DATA RETENTION REPORT
12 February
TABLE OF CONTENTS

I. INTRODUCTION
   Overview of national legislation
   Methodology followed
   Adoption of the data retention executive act
II. ANALYSIS
   Retained Data
   General overview of adopted solutions
   Security of Information Technologies (IT)
   Submittal of Traffic Data
   Logical Protection
   Authentication/Authorization
   Records
   Cryptography
   Fixed and mobile security at the workstation
   Conveyance, transmission protocols
   Physical protection
   Backup and Disaster Recovery Systems
III. CONCLUSIONS
IV. ANNEX (facultative)
I. INTRODUCTION

Overview of national legislation

The provisions of the Data Retention Directive have been implemented in our Electronic Communications Act (ECA) [1]. In accordance with the relevant provisions of the ECA, the provider is obliged to keep the retained data for the purposes of:
- providing data on traffic in the electronic communications network, as provided by the Criminal Procedure Act;
- ensuring national security and the constitutional order, and ensuring the security, political and economic interests of Slovenia, as provided by the Slovene Intelligence and Security Agency Act;
- defence, as provided by the Defence Act.

The authorities responsible for the application of Directive 2006/24/EC in Slovenia are the National Regulatory Authority, the Post and Electronic Communications Agency of the Republic of Slovenia (APEK), and the Information Commissioner of the Republic of Slovenia. Art. 112(2) of the ECA provides that the Information Commissioner performs supervision over retained data (user, traffic and location data which are acquired or processed in relation to the provision of public communications networks or services in accordance with Art. 107a-107e of the ECA). The Information Commissioner supervises whether the data are retained, secured and used in accordance with the law.

The electronic communications market in Slovenia is largely dominated by a couple of large providers and a long tail of small providers. The total number of providers of electronic communications (hereinafter: providers) is 131 according to the 2008 Annual Report of the NRA. Several of them provide a number of different services:
   ISPs: 64
   Mobile operators: 3 (plus 3 service providers with their own network)
   Cable operators: 73
   Telephone fixed: 22

In terms of mobile telephony the market-share distribution is rather concentrated between two major providers (chart not reproduced).

[1] Unofficial translation available at: -upb1_unofficial_translation_english.pdf
A similar situation, with somewhat more competition, may be observed in the broadband market (chart not reproduced).

Methodology followed

The Information Commissioner has introduced data retention audits into its annual ex officio inspection plan. So far we have taken a two-stage process. First there is the documentation phase, in which the relevant documents are obtained from the providers and checked at our offices. For this phase the common Questionnaire to telecom providers and ISPs, developed by the Enforcement Subgroup of the Article 29 Working Party, was translated and sent to 10 selected providers. Providers were selected so as to cover the majority of the markets for the services covered by the Data Retention Directive. Given the competitive structure of these markets, the selected providers cover more than 90% of the market share in all respective markets. Having received the replies from the providers, in the second phase the inspection is performed in situ, to establish whether the documented procedures are also performed in practice. Given the resources available at the Information Commissioner, 5 in-situ audits were carried out in 2009 and it was decided that the in-situ data retention audits continue throughout 2010 as a part of the 2010 annual ex officio audit plan.

The Information Commissioner is currently considering the introduction of a third phase that would consist of a purely technical inspection of the technical solutions for data retention that are most commonly used on our market. This effectively means two or three providers (or resellers) of data retention technical solutions that have set up their systems as a contractual service to the electronic communication providers.

Adoption of the data retention executive act

Given the general observation that the requirements for data retention are rather broad and vague, that several providers had opted for insecure means of storing the data required by the law, and the subsequent problems in terms of supervision, the National Regulatory Agency and the Information Commissioner decided to draft an implementing measure (an executive act under the ECA), which should set more concrete requirements for data retention in terms of the security, quality, integrity and confidentiality of stored data. The draft executive act was put into public debate; comments from providers were received, processed and reflected in the final text of the act. The executive act was adopted on 31 December 2008 and published in the Official Gazette of the Republic of Slovenia (No. 126/2008). We also need to point out that the provisions on data retention for internet traffic data entered into force on 15 March. The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data (unofficial translation) is available in Slovenian. In brief, the act consists of two major parts. The first part is oriented towards the adoption of best-practice measures for ensuring the confidentiality, security and availability of data, such as the approach taken by the ISO/IEC standard on the management of information security.
Generally speaking, the Executive Act obliges providers to adopt an ISMS-like system for the management of information security, including management reviews, document management, review and improvement of the ISMS and similar. Providers need to inform the National Regulatory Agency and the Information Commissioner about the management review of the ISMS. The second part of the Executive Act focuses on the security requirements for the secure storage of retained data. In general, operators need to adopt measures that enable fully authentic audit trails of any access to retained data; the retained data may only be stored in a separate information system that does not allow any kind of subsequent change or manipulation of retained data; providers need to produce effective back-up copies; and so on.

II. ANALYSIS

The Questionnaire was sent to the selected providers on 24 March 2009 with a deadline of 30 April. All of the selected providers replied in due time. Overall, the responses to the questionnaire already reflected the requirements set by the Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data, since the majority of the inspected providers had already taken care of meeting the requirements of the Executive Act.

Retained Data

In terms of the range of stored data, the analysis of the replies to the questionnaire and the in-situ audits did not detect any major irregularities. The written replies to the questionnaire usually referred to the data categories that were specifically mentioned or required by the ECA, whereas the in-situ audits confirmed substantial deviations in one case. One of the inspected providers of cable internet access and VoIP had obviously not taken the requirements of the ECA and the Executive Act seriously enough. Irregularities in terms of the security of data were substantial; for example, the provider had actually lost a portion of its data to a disk failure because of inappropriate backup procedures.
Furthermore, there were some irregularities around the integrity of audit trails and inconsistent access rights to retained data, which were not retained in a separate information system but were rather stored using the same equipment as for billing purposes. Such substantial irregularities, however, were not detected at other providers, who have all taken concrete measures for the security of retained data.

General overview of adopted solutions

Given the rather strict requirements of the Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data, at least the large market-share holders have taken the data retention requirements seriously and have already adopted Information Security Management Systems or are in the process of finalizing the drafts. The requirements of the Executive Act have therefore brought huge improvements in ensuring the confidentiality, integrity and availability of data. The situation, however, might be different with providers that occupy small market shares and do not have enough human or financial resources to introduce an ISMS or to opt for advanced technical solutions for data retention. In-situ audits that will be carried out later will probably confirm this prediction.

Security of Information Technologies (IT)

Audited providers have given the Information Commissioner access to their Information Security Management System documentation, including risk assessments, risk management procedures, password and back-up policies etc., where only minor deficiencies were observed. The majority of providers have dedicated security officers or a CISO who also oversees the data retention part. Apart from the already mentioned provider with poor security findings, the other selected providers have set up Information Security Management Systems and have opted for contractual providers of specialized data storage/retention solutions. Two major players in this market have thus covered the majority of large providers, and they offer dedicated solutions from world-wide storage solution providers such as EMC/IBM and Sun Microsystems.
More specifically, an EMC/IBM Centera CAS-type solution was introduced at 7 major electronic communication providers in our market, whereas one provider chose the Sun Microsystems CopperEye storage solution. All of the mentioned solutions employ state-of-the-art technology for the secure storage and handling of retained data, including:
- Write-once-read-many (WORM): once written, data cannot be modified or deleted until the retention period has expired
- Access to source data achieved only by running predefined queries
- Protection against:
   - accidental or unlawful destruction
   - accidental loss
   - alteration
   - unauthorized or unlawful storage, processing, access or disclosure
- Access by authorized personnel only
- Encrypted storage
- Destruction at the end of the retention period
- Support for secure erasure standards (DoD STD)

One of the providers of data retention solutions, who also covers the majority of large electronic communication providers, has received an ISO/IEC certificate. The employed architecture usually combines traffic data sources (various mediation devices and traffic data servers) with subscriber data and sends them to a dedicated storage device which is physically and logically separated from other information systems (such as billing) within the provider. The retention period and deletion are enforced automatically and cannot be altered once set. In all cases data is stored in Slovenia.

Submittal of Traffic Data

The number of received requests for retained data differs significantly between the inspected providers, ranging from one per month to 5-6 per day. The majority of requests refer to data from mobile and fixed telephony, whereas the number of requests concerning internet-related data is much lower. The competent authorities for requests are, in accordance with the ECA, the National Intelligence Agency, the Courts and the Ministry of Defence. The majority of requests are submitted by law enforcement under the provisions of the Criminal Procedure Act. In some cases the Information Commissioner has also noted requests by the police without the necessary court order, probably due to inappropriate interpretation of the ECA and of their own competencies by some police stations.

Logical Protection

Audited providers have stated that external contractual parties do not have access to retained data; this includes the contractual supplier of the data retention solution. Requests for new users need to be put forward by the provider, and contractual parties only have access to the data retention system within the premises of the provider and under the provider's supervision. Providers employ all the usual logical access control systems such as firewalls, IDS/IPS systems and similar. Mobile or remote access to the data retention system is not permitted in the majority of cases.

Authentication/Authorization

In most cases, the dedicated data retention solutions have built-in authentication/authorization requirements, whereas the list of allowed users is documented and updated by the provider. In most cases there are no more than one to five users who have the privileges to access the retained data and fulfil the received requests for retained data. The password policies that were audited usually reflect the standard requirements in terms of length, strength, expiry and so on.

Records

Audit trails are provided by the dedicated data retention solutions themselves. All access to the system is recorded, including the actions of administrators, in a non-changeable and reliable manner, and stored in the system. As explained above, the situation was different with the one provider who did not opt for a dedicated data retention solution.

Cryptography

Dedicated data retention solutions store data in encrypted form.
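The dedicated solutions described under "General overview of adopted solutions", "Records" and "Cryptography" combine four controls: write-once storage that refuses modification or deletion before the retention period expires, access to source data only through predefined queries, an audit trail of every access (administrators included) that cannot be changed afterwards, and automatic destruction at the end of retention. The Python model below is an added illustration of how these controls fit together and how an auditor can check them; it is not code from any audited provider or from the Centera or CopperEye products, and its design (record categories, a single predefined query, a SHA-256 hash chain for the audit log, retention periods approximated as 30-day months, and the constructed sample records) is an assumption of the model. It also covers the point raised in the Conclusions: a statutory reduction of the retention period with no transitional provisions must apply to data already stored, so a store whose period "cannot be altered once set" needs a controlled path that only ever shortens it. Encryption at rest, also listed above, is outside this model.

```python
"""Added model of a dedicated retained-data store (assumed design, not a vendor's product):
write-once records, predefined queries only, a hash-chained audit trail, automatic expiry."""
import hashlib
import json
from datetime import datetime, timedelta, timezone


class WormViolation(Exception): pass  # overwrite, deletion before expiry, or extended retention


class RetentionStore:
    QUERIES = {"by_subscriber": lambda rec, arg: rec.get("subscriber") == arg}  # only read path

    def __init__(self, retention):
        self._retention = dict(retention)   # category -> timedelta
        self._records = {}                  # id -> (category, stored_at, payload)
        self._audit = []                    # append-only, hash-chained
        self._prev_hash = "0" * 64          # genesis link of the chain

    def _log(self, actor, action, detail, when):  # every call, allowed or refused, is chained
        entry = {"ts": when.isoformat(), "actor": actor, "action": action,
                 "detail": detail, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)
        self._prev_hash = entry["hash"]

    def verify_audit(self):  # recompute the chain: -1 if intact, else index of first bad entry
        prev = "0" * 64
        for i, entry in enumerate(self._audit):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return i
            prev = entry["hash"]
        return -1

    def expires_at(self, record_id):
        category, stored_at, _ = self._records[record_id]
        return stored_at + self._retention[category]

    def write(self, actor, record_id, category, payload, when):
        if record_id in self._records:                      # WORM: never overwrite
            self._log(actor, "write-refused", record_id, when)
            raise WormViolation(f"{record_id} already exists")
        self._records[record_id] = (category, when, payload)
        self._log(actor, "write", record_id, when)

    def delete(self, actor, record_id, when):
        if record_id not in self._records or when < self.expires_at(record_id):
            self._log(actor, "delete-refused", record_id, when)
            raise WormViolation(f"{record_id} is within its retention period")
        del self._records[record_id]
        self._log(actor, "delete", record_id, when)

    def query(self, actor, name, arg, when):
        if name not in self.QUERIES:                        # no ad-hoc access to source data
            self._log(actor, "query-refused", name, when)
            raise PermissionError(f"no predefined query named {name!r}")
        hits = sorted(rid for rid, (_, _, rec) in self._records.items()
                      if when < self.expires_at(rid) and self.QUERIES[name](rec, arg))
        self._log(actor, "query", {"name": name, "arg": arg, "hits": len(hits)}, when)
        return hits

    def purge_expired(self, when):  # scheduled job: destroy and log everything past retention
        gone = sorted(rid for rid in self._records if when >= self.expires_at(rid))
        for rid in gone:
            del self._records[rid]
            self._log("system", "expire", rid, when)
        return gone

    def shorten_retention(self, actor, category, new_period, when):
        # A statutory cut without transitional provisions applies to data already
        # stored, so the period may be shortened here but never extended.
        if new_period > self._retention[category]:
            self._log(actor, "retention-change-refused", category, when)
            raise WormViolation("retention may only be shortened")
        self._retention[category] = new_period
        self._log(actor, "retention-change", {category: new_period.days}, when)


def demo():  # exercise the controls on constructed sample records (not real traffic data)
    t0, month = datetime(2009, 1, 1, tzinfo=timezone.utc), timedelta(days=30)  # 30-day months
    store = RetentionStore({"telephony": 24 * month, "internet": 24 * month})
    store.write("ingest", "cdr-1", "telephony", {"subscriber": "A", "called": "B"}, t0)
    store.write("ingest", "net-1", "internet", {"subscriber": "A", "ip": "10.0.0.5"}, t0)
    refused = []
    for label, attempt in [("overwrite", lambda: store.write("admin", "cdr-1", "telephony", {}, t0)),
                           ("early-delete", lambda: store.delete("admin", "cdr-1", t0 + month)),
                           ("adhoc-query", lambda: store.query("analyst", "select *", None, t0))]:
        try:
            attempt()
        except (WormViolation, PermissionError):
            refused.append(label)
    hits = store.query("analyst", "by_subscriber", "A", t0 + timedelta(days=10))
    now = t0 + 13 * month   # amendment: 24 months -> 14 (telephony) / 8 (internet), retroactive
    store.shorten_retention("legal", "telephony", 14 * month, now)
    store.shorten_retention("legal", "internet", 8 * month, now)
    purged = store.purge_expired(now)                        # internet data is already overdue
    intact = store.verify_audit()
    store._audit[1]["actor"] = "nobody"                      # simulate tampering with the log
    return {"refused": refused, "hits": hits, "purged": purged, "remaining": sorted(store._records),
            "audit_intact": intact, "tampered_entry": store.verify_audit()}
```

Running demo() shows the three refused operations, the one permitted query, the internet record destroyed by the retroactive 8-month period while the telephony record (now on a 14-month clock) survives, and the audit chain breaking at the entry that was edited. The refusals are logged as well as the successes, which is what lets an auditor check not just that access happened through the approved path but that attempts outside it were recorded.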
Fixed and mobile security at the workstation

In general the providers employ standard workstation security features, such as MS WSUS servers, Active Directory control and so on. Workstation maintenance and provisioning is usually covered in the ISMS documentation.

Conveyance, transmission protocols

Each provider conveys traffic data to the competent authorities differently, according to their requests. Some use dedicated encrypted accounts to receive requests (usually from law enforcement). National Intelligence Agency requests usually arrive by courier and are also executed in this manner. Documents are classified in accordance with the ECA; however, some providers report inconsistencies in the application of confidentiality levels by the competent authorities. Data are usually still not conveyed in a fully electronic manner, but rather on paper or portable electronic media. Several providers have expressed their support for the implementation of the ETSI standard for secure electronic delivery of data.

Physical protection

Providers employ different measures for physical protection; data retention solutions are usually physically separated from other information systems and equipment. Magnetic card access control, fire alarms, technical security personnel and video surveillance systems are the most commonly used features. Physical security is usually managed as a part of the ISMS.

Backup and Disaster Recovery Systems

Some providers do not have disaster recovery systems in operation, whereas others have such solutions at distant locations. Dedicated data retention solutions offer the possibility of disaster recovery at separate locations, but not all providers have decided on such options. In these cases they rely on mirror copies/servers within the same location.

III. CONCLUSIONS

The general impression after the performed investigation is that the Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data has brought huge benefits in terms of the confidentiality and security of retained data, as well as in terms of overall security procedures within providers, since it demands the establishment of an Information Security Management System. In general, larger operators have ensured compliance with the ECA and the Executive Act; the situation might, however, be different with small-scale providers that do not have the necessary legal, human or financial resources, but on the other hand only cover minor portions of the electronic communications market. Dedicated data retention solutions adequately address various information security aspects, which is also reflected in this report. In general, providers will not be sanctioned by the Information Commissioner, except in one case, where severe security flaws were identified.

It has to be noted that the ECA has been amended, and the most important changes introduced are the reductions of the retention periods from the previous 24 months for both types of data to 14 months for telephony data and 8 months for internet-related data. The amendment of the ECA was adopted by the Parliament on 29 December 2009 and the provisions entered into force on 28 January. The amendments do not have any transitional provisions; therefore the shortened period applies also to older data.

IV. ANNEX (facultative)

The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data (in Slovenian).
More informationArchive Storage Technologies Supporting Information Lifecycle Management
Archive Storage Technologies Supporting Information Lifecycle Management V Noboru Osada V Kunihiko Kassai (Manuscript received September 16, 2005) A large amount of fixed content has been generated due
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationManagement Standards for Information Security Measures for the Central Government Computer Systems
Management Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 1.1 General...
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationCHAPTER 466b. SLOT COMPUTER SYSTEMS TECHNICAL STANDARD
CHAPTER 466b. SLOT COMPUTER SYSTEMS TECHNICAL STANDARD 466b.1. Slot computer systems. (a) Definitions. The following words and terms, when used in this chapter, have the following meanings, unless the
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationCOUNCIL OF THE EUROPEAN UNION. Brussels, 24 February 2005 6566/05 LIMITE COPEN 35 TELECOM 10
COUNCIL OF THE EUROPEAN UNION Brussels, 24 February 2005 6566/05 LIMITE COPEN 35 TELECOM 0 REPORT from : Working Party on cooperation in criminal matters to : Article 36 Committee No. prev. doc. : 5098/04
More informationSolutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance
White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA
More informationCyber-Ark Software and the PCI Data Security Standard
Cyber-Ark Software and the PCI Data Security Standard INTER-BUSINESS VAULT (IBV) The PCI DSS Cyber-Ark s View The Payment Card Industry Data Security Standard (PCI DSS) defines security measures to protect
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationPrivacy Level Agreement Outline for the Sale of Cloud Services in the European Union
Privacy Level Agreement Working Group Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union February 2013 The PLA Outline has been developed within CSA by an expert working
More informationMCOLES Information and Tracking Network. Security Policy. Version 2.0
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
More informationThe Anti-Corruption Compliance Platform
The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop
More informationSecurity Framework Information Security Management System
NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationRegulatory Framework for Communications Security and Privacy in Greece
Regulatory Framework for Communications Security and Privacy in Greece Georgia Bafoutsou, Nikolaos Antoniadis, Eugenia Nikolouzou, Athanasios Panagopoulos Authority for the Assurance of Communications
More informationHIPAA: The Role of PatientTrak in Supporting Compliance
HIPAA: The Role of PatientTrak in Supporting Compliance The purpose of this document is to describe the methods by which PatientTrak addresses the requirements of the HIPAA Security Rule, as pertaining
More informationSAS 70 Exams Of EBT Controls And Processors
Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service
More informationChap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
More informationData Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.
Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History
More informationCITY UNIVERSITY OF HONG KONG. Information Classification and
CITY UNIVERSITY OF HONG KONG Handling Standard (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification
More informationCompliance Response Edition 07/2009. SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures. simatic wincc DOKUMENTATION
Compliance Response Edition 07/2009 SIMATIC WinCC V7.0 Compliance Response Electronic Records / Electronic Signatures simatic wincc DOKUMENTATION Compliance Response Electronic Records / Electronic Signatures
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationHIPAA Security COMPLIANCE Checklist For Employers
Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major
More informationPRIVACY AND DATA SECURITY MODULE
"This project has been funded under the fourth AAL call, AAL-2011-4. This publication [communication] reflects the views only of the author, and the Commission cannot be held responsible for any use which
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationICANWK406A Install, configure and test network security
ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationInformation Circular
Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal
More informationTechnical Proposition. Security
Technical Proposition ADAM Software NV The global provider of media workflow and marketing technology software ADAM Software NV adamsoftware.net info@adamsoftware.net Why Read this Technical Proposition?
More informationSecurity Control Standard
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
More informationLife Cycle of Records
Discard Create Inactive Life Cycle of Records Current Retain Use Semi-current Records Management Policy April 2014 Document title Records Management Policy April 2014 Document author and department Responsible
More informationINFORMATION SECURITY GUIDELINES
INFORMATION SECURITY GUIDELINES TABLE OF CONTENTS: Scope of Document 1 Data Definition Guidelines (Appendix 1).2 Data Protection Guidelines (Appendix 2).3 Protection of Electronic or Machine- Readable
More informationWHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE
WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationSERIES A : GUIDANCE DOCUMENTS. Document Nr 3
DATRET/EXPGRP (2009) 3 - FINAL EXPERTS GROUP "THE PLATFORM FOR ELECTRONIC DATA RETENTION FOR THE INVESTIGATION, DETECTION AND PROSECUTION OF SERIOUS CRIME" ESTABLISHED BY COMMISSION DECISION 2008/324/EC
More informationData Stored on a Windows Server Connected to a Network
Attachment A Form to Describe Sensitive Data Security Plan For the Use of Sensitive Data from The National Longitudinal Study of Adolescent to Adult Health Data Stored on a Windows Server Connected to
More information2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
More informationTASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationRackspace Archiving Compliance Overview
Rackspace Archiving Compliance Overview Freedom Information Act Sunshine Laws The federal government and nearly all state governments have established Open Records laws. The purpose of these laws is to
More information