MIT's Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10)


Table of Contents

1. Program Summary
2. Definitions
   2.1 Identity Theft
   2.2 Personal Information Requiring Notification (PIRN)
3. Other Related Rules and Regulations
   3.1 Family Educational Rights and Privacy Act (FERPA)
   3.2 Payment Card Industry Data Security Standard (PCI DSS)
   3.3 Health Insurance Portability and Accountability Act (HIPAA)
   3.4 Gramm Leach Bliley Act (GLBA)
   3.5 FACTA "Red Flag Rules"
4. Roles
   4.1 Program Oversight
   4.2 Business Process Owners
   4.3 System Owners
   4.4 Department Heads and Other Managers
   4.5 Individuals with Access to PIRN
   4.6 Data Incident Response Team (DIRT)
   4.7 Information Technology Security Services (ITSS)
5. Minimizing PIRN on Campus
   5.1 Understanding Where PIRN Is
   5.2 Limiting Access to PIRN
6. Awareness, Training and Education
7. Third-Party Assurances
8. Protection of Hard Copy Files
9. Protection of Electronic Files
10. Monitoring and Enforcement
Appendix A: Program Oversight Responsibilities
Appendix B: Data Incident Response Team (DIRT)
Appendix C: Incident Response
Appendix D: Massachusetts General Laws Chapter 93I: Section 2. Standards for disposal of records containing personal information; disposal by third party; enforcement
Appendix E: 201 CMR Computer System Security Requirements

Last Updated: 2/26/10 11:19 AM

1. Program Summary

This Information Security Program [note 1] has been adopted in accordance with chapter 93H of the Massachusetts General Laws and the corresponding regulations setting forth Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17). These regulations apply to certain types of personal information that are commonly encountered in MIT business processes. The Massachusetts regulations identify personal information that, if exposed, may put the identified individuals at risk of identity theft [2.1]. The regulations require that the affected individuals be notified when this information is exposed as a result of unauthorized use or a security breach. In this document we refer to this information as Personal Information Requiring Notification, or PIRN [2.2].

This Program applies to any area of MIT where PIRN, whether maintained in paper hard copy, electronically or in any other media, is collected, edited, manipulated, reviewed, reported, disposed of or stored. [note 2] It is the responsibility of all members of the MIT community to be aware when they are handling PIRN and to understand and follow the processes defined in or referenced from this document. For business processes and systems with PIRN, it is the responsibility of each Business Process Owner [4.2] or System Owner [4.3] to define the specifics of how the information in their stewardship will be protected, and to ensure that anyone using the process or system is familiar with the protection protocol.

MIT's general approach to protecting PIRN is based on three pillars:

1. Minimizing the collection and storage of PIRN, and limiting access on a need-to-know basis. Minimizing the collection and storage of PIRN reduces the chance of its compromise, both by limiting the number of staff members who have to handle this information and by reducing the likelihood of a mistaken disclosure. It also reduces the risk of a technological compromise of electronic PIRN, whether through hacking, mistaken processing of data, or loss of media containing such information.

2. Increasing staff awareness of data management, and providing appropriate education on how to protect PIRN. Educating staff and making them aware of how to handle PIRN will help protect it from disclosure or compromise.

3. Utilizing industry best practices in the management of the technology surrounding the processing and storage of PIRN. MIT makes use of, and will continue to improve upon, technology best practices to protect personal information both at rest (while on storage media) and in transit (while being processed or communicated among computer systems and people).

Note 1: This Program may also be referred to as the WISP (Written Information Security Program).

Note 2: Some departments and laboratories have the responsibility to develop policies and procedures that pertain to special circumstances. For example, access to government-classified material at Lincoln Laboratory requires establishing specific procedures. In such cases, this Program is considered the minimally acceptable level of protection and control.

2. Definitions

2.1 Identity Theft
Identity theft is the illegal use of another person's identifying information in order to steal money or obtain other benefits.

2.2 Personal Information Requiring Notification (PIRN)
PIRN, which is currently equivalent to "personal information" under Massachusetts 201 CMR 17, is defined in this Program as a person's first name and last name, or first initial and last name, in combination with any one or more of the following data elements that relate to such a person:
(a) Social Security number;
(b) driver's license number or state-issued identification card number; or
(c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account;
provided, however, that PIRN shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

3. Other Related Rules and Regulations

In addition to the Massachusetts regulations, handlers of PIRN should also be aware of the following laws and regulations regarding personal information.

3.1 Family Educational Rights and Privacy Act (FERPA)
Student education records that include an individual's Social Security number, financial account number or other PIRN are covered by this Information Security Program; in addition, all student records, whether or not they contain PIRN, are subject to the requirements of FERPA. For more information, see MIT's Student Information Policy [http://web.mit.edu/policies/11/sip.html].

3.2 Payment Card Industry Data Security Standard (PCI DSS)
Personal credit card information is PIRN and is covered by this Information Security Program. Additionally, MIT merchants who accept personal credit cards must also follow MIT's Merchant Policies, which include MIT's PCI DSS Policy [https://web.mit.edu/chargemit/secure/policies/index.html].

3.3 Health Insurance Portability and Accountability Act (HIPAA)
For information about protected health information maintained by MIT Medical, see MIT's Medical Privacy page and MIT's Medical Privacy Policy [http://medweb.mit.edu/about/privacy/].

3.4 Gramm Leach Bliley Act (GLBA)
The GLBA requires financial institutions to adopt certain privacy safeguards. Insofar as transactions covered under GLBA include an individual's financial account number, this Information Security Program also covers them.

3.5 FACTA "Red Flag Rules"
Section 114 of the Fair and Accurate Credit Transactions Act (FACTA), also known as the Red Flag Rules, requires that all organizations subject to the legislation develop and implement a written "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft in connection with the opening of certain new accounts and the maintenance of existing ones.

In accordance with federal regulations, MIT has adopted an Identity Theft Prevention Program [http://web.mit.edu/infoprotect/docs/mit-red_flag_prog.pdf]. The safeguards referenced in the Identity Theft Prevention Program are the same as the minimum security standards referenced in this Program.

4. Roles

4.1 Program Oversight
Oversight and maintenance of the Written Information Security Program is the responsibility of the Head of Information Services & Technology, the Vice President and General Counsel, and the Institute Auditor. This group will carry out the responsibilities described in Appendix A.

4.2 Business Process Owners
Senior MIT managers ("Business Process Executives") who have functional or organizational responsibility for processes involving PIRN are expected to designate one or more Business Process Owners. Business Process Owners should be aware of the relevant regulatory and compliance issues, and have the responsibility and authority to define the rights of others to collect, use or store data during process execution. To the extent that IT systems are used as part of the process, Business Process Owners will work with System Owners [4.3] to ensure that appropriate tools and controls are in place to enforce the desired policies. Business Process Owners may further delegate specific responsibilities; however, in the event of a data incident or questions about policy, both the Business Process Executive and the Business Process Owner are accountable for the outcome.

4.3 System Owners
Senior IT managers who have responsibility for the systems supporting business processes involving PIRN are expected to designate one or more System Owners. System Owners should be aware of the IT parameters used to support the regulatory and compliance issues, and of the technology used to implement the policies for collecting, using or storing the data during process execution. System Owners will generally take policy direction from the Business Process Owner. System Owners may delegate specific responsibilities; however, in the event of a data incident or questions about controls, the System Owner and the Senior IT Manager are expected to be part of the discussions.

4.4 Department Heads and Other Managers
Department Heads and other managers are responsible for ensuring that the individuals in their areas who access or deal with business processes involving PIRN are aware of the requirements for handling PIRN, and for providing them with awareness, training and education opportunities [see 6]. Department Heads and managers are also expected to provide appropriate technical support, such as software tools and fully trained IT support staff, to facilitate compliance.

4.5 Individuals with Access to PIRN
Individuals with access to PIRN should be aware of this Program so that they can follow the appropriate steps to protect PIRN in hard copy, electronic or other forms. Computer security is of particular importance when protecting electronic files. Individuals are encouraged to work with the System Owners or local technical support staff, who can provide security solutions or recommendations. Many departments have a local IT support group or an arrangement with IS&T.

4.6 Data Incident Response Team (DIRT)
The Data Incident Response Team (DIRT) is notified when a possible breach of PIRN or other sensitive information is suspected. DIRT coordinates MIT's response, if any, to a possible security breach. More information about DIRT is in Appendix B.

4.7 Information Technology Security Services (ITSS)
Information Technology Security Services (ITSS) is a support team within IS&T. ITSS is the first technical team notified in the event of a suspected computer or network intrusion that may involve PIRN or other sensitive information covered by MIT policy. ITSS evaluates the technical specifics of each event and notifies DIRT when a breach of PIRN is suspected. More information about ITSS and information security is online [http://ist.mit.edu/security].

5. Minimizing PIRN on Campus

5.1 Understanding Where PIRN Is
Each Business Process Owner or System Owner is expected to:
- Understand why PIRN is needed, and limit the amount of PIRN collected to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected.
- Understand the data flows, both hard copy and electronic: where data is stored, used or transmitted, and whether files are distributed or centralized.
- Determine the appropriate record retention period for PIRN (which may be shorter than for other information in the record).
- Ensure that when electronic and hard copy records are redacted, deleted or destroyed, this is done in such a way that PIRN cannot practicably be read or reconstructed. Appendix D sets forth the specific legal requirements for the deletion or destruction of records that contain PIRN.

When a new business requirement for handling PIRN develops, Business Process Owners are expected to update processes and protocols as appropriate and keep Business Process Executives informed. Business Process Owners or System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.

5.2 Limiting Access to PIRN
Each Business Process Owner or System Owner will establish a protocol that defines the rules, processes and/or systems for:
- Limiting access to only authorized and authenticated individuals who need PIRN to conduct MIT business. [note 3]
- Removing access when it is no longer needed, such as in the event of employment termination or a job change.

Note 3: Limits on access should not preclude cross-departmental collaborations and data exchanges on an as-needed basis; authorized sharing of information from a single source has a lower risk of exposure than duplicative data stores.

- Periodically reviewing who has access, at least annually, to ensure that it is in alignment with current business needs.
- Updating each individual's authentication key (e.g., password, certificate) at least annually.
- Determining whether remote access will be allowed and, if so, ensuring that controls exist to protect the security and confidentiality of PIRN.
- Securing electronic and hard copy files when stored or during transmission, with the understanding that electronic files containing PIRN should not be transmitted over MITnet or the Internet unless secured. [note 4]
- Logging and monitoring access to detect unauthorized attempts to access PIRN, as well as inappropriate access by authorized individuals.

Business Process Owners and System Owners may delegate the above responsibilities to one or more individuals who have received training or education in information security and privacy.

Note 4: To remain compliant, electronic files that contain PIRN must be encrypted during transmission over MITnet or the Internet. See Appendix E.

6. Awareness, Training and Education

Program oversight responsibilities include providing communication, appropriate documentation and sufficient training related to the Information Security Program. Each Business Process Owner or System Owner will take steps to ensure that those authorized to access PIRN have received training in the specific responsibilities and procedures associated with that area. They will also ensure that one or more individuals in those areas receive training or education in information security and privacy. Department managers and supervisors will take steps to ensure that individuals in their area who work with processes involving PIRN have appropriate and sufficient training, as well as access to the relevant tools and IT support services needed to comply with this Program. Individuals are expected to be aware when they are part of a process that includes PIRN. They are also expected to avail themselves of the relevant training and guidance offered by Business Process Owners, System Owners or their department.

7. Third-Party Assurances

Each Business Process Owner or System Owner must take reasonable steps to verify that third-party service providers with access to PIRN have the capacity and the commitment to protect such information in accordance with Massachusetts law and regulations. Service providers should be aware of MIT's responsibilities to protect PIRN. Contracts must include appropriate clauses that require service providers to implement and maintain appropriate security measures to protect PIRN, as well as language that ensures the design of secure systems and data handling processes. MIT's Procurement Office can provide assistance with contract language.

8. Protection of Hard Copy Files

In addition to removing PIRN from files where it is not required for business processes, recommended protective measures for paper, microfiche or other non-computerized files include physically locking cabinets, drawers, offices and other areas containing these files. Places where unsecured hard copy files collect (such as fax machines, copiers or mail rooms) must be monitored to minimize unauthorized access. Secure file destruction (such as a cross-cut shredder or a certified shredding service) ensures that hard copy files with PIRN are never disposed of in regular trash or recycling bins. Further recommendations can be found online [http://web.mit.edu/infoprotect].

9. Protection of Electronic Files

The Computer System Security Requirements of the Massachusetts regulations (201 CMR; see Appendix E) include a number of requirements related to the protection of electronic files. MIT has developed a set of minimum IT security standards that, to the extent technically feasible, must be used for the protection of laptop and desktop computers, smart phones, and mobile storage devices such as USB memory sticks that process, store, view or transmit PIRN. While not an exhaustive list, the following are technologies that, when used concurrently, would meet the compliance requirements:
- Operating system and software updates
- Firewall configuration
- Virus and malware protection
- Passwords
- Protecting data in transit
- Encryption
- Physical security
- Data destruction/removal
- Backups
- Data inventory
- Designation of workstations for specific functions
- Principle of least privilege
- Browser and protections
- File server protections

Further recommendations, as well as reviewed tools and applications for the protection of electronic PIRN, can be found online [http://web.mit.edu/infoprotect].

10. Monitoring and Enforcement

Each year, MIT will review this Program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of PIRN. Information safeguards will be updated as necessary to limit risks. Compliance with this Program will be reviewed as part of the regularly scheduled operational and IT audits conducted by MIT's Audit Division. MIT employees whose behavior is inconsistent with this Program will be subject to MIT disciplinary action, up to and including termination. See MIT HR Policy 6.3, Termination for Poor Performance or Failure to Comply with Institute Policies [http://hrweb.mit.edu/policy/6/6-3.html]. Enforcement actions relative to MIT faculty, students, temporary employees or others who compromise the protection of PIRN will be addressed on a case-by-case basis.
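Section 5.1 asks each owner to understand where PIRN is stored, and section 9 lists a data inventory among the required controls. The script below is an added example, not MIT's code and not part of the Program: it applies the PIRN definition from section 2.2 to a set of text records, flagging a record only when a name (first name or initial plus last name) appears together with a Social Security number or a payment card number, which is the "in combination with" test. Everything beyond that definition is an assumption made for the example: names are matched as two capitalized words, driver's license and state ID numbers are left out because their formats vary by state, card numbers must pass the Luhn checksum before they count, and the sample records are constructed.

```python
"""Locate PIRN in text records, following the definition in section 2.2.

Added example; not MIT's code and not part of the Program. Name matching,
the omission of state ID formats, and the Luhn filter are assumptions made
here. The sample records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "Alice Smith" or "J. Doe": a first name or initial followed by a last name.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.?)\s+[A-Z][a-z]+\b")
# SSN in the common dashed form; excludes area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the findings do not themselves become PIRN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    record: int    # 1-based record (line) number
    element: str   # "ssn" or "card"
    value: str     # masked data element
    name: str      # the name it was found in combination with


def find_pirn(text: str) -> list[Finding]:
    """Scan one record per line and return every name + data element pair."""
    findings: list[Finding] = []
    for n, rec in enumerate(text.splitlines(), start=1):
        name = NAME_RE.search(rec)
        if not name:
            continue  # a bare SSN or card number with no name is not PIRN under 2.2
        for m in SSN_RE.finditer(rec):
            findings.append(Finding(n, "ssn", mask(m.group().replace("-", "")), name.group()))
        for m in CARD_RE.finditer(rec):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, "card", mask(digits), name.group()))
    return findings


# Constructed sample records; 4111 1111 1111 1111 is a standard test card number.
SAMPLE = """\
Alice Smith, SSN 123-45-6789, reimbursement approved
Bob Jones card 4111 1111 1111 1111 exp 12/29
Order 4111 1111 1111 1111 shipped to PO Box 7
Carol Lee phone 617-253-1000 and card 4111 1111 1111 1112
D. Park, MA license on file, DOB 1990-01-01
"""

if __name__ == "__main__":
    for f in find_pirn(SAMPLE):
        print(f"record {f.record}: {f.element} {f.value} with name {f.name!r}")
```

Run on the sample, only records 1 and 2 are reported: record 3 carries a valid card number but no name, record 4 carries a name but a number that fails the Luhn check, and record 5 carries a name with no data element. The findings are masked so that the inventory report does not become a new copy of PIRN that would itself have to be protected under this Program.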

Appendix A: Program Oversight Responsibilities

Oversight and maintenance of the Written Information Security Program is the responsibility of the Head of Information Services & Technology, the Vice President and General Counsel, and the Institute Auditor. Responsibilities of this group include:
- Annually reviewing the effectiveness of the Information Security Program;
- Apprising MIT's Audit Committee of any significant incidents or changes in the Information Security Program;
- Overseeing communication and training;
- Updating the Program, policies, guidelines and standards as needed;
- Participating in any data breach de-briefing;
- Sponsoring or overseeing one or more working groups, as circumstances require, to see that these Program responsibilities are achieved.

Meetings: This group is not required to meet on an established frequency, but will convene as needed to respond to changing regulations, business conditions, data incidents, significant audit findings, or other incidents that may prompt discussion. This should occur no less than annually.

Appendix B: Data Incident Response Team (DIRT)

In order to respond to and recover from data security breaches, MIT established a Data Incident Response Team in the Fall of
When a compromise of data is suspected, a report is sent to DIRT, whose responsibilities are to:
- Alert: Immediately notify all members of the team that a possible data incident has occurred, and subsequently keep the team members aware of the status of the incident.
- Respond: Get in touch with the contact person for the machine in question (if the incident involves electronic data) to remove it from the network.
- Investigate: Determine as soon as possible the full scope of the incident: what types of data were involved, the cause of the problem, and whether PIRN was exposed.
- Notify: If an incident leads to exposure, or if the team has reason to believe that information was acquired or used by unauthorized persons for an unauthorized purpose, initiate the appropriate notification processes, in accordance with the relevant laws, regulations and contract requirements, so that countermeasures can be taken to protect the affected individuals against fraud and identity theft.
- Document: Document any actions taken in connection with the incident, and conduct a post-incident review of events in order to record changes in business practices relating to the protection of PIRN.

Appendix C: Incident Response

Although MIT hopes that its efforts at protecting personal information will result in no compromises of PIRN or other sensitive information, compromises may still happen. It is just as important that MIT handles such incidents properly. [note 5]

From time to time, the IT Security Services team receives reports that a computer containing personal information is at risk of being compromised, or that a computer account has been used in a way that exposed personal information. Compromises can happen when a computer is running an outdated and unpatched operating system. Indications of a compromise include alerts from anti-virus and anti-malware software; some signs of compromise are subtle, and no alerts may be generated. Other ways information can be disclosed are through loss or theft of laptops and other storage devices, web-searchable Athena Lockers, unencrypted documents and databases, weak passwords, lack of access controls, and data left on disposed hard drives. Information in hard copy files can be exposed as well if not properly secured.

Individuals should avoid trying to address such situations on their own, as they may corrupt forensic information necessary to determine the scope of the issue and the risks to MIT. If you believe a breach of PIRN may have occurred, immediately report the incident by sending to
If you have received a notice that a computer has a possible compromise, follow the instructions in the notice. The incident responders will work through a process to determine whether a reportable breach has occurred, and will engage MIT's Data Incident Response Team as appropriate. Detailed instructions for reporting and handling a potential compromise of PIRN can be found online [http://ist.mit.edu/security/support/data_breach].

Note 5: MIT may decide to send out a notice even if there is no confirmation that a breach of security resulted in unauthorized exposure of PIRN. It may also send out a notice if information is exposed that does not fall under the definition of PIRN but is still considered sensitive. In those cases, notification decisions will be made on a case-by-case basis.

Appendix D: Massachusetts General Laws Chapter 93I: Section 2. Standards for disposal of records containing personal information; disposal by third party; enforcement

[Note: Up-to-date version may be found at

Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
(a) paper documents containing personal information shall be redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.

Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.

Appendix E: 201 CMR Computer System Security Requirements

[Note: Up-to-date version may be found at

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:
   (i) control of user IDs and other identifiers;
   (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   (iv) restricting access to active users and active user accounts only; and
   (v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.

(2) Secure access control measures that:
   (i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information.

(5) Encryption of all personal information stored on laptops or other portable devices.

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
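Elements (1)(v), (2)(i) and (4) above are the ones that a System Owner can check mechanically against an authentication and file-access log. The script below is an added example, not MIT's code and not part of any MIT system or of the Program: it replays a log, locks a user ID once it accumulates a number of failed logins inside a sliding window (element (1)(v)), keeps that ID blocked even when a later attempt succeeds, and raises an alert whenever a file holding personal information is read by an account that is not on its need-to-know list or that is currently locked (elements (2)(i) and (4)). The log format, the threshold of five failures in fifteen minutes, the file name payroll.db, the authorized-user list and the log lines themselves are all constructed for the example.

```python
"""Lockout after repeated failed logins, and monitoring of access to PIRN files.

Added example; not MIT's code and not part of the Program. The log format,
the threshold, the window, the file name and the authorized-user list are
assumptions made here; the log lines are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # lock the ID after this many failures ...
WINDOW = timedelta(minutes=15)  # ... within this sliding window

# Hypothetical store of personal information and the accounts that may read it
# (the need-to-know list of element (2)(i)).
AUTHORIZED = {"payroll.db": {"alice", "carol"}}

# Constructed log, one event per line: "<ISO timestamp> <event> key=value ..."
LOG = """\
2010-02-26T09:00:01 LOGIN user=bob result=FAIL
2010-02-26T09:00:09 LOGIN user=bob result=FAIL
2010-02-26T09:00:17 LOGIN user=bob result=FAIL
2010-02-26T09:00:25 LOGIN user=bob result=FAIL
2010-02-26T09:00:33 LOGIN user=bob result=FAIL
2010-02-26T09:00:41 LOGIN user=bob result=OK
2010-02-26T09:05:00 LOGIN user=alice result=FAIL
2010-02-26T09:30:00 LOGIN user=alice result=FAIL
2010-02-26T09:31:00 ACCESS user=alice file=payroll.db
2010-02-26T09:32:00 ACCESS user=bob file=payroll.db
"""


def parse(line: str) -> tuple[datetime, str, dict[str, str]]:
    """Split one log line into its timestamp, event kind and key=value fields."""
    ts, kind, *fields = line.split()
    return datetime.fromisoformat(ts), kind, dict(f.split("=", 1) for f in fields)


def evaluate(log: str) -> tuple[set[str], list[str]]:
    """Replay the log; return the set of locked user IDs and the alerts raised."""
    failures: dict[str, deque[datetime]] = defaultdict(deque)  # recent failures per user
    locked: set[str] = set()
    alerts: list[str] = []
    for line in log.splitlines():
        ts, kind, kv = parse(line)
        user = kv["user"]
        if kind == "LOGIN":
            if user in locked:
                # (1)(v): a locked ID stays blocked even if the credential is now right.
                alerts.append(f"{ts.isoformat()} login attempt by locked user {user}")
                continue
            if kv["result"] == "FAIL":
                recent = failures[user]
                recent.append(ts)
                while recent and ts - recent[0] > WINDOW:
                    recent.popleft()  # drop failures that fell outside the window
                if len(recent) >= MAX_FAILURES:
                    locked.add(user)
                    alerts.append(f"{ts.isoformat()} user {user} locked after "
                                  f"{len(recent)} failures within {WINDOW}")
            else:
                failures[user].clear()  # a successful login resets the count
        elif kind == "ACCESS":
            # (4) monitoring of access, checked against the (2)(i) need-to-know list.
            if user not in AUTHORIZED.get(kv["file"], set()) or user in locked:
                alerts.append(f"{ts.isoformat()} user {user} accessed {kv['file']} "
                              "without authorization")
    return locked, alerts


if __name__ == "__main__":
    locked_ids, raised = evaluate(LOG)
    print("locked:", sorted(locked_ids))
    for alert in raised:
        print(alert)
```

On the constructed log, bob is locked at his fifth failure, his later successful login is flagged rather than honoured, and his read of payroll.db is reported because he is on neither the authorized list nor in good standing; alice's two failures fall 25 minutes apart, so the sliding window never holds more than one of them and her authorized read raises nothing. Resetting the failure count on a successful login is a design choice made for the example; a stricter deployment would keep counting within the window regardless.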


PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs The Identity Theft and Fraud Protection Act (Act No. 190) allows for the collection, use

More information

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS Introduction Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or

More information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...

More information

COUNCIL POLICY NO. C-13

COUNCIL POLICY NO. C-13 COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Massachusetts Identity Theft/ Data Security Regulations

Massachusetts Identity Theft/ Data Security Regulations Massachusetts Identity Theft/ Data Security Regulations Effective March 1, 2010 Are You Ready? SPECIAL REPORT All We Do Is Work. Workplace Law. In four time zones and 45 major locations coast to coast.

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central. POLICIES Campus Data Security Policy Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central Policy Statement Policy In the course of its operations, Minot State University

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

BERKELEY COLLEGE DATA SECURITY POLICY

BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data

More information

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

Identity Theft Prevention Program Compliance Model

Identity Theft Prevention Program Compliance Model September 29, 2008 State Rural Water Association Identity Theft Prevention Program Compliance Model Contact your State Rural Water Association www.nrwa.org Ed Thomas, Senior Environmental Engineer All

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

PII Personally Identifiable Information Training and Fraud Prevention

PII Personally Identifiable Information Training and Fraud Prevention PII Personally Identifiable Information Training and Fraud Prevention Topics What is Personally Identifiable Information (PII)? Why are we committed to protecting PII? What laws govern us? How do we comply?

More information

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008 AUBURN WATER SYSTEM Identity Theft Prevention Program Effective October 20, 2008 I. PROGRAM ADOPTION Auburn Water System developed this Identity Theft Prevention Program ("Program") pursuant to the Federal

More information

Information Technology

Information Technology Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Navigating the New MA Data Security Regulations

Navigating the New MA Data Security Regulations Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became

More information

b. USNH requires that all campus organizations and departments collecting credit card receipts:

b. USNH requires that all campus organizations and departments collecting credit card receipts: USNH Payment Card Industry Data Security Standard (PCI DSS) Version 3 Administration and Department Policy Draft Revision 3/12/2013 1. Purpose. The purpose of this policy is to assist the University System

More information

01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS)

01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS) 01.230 IDENTITY THEFT PREVENTION PROGRAM (RED FLAGS) Authority: Board of Trustees History: Effective May 1, 2009 (approved initially April 24, 2009) Source of Authority: Related Links: Responsible Office:

More information

PII = Personally Identifiable Information

PII = Personally Identifiable Information PII = Personally Identifiable Information EMU is committed to protecting the privacy of personally identifiable information of its students, faculty, staff, and other individuals associated with the University.

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges

More information

LSE PCI-DSS Cardholder Data Environments Information Security Policy

LSE PCI-DSS Cardholder Data Environments Information Security Policy LSE PCI-DSS Cardholder Data Environments Information Security Policy Written By: Jethro Perkins, Information Security Manager Reviewed By: Ali Lindsley, PCI-DSS Project Manager Endorsed By: PCI DSS project

More information

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579 IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor

More information

The Massachusetts Data Security Law and Regulations

The Massachusetts Data Security Law and Regulations The Massachusetts Data Security Law and Regulations November 2, 2009 Boston Brussels Chicago Düsseldorf Houston London Los Angeles Miami Milan Munich New York Orange County Rome San Diego Silicon Valley

More information

Information Security Policy

Information Security Policy Information Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED

More information

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Appendix 1 Payment Card Industry Data Security Standards Program

Appendix 1 Payment Card Industry Data Security Standards Program Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect

More information

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy I. PURPOSE To identify the requirements needed to comply with

More information

MFA Perspective. 201 CMR 17.00: The Massachusetts Privacy Law. Compliance is Mandatory... Be Thorough but Be Practical

MFA Perspective. 201 CMR 17.00: The Massachusetts Privacy Law. Compliance is Mandatory... Be Thorough but Be Practical MFA Perspective 201 CMR 17.00: The Massachusetts Privacy Law Compliance is Mandatory... Be Thorough but Be Practical DEADLINE FOR FULL COMPLIANCE HAS BEEN EXTENDED FROM JANUARY 1, 2010 TO MARCH 1, 2010

More information

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Credit Card Handling and Acceptance Policy Policy Number: C3875 Effective Date: November 8, 2006 Issuing Authority: Office of VP Business and

More information

2011 Data Breach Notifications Report

2011 Data Breach Notifications Report 2011 Data Breach Notifications Report December 2011 2011 Report on Data Breach Notifications History, Laws and Regulations On October 31, 2007, the Commonwealth s Data Security Breach Law, Mass. Gen. Law

More information

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)

More information

College of DuPage Information Technology. Information Security Plan

College of DuPage Information Technology. Information Security Plan College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Protecting MIT Data. State Laws & Regulations. T. McGovern, M. Yeaton, M. Halsall, S. Burke, B. DiMattia

Protecting MIT Data. State Laws & Regulations. T. McGovern, M. Yeaton, M. Halsall, S. Burke, B. DiMattia Protecting MIT Data T. McGovern, M. Yeaton, M. Halsall, S. Burke, B. DiMattia State Laws & Regulations General Laws, Chapter 93H: Massachusetts Data Breach Law, outlines when to notify (2007) 201 CMR 17.00:

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Dartmouth College Merchant Credit Card Policy for Processors

Dartmouth College Merchant Credit Card Policy for Processors Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the

More information

The University of North Carolina at Charlotte Identity Theft Prevention Program

The University of North Carolina at Charlotte Identity Theft Prevention Program The University of North Carolina at Charlotte Identity Theft Prevention Program Program Adoption As a best practice and using as a guide the Federal Trade Commission s ( FTC ) Red Flags Rule ( Rule ),

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS) CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with

More information

Rowan University Data Governance Policy

Rowan University Data Governance Policy Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data

More information

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration

More information

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY Illinois Department of Healthcare and Family Services Training Outline: Training Goals What is the HIPAA Security Rule? What is the HFS Identity

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine

More information

Valdosta Technical College. Information Security Plan

Valdosta Technical College. Information Security Plan Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014

MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014 MONROE COUNTY WATER AUTHORITY IDENTITY THEFT PREVENTION POLICY REVISED MARCH 2014 Section 41.90 of Title 12 of the Code of Federal Regulations (the Regulations ) requires every utility that offers or maintains

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

Covered Areas: Those EVMS departments that have activities with Covered Accounts. I. POLICY Eastern Virginia Medical School (EVMS) establishes the following identity theft program ( Program ) to detect, identify, and mitigate identity theft in its Covered Accounts in accordance with

More information

CSR Breach Reporting Service Frequently Asked Questions

CSR Breach Reporting Service Frequently Asked Questions CSR Breach Reporting Service Frequently Asked Questions Quick and Complete Reporting is Critical after Data Loss Why do businesses need this service? If organizations don t have this service, what could

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM

CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM INTRODUCTION CHAPTER OSCEOLA COUNTY IDENTITY THEFT PREVENTION PROGRAM The Osceola County Board of County Commissioners is committed to protecting consumers who do business with Osceola County, and as such

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Vulnerability Management Policy

Vulnerability Management Policy Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully

More information

Massachusetts Residents

Massachusetts Residents Identity Theft & Fraud Protection for Identity Theft & Fraud Protection for Massachusetts Residents Copyright Notice November 2009 Joe Burns All rights reserved This PowerPoint presentation is a part of

More information

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment

More information

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their

More information

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

CREDIT CARD PROCESSING & SECURITY POLICY

CREDIT CARD PROCESSING & SECURITY POLICY FINANCE AND TREASURY POLICIES AND PROCEDURES E071 CREDIT CARD PROCESSING & SECURITY POLICY PURPOSE The purpose of this policy is to establish guidelines for processing charges/credits on Credit Cards to

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

6-8065 Payment Card Industry Compliance

6-8065 Payment Card Industry Compliance 0 0 0 Yosemite Community College District Policies and Administrative Procedures No. -0 Policy -0 Payment Card Industry Compliance Yosemite Community College District will comply with the Payment Card

More information

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY PURPOSE The Payment Card Industry Data Security Standard was established by the credit card industry in response to an increase in identify theft

More information

DSU Identity Theft Prevention Policy No. DSU 802.7.001

DSU Identity Theft Prevention Policy No. DSU 802.7.001 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 IDENTITY THEFT PREVENTION DSU Policy No. 802.7.001 SOURCE: Fair and Accurate

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015 Data Privacy: What your nonprofit needs to know Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015 Overview 2 Data privacy versus data security Privacy polices and best practices Data security

More information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information