required content and what they require What do the applicable regulations/standards/policies require Consider a content/requirement mapping spreadsheet Determine the order of content More important information at the beginning More detailed explanations later on (e.g., listing of applications vs. application descriptions) Populate the main body of the document with relatively static information Restrict dynamic information primarily to the appendices (team rosters, etc.) Restrict dynamic information to as few sections as possible Use titles and positions in the document rather than individual names Restrict names and contact information to a minimal number of predefined sections Work to keep plans as concise as possible These ideas are helpful! Avoid maps, detailed navigation instructions Provide links where useful Burden of proof is on inclusion, not exclusion Consider a glossary of terms as the final appendix (especially company-specific acronyms) 21 Template Development: Template Section 1 22
12 Template Development: Template Section 2 23 Template Development: Incident Management Plan TOC 24
13 Template Development: Business Continuity Plan TOC 25 Template Development: Disaster Recovery Plan TOC 26
14 Template Development: Technical Recovery Plan TOC 27 Template Development: Application Recovery Plan TOC 28
15 Template Development: Disaster Recovery Exercise Plan TOC 29 Template Development: Sample Appendix for Contact Information 30
16 Template Development: Sample Appendix for Forms and Reporting 31 Template Development: Glossary 32
17 Template Development: Additional Considerations If working with a pre-existing plan, work backward to create a template and documentation standards If using a BC/DR software tool, build a template as a sample plan with a model table of contents Copy the template to form the beginning of a new plan As necessary, create separate TOCs for the template and individual plans that are based on it Use documents for static text and diagrams Use reports for appendices or tables with dynamic information (team listings, contact information, etc.) Regardless of the source of the finished template or plan (BC software, Word, etc.), always proofread and QA the final version 33 Summary of Major Steps in Getting from Principles to Paper Identify the drivers of required content and what they require Legal/regulatory Industry standards Company policy Define a methodology for documentation development and maintenance Identify the types of plans needed Develop a template for each plan type Disseminate and populate the templates Adhere to document management principles and a regular maintenance schedule 34
18 Putting the Work in Workshop : Your Turn Template Evaluation and Critique Each table will get a sample template and a critique worksheet; multiple groups will have the same template Review the template as a group and document your review What would you change about the order of the content? What would you delete from the template? What would you add to the template? We will go around the room and have each group summarize its review 35 Conclusion 36
19 Contact Information David Greb, BCM/Compliance Team Manager Work Phone: Andrew Collins, BCM/Compliance Project Manager Work Phone: Shawn Dennis, BCM/Compliance Project Manager Work Phone:
Assessing Your Disaster. Andrews Hooper Pavlik PLC. Andrews Hooper Pavlik PLC
Assessing Your Disaster Recovery Plans Gregory H. Soule, CPA, CISA, CISSP, CFE Andrews Hooper Pavlik PLC Andrews Hooper Pavlik PLC Agenda Business Continuity Concepts Impact Analysis Risk Assessment Risk
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationNIST SP 800-34, Revision 1 Contingency Planning Guide for Federal Information Systems
NIST SP 800-34, Revision 1 Contingency Planning Guide for Federal Information Systems Marianne Swanson NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Table Of Contents Introduction to NIST SP 800-34
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationInstitute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY 14304-1745
ECP - 601: Effective Business Continuity Management: ISO 22301 This 3-day course provides an intensive, hands-on workshop covering all major aspects for the design of an effective Business Continuity Plan
More informationwww.td.com.au Business Continuity - IT Disaster Recovery Discussion Paper - - Commercial in Confidence Version V2.0R Wednesday, 5 September 2012
Business Continuity - IT Disaster Recovery Discussion Paper - - Version V2.0R Wednesday, 5 September 2012 Commercial in Confidence Melbourne Sydney 79-81 Coppin St Level 2 Richmond VIC 3121 414 Kent St
More informationBusiness Continuity Standards A Primer
INTELLIGENT NOTIFICATION Alphabet Soup: Making Sense of BC/DR Standards Part 1: Business Continuity Standards A Primer Why all the attention now? One of the hottest topics in BC/DR these days is standards.
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationBusiness Continuity Plan
Business Continuity Plan October 2007 Agenda Business continuity plan definition Evolution of the business continuity plan Business continuity plan life cycle FFIEC & Business continuity plan Questions
More informationHIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.
HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationBusiness Continuity Policy
Business Continuity Policy 1 NHS England INFORMATION READER BOX Directorate Medical Commissioning Operations Patients and Information Nursing Trans. & Corp. Ops. Commissioning Strategy Finance Publications
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationUniversity of Glasgow. Policy for. Business Continuity Management
University of Glasgow Policy for Business Continuity Management 1 Policy Statement The University of Glasgow is committed to delivering the highest possible quality of service to our students, and the
More informationBest Practices in Disaster Recovery Planning and Testing
Best Practices in Disaster Recovery Planning and Testing axcient.com 2015. Axcient, Inc. All Rights Reserved. 1 Best Practices in Disaster Recovery Planning and Testing Disaster Recovery plans are widely
More informationDeveloping HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant
Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationBusiness Continuity Management Planning Methodology
, pp.9-16 http://dx.doi.org/10.14257/ijdrbc.2015.6.02 Business Continuity Management Planning Methodology Dr. Goh Moh Heng, Ph.D., BCCLA, BCCE, CMCE, CCCE, DRCE President, BCM Institute moh_heng@bcm-institute.org
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationBUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION
BUSINESS CONTINUITY: BEST PRACTICE, 2ND EDITION EXCERPT FROM THE FOREWORD TO THE 2ND EDITION The events of 9/11 have cast a long shadow over the world and led to a vital reappraisal of Enterprise Risk
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationTemple university. Auditing a business continuity management BCM. November, 2015
Temple university Auditing a business continuity management BCM November, 2015 Auditing BCM Agenda 1. Introduction 2. Definitions 3. Standards 4. BCM key elements IT Governance class - IT audit program
More informationBusiness Continuity Management
Business Continuity Management Standard Operating Procedure Notice: This document has been made available through the Police Service of Scotland Freedom of Information Publication Scheme. It should not
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationHIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
More informationBy: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015
Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationBusiness Continuity Management Policy
Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3
More informationBusiness Continuity Policy and Business Continuity Management System
Business Continuity Policy and Business Continuity Management System Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More information(Instructor-led; 2 Days)
Protecting Your Revenues: A Risk Management Approach to Business Continuity Planning (Instructor-led; 2 Days) Module I. Project Initiation and Management A. DRII/BCI Project initiation and control B. Business
More informationNHS Hardwick Clinical Commissioning Group. Business Continuity Policy
NHS Hardwick Clinical Commissioning Group Business Continuity Policy Version Date: 26 January 2016 Version Number: 2.0 Status: Approved Next Revision Due: January 2017 Gordon Stevens MBCI Corporate Assurance
More informationContingency Plan for HIPAA
TEMPLATE SUITE FOR BUSINESS CONTINUITY PLAN FOR SMALL BUSINESS (LESS THAN 50 EMPLOYEES) INCLUDES Total Cost: $549 Business Impact Analysis Enterprise Business Impact Analysis Survey Short (15 pages) Example
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationThe Role of Internal Audit In Business Continuity Planning
The Role of Internal Audit In Business Continuity Planning Dan Bailey, MBCP Page 0 Introduction Dan Bailey, MBCP Senior Manager Protiviti Inc. dan.bailey@protiviti.com Actively involved in the Information
More informationDeliverable: D2.2: Desktop Study Contingency Planning Methodologies and Business Continuity Version: 1.0 Seventh Framework Programme Theme
Deliverable: D2.2: Desktop Study Contingency Planning Methodologies and Business Continuity Version: 1.0 Seventh Framework Programme Theme ICT-SEC-2007-7.0-01 Project Acronym: EURACOM Project Full Title:
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationAN OVERVIEW OF INFORMATION SECURITY STANDARDS
AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationMoving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide
Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the
More informationVendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
More informationwww.pwc.com Business Resiliency Business Continuity Management - January 14, 2014
www.pwc.com Business Resiliency Business Continuity Management - January 14, 2014 Agenda Key Definitions Risks Business Continuity Management Program BCM Capability Assessment Process BCM Value Proposition
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationHIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help
HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,
More informationImplications of HIPAA Requirements on Healthcare Payment Processing
Implications of HIPAA Requirements on Healthcare Payment Processing Linda M Wolverton Vice President, Compliance, TEAMHealth Lynne Pearson Vice President, National Healthcare Treasury Management Fifth
More informationSample Business Associate Agreement Provisions
Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationBusiness Associates and HIPAA
Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business
More informationAn Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Joan Hash, Pauline Bowen, Arnold Johnson, Carla
More informationSECURETexas Health Information Privacy & Security Certification Program FAQs
What is the relationship between the Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST)? The THSA and HITRUST have partnered to help improve the protection of healthcare
More informationMeasuring Continuity Planning Program. Performance
Measuring Continuity Planning Program Performance Carl B Jackson Director Crisis Management & Continuity Planning Resource Center (CMCPRC) Measuring Continuity Planning Program Performance Session Agenda
More informationHow to Plan for Disaster Recovery and Business Continuity
A TAMP Systems White Paper TAMP Systems 1-516-623-2038 www.drsbytamp.com How to Plan for Disaster Recovery and Business Continuity By Tom Abruzzo, President and CEO Contents Introduction 1 Definitions
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationFrequency Asked Questions Information Security Management System (ISMS) Standards Version 3.0 May 2005
Frequency Asked Questions Information Security Management System (ISMS) Standards Version 3.0 May 2005 The following are a set of frequently asked questions that relate to new developments regarding ISO/IEC
More informationOCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
More informationSTATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
More informationBy. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd
BS 25999 Business Continuity Management By. Mr. Chomnaphas Tangsook Business Director BSI Group ( Thailand) Co., Ltd 1 Contents slide BSI British Standards 2006 BS 25999(Business Continuity) 2002 BS 15000
More informationJoe Dylewski President, ATMP Solutions
Joe Dylewski President, ATMP Solutions Joe Dylewski President, ATMP Solutions Assistant Professor, Madonna University 20 Years, Technology and Application Implementation Experience Served as Michigan Healthcare
More informationBusiness Continuity and Disaster Recovery Policy
Maine State Government Dept. of Administrative & Financial Services Office of Information Technology (OIT) Business Continuity and Disaster Recovery Policy I. Statement The Office of Information Technology
More information2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP
2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level Tracy L. Hall, MBCP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C.
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More information1.0 Policy Statement / Intentions (FOIA - Open)
Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies
More informationBusiness Continuity (Policy & Procedure)
Business Continuity (Policy & Procedure) Publication Scheme Y/N Can be published on Force Website Department of Origin Force Operations Policy Holder Ch Supt Head of Force Ops Author Business Continuity
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationVendor Management Panel Discussion. Managing 3 rd Party Risk
Vendor Management Panel Discussion Managing 3 rd Party Risk Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately
More informationContinuity of operations for critical infrastructure. Disclosure of critical information to the government.
Regulatory compliance is a significant factor influencing the development of your business resilience strategy. Moreover, while Business Continuity or Disaster Recovery regulations may not apply in every
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationAre You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com
Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com Mahmood Sher-Jan VP of Product Management mahmood.sher-jan@idexpertscorp.com Chris Apgar
More informationBCP and DR. P K Patel AGM, MoF
BCP and DR P K Patel AGM, MoF Key difference between BS 25999 and ISO 22301 ISO 22301 puts a much greater emphasis on setting the objectives, monitoring performance and metrics aligning BC to top management
More informationARRA HITECH Stimulus HIPAA Security Compliance Reporter. White Paper
ARRA HITECH Stimulus HIPAA Security Compliance Reporter White Paper ARRA HITECH AND ACR2 HIPAA SECURITY The healthcare industry is in a time of great transition, with a government mandate for EHR/EMR systems,
More informationBusiness Continuity and Disaster Recovery Planning
Business Continuity and Disaster Recovery Planning Jennifer Brandt, CISA A p r i l 16, 2015 HISTORY OF STINNETT & ASSOCIATES Stinnett & Associates (Stinnett) is a professional advisory firm offering services
More informationHIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule
HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why
More informationHIPAA Summit. March 10, 2011. Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC
HIPAA Summit March 10, 2011 Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC The Secretary shall provide for periodic audits to ensure that covered entities and business associates
More informationDisaster Recovery Journal Spring World 2014
Disaster Recovery Journal Spring World 2014 What works: Services and service supply chain business continuity risk management Don Hall, CBCP, Cisco Services Business Continuity Analyst Cisco Systems, Inc.
More informationNOTICE OF PRIVACY PRACTICES
Creative Community Living Services, Inc. HIPAAf4100 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationHIPAA Changes 2013. Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13
HIPAA Changes 2013 Mike Jennings & Jonathan Krasner BEI For MCMS 07/23/13 BEI Who We Are DC Metro IT Service Provider since 1987 Network Design/Upgrade Installation/Managed IT Services for small to medium-sized
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationBusiness Continuity Policy
Business Continuity Policy Summary: This policy sets out the structure for ensuring that the PCT has effective Business Continuity Plans in place in order to maintain its essential business functions during
More informationHIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles dskyles@mcginnislaw.com
HIPAA Overview Darren Skyles, Partner McGinnis Lochridge HIPAA Health Insurance Portability and Accountability Act of 1996 Electronic transaction and code sets: Adopted standards for electronic transactions
More informationHIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP
HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More information